4.3.2 TLS / SSL & DNS
Last updated
Last updated
Watch the videos above to understand the OpenCRVS network and how TLS is configured in OpenCRVS servers
Using your domain management system, A records will need to be created for all the services which are publicly exposed for qa, production & staging environments.
Either use a wildcard or create individual A records for your chosen environment's domain name, with a TTL of 1 hour that forwards the URL to your manager server node's external IP address.
A total of 6 A Records are required for this option, 2 for each environment's domain: qa, production & staging
<your_domain>
*.<your_domain>
A total of 42 A Records are required for this option, 14 for each environment's domain: qa, production & staging
<your_domain>
auth.<your_domain>
config.<your_domain>
countryconfig.<your_domain>
documents.<your_domain>
metabase.<your_domain>
minio.<your_domain>
minio-console.<your_domain>
ui-kit.<your_domain>
gateway.<your_domain>
kibana.<your_domain>
login.<your_domain>
register.<your_domain>
webhooks.<your_domain>
There are a number of ways you can configure TLS / SSL certificates for OpenCRVS. The options are explained in subsequent pages and all methods must be compatible with Traefik.
A free approach is to use LetsEncrypt. However LetsEncrypt certificates must validate and refresh every 3 months. When installing OpenCRVS behind a VPN, your VPN and DNS settings must be configured to enable this, and some techniques may not work in your network.
Alternatively you could consider purchasing a long term SSL certificate and manually replacing the static .crt & .key files every 1, 2 or 3 years depending on it's lifetime. The SSL certificates that you purchase must support the subdomains and each environment's domain: qa, production & staging. You may opt for a single, multi-domain, wildcard SSL certificate that covers all of your domains regardless of the number of subdomain levels. You need to pay close attention to your domain to understand which SSL certificate to purchase.
The following "recipes" are not meant to be exhaustive, but simply describe some examples you may wish to follow. Every country will have unique network, domain name & management considerations to pay attention to.
For each recipe, search the docker-compose.{YOUR ENVIRONMENT}-deploy.yml files for each environment to find the block below. In this block, you can amend configurations for each individual environment: qa, production & staging. Alternatively, you can remove each individual block and have a single block in docker-compose-deploy.yml that will apply a generic approach applied to all environments.