# SSL Certificates for HAProxy

This directory holds the SSL certificates HAProxy serves for HTTPS in production. **Never commit certificates or private keys** (see `.gitignore`).

## Required for Production HTTPS

HAProxy expects a single combined PEM file, **`veza.pem`**, containing the certificate (with any intermediate chain) followed by its private key, concatenated. The config points at the file itself (`crt /etc/ssl/veza/veza.pem`) rather than at the directory, because `crt <dir>` makes HAProxy try to load every file in the directory as a certificate (this README included).

The private key therefore lives in `veza.pem`: keep the file out of world-readable permissions, and make sure the user HAProxy runs as inside the container can still read it.

## Obtaining Certificates

### Option 1: Let's Encrypt (Production)

```bash
# Standalone mode binds port 80 itself, so stop HAProxy first
certbot certonly --standalone -d yourdomain.com

# Combine full chain + private key (in that order) into the file HAProxy loads
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
    /etc/letsencrypt/live/yourdomain.com/privkey.pem > config/ssl/veza.pem
```

Let's Encrypt certificates are valid for 90 days. `certbot renew` only refreshes the files under `/etc/letsencrypt/live/`; the `cat` step above has to be repeated after every renewal (e.g. from a certbot deploy hook) or HAProxy keeps serving the old certificate.

### Option 2: Self-Signed (Development/Staging)

```bash
# Unencrypted key (-nodes): HAProxy cannot prompt for a passphrase at startup
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout config/ssl/key.pem -out config/ssl/cert.pem \
    -subj "/CN=veza.local"

# Certificate first, then the key
cat config/ssl/cert.pem config/ssl/key.pem > config/ssl/veza.pem
```

This certificate carries only a Common Name and no Subject Alternative Name, so modern browsers will not match it against `veza.local` even after you trust it; it is fine for `curl -k`, health checks and staging, not for anything that needs a clean browser handshake.

## Docker Volume

`docker-compose.prod.yml` mounts this directory to `/etc/ssl/veza` in the HAProxy container. **You must create `veza.pem` before starting production**: without it HAProxy fails its configuration check, so the container's healthcheck will fail.

## Quick Start (First-Time Setup)

Run from the repo root:

```bash
./scripts/generate-ssl-cert.sh
```

This creates a self-signed certificate for `veza.local`. For production, replace it with a Let's Encrypt certificate or one from your CA.
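Both options above end the same way: a combined `veza.pem` that HAProxy will load without complaint only if it contains a parseable certificate, an unencrypted private key that actually belongs to that certificate, and sensible permissions. The following script is an added example for this README, not one of the repository's own `scripts/`; it assembles the combined file the way the two procedures do and then verifies it before you (re)start the container. The file names (`veza.pem`, `config/ssl`) follow the README; the function names and the individual checks are this example's own.

```bash
#!/usr/bin/env bash
# Added example for this README (not one of the repo's scripts): build the
# combined PEM HAProxy loads and sanity-check it before (re)starting HAProxy.
# Function names and checks are this example's own; paths follow the README.
set -eu

# Print the CERTIFICATE block(s) / the PRIVATE KEY block of a PEM file.
pem_certs() { sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"; }
pem_key()   { sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1"; }

# Concatenate leaf+chain (fullchain.pem or cert.pem) and the private key, in
# that order, into one file that is not world-readable. The key now sits in
# this file, so ownership/group should match the user HAProxy runs as in the
# container (assumption: it is given access via owner or group bits).
assemble_haproxy_pem() {
  local fullchain="$1" privkey="$2" out="$3"
  ( umask 027; cat "$fullchain" "$privkey" > "$out" )
  chmod o-rwx "$out"   # also covers a pre-existing file umask did not touch
}

# Verify a combined PEM. Returns 0 when HAProxy should accept it, 1 otherwise,
# with the reason on stderr. $2 = minimum remaining validity in days (default 7).
check_haproxy_pem() {
  local pem="$1" min_days="${2:-7}"
  local cert_pub key_pub other

  # 1. A certificate must be present and parse (first block is taken as the leaf).
  cert_pub=$(pem_certs "$pem" | openssl x509 -noout -pubkey 2>/dev/null) \
    || { echo "$pem: no loadable certificate" >&2; return 1; }

  # 2. An unencrypted key must be present. HAProxy cannot prompt for a
  #    passphrase; '-passin pass:' turns an encrypted key into a failure here
  #    instead of a terminal prompt.
  key_pub=$(pem_key "$pem" | openssl pkey -passin pass: -pubout 2>/dev/null) \
    || { echo "$pem: no loadable (unencrypted) private key" >&2; return 1; }

  # 3. The key must belong to the certificate: same SubjectPublicKeyInfo.
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "$pem: private key does not match certificate" >&2; return 1; }

  # 4. Not about to expire. Let's Encrypt certs last 90 days and 'certbot
  #    renew' does not rewrite this combined file by itself.
  pem_certs "$pem" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "$pem: certificate expires within $min_days days" >&2; return 1; }

  # 5. The file holds a private key: reject world-readable modes
  #    (columns 8-10 of 'ls -l' are the 'other' rwx bits, portable across ls flavours).
  other=$(ls -ld "$pem" | cut -c8-10)
  [ "$other" = "---" ] \
    || { echo "$pem: world-readable (other=$other); run chmod o-rwx on it" >&2; return 1; }
}

# Stand-alone use: ./check-veza-pem.sh config/ssl/veza.pem
if [ "$#" -gt 0 ]; then
  check_haproxy_pem "$1"
  echo "$1: OK"
fi
```

Run it against `config/ssl/veza.pem` before `docker compose -f docker-compose.prod.yml up`, and again from whatever rebuilds the file after a Let's Encrypt renewal. Check 3 is the one that catches the most common mistake, pasting a freshly issued certificate on top of last year's key; check 5 only rejects world-readable files on purpose, so that a file owned by or group-shared with the container's HAProxy user still passes.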