infrastructure:tls-certificates

Differences

This shows you the differences between two versions of the page.

infrastructure:tls-certificates [2026/02/06 20:08] – Document TLS/SSL setup with Let's Encrypt admin
infrastructure:tls-certificates [2026/02/07 10:39] (current) – Simplified admin
Line 1: Line 1:
-====== TLS / SSL Certificates ======+====== TLS Certificates ======
  
-Configured: 2026-02-06+Wildcard cert for ''*.home.miskam.xyz'' via Let's Encrypt + Cloudflare DNS challenge.
  
-===== Overview =====+===== Traefik Config =====
  
-All internal services use valid Lets Encrypt certificates via Cloudflare DNS challenge.+  * Config: ''/etc/traefik/traefik.yaml'' 
 +  * Routes: ''/etc/traefik/conf.d/automation.yml'' 
 +  * CF Token: ''/etc/systemd/system/traefik.service.d/cloudflare.conf''
  
-===== Domain Structure =====+Auto-renewal every 90 days.
  
-^ Type ^ Domain ^ Target ^ 
-| Wildcard | *.home.miskam.xyz | 10.100.161.102 (Traefik) | 
-| Public | burgenlandkreis.events | WAN (existing) | 
- 
-===== Services ===== 
- 
-^ Service ^ URL ^ 
-| n8n | https://n8n.home.miskam.xyz | 
-| Vaultwarden | https://vault.home.miskam.xyz | 
-| DokuWiki | https://wiki.home.miskam.xyz | 
-| Uptime Kuma | https://status.home.miskam.xyz | 
-| Checkmk | https://monitoring.home.miskam.xyz | 
- 
-Legacy URLs (*.srv.internal) still work but use self-signed certificates. 
- 
-===== Architecture ===== 
- 
-<code> 
-Internet/VPN 
-     | 
-     v 
-*.home.miskam.xyz (Cloudflare DNS → 10.100.161.102) 
-     | 
-     v 
-┌─────────────────────────────────────────┐ 
-│           Traefik (CT 102)              │ 
-│  - Lets Encrypt via DNS Challenge       │ 
-│  - Wildcard cert: *.home.miskam.xyz     │ 
-│  - Auto-renewal                         │ 
-└─────────────────────────────────────────┘ 
-     | 
-     v 
-Backend Services (CT 110-115) 
-</code> 
- 
-===== Certificate Details ===== 
- 
-  * **Issuer:** Lets Encrypt R12 
-  * **Type:** Wildcard 
-  * **Domain:** *.home.miskam.xyz 
-  * **Valid:** 90 days (auto-renewed by Traefik) 
-  * **Challenge:** DNS-01 via Cloudflare API 
- 
-===== Configuration Files ===== 
- 
-^ File ^ Purpose ^ 
-| /etc/traefik/traefik.yaml | Main config with ACME/DNS settings | 
-| /etc/traefik/conf.d/automation.yml | Service routes | 
-| /etc/traefik/ssl/acme.json | Certificate storage | 
-| /etc/systemd/system/traefik.service.d/cloudflare.conf | CF API token | 
- 
-===== Cloudflare Setup ===== 
- 
-  * **Zone:** miskam.xyz 
-  * **DNS Record:** *.home A 10.100.161.102 (not proxied) 
-  * **API Token:** Stored in Vaultwarden (Zone:DNS Edit permission) 
- 
-===== Adding New Services ===== 
- 
-1. Add route to /etc/traefik/conf.d/automation.yml: 
- 
-<code yaml> 
-    newservice: 
-      rule: "Host(`newservice.home.miskam.xyz`)" 
-      service: newservice 
-      entryPoints: 
-        - websecure 
-      tls: 
-        certResolver: letsencrypt 
-        domains: 
-          - main: "*.home.miskam.xyz" 
-</code> 
- 
-2. Add service backend: 
- 
-<code yaml> 
-    newservice: 
-      loadBalancer: 
-        servers: 
-          - url: "http://10.100.161.XXX:PORT" 
-</code> 
- 
-3. Traefik picks up changes automatically (file provider) 
- 
-===== Troubleshooting ===== 
- 
-<code bash> 
-# Check certificate status 
-cat /etc/traefik/ssl/acme.json | jq ".letsencrypt.Certificates[].domain" 
- 
-# Check Traefik logs 
-journalctl -u traefik -f 
- 
-# Test certificate 
-echo | openssl s_client -connect 10.100.161.102:443 -servername n8n.home.miskam.xyz 2>/dev/null | openssl x509 -noout -dates 
-</code> 
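Review bot: the new line "Auto-renewal every 90 days." in the simplified revision is imprecise, because 90 days is the certificate's validity period (as the removed bullet "Valid: 90 days (auto-renewed by Traefik)" stated) and Traefik renews before that expiry, so "Certificates are valid for 90 days and Traefik renews them automatically before expiry." would be accurate. The same revision also drops the ''/etc/traefik/ssl/acme.json'' row, the note that legacy ''*.srv.internal'' URLs still use self-signed certificates, and the whole Troubleshooting block; keep at least the acme.json path (Traefik requires that file to be mode 600) and the openssl s_client check, since those are what an operator needs when a renewal fails. For the "CF Token" line, the removed Cloudflare Setup section recorded that the API token is scoped to Zone:DNS Edit and also kept in Vaultwarden; carry that over and add that the systemd drop-in holding the token must be readable by root only.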
infrastructure/tls-certificates.1770408533.txt.gz · Last modified: by admin