Static TLS certificates

yarn environment:init script automatically handles this configuration you, check https://github.com/opencrvs/documentation/blob/master/v2.0.0/setup/3.-installation/3.3-set-up-a-server-hosted-environment/4.3.1-create-a-github-environment

Static TLS certificates

Traefik requires access to key and certificate files which your certificate supplier must provide to you. In the previous step these were created by certbot for LetsEncrypt but other certificate providers will provide equivalent files albeit they may be named differently. The files that Traefik requires are:

.crt

This is the certificate "Full Chain File", equivalent to the fullchain.pem file that is created by certbot. The full chain file combines both your domain's certificate and the intermediate certificates in a single file.

.key

This file holds the private key associated with your SSL certificate, equivalent to the privkey.pem file that is created by certbot. It's crucial to keep this file secure and private, as anyone with access to it can impersonate your domain.

Static TLS certificate files have an expiry, therefore they need to be refreshed. The default country configuration doesn't provide an automated way to do this, but the following snippets explain how static files and their refresh can be automatically configurable going forward.

Create temporal folder to store certificate and private key. Folder can be created in your home directory or in any other safe place:

mkdir $(date +%F)

Example folder name: 2025-10-31

Copy and rename certificate and private key files:
- Certificate file name should be cert.pem
- Private key file name should be private.key Example folder content:

~/2025-10-31$ ls -1l
total 12
-rw-r--r-- 1 bob bob 4128 Oct 27 15:43 cert.pem
-rw-r--r-- 1 bob bob 3243 Oct 27 15:43 private.key

Make sure you are connected to correct kubernetes cluster, you need to check your kubernetes context:

kubectl config current-context

Example output: In this output bob is your user name, tmp-k8s-server is master node name:

bob@public-k8s-tmp-k8s-server

Navigate to folder with certificates:

cd $(date +%F)

Create kubernetes secret in traefik namespace:

kubectl create secret tls traefik-cert  --cert=cert.pem --key=private.key -n traefik

tls: is special kubernetes secret type
--cert=cert.pem --key=private.key: are properties passed for secret creation
traefik-cert: is kubernetes secret name
traefik: is namespace

Verify the secret was created:

kubectl get secret -n traefik traefik-cert

Example output

NAME           TYPE                DATA   AGE
traefik-cert   kubernetes.io/tls   2      3m

Update traefik helm chart values by adding following code snippet to environments/<env name>/traefik/values.yaml


# 👇 Disable ACME
certificatesResolvers: {}

# 👇 Custom TLS configuration
tlsStore:
  default:
    defaultCertificate:
      # Provide secret name from previous step
      secretName: traefik-cert

Check full example at examples/dev/traefik/values-custom-ssl

Commit and push changes
Run "Deploy dependencies" workflow or re-deploy traefik helm chart manually

PreviousLetsEncrypt DNS challenge in production NextSSH access

Last updated 1 month ago