veza/docker/haproxy/certs/README.md

# HAProxy SSL Certificates

**Never commit private keys (`.key`) or certificate files (`.pem`) to git.**

This directory holds SSL certificates for HAProxy HTTPS. The files are gitignored.

## Generating Certificates Locally

### Self-Signed (Development/Staging)

From the repository root:

```bash
cd docker/haproxy/certs
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout veza.key -out veza.crt -subj "/CN=veza.local"
cat veza.crt veza.key > veza.pem
```

Or use the project script (creates in `config/ssl/` — copy to this dir if needed):

```bash
./scripts/generate-ssl-cert.sh veza.local
# Then: cp config/ssl/veza.pem config/ssl/key.pem config/ssl/cert.pem docker/haproxy/certs/
```

### Production (Let's Encrypt)

```bash
certbot certonly --standalone -d yourdomain.com
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
    /etc/letsencrypt/live/yourdomain.com/privkey.pem > docker/haproxy/certs/veza.pem
```

## Certificate Rotation

If a private key may have been exposed:

1. Generate new certificate and key (commands above).
2. Replace `veza.pem`, `veza.key`, `veza.crt` in this directory.
3. Restart HAProxy.
4. Document rotation in `veza-docs/` if applicable.
chore: consolidate CI, E2E, backend and frontend updates - CI: workflows updates (cd, ci), remove playwright.yml - E2E: global-setup, auth/playlists/profile specs - Remove playwright-report and test-results artifacts from tracking - Backend: auth, handlers, services, workers, migrations - Frontend: components, features, vite config - Add e2e-results.json to gitignore - Docs: REMEDIATION_PROGRESS, audit archive - Rust: chat-server, stream-server updates 2026-02-17 15:43:21 +00:00			`# HAProxy SSL Certificates`

			Never commit private keys (`.key`) or certificate files (`.pem`) to git.

			`This directory holds SSL certificates for HAProxy HTTPS. The files are gitignored.`

			`## Generating Certificates Locally`

			`### Self-Signed (Development/Staging)`

			`From the repository root:`

			```bash
			`cd docker/haproxy/certs`
			`openssl req -x509 -nodes -days 365 -newkey rsa:4096 \`
			`-keyout veza.key -out veza.crt -subj "/CN=veza.local"`
			`cat veza.crt veza.key > veza.pem`
			```

			Or use the project script (creates in `config/ssl/` — copy to this dir if needed):

			```bash
			`./scripts/generate-ssl-cert.sh veza.local`
			`# Then: cp config/ssl/veza.pem config/ssl/key.pem config/ssl/cert.pem docker/haproxy/certs/`
			```

			`### Production (Let's Encrypt)`

			```bash
			`certbot certonly --standalone -d yourdomain.com`
			`cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \`
			`/etc/letsencrypt/live/yourdomain.com/privkey.pem > docker/haproxy/certs/veza.pem`
			```

			`## Certificate Rotation`

			`If a private key may have been exposed:`

			`1. Generate new certificate and key (commands above).`
			2. Replace `veza.pem`, `veza.key`, `veza.crt` in this directory.
			`3. Restart HAProxy.`
			4. Document rotation in `veza-docs/` if applicable.