Adding your own SSL certificate for a domain

1. Connecting the domain to the software

Only needed if the domain is not connected yet.

Go to the "Settings"->"General" section. In the "Domain name" line click "Specify domain". In the window that opens, turn on the switch and enter the domain name.

1.5 Disable existing certificates.

Make sure that the "TLS" line does NOT say "Use Let's Encrypt". If it does, click "Change" and, in the window that opens, disable the "Issue TLS certificate" checkbox. Otherwise the built-in Let's Encrypt issuance stays active and can replace the certificate you add below.

Adding a certificate.

Check whether an old certificate secret exists

Go to the software server. Check that there is no certificate secret for the current domain:

$ kubectl -n secuchamp get secrets

NAME                            TYPE                             DATA   AGE
secuchamp-license               Opaque                           2      11d
secuchamp-registry-pullsecret   kubernetes.io/dockerconfigjson   1      11d
stph.local-tls                  kubernetes.io/tls                2      8m56s

The resulting list should not contain a secret named <your_domain>-tls. The platform looks for a secret with exactly that name, so if one is already there (in the example above it is stph.local-tls) it must be removed before your own certificate is created under the same name:

$ kubectl -n secuchamp delete secret stph.local-tls 

secret "stph.local-tls" deleted

Add your own certificate

Upload your own certificate and private key to the server. In this example they are placed in the user's home directory (~/). Both files must be PEM-encoded; server.crt should contain the server certificate first, followed by any intermediate certificates, otherwise clients that do not already have the intermediates will fail to build the chain.

Create a certificate secret for our domain. The format of the name is <your_domain>-tls. In this example it is stph.local-tls.

$ kubectl -n secuchamp create secret tls stph.local-tls \
          --cert ~/server.crt \
          --key ~/server.key

secret/stph.local-tls created

Enabling TLS in the database

Find the name of the database pod:

$ kubectl -n secuchamp get pod 

NAME                                   READY   STATUS    RESTARTS       AGE
api-5dbf6896d5-vwqp6                   1/1     Running   0              16m
api-campaigns-64dfd6cc49-wzq5p         1/1     Running   27 (70m ago)   11d
api-hosting-7c96ccf6f4-vdfds           1/1     Running   9 (72m ago)    11d
api-ldap-86f84c9975-lx59d              1/1     Running   7 (72m ago)    8d
api-lms-7ddbf85fb9-prqkp               1/1     Running   3 (70m ago)    18h
api-mailer-85c78f4777-zwdq6            1/1     Running   23 (71m ago)   11d
api-website-scraper-74476d6987-x88xj   1/1     Running   5 (72m ago)    6d19h
frontend-7b98d89cd8-j4kgz              1/1     Running   9 (72m ago)    11d
lms-frontend-5bf6c5cd4f-lwk4x          1/1     Running   1 (72m ago)    18h
nats-98fb57859-z85c9                   1/1     Running   9 (72m ago)    11d
postgres-74468b87f6-l82jz              1/1     Running   9 (72m ago)    11d
redis-c78f8d7bd-hxpzq                  1/1     Running   9 (72m ago)    11d

We need the pod whose name starts with postgres- (in the example above it is postgres-74468b87f6-l82jz).

Run the query that sets the record (the SQL is wrapped in double quotes so that the single-quoted SQL literals pass through the shell unchanged):

$ kubectl -n secuchamp exec postgres-74468b87f6-l82jz -- psql --user=secuchamp secuchamp \
    -c "UPDATE settings SET value = 'true' WHERE namespace = 'core' AND key = 'tls';"

UPDATE 1

This enables "TLS" without starting the Let's Encrypt certificate issuance process. UPDATE 1 confirms that exactly one row was changed.

If the query reports UPDATE 0 (no row for core/tls exists yet) or fails for some other reason, run the following command instead; it inserts the row, or updates it if it already exists:

$ kubectl -n secuchamp exec postgres-74468b87f6-l82jz -- psql --user=secuchamp secuchamp \
    -c "INSERT INTO settings (namespace, key, value) VALUES ('core', 'tls', 'true') ON CONFLICT (namespace, key) DO UPDATE SET value = EXCLUDED.value;"

INSERT 0 1

Restart the API service to apply the changes

Find the API pod name:

$ kubectl -n secuchamp get pod 

NAME                                   READY   STATUS    RESTARTS       AGE
api-5dbf6896d5-vwqp6                   1/1     Running   0              16m
api-campaigns-64dfd6cc49-wzq5p         1/1     Running   27 (70m ago)   11d
api-hosting-7c96ccf6f4-vdfds           1/1     Running   9 (72m ago)    11d
api-ldap-86f84c9975-lx59d              1/1     Running   7 (72m ago)    8d
api-lms-7ddbf85fb9-prqkp               1/1     Running   3 (70m ago)    18h
api-mailer-85c78f4777-zwdq6            1/1     Running   23 (71m ago)   11d
api-website-scraper-74476d6987-x88xj   1/1     Running   5 (72m ago)    6d19h
frontend-7b98d89cd8-j4kgz              1/1     Running   9 (72m ago)    11d
lms-frontend-5bf6c5cd4f-lwk4x          1/1     Running   1 (72m ago)    18h
nats-98fb57859-z85c9                   1/1     Running   9 (72m ago)    11d
postgres-74468b87f6-l82jz              1/1     Running   9 (72m ago)    11d
redis-c78f8d7bd-hxpzq                  1/1     Running   9 (72m ago)    11d

We need the pod whose name is exactly api-**********-***** (api- followed only by the ReplicaSet hash and the pod suffix, not api-campaigns-..., api-mailer-... and so on). In the example above it is api-5dbf6896d5-vwqp6.

Delete this pod with the command (the Deployment will create a replacement):

$ kubectl -n secuchamp delete pod api-5dbf6896d5-vwqp6

pod "api-5dbf6896d5-vwqp6" deleted

Wait 30 seconds to a minute and check that the new pod is running:

$ kubectl -n secuchamp get pod

NAME                                   READY   STATUS    RESTARTS       AGE
api-5dbf6896d5-pgdnv                   1/1     Running   0              36s
...
...
...

You can then verify that the web interface serves your certificate, for example by opening the domain in a browser and comparing the certificate details (issuer, validity, fingerprint) with the file you uploaded.
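The following POSIX shell script is an added example, not the product's own tooling and not code from the original page. It runs the steps of this guide end to end with the checks an operator would want before touching the cluster: it refuses a key that does not match the certificate, an expired certificate, or one that does not cover the domain; replaces the <your_domain>-tls secret; upserts the core/tls setting; restarts the API pod; and finally compares the certificate served on port 443 with the uploaded file. It assumes the namespace secuchamp (override with NS), that the API pods belong to a Deployment named api with a single replica, that the settings row is identified by namespace 'core' and key 'tls' as in the queries above, and that kubectl and OpenSSL 1.1.1 or newer are on the host.

```shell
#!/bin/sh
# Added example, not part of the original page or the product's own tooling.
# Automates the guide above: validate the cert/key pair, replace the
# <domain>-tls secret, upsert the core/tls setting, restart the API pod and
# confirm that the served certificate is the one we uploaded.
# Assumptions not stated on the page: namespace "secuchamp" (override with NS),
# API pods belong to a Deployment named "api" with one replica, OpenSSL >= 1.1.1.
set -eu

NS="${NS:-secuchamp}"

# Secret name the platform expects for a domain: <your_domain>-tls
tls_secret_name() {
    printf '%s-tls\n' "$1"
}

# Read "kubectl get pod" output on stdin and print the API pod: the name must be
# exactly api-<replicaset hash>-<suffix>, which excludes api-campaigns-... etc.
find_api_pod() {
    awk 'NR > 1 && $1 ~ /^api-[a-z0-9]+-[a-z0-9]+$/ { print $1 }'
}

# Same selection for the postgres pod.
find_postgres_pod() {
    awk 'NR > 1 && $1 ~ /^postgres-[a-z0-9]+-[a-z0-9]+$/ { print $1 }'
}

# Read "kubectl get secrets" output on stdin; succeed if a secret named $1 is listed.
secret_listed() {
    awk -v name="$1" 'NR > 1 && $1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Pre-flight checks on the PEM files before anything touches the cluster.
check_cert_pair() {
    cert="$1"; key="$2"; domain="$3"
    # 1. The private key belongs to the certificate (compare SubjectPublicKeyInfo, so EC keys work too).
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key does not match certificate" >&2; return 1; }
    # 2. Still valid a week from now (604800 s).
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "certificate expired or expires within 7 days" >&2; return 1; }
    # 3. The domain the platform is configured for appears in the leaf's SAN (CN as a fallback).
    { openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -Eq "DNS:$domain(,|$)"; } \
        || openssl x509 -in "$cert" -noout -subject | grep -Eq "CN ?= ?$domain(,|$)" \
        || { echo "certificate does not cover $domain" >&2; return 1; }
}

apply_certificate() {
    domain="$1"; cert="$2"; key="$3"
    secret=$(tls_secret_name "$domain")
    check_cert_pair "$cert" "$key" "$domain"

    # "Check whether an old certificate secret exists": remove a stale secret of the same name.
    if kubectl -n "$NS" get secrets | secret_listed "$secret"; then
        kubectl -n "$NS" delete secret "$secret"
    fi
    # tls.crt should hold the leaf first, followed by any intermediates, all PEM.
    kubectl -n "$NS" create secret tls "$secret" --cert "$cert" --key "$key"

    # Enable TLS in the settings table without triggering Let's Encrypt issuance.
    # The upsert covers both the UPDATE and the INSERT fallback from the guide.
    pg=$(kubectl -n "$NS" get pod | find_postgres_pod)
    kubectl -n "$NS" exec "$pg" -- psql --user=secuchamp secuchamp -c \
        "INSERT INTO settings (namespace, key, value) VALUES ('core', 'tls', 'true')
         ON CONFLICT (namespace, key) DO UPDATE SET value = EXCLUDED.value;"

    # Restart the API pod and wait for its replacement (Deployment name "api" is assumed).
    api=$(kubectl -n "$NS" get pod | find_api_pod)
    kubectl -n "$NS" delete pod "$api"
    kubectl -n "$NS" rollout status deployment/api --timeout=120s

    # End-to-end check: the certificate served on :443 must be the one we uploaded.
    want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    got=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256)
    [ "$want" = "$got" ] || { echo "served certificate differs from $cert" >&2; return 1; }
    echo "TLS for $domain is now served from secret $secret"
}

# Usage: NS=secuchamp sh add_cert.sh apply stph.local ~/server.crt ~/server.key
if [ "${1:-}" = "apply" ]; then
    shift
    apply_certificate "$@"
fi
```

The pod selection mirrors the name-matching the guide does by eye; if the API Deployment is ever scaled to more than one replica, find_api_pod prints several names and the delete step should be replaced by kubectl rollout restart deployment/api. The fingerprint comparison at the end catches the common failure where the secret was created correctly but the old certificate is still being served because the API pod was not restarted.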