Set up custom certificates for a site

We already take care of the certificate management, but if you want to use your own certificates you can do so by configuring them manually.

There is a one-to-one relationship between a certificate and a site. The certificates are managed by Cert Manager and are signed using Let’s Encrypt, a free certificate provider.

NOTE

For now this feature is only available from the command line, so go ahead and connect to your cluster.

To make things easier, let’s define some helpful constants that will simplify our commands: The Project Namespace and the Site Name. Both can be found in the Bitpoke App on the Runtime page of the site.

PROJECT_NS=<your_namespace>
SITE_NAME=<your_site_name>

How to use custom certificates

To use a custom certificate, complete the following steps:

1. Upload the certificates

The certificate should include all the Domain names from the Routing section.

You should have 2 files: one containing the private key (tls.key) and one containing the certificates bundle (tls.crt).

Both should be in PEM format. In other words, your certificate should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- and your key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

Let’s name the new certificate (any name is good):

CERTIFICATE_NAME=$SITE_NAME-custom-tls

Create it.

kubectl -n $PROJECT_NS create secret tls $CERTIFICATE_NAME --cert=tls.crt --key=tls.key

2. Disable automatic certificate management

In order to set a custom certificate, you have to tell Cert Manager that you don’t want to generate a certificate for your site.

kubectl -n $PROJECT_NS annotate wp $SITE_NAME site.presslabs.com/custom-certificate=""

3. Set the new certificate

Once the certificate is uploaded, you can set it to be used by the site.

kubectl -n $PROJECT_NS patch wp $SITE_NAME --type=merge -p "{\"spec\": { \"tlsSecretRef\": \"$CERTIFICATE_NAME\"}}"

4. Optional: Force ingress-nginx to reload certificates

In some cases, the certificate is not used right away by ingress-nginx and you have to reset the ingress controller.
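
A pre-flight check for the two files from step 1, as an added example that is not part of the original guide or of Bitpoke's own tooling: it confirms that tls.crt and tls.key parse as PEM, that the key belongs to the leaf certificate, that the certificate has not expired, and that every routed domain is covered by the SAN list. The function name check_custom_cert and the domain arguments are assumptions, and it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original guide): validate tls.crt / tls.key
# before creating the Kubernetes TLS secret.
# Usage: check_custom_cert tls.crt tls.key domain [domain...]
# The domain arguments are the names shown in the site's Routing section.
check_custom_cert() {
  local crt="$1" key="$2"; shift 2
  local rc=0 sans d wildcard

  # Both files must be parseable PEM. In a bundle, openssl x509 reads only the
  # first certificate, which has to be the leaf. The key must be unencrypted.
  openssl x509 -in "$crt" -noout 2>/dev/null ||
    { echo "FAIL: $crt is not a PEM certificate" >&2; return 1; }
  openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
    { echo "FAIL: $key is not an unencrypted PEM private key" >&2; return 1; }

  # The private key must belong to the leaf certificate: compare public keys.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -passin pass: -pubout)" ]; then
    echo "FAIL: private key does not match the certificate" >&2; rc=1
  fi

  # The certificate must not be expired already.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate has expired" >&2; rc=1; }

  # Every routed domain must appear in the SAN list, either exactly or through
  # a wildcard that replaces only its left-most label.
  sans=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p' | tr 'A-Z' 'a-z')
  for d in "$@"; do
    d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
    wildcard="*.${d#*.}"
    if ! printf '%s\n' "$sans" | grep -qxF -e "$d" -e "$wildcard"; then
      echo "FAIL: $d is not covered by the certificate" >&2; rc=1
    fi
  done
  return "$rc"
}
```

Run it before the kubectl create secret tls command in step 1, for example check_custom_cert tls.crt tls.key example.com www.example.com, and upload the files only when it exits with status 0.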

How to re-enable the managed certificates

If you want to go back to the certificates managed by Cert Manager, run the following command to remove the annotation from your site:

kubectl -n $PROJECT_NS annotate wp $SITE_NAME site.presslabs.com/custom-certificate-