Set up custom certificates for a site

We already take care of the certificate management, but if you want to use your own certificates you can do so by configuring them manually.

There is a one-to-one relationship between a certificate and a site. The certificates are managed by Cert Manager and are signed using Let's Encrypt, a free certificate provider.

NOTE

For now this feature is only available from the command line, so go ahead and connect to your cluster.

To make things easier, let's define some helpful constants that will simplify our commands: The Project Namespace and the Site Name. Both can be found in the Presslabs Dashboard on the Runtime page of the site.

PROJECT_NS=<your_namespace>
SITE_NAME=<your_site_name>

How to use custom certificates

To use a custom certificate, follow these steps:

1. Upload the certificates

The certificate should include all the Domain names from the Routing section.

You should have 2 files: one containing the private key (tls.key) and one containing the certificates bundle (tls.crt).

Both should be in PEM format. In other words, your certificate should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- and your key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

Let's name the new certificate (any name is good):

CERTIFICATE_NAME=$SITE_NAME-custom-tls

Create it.

kubectl -n $PROJECT_NS create secret tls $CERTIFICATE_NAME --cert=tls.crt --key=tls.key

2. Disable the certificate automatic management

To set a custom certificate, you have to tell Cert Manager not to generate a certificate for your site.

kubectl -n $PROJECT_NS annotate wp $SITE_NAME site.presslabs.com/custom-certificate=""

3. Set the new certificate

Once the certificate is uploaded, you can set it to be used by the site.

kubectl -n $PROJECT_NS patch wp $SITE_NAME --type=merge -p "{\"spec\": { \"tlsSecretRef\": \"$CERTIFICATE_NAME\"}}"

4. Optional: Force ingress-nginx to reload certificates

In some cases, the certificate is not used right away by ingress-nginx and you have to reset the ingress controller.
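
The file requirements from step 1 can be verified before the secret is created, so that a mismatched key or a missing domain is caught before the site serves it. The function below is an added example, not part of the Presslabs tooling; it assumes the openssl CLI is installed, and the domain names in its usage line are placeholders for the ones in your Routing section.

```shell
# Added example (not Presslabs code): pre-flight checks for the files
# passed to `kubectl create secret tls`. Requires the openssl CLI.
# Usage: check_tls_pair tls.crt tls.key example.com www.example.com
#   (placeholder domains; use the ones from the Routing section)
check_tls_pair() {
    crt=$1; key=$2; shift 2
    rc=0

    # Both files must parse as PEM. openssl reads the first certificate
    # in the bundle, so the site's own certificate has to come first.
    openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "FAIL: $crt is not a PEM certificate" >&2; return 1; }
    # An empty -passin avoids a passphrase prompt on an encrypted key.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "FAIL: $key is not a readable PEM private key" >&2; return 1; }

    # The private key must belong to the certificate: the public key
    # derived from each file has to be identical.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt" >&2; rc=1; }

    # The certificate must not be expired at the time of upload.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $crt has expired" >&2; rc=1; }

    # Every domain of the site must be covered by the certificate
    # (-checkhost applies the usual SAN and wildcard matching rules).
    for d in "$@"; do
        openssl x509 -in "$crt" -noout -checkhost "$d" |
            grep -q 'does match certificate' ||
            { echo "FAIL: $crt does not cover $d" >&2; rc=1; }
    done
    return $rc
}
```

A non-zero return value means at least one check failed; the reasons are printed to standard error.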

How to re-enable the managed certificates

If you want to go back to the certificates managed by Cert Manager, run the following command to remove the annotation from your site:

kubectl -n $PROJECT_NS annotate wp $SITE_NAME site.presslabs.com/custom-certificate-
