Certificates

SSL/TLS certificates are essential for securing Buzzy deployments. This guide covers certificate requirements, acquisition, installation, and management for Buzzy services.

Certificate requirements

Essential Certificates

  • Main Application: Certificate for the primary Buzzy service domain

  • Logging Service: Certificate for the logging service domain (if separate)

  • API Endpoints: Certificates for API access points

  • File Storage: Certificate for object storage endpoints (if using custom domain)

Certificate Specifications

  • Encryption: Minimum 2048-bit RSA or 256-bit ECC

  • Signature Algorithm: SHA-256 or higher

  • Protocol Support: TLS 1.2 and TLS 1.3

  • Validity Period: Recommended 1-2 years maximum

Certificate types

Domain Validated (DV) Certificates

  • Use Case: Basic encryption for development and testing

  • Validation: Domain ownership verification only

  • Cost: Low cost or free (Let's Encrypt)

  • Trust Level: Basic browser trust

Organization Validated (OV) Certificates

  • Use Case: Production environments with organizational validation

  • Validation: Domain ownership and organization verification

  • Cost: Moderate cost

  • Trust Level: Higher trust with organization details

Extended Validation (EV) Certificates

  • Use Case: High-security environments requiring maximum trust

  • Validation: Extensive organization and legal verification

  • Cost: Higher cost

  • Trust Level: Highest trust with green address bar

Wildcard Certificates

  • Use Case: Multiple subdomains under a single domain

  • Coverage: *.yourdomain.com covers all subdomains

  • Cost: Higher than single-domain certificates

  • Management: Simplified certificate management

Obtaining certificates

Let's Encrypt (Free)

  • Automated: Use ACME clients for automatic certificate management

  • Renewal: Automatic renewal every 90 days

  • Limitations: Domain validation only, rate limits apply

  • Tools: Certbot, cert-manager for Kubernetes

# Example using Certbot
certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

Commercial Certificate Authorities

  • Providers: DigiCert, GlobalSign, Sectigo, GoDaddy

  • Features: Extended validation options, warranty coverage

  • Support: Professional support and documentation

  • Integration: Often easier integration with enterprise systems

Cloud Provider Certificates

  • AWS Certificate Manager: Free certificates for AWS resources

  • Azure Key Vault: Certificate management for Azure services

  • Google Cloud SSL: Managed certificates for Google Cloud

  • Integration: Seamless integration with cloud load balancers

Certificate installation

Kubernetes Deployment

Using cert-manager for automatic certificate management:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: buzzy-tls
  namespace: buzzy
spec:
  secretName: buzzy-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - yourdomain.com
  - www.yourdomain.com

Load Balancer Configuration

For AWS Application Load Balancer:

apiVersion: v1
kind: Service
metadata:
  name: buzzy-service
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:region:account:certificate/certificate-id
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  type: LoadBalancer
  ports:
  - port: 443
    targetPort: 8080
    protocol: TCP

Docker Compose Configuration

For Docker Compose deployments with reverse proxy:

version: '3'
services:
  nginx:
    image: nginx:alpine
    ports:
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./certs:/etc/nginx/certs
    depends_on:
      - buzzy-main

Certificate management

Automated Renewal

  • Let's Encrypt: Use certbot or cert-manager for automatic renewal

  • Commercial: Set up renewal reminders and processes

  • Monitoring: Monitor certificate expiration dates

  • Testing: Test renewal processes regularly

Certificate Storage

  • Kubernetes Secrets: Store certificates as TLS secrets

  • Key Vaults: Use cloud key management services

  • File System: Secure file system storage with proper permissions

  • Backup: Regular backup of certificates and private keys

Security Best Practices

  • Private Key Protection: Secure storage of private keys

  • Access Control: Limit access to certificate files

  • Regular Rotation: Regular certificate renewal and rotation

  • Monitoring: Monitor for certificate-related security issues

Troubleshooting

Common Issues

  • Certificate Mismatch: Domain name doesn't match certificate

  • Expired Certificate: Certificate has passed expiration date

  • Chain Issues: Incomplete certificate chain

  • Permission Problems: Incorrect file permissions

Diagnostic Commands

# Check certificate details
openssl x509 -in certificate.crt -text -noout

# Verify certificate chain
openssl verify -CAfile ca-bundle.crt certificate.crt

# Test SSL connection (pass -servername so SNI selects the right certificate on shared hosts)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

# Check certificate expiration
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates

Resolution Steps

  1. Verify Domain: Ensure domain names match certificate

  2. Check Expiration: Verify certificate is still valid

  3. Validate Chain: Ensure complete certificate chain

  4. Test Connectivity: Verify network connectivity and DNS

  5. Review Logs: Check application and load balancer logs
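The following script is an added example, not part of the Buzzy documentation or tooling. It turns the Certificate Specifications above (key size, signature algorithm, validity period) and the Common Issues in this section (expiry, hostname mismatch) into a single check over a PEM file, and generates two constructed self-signed certificates (buzzy.example.com and other.example.com are placeholder names) to exercise it. It assumes a POSIX shell and openssl 1.1.1 or later.

```shell
# Added example (not Buzzy's own tooling): check a PEM certificate against the
# specification above and the troubleshooting causes. Requires openssl >= 1.1.1.
set -eu
# check_cert CERT.pem HOSTNAME: prints problems and returns 1, or returns 0 when all pass
check_cert() {
  cert=$1; host=$2; problems=""
  text=$(openssl x509 -in "$cert" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  # Key strength: minimum 2048-bit RSA or 256-bit ECC
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    [ "$bits" -ge 2048 ] || problems="$problems rsa-key-too-small($bits)"
  elif printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    [ "$bits" -ge 256 ] || problems="$problems ec-key-too-small($bits)"
  else
    problems="$problems unsupported-key-type"
  fi
  # Signature algorithm: SHA-256 or stronger (rejects SHA-1 and MD5 signatures)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: //p' | head -n 1)
  case "$sigalg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
    *) problems="$problems weak-signature($sigalg)" ;;
  esac
  # Expiry: flag certificates that expire within 30 days (2592000 s)
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || problems="$problems expires-within-30d"
  # Validity period: still valid 2 years from now means it exceeds the 1-2 year maximum
  if openssl x509 -in "$cert" -noout -checkend $((731 * 86400)) >/dev/null; then
    problems="$problems validity-over-2y"
  fi
  # Hostname: the subjectAltName (or CN) must cover the service domain
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' || problems="$problems hostname-mismatch($host)"
  if [ -n "$problems" ]; then echo "$cert:$problems"; return 1; fi
  return 0
}
# Constructed demo certificates: one meeting the spec, one with a 1024-bit RSA key,
# a 1200-day validity period and a CN that does not match the service domain.
make_demo_certs() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
    -keyout "$1/good.key" -out "$1/good.pem" -subj '/CN=buzzy.example.com' \
    -addext 'subjectAltName=DNS:buzzy.example.com,DNS:www.buzzy.example.com' 2>/dev/null
  openssl req -x509 -newkey rsa:1024 -nodes -days 1200 \
    -keyout "$1/bad.key" -out "$1/bad.pem" -subj '/CN=other.example.com' 2>/dev/null
}
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_certs "$DEMO_DIR"
check_cert "$DEMO_DIR/good.pem" buzzy.example.com && echo "good.pem: ok"
check_cert "$DEMO_DIR/bad.pem" buzzy.example.com || true   # prints the problems found
```

To check a deployed certificate instead of a file, feed the output of the `openssl s_client` command from the Diagnostic Commands section into a file and pass that to check_cert.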
