# Setting Up HTTPS for naval.lan with Traefik (Kubernetes)
This guide explains how to set up HTTPS for your local domain `naval.lan` using Traefik in Kubernetes without certificate warnings on Windows and Linux clients.
## Overview
To avoid self-signed certificate warnings, you need to:
1. Create your own Certificate Authority (CA)
2. Generate SSL certificates signed by your CA
3. Configure Traefik to use these certificates
4. Install the CA certificate on all client machines
## Part 1: Create Your Own Certificate Authority
### 1.1. Generate CA Private Key and Certificate
On your Linux server or workstation:
```bash
# Create a directory for certificates
mkdir -p ~/certs/naval-ca
cd ~/certs/naval-ca
# Generate CA private key (4096-bit RSA)
openssl genrsa -out ca-key.pem 4096
# Generate CA certificate (valid for 10 years)
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem \
-subj "/C=US/ST=State/L=City/O=Naval Local CA/OU=IT/CN=Naval Local Root CA"
```
**Important**: Keep `ca-key.pem` secure! This is your root CA private key.
## Part 2: Generate SSL Certificate for naval.lan
### 2.1. Create OpenSSL Configuration File
Create a file named `naval-lan.conf`:
```bash
cat > naval-lan.conf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = US
ST = State
L = City
O = Naval Local
OU = IT Department
CN = *.naval.lan
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = naval.lan
DNS.2 = *.naval.lan
DNS.3 = localhost
IP.1 = 127.0.0.1
EOF
```
### 2.2. Generate Certificate Signing Request (CSR)
```bash
# Generate private key for naval.lan
openssl genrsa -out naval-lan-key.pem 2048
# Generate CSR
openssl req -new -key naval-lan-key.pem -out naval-lan.csr -config naval-lan.conf
```
### 2.3. Sign the Certificate with Your CA
```bash
# Sign the certificate (valid for 2 years)
openssl x509 -req -in naval-lan.csr -CA ca-cert.pem -CAkey ca-key.pem \
-CAcreateserial -out naval-lan-cert.pem -days 730 \
-extensions req_ext -extfile naval-lan.conf
# Verify the certificate
openssl x509 -in naval-lan-cert.pem -text -noout
```
## Part 3: Configure Traefik in Kubernetes
### 3.1. Create Kubernetes Secret with Certificates
```bash
# Create a namespace for Traefik (if not exists)
kubectl create namespace traefik --dry-run=client -o yaml | kubectl apply -f -
# Create secret with your certificates
kubectl create secret tls naval-lan-tls \
--cert=naval-lan-cert.pem \
--key=naval-lan-key.pem \
-n traefik
```
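Before the certificate and key from Part 2 go into the `naval-lan-tls` secret, it is worth checking that they actually belong together, chain to the CA, cover the hostnames and are not close to expiry; a bad pair is only discovered later as a failed TLS handshake. The script below is an added example, not part of the original guide: `key_matches_cert` and `check_cert` are hypothetical helper names, `make_test_pki` builds a throw-away CA and leaf with the same openssl steps as Parts 1 and 2 so the checks can be exercised offline, and it assumes bash and `openssl` in `PATH`.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): pre-flight checks for the CA, server
# certificate and key before they are loaded into the naval-lan-tls secret.
set -u

# Does the private key belong to the certificate? A mismatch makes Traefik fail the TLS handshake.
key_matches_cert() {                     # $1 = cert.pem, $2 = key.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_cert <ca-cert.pem> <leaf-cert.pem> <hostname>: chains to our CA, SAN covers the
# host (exact or wildcard), is not itself a CA, and has more than 30 days left.
check_cert() {
  local ca="$1" leaf="$2" host="$3" text parent
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || { echo "$leaf: does not chain to $ca"; return 1; }
  text=$(openssl x509 -in "$leaf" -noout -text)
  parent="${host#*.}"                    # myapp.naval.lan -> naval.lan, for the *.naval.lan case
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
       | grep -qE "DNS:($host|\\*\\.$parent)([,[:space:]]|$)"; then
    echo "$leaf: no SAN entry covers $host"; return 1
  fi
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "$leaf: is a CA certificate, not a server certificate"; return 1
  fi
  openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null ||
    { echo "$leaf: expires within 30 days, renew it (Part 6)"; return 1; }
}

# Constructed throw-away PKI in directory $1, built with the guide's own openssl steps
# (self-signed CA, CSR with SAN from req_ext, leaf signed by the CA). Test data only.
make_test_pki() {
  local d="$1"; mkdir -p "$d"
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = req_ext' \
    'x509_extensions = v3_ca' '[dn]' 'CN = *.naval.lan' '[req_ext]' \
    'subjectAltName = DNS:naval.lan, DNS:*.naval.lan' '[v3_ca]' \
    'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' > "$d/naval-lan.conf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$d/naval-lan.conf" \
    -subj "/O=Naval Local CA/CN=Naval Local Root CA" -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/naval-lan.conf" \
    -keyout "$d/naval-lan-key.pem" -out "$d/naval-lan.csr" 2>/dev/null
  openssl x509 -req -in "$d/naval-lan.csr" -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -days 730 -sha256 -extensions req_ext -extfile "$d/naval-lan.conf" -out "$d/naval-lan-cert.pem" 2>/dev/null
}

# Stand-alone use: ./check-certs.sh ca-cert.pem naval-lan-cert.pem naval-lan-key.pem myapp.naval.lan
if [ $# -eq 4 ]; then
  key_matches_cert "$2" "$3" || { echo "$3 does not match $2"; exit 1; }
  check_cert "$1" "$2" "$4" && echo "OK: $2 and $3 are ready for the naval-lan-tls secret"
fi
```

Run it against the real `ca-cert.pem`, `naval-lan-cert.pem` and `naval-lan-key.pem` from Part 2 before `kubectl create secret tls`, and again after each renewal in Part 6.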
### 3.2. Update Traefik Configuration
Create or update your Traefik Helm values file (`traefik-values.yaml`):
```yaml
# traefik-values.yaml
additionalArguments:
  - "--providers.kubernetescrd"
  - "--entrypoints.websecure.http.tls=true"
  - "--entrypoints.web.address=:80"
  - "--entrypoints.websecure.address=:443"
ports:
  web:
    port: 80
    exposedPort: 80
  websecure:
    port: 443
    exposedPort: 443
    tls:
      enabled: true
# Mount the TLS certificate
volumes:
  - name: naval-lan-tls
    mountPath: "/certs"
    type: secret
persistence:
  enabled: true
```
### 3.3. Create IngressRoute for Your Services
Example IngressRoute configuration. Note that `tls.secretName` is looked up in the IngressRoute's own namespace, so for this `default`-namespace route the `naval-lan-tls` secret must also exist in `default` (create it there as in 3.1, or put the route in the `traefik` namespace):
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-ingressroute
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`myapp.naval.lan`)
      kind: Rule
      services:
        - name: myapp-service
          port: 80
  tls:
    secretName: naval-lan-tls
---
# Optional: HTTP to HTTPS redirect
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-http-redirect
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`myapp.naval.lan`)
      kind: Rule
      services:
        - name: myapp-service
          port: 80
      middlewares:
        - name: redirect-to-https
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
```
### 3.4. Apply Traefik Configuration
```bash
# If using Helm
helm upgrade --install traefik traefik/traefik \
-n traefik \
-f traefik-values.yaml
# Apply IngressRoute
kubectl apply -f ingressroute.yaml
```
## Part 4: Install CA Certificate on Client Machines
### 4.1. Linux Clients
#### Ubuntu/Debian:
```bash
# Copy ca-cert.pem to your Linux client
sudo cp ca-cert.pem /usr/local/share/ca-certificates/naval-ca.crt
# Update CA certificates
sudo update-ca-certificates
# Verify
openssl s_client -connect myapp.naval.lan:443 -CAfile /usr/local/share/ca-certificates/naval-ca.crt
```
#### RHEL/CentOS/Fedora:
```bash
# Copy ca-cert.pem to your Linux client
sudo cp ca-cert.pem /etc/pki/ca-trust/source/anchors/naval-ca.crt
# Update CA certificates
sudo update-ca-trust
# Verify
openssl s_client -connect myapp.naval.lan:443
```
#### For Firefox (uses its own certificate store):
1. Open Firefox
2. Go to **Settings** → **Privacy & Security**
3. Scroll to **Certificates** → Click **View Certificates**
4. Go to **Authorities** tab
5. Click **Import**
6. Select `ca-cert.pem`
7. Check "Trust this CA to identify websites"
8. Click OK
### 4.2. Windows Clients
#### Method 1: Using MMC (Microsoft Management Console)
1. Copy `ca-cert.pem` to your Windows machine
2. Rename it to `ca-cert.crt` (optional, for easier recognition)
3. Right-click on `ca-cert.crt` → **Install Certificate**
4. Choose **Local Machine** (requires admin rights)
5. Click **Next**
6. Select **Place all certificates in the following store**
7. Click **Browse** → Select **Trusted Root Certification Authorities**
8. Click **Next** → **Finish**
9. Click **Yes** on the security warning
#### Method 2: Using Command Line (Admin PowerShell)
```powershell
# Import certificate to Trusted Root CA store
Import-Certificate -FilePath "C:\path\to\ca-cert.pem" -CertStoreLocation Cert:\LocalMachine\Root
# Verify
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Naval*"}
```
#### Method 3: Using certutil (Command Prompt as Admin)
```cmd
certutil -addstore -f "ROOT" ca-cert.pem
```
#### For Firefox on Windows:
Same steps as Linux Firefox above.
### 4.3. Verify Installation
#### Linux:
```bash
# Test with curl
curl -v https://myapp.naval.lan
# Test with openssl
openssl s_client -connect myapp.naval.lan:443 -showcerts
```
#### Windows:
```powershell
# Test with PowerShell
Invoke-WebRequest -Uri https://myapp.naval.lan
# Or use browser
# Navigate to https://myapp.naval.lan
```
## Part 5: DNS Configuration
Ensure your clients can resolve `naval.lan` domains:
### 5.1. Option 1: Local DNS Server (Recommended)
Set up a local DNS server (dnsmasq, Pi-hole, or Windows DNS) with:
```
*.naval.lan → [Traefik Ingress IP]
```
### 5.2. Option 2: Hosts File
#### Linux: `/etc/hosts`
```bash
sudo nano /etc/hosts
```
#### Windows: `C:\Windows\System32\drivers\etc\hosts` (as Administrator)
```
notepad C:\Windows\System32\drivers\etc\hosts
```
Add entries:
```
192.168.1.100 myapp.naval.lan
192.168.1.100 dashboard.naval.lan
```
Replace `192.168.1.100` with your Traefik ingress IP.
## Part 6: Certificate Renewal
Your certificates will expire. To renew:
```bash
cd ~/certs/naval-ca
# Generate new CSR (or reuse existing key)
openssl req -new -key naval-lan-key.pem -out naval-lan-new.csr -config naval-lan.conf
# Sign with CA
openssl x509 -req -in naval-lan-new.csr -CA ca-cert.pem -CAkey ca-key.pem \
-CAcreateserial -out naval-lan-cert-new.pem -days 730 \
-extensions req_ext -extfile naval-lan.conf
# Update Kubernetes secret
kubectl create secret tls naval-lan-tls \
--cert=naval-lan-cert-new.pem \
--key=naval-lan-key.pem \
-n traefik \
--dry-run=client -o yaml | kubectl apply -f -
# Restart Traefik pods to reload certificate
kubectl rollout restart deployment traefik -n traefik
```
## Troubleshooting
### Certificate not trusted after installation
- **Clear browser cache**: Some browsers cache certificate validation
- **Restart browser**: Required for Chrome/Edge on Windows
- **Check certificate chain**: `openssl s_client -connect myapp.naval.lan:443 -showcerts`
### "NET::ERR_CERT_AUTHORITY_INVALID" error
- Verify CA certificate is in the correct store
- On Windows, ensure it's in "Trusted Root Certification Authorities", not "Intermediate"
- Check that the certificate's Subject Alternative Names include your domain
### Firefox still shows warning
- Firefox uses its own certificate store on all platforms
- Must import CA certificate directly into Firefox
### Certificate expired
- Check certificate validity: `openssl x509 -in naval-lan-cert.pem -noout -dates`
- Follow renewal steps in Part 6
## Security Considerations
1. **Protect your CA private key** (`ca-key.pem`):
- Store it securely
- Consider encrypting it with a passphrase
- Keep backups in secure locations
2. **Certificate validity period**:
- Don't make it too long (2 years max recommended)
- Set up calendar reminders for renewal
3. **Access control**:
- Only install the CA certificate on machines you control
- Don't share your CA private key
4. **Network isolation**:
- Keep your `.lan` domain isolated from the internet
- Use firewall rules to prevent external access
## Quick Reference Commands
```bash
# Check certificate details
openssl x509 -in naval-lan-cert.pem -text -noout
# Test HTTPS connection
curl -v https://myapp.naval.lan
# View installed CA on Linux
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i naval
# View installed CA on Windows (PowerShell)
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Naval*"}
# Get Traefik ingress IP
kubectl get svc -n traefik traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
```
## Additional Resources
- [Traefik Documentation](https://doc.traefik.io/traefik/)
- [OpenSSL Documentation](https://www.openssl.org/docs/)
- [Kubernetes TLS Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
---
**Created**: January 9, 2026
**Last Updated**: January 9, 2026