4.3.2.3 Static TLS certificates

Static TLS certificates

Traefik requires access to the content from 2 certificate files which your certificate supplier must provide to you. In the previous step these were created by certbot for LetsEncrypt but other certificate providers will provide equivalent files albeit they may be named differently. The files that Traefik requires are:

.crt

This is the certificate "Full Chain File", equivalent to the fullchain.pem file that is created by certbot. The full chain file combines both your domain's certificate and the intermediate certificates in a single file.

.key

This file holds the private key associated with your SSL certificate, equivalent to the privkey.pem file that is created by certbot. It's crucial to keep this file secure and private, as anyone with access to it can impersonate your domain.

Static TLS certificate files have an expiry, therefore they need to be refreshed. The default country configuration doesnt provide an automated way to do this, but the following snippets explain how static files and their refresh can be automatically configurable going forward.

1. In your countryconfig repository code, create a folder named "traefik" in the "infrastructure" folder and create this certs.yaml file inside of it:

Content of certs.yaml:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/cert.crt
        keyFile: /etc/certs/cert.key
  certificates:
    - certFile: /etc/certs/cert.crt
      keyFile: /etc/certs/cert.key
      stores:
        - default

1. Edit the docker compose deploy files to ensure that the Traefik service can access the .crt & .key files that the provisioning Ansible script will create from Github Secrets and the cert.yaml file.

  traefik:
    .. <search for the volumes & command block>
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/traefik/certs:/etc/certs
      - /opt/opencrvs/infrastructure/traefik/certs.yaml:/etc/traefik/certs.yaml
    command:
      .. <search for --providers>
      - --providers.file.directory=/etc/traefik
      - --providers.file.watch=true
      .. <remove any lines associated with automated certs e.g. --certificatesresolvers.certResolver.acme>

- name: Create crt file with variable content
  copy:
    dest: "/data/traefik/certs/cert.crt"
    content: |
      {{ssl_crt}}
    owner: root
    group: application
    mode: 0644
  when: ssl_crt is defined and ssl_crt | length > 0

- name: Create key file with variable content
  copy:
    dest: "/data/traefik/certs/cert.key"
    content: |
      {{ssl_key}}
    owner: root
    group: application
    mode: 0600
  when: ssl_key is defined and ssl_key | length > 0

- name: Clean newlines in crt file
  replace:
    path: "/data/traefik/certs/cert.crt"
    regexp: '\\n'
    replace: '\n'
  when: ssl_crt is defined and ssl_crt | length > 0

- name: Clean newlines in key file
  replace:
    path: "/data/traefik/certs/cert.key"
    regexp: '\\n'
    replace: '\n'
  when: ssl_key is defined and ssl_key | length > 0

ssl_crt: ${{ secrets.SSL_CRT }}
ssl_key: ${{ secrets.SSL_KEY }}

1. After you have created Github environments by following the steps in 4.3.4 Create a Github environment you will be required to manually create the following Github environment secrets to store the contents of the certificate files.

1. When you run the provision action, the files will be created on your servers appropriately.

Refreshing static TLS certificates on expiry

When it is time to refresh your certificate files, you will need to do the following steps:

1. Replace the content of the Github environment secrets SSL_CRT and SSL_KEY with your new certificate content.

2. Run the provision action on your servers again. To save time you do not need to run all the provision tasks. You can select simply the "traefik" task and run that.

1. Re-deploy OpenCRVS. Re-deploying OpenCRVS is required so that the traefik service is refreshed to load the new content from the .crt and .key files.