easylinux/Maison
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initialisation depot

Browse Source
This commit is contained in:
Serge NOEL
2026-02-10 12:12:11 +01:00
commit c3176e8d79
818 changed files with 52573 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

423
AliExpress/Certificates.md Normal file
View File

@@ -0,0 +1,423 @@
# Setting Up HTTPS for naval.lan with Traefik (Kubernetes)
This guide explains how to set up HTTPS for your local domain `naval.lan` using Traefik in Kubernetes without certificate warnings on Windows and Linux clients.
## Overview
To avoid self-signed certificate warnings, you need to:
1. Create your own Certificate Authority (CA)
2. Generate SSL certificates signed by your CA
3. Configure Traefik to use these certificates
4. Install the CA certificate on all client machines
## Part 1: Create Your Own Certificate Authority
### 1.1. Generate CA Private Key and Certificate
On your Linux server or workstation:
```bash
# Create a directory for certificates
mkdir -p ~/certs/naval-ca
cd ~/certs/naval-ca
# Generate CA private key (4096-bit RSA)
openssl genrsa -out ca-key.pem 4096
# Generate CA certificate (valid for 10 years)
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem \
-subj "/C=US/ST=State/L=City/O=Naval Local CA/OU=IT/CN=Naval Local Root CA"
```
**Important**: Keep `ca-key.pem` secure! This is your root CA private key.
## Part 2: Generate SSL Certificate for naval.lan
### 2.1. Create OpenSSL Configuration File
Create a file named `naval-lan.conf`:
```bash
cat > naval-lan.conf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = US
ST = State
L = City
O = Naval Local
OU = IT Department
CN = *.naval.lan
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = naval.lan
DNS.2 = *.naval.lan
DNS.3 = localhost
IP.1 = 127.0.0.1
EOF
```
### 2.2. Generate Certificate Signing Request (CSR)
```bash
# Generate private key for naval.lan
openssl genrsa -out naval-lan-key.pem 2048
# Generate CSR
openssl req -new -key naval-lan-key.pem -out naval-lan.csr -config naval-lan.conf
```
### 2.3. Sign the Certificate with Your CA
```bash
# Sign the certificate (valid for 2 years)
openssl x509 -req -in naval-lan.csr -CA ca-cert.pem -CAkey ca-key.pem \
-CAcreateserial -out naval-lan-cert.pem -days 730 \
-extensions req_ext -extfile naval-lan.conf
# Verify the certificate
openssl x509 -in naval-lan-cert.pem -text -noout
```
## Part 3: Configure Traefik in Kubernetes
### 3.1. Create Kubernetes Secret with Certificates
```bash
# Create a namespace for Traefik (if not exists)
kubectl create namespace traefik --dry-run=client -o yaml | kubectl apply -f -
# Create secret with your certificates
kubectl create secret tls naval-lan-tls \
--cert=naval-lan-cert.pem \
--key=naval-lan-key.pem \
-n traefik
```
### 3.2. Update Traefik Configuration
Create or update your Traefik Helm values file (`traefik-values.yaml`):
```yaml
# traefik-values.yaml
additionalArguments:
- "--providers.kubernetescrd"
- "--entrypoints.websecure.http.tls=true"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
ports:
web:
port: 80
exposedPort: 80
websecure:
port: 443
exposedPort: 443
tls:
enabled: true
# Mount the TLS certificate
volumes:
- name: naval-lan-tls
mountPath: "/certs"
type: secret
persistence:
enabled: true
```
### 3.3. Create IngressRoute for Your Services
Example IngressRoute configuration:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: myapp-ingressroute
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`myapp.naval.lan`)
kind: Rule
services:
- name: myapp-service
port: 80
tls:
secretName: naval-lan-tls
---
# Optional: HTTP to HTTPS redirect
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: myapp-http-redirect
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`myapp.naval.lan`)
kind: Rule
services:
- name: myapp-service
port: 80
middlewares:
- name: redirect-to-https
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-to-https
namespace: default
spec:
redirectScheme:
scheme: https
permanent: true
```
### 3.4. Apply Traefik Configuration
```bash
# If using Helm
helm upgrade --install traefik traefik/traefik \
-n traefik \
-f traefik-values.yaml
# Apply IngressRoute
kubectl apply -f ingressroute.yaml
```
## Part 4: Install CA Certificate on Client Machines
### 4.1. Linux Clients
#### Ubuntu/Debian:
```bash
# Copy ca-cert.pem to your Linux client
sudo cp ca-cert.pem /usr/local/share/ca-certificates/naval-ca.crt
# Update CA certificates
sudo update-ca-certificates
# Verify
openssl s_client -connect myapp.naval.lan:443 -CAfile /usr/local/share/ca-certificates/naval-ca.crt
```
#### RHEL/CentOS/Fedora:
```bash
# Copy ca-cert.pem to your Linux client
sudo cp ca-cert.pem /etc/pki/ca-trust/source/anchors/naval-ca.crt
# Update CA certificates
sudo update-ca-trust
# Verify
openssl s_client -connect myapp.naval.lan:443
```
#### For Firefox (uses its own certificate store):
1. Open Firefox
2. Go to **Settings****Privacy & Security**
