4.3.2.3 Static TLS certificates

When using static .crt and .key files, whether created by certbot for LetsEncrypt or provided to you by a TLS/SSL Certificate Authority, these files must be placed on your server environments in a location where the Traefik Docker container can locate them.

We recommend automating this process to limit the potential for human error, as these static files must be replaced regularly when they expire.

You must include these additional steps when following the Provision Github Action.

  1. In your countryconfig repository code, create a folder named "traefik" in the "infrastructure" folder and create this certs.yaml file inside it:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/<your combined leaf, intermediate and root certificate file>.crt
        keyFile: /etc/certs/<your certificate private key file>.key
  certificates:
    - certFile: /etc/certs/<your combined leaf, intermediate and root certificate file>.crt
      keyFile: /etc/certs/<your certificate private key file>.key
      stores:
        - default

The certbot tool for LetsEncrypt explained in the previous section outputs the .crt and .key files exactly as you need them. If you are used to Apache, however, your TLS Certificate Authority may have provided the leaf, intermediate and root certificates as separate files; in that case concatenate them, leaf first, then intermediate, then root, into the single combined .crt file referenced above.

  2. In the Traefik service of your Docker Compose deployment file, mount the certificates directory and the certs.yaml file into the container and enable Traefik's file provider so that it reads certs.yaml:

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/traefik/certs:/etc/certs   # container path must match the certFile/keyFile paths in certs.yaml
      - /opt/opencrvs/infrastructure/traefik/certs.yaml:/etc/traefik/certs.yaml
    command:
      - --providers.file.directory=/etc/traefik
      - --providers.file.watch=true

  3. If the certificate is different for each environment, you will have to edit the "Provision" Github Action so that it writes the contents of the .crt and .key files into the /data/traefik/certs directory on your server from new Github environment secrets that you create manually. In the file infrastructure/server-setup/tasks/traefik.yml, add these tasks at the end of the file (the cert.crt and cert.key file names must be the ones referenced in certs.yaml):

- name: Create crt file with variable content
  copy:
    dest: "/data/traefik/certs/cert.crt"
    content: |
      {{ssl_crt}}
    owner: root
    group: application
    mode: 0644
  when: ssl_crt is defined and ssl_crt | length > 0

- name: Create key file with variable content
  copy:
    dest: "/data/traefik/certs/cert.key"
    content: |
      {{ssl_key}}
    owner: root
    group: application
    mode: 0600
  when: ssl_key is defined and ssl_key | length > 0

  4. Create two new Github environment secrets, SSL_CRT and SSL_KEY, holding the contents of the .crt and .key files, and pass them to Ansible by adding these lines to the "Set variables for ansible in production environments" step in the file .github/workflows/provision.yml:

ssl_crt: ${{ secrets.SSL_CRT }}
ssl_key: ${{ secrets.SSL_KEY }}
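As an added check (example script, not part of the countryconfig repository or the Provision workflow), the following POSIX shell functions build the combined .crt from separately supplied leaf, intermediate and root files, and verify, before the files are pasted into the SSL_CRT/SSL_KEY secrets or after Ansible has written them to /data/traefik/certs, that the key matches the leaf certificate and that the certificate is not close to expiry. It assumes the openssl command-line tool is installed.

```shell
# Added example, not part of the OpenCRVS countryconfig repository.
# Requires the openssl CLI; POSIX sh, no bash-only features.

# Concatenate separately supplied certificates, in the order leaf,
# intermediate(s), root, into the single .crt file that certs.yaml expects.
# Usage: combine_chain out.crt leaf.crt intermediate.crt root.crt
combine_chain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    # Each input must carry exactly one PEM certificate block.
    if [ "$(grep -c 'BEGIN CERTIFICATE' "$f" 2>/dev/null)" != "1" ]; then
      echo "FAIL: $f is not a single PEM certificate" >&2
      return 1
    fi
    cat "$f" >> "$out"
    # Keep blocks separated even when an input lacks a trailing newline.
    [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
  done
}

# Sanity-check a bundle and its key. Returns 0 when deployable, 1 otherwise.
# Usage: check_tls_bundle bundle.crt cert.key [min_days_before_expiry]
check_tls_bundle() {
  crt="$1"; key="$2"; min_days="${3:-30}"; rc=0

  # A deployable bundle carries the leaf plus at least one chain certificate.
  n=$(grep -c 'BEGIN CERTIFICATE' "$crt" 2>/dev/null || true)
  if [ "${n:-0}" -lt 2 ]; then
    echo "WARN: $crt holds ${n:-0} certificate(s); Traefik expects leaf + chain" >&2
  fi

  # The first block must be the leaf, i.e. the certificate the key belongs to.
  # openssl x509 only reads the first PEM block, so compare public keys.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the first certificate in $crt" >&2
    rc=1
  fi

  # Refuse a leaf that is expired or expires within min_days.
  if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
    echo "FAIL: certificate in $crt expires within $min_days days" >&2
    rc=1
  fi
  return "$rc"
}
```

Run `check_tls_bundle` against the files on the server after the Provision workflow has written them; a non-zero exit means Traefik would either fail to load the pair or serve a certificate that is about to expire.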
