merchbay/DIGICERT_SSL_SETUP.md
Frank John Begornia fa2956e8b6
Refactor deployment workflows and add SSL setup documentation for production
2025-12-22 23:23:10 +08:00


# DigiCert SSL Certificate Setup for Production
## Certificate Files Required
You'll need these files (the certificates come from DigiCert; the private key is the one generated locally when you created the CSR):
- `merchbay_com.crt` - Your domain certificate
- `merchbay_com.key` - Private key (generated during CSR creation)
- `DigiCertCA.crt` - Intermediate certificate
- `TrustedRoot.crt` - Root certificate (optional)
## Step 1: Combine Certificate Chain (on your local machine)
```bash
# Create full chain certificate
cat merchbay_com.crt DigiCertCA.crt > merchbay.com.crt
# Copy private key
cp merchbay_com.key merchbay.com.key
```
## Step 2: Upload to Production Server
```bash
# SSH to production server
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
# Create certificates directory
sudo mkdir -p /srv/certs
sudo chmod 700 /srv/certs
# Exit SSH, then upload from local machine
scp merchbay.com.crt PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
scp merchbay.com.key PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
# SSH back to server and move files
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
sudo mv /tmp/merchbay.com.crt /srv/certs/
sudo mv /tmp/merchbay.com.key /srv/certs/
sudo chmod 600 /srv/certs/*
sudo chown root:root /srv/certs/*
```
## Step 3: Upload Traefik Configuration
```bash
# From local machine
scp traefik-certs.yml PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
# SSH to server
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
sudo mkdir -p /srv/traefik
sudo mv /tmp/traefik-certs.yml /srv/traefik/dynamic-certs.yml
sudo chmod 644 /srv/traefik/dynamic-certs.yml
```
## Step 4: Update Traefik Container
Ensure your Traefik docker-compose.yml includes:
```yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/dynamic-certs.yml
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/certs:/srv/certs:ro
      - /srv/traefik/dynamic-certs.yml:/dynamic-certs.yml:ro
    networks:
      - traefik-public
    restart: unless-stopped
```
## Step 5: Restart Traefik
```bash
cd /opt/traefik # or wherever your traefik docker-compose.yml is
docker compose restart traefik
# Verify certificate is loaded
docker compose logs traefik | grep -i certificate
```
## Step 6: Deploy merchbay Application
Once Traefik is configured, deploy merchbay:
```bash
cd /var/www/merchbay
docker compose up -d
```
## Verification
```bash
# Check certificate
openssl s_client -connect merchbay.com:443 -servername merchbay.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# Should show:
# subject=CN = merchbay.com
# issuer=O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
# notBefore=...
# notAfter=...
```
## Certificate Renewal
DigiCert certificates typically last 1-2 years. Set a reminder to renew 30 days before expiration and repeat Steps 1-3 and 5.
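Before Step 2, and again at every renewal, it is worth checking the bundle from Step 1 on the local machine rather than discovering a problem in Traefik's logs. The following pre-flight script is an added example, not part of the original document: it checks that the private key belongs to the certificate, that the chain is in leaf-then-intermediate order, that the certificate still has the 30-day renewal margin, and that the key file is mode 600. It assumes the `openssl` CLI and GNU coreutils `stat`; the function names are my own.

```sh
#!/bin/sh
# Pre-upload checks for the bundle built in Step 1 (added example; assumes
# the openssl CLI and GNU coreutils `stat` are available on the local machine).

# Print the n-th PEM certificate block (1-based) of a bundle file.
pem_nth() {  # $1 = bundle file, $2 = index
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                 c == n { print }
                 /-----END CERTIFICATE-----/ { if (c == n) exit }' "$1"
}

# Check 1: the private key must belong to the leaf certificate. Both commands
# emit the SubjectPublicKeyInfo as PEM, so a matching pair prints identical text.
cert_key_match() {  # $1 = chain or leaf cert file, $2 = private key file
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 2: Step 1 puts the leaf first and DigiCertCA.crt second. If the order is
# reversed or the intermediate is missing, the issuer of cert #1 will not equal
# the subject of cert #2 and clients will be served an incomplete chain.
chain_order_ok() {  # $1 = combined chain file
  leaf_issuer=$(pem_nth "$1" 1 | openssl x509 -noout -issuer 2>/dev/null)
  inter_subject=$(pem_nth "$1" 2 | openssl x509 -noout -subject 2>/dev/null)
  [ -n "$inter_subject" ] && [ "${leaf_issuer#issuer=}" = "${inter_subject#subject=}" ]
}

# Check 3: enforce the renewal lead time; fails if the leaf expires within $2 days.
cert_valid_for_days() {  # $1 = cert file, $2 = minimum days of remaining validity
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Check 4: the key file must already be mode 600 before it is copied anywhere.
key_perms_ok() {  # $1 = private key file
  [ "$(stat -c %a "$1" 2>/dev/null)" = "600" ]
}

# Run all checks; the return value is the number of failures (0 = safe to upload).
preflight() {  # $1 = chain file, $2 = key file, $3 = minimum days left
  fails=0
  cert_key_match "$1" "$2"      || { echo "FAIL: key does not match certificate"; fails=$((fails+1)); }
  chain_order_ok "$1"           || { echo "FAIL: wrong chain order or missing intermediate"; fails=$((fails+1)); }
  cert_valid_for_days "$1" "$3" || { echo "FAIL: certificate expires within $3 days"; fails=$((fails+1)); }
  key_perms_ok "$2"             || { echo "FAIL: private key is not mode 600"; fails=$((fails+1)); }
  return "$fails"
}
```

Source the script and run `preflight merchbay.com.crt merchbay.com.key 30` from the directory holding the Step 1 output; a zero exit status means the bundle is safe to upload.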
## Security Notes
- Never commit `.key` files to git
- Keep private keys secure (600 permissions)
- Use strong encryption for private key storage
- Consider using a certificate management system for automatic renewal