# DigiCert SSL Certificate Setup for Production

## Certificate Files Required

From DigiCert, you'll receive these files:

- `merchbay_com.crt` - Your domain certificate
- `merchbay_com.key` - Private key (generated during CSR creation)
- `DigiCertCA.crt` - Intermediate certificate
- `TrustedRoot.crt` - Root certificate (optional)
## Step 1: Combine Certificate Chain (on your local machine)

```bash
# Create full chain certificate: the leaf certificate must come first,
# followed by the intermediate, since that is the order TLS clients expect
cat merchbay_com.crt DigiCertCA.crt > merchbay.com.crt
# Copy private key
cp merchbay_com.key merchbay.com.key
```
## Step 2: Upload to Production Server

```bash
# SSH to production server
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
# Create certificates directory
sudo mkdir -p /srv/certs
sudo chmod 700 /srv/certs
# Exit SSH, then upload from local machine
# Note: the private key sits in the shared /tmp directory until it is moved
# below, so do the move immediately after the upload
scp merchbay.com.crt PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
scp merchbay.com.key PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
# SSH back to server and move files
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
sudo mv /tmp/merchbay.com.crt /srv/certs/
sudo mv /tmp/merchbay.com.key /srv/certs/
# Restrict permissions so only root can read the key
sudo chmod 600 /srv/certs/*
sudo chown root:root /srv/certs/*
```
## Step 3: Upload Traefik Configuration

```bash
# From local machine
scp traefik-certs.yml PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
# SSH to server
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
sudo mkdir -p /srv/traefik
sudo mv /tmp/traefik-certs.yml /srv/traefik/dynamic-certs.yml
sudo chmod 644 /srv/traefik/dynamic-certs.yml
```
## Step 4: Update Traefik Container

Ensure your Traefik `docker-compose.yml` includes:

```yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # File provider that loads the certificate configuration mounted below
      - --providers.file.filename=/dynamic-certs.yml
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Redirect all plain HTTP traffic to HTTPS
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/certs:/srv/certs:ro
      - /srv/traefik/dynamic-certs.yml:/dynamic-certs.yml:ro
    networks:
      # traefik-public must also be declared in the top-level networks
      # section of this compose file (or exist as an external network)
      - traefik-public
    restart: unless-stopped
```
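Step 3 uploads `traefik-certs.yml` but its contents are not shown above. The following is an added example of what that Traefik v2 file-provider dynamic configuration looks like for these certificates; it is not from the original page and assumes the in-container paths from the Step 4 volume mounts (`/srv/certs` mounted read-only):

```yaml
# Added example of traefik-certs.yml (becomes /dynamic-certs.yml in the container).
# Paths are the in-container paths from the Step 4 volume mounts (assumed).
tls:
  certificates:
    # Full chain (leaf + DigiCertCA.crt) built in Step 1, plus its private key;
    # Traefik selects this certificate by SNI for merchbay.com
    - certFile: /srv/certs/merchbay.com.crt
      keyFile: /srv/certs/merchbay.com.key
  stores:
    default:
      # Serve this certificate instead of Traefik's self-signed fallback
      # when a client sends no matching SNI
      defaultCertificate:
        certFile: /srv/certs/merchbay.com.crt
        keyFile: /srv/certs/merchbay.com.key
  options:
    default:
      # Refuse TLS 1.0/1.1 clients
      minVersion: VersionTLS12
```

Traefik's file provider watches this file, so editing it after renewal reloads the certificate without recreating the container.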
## Step 5: Restart Traefik

```bash
cd /opt/traefik # or wherever your traefik docker-compose.yml is
docker compose restart traefik
# Verify certificate is loaded
docker compose logs traefik | grep -i certificate
```
## Step 6: Deploy merchbay Application

Once Traefik is configured, deploy merchbay:

```bash
cd /var/www/merchbay
docker compose up -d
```
## Verification

```bash
# Check certificate
openssl s_client -connect merchbay.com:443 -servername merchbay.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# Should show:
# subject=CN = merchbay.com
# issuer=O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
# notBefore=...
# notAfter=...
```
## Certificate Renewal

DigiCert certificates typically last 1-2 years. Set a reminder to renew 30 days before expiration and repeat Steps 1-3 and 5.
## Security Notes

- Never commit `.key` files to git
- Keep private keys secure (600 permissions)
- Use strong encryption for private key storage
- Consider using a certificate management system for automatic renewal