3. Scroll to **Certificates** → Click **View Certificates**
4. Go to **Authorities** tab
5. Click **Import**
6. Select `ca-cert.pem`
7. Check "Trust this CA to identify websites"
8. Click OK
### 4.2. Windows Clients
#### Method 1: Using MMC (Microsoft Management Console)
1. Copy `ca-cert.pem` to your Windows machine
2. Rename it to `ca-cert.crt` (optional, for easier recognition)
3. Right-click on `ca-cert.crt`**Install Certificate**
4. Choose **Local Machine** (requires admin rights)
5. Click **Next**
6. Select **Place all certificates in the following store**
7. Click **Browse** → Select **Trusted Root Certification Authorities**
8. Click **Next****Finish**
9. Click **Yes** on the security warning
#### Method 2: Using Command Line (Admin PowerShell)
```powershell
# Import certificate to Trusted Root CA store
Import-Certificate -FilePath "C:\path\to\ca-cert.pem" -CertStoreLocation Cert:\LocalMachine\Root
# Verify
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Naval*"}
```
#### Method 3: Using certutil (Command Prompt as Admin)
```cmd
certutil -addstore -f "ROOT" ca-cert.pem
```
#### For Firefox on Windows:
Same steps as Linux Firefox above.
### 4.3. Verify Installation
#### Linux:
```bash
# Test with curl
curl -v https://myapp.naval.lan
# Test with openssl
openssl s_client -connect myapp.naval.lan:443 -showcerts
```
#### Windows:
```powershell
# Test with PowerShell
Invoke-WebRequest -Uri https://myapp.naval.lan
# Or use browser
# Navigate to https://myapp.naval.lan
```
## Part 5: DNS Configuration
Ensure your clients can resolve `naval.lan` domains:
### 5.1. Option 1: Local DNS Server (Recommended)
Set up a local DNS server (dnsmasq, Pi-hole, or Windows DNS) with:
```
*.naval.lan → [Traefik Ingress IP]
```
### 5.2. Option 2: Hosts File
#### Linux: `/etc/hosts`
```bash
sudo nano /etc/hosts
```
#### Windows: `C:\Windows\System32\drivers\etc\hosts` (as Administrator)
```
notepad C:\Windows\System32\drivers\etc\hosts
```
Add entries:
```
192.168.1.100 myapp.naval.lan
192.168.1.100 dashboard.naval.lan
```
Replace `192.168.1.100` with your Traefik ingress IP.
## Part 6: Certificate Renewal
Your certificates will expire. To renew:
```bash
cd ~/certs/naval-ca
# Generate new CSR (or reuse existing key)
openssl req -new -key naval-lan-key.pem -out naval-lan-new.csr -config naval-lan.conf
# Sign with CA
openssl x509 -req -in naval-lan-new.csr -CA ca-cert.pem -CAkey ca-key.pem \
-CAcreateserial -out naval-lan-cert-new.pem -days 730 \
-extensions req_ext -extfile naval-lan.conf
# Update Kubernetes secret
kubectl create secret tls naval-lan-tls \
--cert=naval-lan-cert-new.pem \
--key=naval-lan-key.pem \
-n traefik \
--dry-run=client -o yaml | kubectl apply -f -
# Restart Traefik pods to reload certificate
kubectl rollout restart deployment traefik -n traefik
```
## Troubleshooting
### Certificate not trusted after installation
- **Clear browser cache**: Some browsers cache certificate validation
- **Restart browser**: Required for Chrome/Edge on Windows
- **Check certificate chain**: `openssl s_client -connect myapp.naval.lan:443 -showcerts`
### "NET::ERR_CERT_AUTHORITY_INVALID" error
- Verify CA certificate is in the correct store
- On Windows, ensure it's in "Trusted Root Certification Authorities", not "Intermediate"
- Check that the certificate's Subject Alternative Names include your domain
### Firefox still shows warning
- Firefox uses its own certificate store on all platforms
- Must import CA certificate directly into Firefox
### Certificate expired
- Check certificate validity: `openssl x509 -in naval-lan-cert.pem -noout -dates`
- Follow renewal steps in Part 6
## Security Considerations
1. **Protect your CA private key** (`ca-key.pem`):
- Store it securely
- Consider encrypting it with a passphrase
- Keep backups in secure locations
2. **Certificate validity period**:
- Don't make it too long (2 years max recommended)
- Set up calendar reminders for renewal
3. **Access control**:
- Only install the CA certificate on machines you control
- Don't share your CA private key
4. **Network isolation**:
- Keep your `.lan` domain isolated from the internet
- Use firewall rules to prevent external access
## Quick Reference Commands
```bash
# Check certificate details
openssl x509 -in naval-lan-cert.pem -text -noout
# Test HTTPS connection
curl -v https://myapp.naval.lan
# View installed CA on Linux
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i naval
# View installed CA on Windows (PowerShell)
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Naval*"}
# Get Traefik ingress IP
kubectl get svc -n traefik traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
```
## Additional Resources
- [Traefik Documentation](https://doc.traefik.io/traefik/)
- [OpenSSL Documentation](https://www.openssl.org/docs/)
- [Kubernetes TLS Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
---
**Created**: January 9, 2026
**Last Updated**: January 9, 2026