Configuration of SSL Certificates
In rcstack the router component can be responsible for SSL certificates and handling SSL termination.
rcstack uses traefik project for the router component.
Please see detailed documentation about traefik SSL support here: https://doc.traefik.io/traefik/https/tls/
Enable custom traefik config
By default the shared :file:`.custom/traefik_custom/` directory is not mount into traefik. We need to enable this first, before enabling any of the below SSL certificates.
In the file :file:`.custom/docker-compose-router.override.yaml` uncomment the two binds that would override defaults and allow custom code from the .custom directory
traefik: volumes: # ... other items here ... # THESE TWO NEEDS TO BE UNCOMMENTED - $PWD/.custom/traefik_custom:/etc/traefik:ro - $PWD/.custom/traefik_custom/dynamic:/etc/traefik_dynamic:ro
Enable file based certificates
File based certificates (including self-signed) should be places inside this :file:`.custom/traefik_custom/dynamic/certs` We recommend using standard names for the .crt file (rhodecode-ssl.crt) and .key file (rhodecode-ssl.key).
e.g.
root@Ubuntu-2204 ~/rhodecode_docker # ls -la .custom/traefik_custom/certs/ total 416 drwxr-xr-x 2 root root 4096 Jan 7 2023 . drwxr-xr-x 4 root root 4096 Jan 22 2023 .. -rw-r--r-- 1 root root 411001 Jan 7 2023 rhodecode-ssl.crt -rw-r--r-- 1 root root 1675 Jan 7 2023 rhodecode-ssl.key
Then those file can be enabled to act as a default certificates used in traefik.
In file :file:`.custom/traefik_custom/dynamic/traefik_dynamic_custom.yaml` there a section that defines this:
tls: stores: default: {} # the below should be used only if acme/letsencrypt is not used, and we want a default file-based SSL certificates certificates: # first certificate in default store - certFile: /etc/traefik/certs/rhodecode-ssl.crt keyFile: /etc/traefik/certs/rhodecode-ssl.key stores: - default
Enable lets encrypt automatic certificates
In file :file:`.custom/traefik_custom/traefik.yaml`
There's a commented out section that would enable cert resolver using letsencrypt.
entryPoints: http: address: ":80" https: address: ":443" http: # default, that uses certificates from tls.certificates config in traefik_dynamic.yaml # Those are regular key+crt file based certificates tls: options: {} # Enable LE certificate wildcard domain resolver defined above # uncomment this to enable letsencrypt for your domains certResolver: letsEncryptCertResolver domains: - main: "*.rhodecode.com" sans: - "rhodecode.com"
This defines the letsEncryptCertResolver certResolver, which definition can be found above:
certificatesResolvers: letsEncryptCertResolver: acme: email: admin@rhodecode.com storage: /acme.json dnsChallenge: # DNS provider used during the challenge # there are multiple providers available see: https://doc.traefik.io/traefik/https/acme/#providers provider: route53 delayBeforeCheck: 0
Please check specific docs on traefik for more examples and required configuration for letsencrypt certificate handling
Troubleshooting
In both cases when there are some issues with SSL certificates, especially with the Letsencrypt ones. All logs and errors related to the ssl certificates would be printed to the traefik logs.
here's how to view traefik logs with tail options and trim the results to just one last hour
./rcstack stack router logs --follow --since=1h
In case of letsencrypt the typical problems that happen are:
- acme directory permissions (installer should handle that, but still it's important to make sure the acme storage has the right permissions)
- acme certificates credentials missing. In many cases using DNS acme resolver it's important to make sure all credentials are correct in order to generate a proper certificate