2018-12-23 10:00:12 +01:00
# Adjusting SSL certificate retrieval (optional, advanced)
2023-02-26 15:14:05 +01:00
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt ](https://letsencrypt.org/ ) for the domains it needs (e.g. `matrix.<your-domain>` and others)
2018-12-23 10:00:12 +01:00
2023-02-26 15:14:05 +01:00
This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver ](configuring-playbook-own-webserver.md ).
2019-02-01 15:50:02 +01:00
2019-02-08 10:59:00 +01:00
2023-02-26 15:14:05 +01:00
## Using staging Let's Encrypt certificates instead of real ones
2019-02-08 10:59:00 +01:00
2023-02-26 15:14:05 +01:00
For testing purposes, you may wish to use staging certificates provide by Let's Encrypt.
2019-02-08 10:59:00 +01:00
2023-02-26 15:14:05 +01:00
You can do this with the following configuration:
2019-02-01 15:50:02 +01:00
```yaml
2023-02-26 15:14:05 +01:00
devture_traefik_config_certificatesResolvers_acme_use_staging: true
2019-02-01 15:50:02 +01:00
```
2019-02-08 10:59:00 +01:00
2023-02-26 15:14:05 +01:00
## Disabling SSL termination
2019-02-08 10:59:00 +01:00
2023-02-26 15:14:05 +01:00
For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://` .
2019-02-08 10:59:00 +01:00
2023-02-26 15:14:05 +01:00
You can do this with the following configuration:
2019-02-08 10:59:00 +01:00
```yaml
2023-02-26 15:14:05 +01:00
devture_traefik_config_entrypoint_web_secure_enabled: false
2019-02-08 10:59:00 +01:00
```
2023-02-26 15:14:05 +01:00
## Using self-signed SSL certificates
2022-03-03 17:15:39 +01:00
2023-03-01 08:54:23 +01:00
If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME ](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ) from [Let's Encrypt ](https://letsencrypt.org/ )):
2023-02-28 21:09:37 +01:00
2023-03-01 08:54:23 +01:00
- generate your self-signed certificate files
- follow the [Using your own SSL certificates ](#using-your-own-ssl-certificates ) documentation below
## Using your own SSL certificates
To use your own SSL certificates with Traefik, you need to:
- disable [ACME ](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment ) / [Let's Encrypt ](https://letsencrypt.org/ ) support
2023-03-01 08:45:54 +01:00
- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
- register your custom configuration file with Traefik, by adding an extra provider of type [file ](https://doc.traefik.io/traefik/providers/file/ )
- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
2023-02-28 21:07:16 +01:00
```yaml
2023-03-01 08:54:23 +01:00
# Disable ACME / Let's Encrypt support.
2023-02-28 21:07:16 +01:00
devture_traefik_config_certificatesResolvers_acme_enabled: false
2023-03-01 08:45:54 +01:00
2023-03-01 08:54:23 +01:00
# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
2023-02-28 21:07:16 +01:00
devture_traefik_ssl_dir_enabled: true
2023-03-01 08:45:54 +01:00
# Tell Traefik to load our custom configuration file (certificates.yml).
2023-03-01 08:54:23 +01:00
# The file is created below, in `matrix_aux_file_definitions`.
2023-03-06 08:51:14 +01:00
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
2023-02-28 21:07:16 +01:00
devture_traefik_configuration_extension_yaml: |
providers:
file:
filename: /config/certificates.yml
watch: true
2023-03-01 08:45:54 +01:00
# Use the matrix-aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable.
matrix_aux_file_definitions:
# Create the privkey.pem file on the server by
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
src: /path/on/your/Ansible/computer/to/privkey.pem
2023-03-01 08:54:23 +01:00
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
# content: |
# FILE CONTENT
# HERE
2023-03-01 08:45:54 +01:00
# Create the cert.pem file on the server
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
src: /path/on/your/Ansible/computer/to/cert.pem
2023-03-01 08:54:23 +01:00
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
# content: |
# FILE CONTENT
# HERE
2023-03-01 08:45:54 +01:00
# Create the custom Traefik configuration.
2023-03-06 08:51:14 +01:00
# The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
2023-03-01 08:45:54 +01:00
- dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
content: |
tls:
certificates:
- certFile: /ssl/cert.pem
keyFile: /ssl/privkey.pem
stores:
default:
defaultCertificate:
certFile: /ssl/cert.pem
keyFile: /ssl/privkey.pem
2023-02-28 21:07:16 +01:00
```