Maison/AliExpress/Certificates.md
2026-02-10 12:12:11 +01:00

Setting Up HTTPS for naval.lan with Traefik (Kubernetes)

This guide explains how to set up HTTPS for your local domain naval.lan using Traefik in Kubernetes without certificate warnings on Windows and Linux clients.

Overview

To avoid self-signed certificate warnings, you need to:

  1. Create your own Certificate Authority (CA)
  2. Generate SSL certificates signed by your CA
  3. Configure Traefik to use these certificates
  4. Install the CA certificate on all client machines

Part 1: Create Your Own Certificate Authority

1.1. Generate CA Private Key and Certificate

On your Linux server or workstation:

# Create a directory for certificates
mkdir -p ~/certs/naval-ca
cd ~/certs/naval-ca

# Generate CA private key (4096-bit RSA); add -aes256 to protect it with a passphrase
openssl genrsa -out ca-key.pem 4096

# Generate CA certificate (valid for 10 years)
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem \
  -subj "/C=US/ST=State/L=City/O=Naval Local CA/OU=IT/CN=Naval Local Root CA"

# Confirm the certificate is marked as a CA; Windows and Chrome refuse a root without it
openssl x509 -in ca-cert.pem -noout -text | grep -A1 "Basic Constraints"

With the stock openssl.cnf, req -x509 applies its v3_ca section and the check prints CA:TRUE. If it prints nothing, regenerate the certificate with -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" added to the command above (OpenSSL 1.1.1 or newer).

Important: Keep ca-key.pem secure! Anyone holding this key can issue a certificate for any hostname, and every client that trusts ca-cert.pem will accept it without a warning. Treat it as the root CA private key it is.

Part 2: Generate SSL Certificate for naval.lan

2.1. Create OpenSSL Configuration File

Create a file named naval-lan.conf. Besides the Subject Alternative Names (browsers ignore the CN and require a SAN), the req_ext section marks the certificate as a non-CA TLS server certificate; the serverAuth EKU is mandatory on Apple clients and harmless everywhere else:

cat > naval-lan.conf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = State
L = City
O = Naval Local
OU = IT Department
CN = *.naval.lan

[req_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = naval.lan
DNS.2 = *.naval.lan
DNS.3 = localhost
IP.1 = 127.0.0.1
EOF

DNS.3 and IP.1 are only useful when you test through a kubectl port-forward on the workstation; remove them otherwise. Note that *.naval.lan matches exactly one label: myapp.naval.lan is covered, a.b.naval.lan is not.

2.2. Generate Certificate Signing Request (CSR)

# Generate private key for naval.lan
openssl genrsa -out naval-lan-key.pem 2048

# Generate CSR
openssl req -new -key naval-lan-key.pem -out naval-lan.csr -config naval-lan.conf

2.3. Sign the Certificate with Your CA

# Sign the certificate (valid for 2 years). -extensions/-extfile are required:
# openssl x509 -req does not copy the SAN and other extensions from the CSR by itself
openssl x509 -req -in naval-lan.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out naval-lan-cert.pem -days 730 \
  -extensions req_ext -extfile naval-lan.conf

# Verify the certificate chains to your CA and carries the SAN
openssl verify -CAfile ca-cert.pem naval-lan-cert.pem
openssl x509 -in naval-lan-cert.pem -noout -text | grep -A1 "Subject Alternative Name"
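The whole of Parts 1 and 2 as one script, added here as an example and not taken from the original page. It differs from the commands above in three deliberate ways: the CA extensions come from a config file of its own rather than the host's openssl.cnf, the CA carries a nameConstraints extension so that a leaked CA key can only mint certificates for naval.lan and its subdomains, and the leaf gets CA:FALSE, keyUsage and a serverAuth EKU. The check_cert function runs the checks a client performs before trusting the certificate (chain, hostname under wildcard rules, expiry, EKU, non-CA), and sign_leaf can be run again later for the renewal in Part 6. File names, subject names and the scratch directory are assumptions; the only dependency is openssl.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: Parts 1-2 as a script, plus the
# checks a client performs before trusting the result. Requires openssl.
set -eu

# make_ca DIR: root CA. Extensions come from our own config file instead of
# the host's openssl.cnf, so the result is identical on every machine.
# nameConstraints is an addition to the page's recipe: even if ca-key.pem
# leaks, certificates it signs are only accepted for naval.lan and below.
make_ca() {
  local dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Naval Local CA
CN = Naval Local Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:naval.lan
EOF
  openssl genrsa -out "$dir/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca-key.pem" \
    -out "$dir/ca-cert.pem" -config "$dir/ca.conf"
}

# make_csr DIR: leaf key + CSR. Compared with the page's naval-lan.conf this
# adds CA:FALSE, keyUsage and the serverAuth EKU (required by Apple clients)
# and omits localhost/127.0.0.1, which the name constraint above would reject.
make_csr() {
  local dir=$1
  cat > "$dir/naval-lan.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
O = Naval Local
CN = *.naval.lan
[req_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = naval.lan
DNS.2 = *.naval.lan
EOF
  openssl genrsa -out "$dir/naval-lan-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/naval-lan-key.pem" \
    -out "$dir/naval-lan.csr" -config "$dir/naval-lan.conf"
}

# sign_leaf DIR [DAYS]: issue the leaf from the stored CSR. Running it again
# later is the renewal of Part 6: same key and SANs, new validity period.
sign_leaf() {
  local dir=$1 days=${2:-730}
  openssl x509 -req -in "$dir/naval-lan.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/naval-lan-cert.pem" \
    -days "$days" -extensions req_ext -extfile "$dir/naval-lan.conf" 2>/dev/null
}

# check_cert CA LEAF HOST: succeed only if LEAF chains to CA (name constraints
# included), covers HOST under browser wildcard rules, is unexpired and is a
# non-CA TLS server certificate. Every failing check prints its name.
check_cert() {
  local ca=$1 leaf=$2 host=$3 rc=0 text
  text=$(openssl x509 -in "$leaf" -noout -text)
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "chain: FAIL"; rc=1; }
  openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "hostname: FAIL ($host)"; rc=1; }
  openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null \
    || { echo "expiry: FAIL"; rc=1; }
  echo "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "eku: FAIL"; rc=1; }
  echo "$text" | grep -q "CA:FALSE" \
    || { echo "basicConstraints: FAIL"; rc=1; }
  return $rc
}

# Demo: scratch directory; point WORK at ~/certs/naval-ca for the real thing.
WORK=$(mktemp -d)
make_ca "$WORK"
make_csr "$WORK"
sign_leaf "$WORK" 730
check_cert "$WORK/ca-cert.pem" "$WORK/naval-lan-cert.pem" myapp.naval.lan
echo "CA and certificate written to $WORK"
```

check_cert exits non-zero and names each failing check, so it doubles as a pre-flight test before you install anything on clients; a.b.naval.lan, for instance, fails the hostname check because the wildcard only covers one label. The name constraint is the one security decision worth copying into the hand-run procedure above: it is enforced by Windows, Chrome and Firefox, and it turns "whoever steals the CA key can impersonate any website" into "can impersonate hosts under naval.lan".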

Part 3: Configure Traefik in Kubernetes

3.1. Create Kubernetes Secret with Certificates

An IngressRoute can only reference a TLS secret in its own namespace, so create the secret in the namespace where your applications' IngressRoutes live (default in the examples below). Create it in Traefik's namespace only if you intend to point a TLSStore at it as a cluster-wide default certificate.

# Create a namespace for Traefik (if not exists)
kubectl create namespace traefik --dry-run=client -o yaml | kubectl apply -f -

# Create secret with your certificate and private key, in the namespace of your IngressRoutes
kubectl create secret tls naval-lan-tls \
  --cert=naval-lan-cert.pem \
  --key=naval-lan-key.pem \
  -n default

# Confirm the secret holds the certificate you expect
kubectl get secret naval-lan-tls -n default -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -enddate

3.2. Update Traefik Configuration

Create or update your Traefik Helm values file (traefik-values.yaml). The chart already enables the Kubernetes CRD provider and defines the web (:80) and websecure (:443) entry points, so the only change needed is to turn on TLS for websecure:

# traefik-values.yaml
ports:
  web:
    exposedPort: 80
  websecure:
    exposedPort: 443
    tls:
      enabled: true

Leave the container ports (ports.web.port and ports.websecure.port) at the chart defaults of 8000 and 8443: the chart runs Traefik as a non-root user with all capabilities dropped, which cannot bind ports below 1024, and exposedPort is what the Service presents to clients anyway. There is also no need to mount the secret into the Traefik pod or to enable persistence: the IngressRoute below references the secret through the Kubernetes API, and persistence only matters for ACME storage, which this setup does not use.

3.3. Create IngressRoute for Your Services

Example IngressRoute configuration. Use the traefik.io/v1alpha1 API group: it replaced traefik.containo.us/v1alpha1 in Traefik v2.10, and the old group no longer exists in Traefik v3. The TLS secret must be in the same namespace as the IngressRoute that references it:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-ingressroute
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`myapp.naval.lan`)
      kind: Rule
      services:
        - name: myapp-service
          port: 80
  tls:
    secretName: naval-lan-tls   # must exist in this IngressRoute's namespace
---
# Optional: HTTP to HTTPS redirect. The middleware answers before the service
# is contacted, so myapp-service is never reached over plain HTTP.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-http-redirect
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`myapp.naval.lan`)
      kind: Rule
      services:
        - name: myapp-service
          port: 80
      middlewares:
        - name: redirect-to-https
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true

3.4. Apply Traefik Configuration

# If using Helm: register the chart repository once, then install or upgrade
helm repo add traefik https://traefik.github.io/charts
helm repo update
helm upgrade --install traefik traefik/traefik \
  -n traefik --create-namespace \
  -f traefik-values.yaml

# Apply IngressRoute
kubectl apply -f ingressroute.yaml

# Confirm Traefik serves your certificate (needs the DNS or hosts entry from Part 5).
# An issuer of "TRAEFIK DEFAULT CERT" means the secret is not being used.
openssl s_client -connect myapp.naval.lan:443 -servername myapp.naval.lan </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
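A cluster-wide alternative to naming the secret in every IngressRoute, added here as an example and not part of the original page: a TLSStore named default makes naval-lan-tls Traefik's default certificate, so any IngressRoute that merely enables TLS is served the wildcard certificate. Traefik honours only the TLS store named default, and it resolves the secret in the TLSStore's own namespace, so this form assumes naval-lan-tls was created in the traefik namespace; myapp-service and the default namespace are assumptions as well.

```yaml
# Added example (not from the original page): make naval-lan-tls Traefik's
# default certificate so IngressRoutes need no secretName. Assumes the secret
# exists in the traefik namespace and myapp-service exists in default.
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default              # Traefik only honours the TLS store named "default"
  namespace: traefik         # the secret is looked up in this namespace
spec:
  defaultCertificate:
    secretName: naval-lan-tls
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-ingressroute
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`myapp.naval.lan`)
      kind: Rule
      services:
        - name: myapp-service
          port: 80
  tls: {}                    # TLS on; with no secretName the store's default certificate is served
```

Apply it with kubectl apply -f and confirm with openssl s_client that the issuer is Naval Local Root CA rather than TRAEFIK DEFAULT CERT. Because the certificate is a wildcard for *.naval.lan, one TLSStore covers every application namespace; the per-IngressRoute secretName form in 3.3 remains the right choice when different hosts need different certificates.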

Part 4: Install CA Certificate on Client Machines

4.1. Linux Clients

Ubuntu/Debian:

# Copy ca-cert.pem to your Linux client (must be PEM and end in .crt to be picked up)
sudo cp ca-cert.pem /usr/local/share/ca-certificates/naval-ca.crt

# Update CA certificates
sudo update-ca-certificates

# Verify against the system store (no -CAfile, otherwise you only test the file you just copied).
# -servername sends SNI, which Traefik needs to pick the right certificate. Expect "Verify return code: 0 (ok)".
openssl s_client -connect myapp.naval.lan:443 -servername myapp.naval.lan </dev/null | grep "Verify return code"

RHEL/CentOS/Fedora:

# Copy ca-cert.pem to your Linux client
sudo cp ca-cert.pem /etc/pki/ca-trust/source/anchors/naval-ca.crt

# Update CA certificates
sudo update-ca-trust

# Verify (expect "Verify return code: 0 (ok)")
openssl s_client -connect myapp.naval.lan:443 -servername myapp.naval.lan </dev/null | grep "Verify return code"

These steps cover curl, wget, Python and most command-line tools. Chrome and Chromium on Linux do not read the system store; they keep their own NSS database in ~/.pki/nssdb, so add the CA there as well (certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Naval Local Root CA" -i ca-cert.pem, with certutil from the libnss3-tools or nss-tools package) or import it through the browser's certificate settings.

For Firefox (uses its own certificate store):

  1. Open Firefox
  2. Go to Settings → Privacy & Security
  3. Scroll to Certificates → Click View Certificates
  4. Go to Authorities tab
  5. Click Import
  6. Select ca-cert.pem
  7. Check "Trust this CA to identify websites"
  8. Click OK

4.2. Windows Clients

Method 1: Using the Certificate Import Wizard

  1. Copy ca-cert.pem to your Windows machine
  2. Rename it to ca-cert.crt (optional, so Explorer recognises it as a certificate)
  3. Right-click on ca-cert.crt → Install Certificate
  4. Choose Local Machine (requires admin rights; Current User is enough if only your own account needs it)
  5. Click Next
  6. Select Place all certificates in the following store
  7. Click Browse → Select Trusted Root Certification Authorities
  8. Click Next → Finish
  9. Click Yes on the security warning

Chrome, Edge, curl and PowerShell all use the Windows certificate store, so this is all they need; Firefox is handled separately below.

Method 2: Using Command Line (Admin PowerShell)

# Import certificate to Trusted Root CA store
Import-Certificate -FilePath "C:\path\to\ca-cert.pem" -CertStoreLocation Cert:\LocalMachine\Root

# Verify
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Naval*"}

Method 3: Using certutil (Command Prompt as Admin)

certutil -addstore -f "ROOT" ca-cert.pem

For Firefox on Windows:

Same steps as Linux Firefox above. Alternatively, set security.enterprise_roots.enabled to true in about:config: Firefox then trusts the roots in the Windows Trusted Root Certification Authorities store and no separate import is needed.

4.3. Verify Installation

Linux:

# Test with curl (uses the system store; must return the page, not a certificate error)
curl -v https://myapp.naval.lan

# Test with openssl (expect "Verify return code: 0 (ok)")
openssl s_client -connect myapp.naval.lan:443 -servername myapp.naval.lan -showcerts </dev/null

Windows:

# Test with PowerShell
Invoke-WebRequest -Uri https://myapp.naval.lan

# Or use browser
# Navigate to https://myapp.naval.lan

Part 5: DNS Configuration

Ensure your clients can resolve naval.lan domains:

5.1. Option 1: Local DNS Server

Set up a local DNS server (dnsmasq, Pi-hole, or Windows DNS) with a wildcard record:

*.naval.lan → [Traefik Ingress IP]

With dnsmasq this is the single line address=/naval.lan/192.168.1.100 (for example in /etc/dnsmasq.d/naval.conf), which answers for naval.lan and every name under it. Pi-hole runs dnsmasq underneath and accepts the same line.

5.2. Option 2: Hosts File

Linux: /etc/hosts

sudo nano /etc/hosts

Windows: C:\Windows\System32\drivers\etc\hosts (as Administrator)

notepad C:\Windows\System32\drivers\etc\hosts

Add entries:

192.168.1.100  myapp.naval.lan
192.168.1.100  dashboard.naval.lan

Replace 192.168.1.100 with your Traefik ingress IP.

Part 6: Certificate Renewal

Your certificates will expire. Check how long is left; the second command exits non-zero if the certificate expires within the next 30 days, so it can drive a cron job or an alert:

openssl x509 -in naval-lan-cert.pem -noout -enddate
openssl x509 -in naval-lan-cert.pem -noout -checkend 2592000

To renew:

cd ~/certs/naval-ca

# Generate new CSR (or reuse the existing naval-lan.csr: the key and SANs are unchanged)
openssl req -new -key naval-lan-key.pem -out naval-lan-new.csr -config naval-lan.conf

# Sign with CA
openssl x509 -req -in naval-lan-new.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out naval-lan-cert-new.pem -days 730 \
  -extensions req_ext -extfile naval-lan.conf

# Update the Kubernetes secret in place, in the namespace of the IngressRoute that references it
kubectl create secret tls naval-lan-tls \
  --cert=naval-lan-cert-new.pem \
  --key=naval-lan-key.pem \
  -n default \
  --dry-run=client -o yaml | kubectl apply -f -

# Traefik's Kubernetes provider watches Secrets and reloads the certificate by itself.
# Restart the pods only if a check against the server still shows the old expiry date.
kubectl rollout restart deployment traefik -n traefik

Troubleshooting

Certificate not trusted after installation

  • Clear browser cache: Some browsers cache certificate validation
  • Restart browser: Required for Chrome/Edge on Windows
  • Check certificate chain: openssl s_client -connect myapp.naval.lan:443 -servername myapp.naval.lan -showcerts (an issuer of "TRAEFIK DEFAULT CERT" means Traefik is not serving your secret)

"NET::ERR_CERT_AUTHORITY_INVALID" error

  • Verify CA certificate is in the correct store
  • On Windows, ensure it's in "Trusted Root Certification Authorities", not "Intermediate"
  • Check that the certificate's Subject Alternative Names include your domain: openssl x509 -in naval-lan-cert.pem -noout -checkhost myapp.naval.lan (remember the wildcard covers one label only)

Firefox still shows warning

  • Firefox uses its own certificate store on all platforms
  • Must import CA certificate directly into Firefox

Certificate expired

  • Check certificate validity: openssl x509 -in naval-lan-cert.pem -noout -dates
  • Follow renewal steps in Part 6

Security Considerations

  1. Protect your CA private key (ca-key.pem):

    • Store it securely, ideally offline; it is only needed when signing or renewing a certificate
    • Encrypt it with a passphrase (openssl genrsa -aes256 ...)
    • Keep backups in secure locations
    • Remember the blast radius: whoever holds this key can mint a certificate for any site, and every client that trusts ca-cert.pem will accept it silently. A nameConstraints extension on the CA certificate restricting it to naval.lan limits a leaked key to that domain and is enforced by Windows, Chrome and Firefox
  2. Certificate validity period:

    • Don't make it too long (2 years max recommended; Apple devices refuse TLS server certificates valid for more than 825 days)
    • Set up calendar reminders for renewal, or monitor expiry with openssl x509 -checkend
  3. Access control:

    • Only install the CA certificate on machines you control
    • Don't share your CA private key
  4. Network isolation:

    • Keep your .lan domain isolated from the internet
    • Use firewall rules to prevent external access

Quick Reference Commands

# Check certificate details
openssl x509 -in naval-lan-cert.pem -text -noout

# Test HTTPS connection
curl -v https://myapp.naval.lan

# View installed CA on Linux
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i naval

# View installed CA on Windows (PowerShell)
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Naval*"}

# Get Traefik ingress IP
kubectl get svc -n traefik traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Created: January 9, 2026
Last Updated: January 9, 2026