Set up custom certificates for a site
We already take care of the certificate management, but if you want to use your own certificates you can do so by configuring them manually.
There is a one-to-one relationship between a certificate and a site. The certificates are managed by Cert Manager and are signed using Let's Encrypt, a free certificate provider.
NOTE
For now this feature is only available from the command line, so go ahead and connect to your cluster.
To make things easier, let's define some helpful constants that will simplify our commands: the Project Namespace and the Site Name. Both can be found in the Presslabs Dashboard on the Runtime page of the site.
PROJECT_NS=<your_namespace>
SITE_NAME=<your_site_name>
How to use custom certificates
In order to use a custom certificate, you need to do the following steps:
1. Upload the certificates
The certificate should include all the Domain names from the Routing section.
You should have 2 files: one containing the private key (tls.key) and one containing the certificate bundle (tls.crt).
Both should be in PEM format. In other words, your certificate should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----, and your key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
Let's name the new certificate (any name is good):
CERTIFICATE_NAME=$SITE_NAME-custom-tls
Create it.
kubectl -n $PROJECT_NS create secret tls $CERTIFICATE_NAME --cert=tls.crt --key=tls.key
2. Disable automatic certificate management
In order to set a custom certificate, you have to tell Cert Manager that you don't want to generate a certificate for your site.
kubectl -n $PROJECT_NS annotate wp $SITE_NAME site.presslabs.com/custom-certificate=""
3. Set the new certificate
Once the certificate is uploaded, you can set it to be used by the site.
kubectl -n $PROJECT_NS patch wp $SITE_NAME --type=merge -p "{\"spec\": { \"tlsSecretRef\": \"$CERTIFICATE_NAME\"}}"
4. Optional: Force ingress-nginx to reload certificates
In some cases, the certificate is not used right away by ingress-nginx and you have to reset the ingress controller.
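A pre-flight check worth running on tls.crt and tls.key before step 1, so that a mismatched key, an expiring certificate or a missing domain is caught before the site starts serving it. This is an added example, not part of the Presslabs documentation. The helper name check_tls_pair and the example.com domains are assumptions, and it expects OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight check for the tls.crt / tls.key pair from step 1.
# check_tls_pair is a hypothetical helper name; assumes OpenSSL 1.1.1+ on PATH.
# Usage: sh check-tls.sh tls.crt tls.key example.com www.example.com
check_tls_pair() {
    crt=$1; key=$2; shift 2

    # Both files must parse as PEM. Only the first certificate in the bundle
    # (the leaf) is inspected; intermediates should follow it in tls.crt.
    openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "FAIL: $crt is not a PEM certificate" >&2; return 1; }
    # "-passin pass:" stops OpenSSL from prompting if the key is encrypted.
    openssl pkey -in "$key" -noout -passin pass: 2>/dev/null ||
        { echo "FAIL: $key is not an unencrypted PEM private key" >&2; return 1; }

    # The private key must belong to the leaf certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass:)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt" >&2; return 1; }

    # Reject a certificate that is expired or expires within 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "FAIL: $crt expires within 24 hours" >&2; return 1; }

    # Every domain from the Routing section must be covered by the certificate.
    for domain in "$@"; do
        openssl x509 -in "$crt" -noout -checkhost "$domain" |
            grep -q "does match" ||
            { echo "FAIL: $crt does not cover $domain" >&2; return 1; }
    done
    echo "OK: $crt and $key are consistent"
}

# Run the check when the script is called with a cert, a key and domains.
if [ "$#" -ge 3 ]; then check_tls_pair "$@"; fi
```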
How to re-enable the managed certificates
If you want to use the certificates managed by Cert Manager again, run the following command to remove the annotation from your site:
kubectl -n $PROJECT_NS annotate wp $SITE_NAME site.presslabs.com/custom-certificate-