matrix-docker-ansible-deploy/docs/configuring-playbook-ssl-certificates.md

76 lines
2.2 KiB
Markdown
Raw Normal View History

# Adjusting SSL certificate retrieval (optional, advanced)
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.<your-domain>` and others)
This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md).
## Using staging Let's Encrypt certificates instead of real ones
For testing purposes, you may wish to use staging certificates provide by Let's Encrypt.
You can do this with the following configuration:
```yaml
devture_traefik_config_certificatesResolvers_acme_use_staging: true
```
## Disabling SSL termination
For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`.
You can do this with the following configuration:
```yaml
devture_traefik_config_entrypoint_web_secure_enabled: false
```
## Using self-signed SSL certificates
2023-02-28 20:07:16 +00:00
To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool.
You also need to override the providers.file setting in the Traefik configs.
2023-02-28 20:09:37 +00:00
2023-02-28 20:07:16 +00:00
Create a file 'certificates.yml' in /devture-traefik/config/ with the following content:
2023-02-28 20:07:16 +00:00
```yaml
tls:
certificates:
- certFile: /ssl/cert.pem
keyFile: /ssl/privkey.pem
stores:
default:
defaultCertificate:
certFile: /ssl/cert.pem
keyFile: /ssl/privkey.pem
```
Place the key and your certificate in /devture-traefik/ssl/
2023-02-28 20:09:37 +00:00
2023-02-28 20:07:16 +00:00
You can use the matrix-aux role for this:
```yaml
matrix_aux_file_definitions:
- dest: /devture-traefik/ssl/privkey.pem
src: /path/to/privkey.pem
- dest: /devture-traefik/ssl/cert.pem
src: /path/to/cert.pem
- dest: /devture-traefik/config/certificates.yml
src: /path/to/certificates.yml
```
Then add the following to your vars.yml:
```yaml
devture_traefik_config_certificatesResolvers_acme_enabled: false
devture_traefik_certResolver_primary: ''
devture_traefik_ssl_dir_enabled: true
devture_traefik_configuration_extension_yaml: |
providers:
file:
filename: /config/certificates.yml
watch: true
matrix_playbook_traefik_certs_dumper_role_enabled: false
```