TLS / SSL Certificates
Configured: 2026-02-06
Overview
All internal services use valid Let's Encrypt certificates obtained through the Cloudflare DNS challenge.
Domain Structure
| Type | Domain | Target |
|---|---|---|
| Wildcard | *.home.miskam.xyz | 10.100.161.102 (Traefik) |
| Public | burgenlandkreis.events | WAN (existing) |
Services
| Service | URL |
|---|---|
| n8n | https://n8n.home.miskam.xyz |
| Vaultwarden | https://vault.home.miskam.xyz |
| DokuWiki | https://wiki.home.miskam.xyz |
| Uptime Kuma | https://status.home.miskam.xyz |
| Checkmk | https://monitoring.home.miskam.xyz |
Legacy URLs (*.srv.internal) still work but use self-signed certificates.
Architecture
```
Internet/VPN
     |
     v
*.home.miskam.xyz (Cloudflare DNS → 10.100.161.102)
     |
     v
┌─────────────────────────────────────────┐
│ Traefik (CT 102)                        │
│ - Let's Encrypt via DNS challenge       │
│ - Wildcard cert: *.home.miskam.xyz      │
│ - Auto-renewal                          │
└─────────────────────────────────────────┘
     |
     v
Backend Services (CT 110-115)
```
Certificate Details
- Issuer: Let's Encrypt R12
- Type: Wildcard
- Domain: *.home.miskam.xyz
- Valid: 90 days (auto-renewed by Traefik)
- Challenge: DNS-01 via Cloudflare API
Configuration Files
| File | Purpose |
|---|---|
| /etc/traefik/traefik.yaml | Main config with ACME/DNS settings |
| /etc/traefik/conf.d/automation.yml | Service routes |
| /etc/traefik/ssl/acme.json | Certificate storage |
| /etc/systemd/system/traefik.service.d/cloudflare.conf | CF API token |
Cloudflare Setup
- Zone: miskam.xyz
- DNS Record: *.home A 10.100.161.102 (not proxied)
- API Token: Stored in Vaultwarden (Zone:DNS Edit permission)
Adding New Services
1. Add route to /etc/traefik/conf.d/automation.yml:
```yaml
# Router entry (under http.routers in the dynamic config)
newservice:
  rule: "Host(`newservice.home.miskam.xyz`)"
  service: newservice
  entryPoints:
    - websecure
  tls:
    certResolver: letsencrypt
    domains:
      - main: "*.home.miskam.xyz"
```
2. Add service backend:
```yaml
# Service entry (under http.services); replace XXX and PORT with the container's address
newservice:
  loadBalancer:
    servers:
      - url: "http://10.100.161.XXX:PORT"
```
3. Traefik picks up changes automatically (file provider)
Troubleshooting
```bash
# Check certificate status
jq '.letsencrypt.Certificates[].domain' /etc/traefik/ssl/acme.json

# Check Traefik logs
journalctl -u traefik -f

# Test certificate
echo | openssl s_client -connect 10.100.161.102:443 -servername n8n.home.miskam.xyz 2>/dev/null \
  | openssl x509 -noout -dates
```
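The `openssl s_client` check above only looks at one hostname. The script below, an added example and not part of this wiki page or of Traefik, does the same SNI handshake against the Traefik IP and then audits the returned certificate: it applies proper wildcard matching (one label only, so `*.home.miskam.xyz` does not cover the legacy `*.srv.internal` names or a nested subdomain), and reports remaining lifetime against a 30-day renewal threshold, which is an assumed value rather than something stated on the page. The `SAMPLE_CERT` dict is constructed for offline use.

```python
import socket
import ssl
from datetime import datetime, timezone

TRAEFIK_IP = "10.100.161.102"  # Traefik (CT 102), from the domain table
SERVICE_HOSTS = [f"{n}.home.miskam.xyz" for n in ("n8n", "vault", "wiki", "status", "monitoring")]
RENEW_BEFORE_DAYS = 30  # assumed threshold; align with the resolver's actual renewal setting

def hostname_covered(hostname: str, sans: list[str]) -> bool:
    """True if a SAN matches; a wildcard replaces exactly one leftmost label (RFC 6125)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # "*.home.miskam.xyz" -> ".home.miskam.xyz"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False

def days_until_expiry(not_after: str, now: datetime) -> int:
    """not_after is the 'notAfter' string getpeercert() returns, e.g. 'May 17 12:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def audit(cert: dict, hostnames: list[str], now: datetime) -> dict:
    """Summarise SAN coverage and remaining lifetime for the hosts Traefik is expected to serve."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = days_until_expiry(cert["notAfter"], now)
    return {
        "sans": sans,
        "days_left": days_left,
        "renewal_overdue": days_left < RENEW_BEFORE_DAYS,
        "uncovered": [h for h in hostnames if not hostname_covered(h, sans)],
    }

def fetch_peer_cert(sni_host: str, ip: str = TRAEFIK_IP, port: int = 443) -> dict:
    """Same handshake as `openssl s_client -servername`: connect to the IP, send SNI, verify the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns; not a real issued certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.home.miskam.xyz"),),
    "notAfter": "May 17 12:00:00 2026 GMT",
}
```

For a live check run `audit(fetch_peer_cert("n8n.home.miskam.xyz"), SERVICE_HOSTS, datetime.now(timezone.utc))`; a verification failure during the handshake means Traefik served something other than the expected Let's Encrypt certificate for that SNI name.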
infrastructure/tls-certificates.1770408533.txt.gz · Last modified: by admin
