senke/veza

History

senke 1f00fb762a chore(cleanup): untrack docker/haproxy/certs/veza.crt + regen dev keys Follow-up to `98ee449f` — initial scan missed .crt extension (grep was pem\|env only). Also untracking the crt since it pairs with the pem. Index changes: - D docker/haproxy/certs/veza.crt - M .gitignore (+docker/haproxy/certs/*.crt pattern) Working tree (ignored, not in commit): - jwt-private.pem, jwt-public.pem (regen via scripts/generate-jwt-keys.sh) - config/ssl/{cert,key,veza}.pem (regen via scripts/generate-ssl-cert.sh) - docker/haproxy/certs/{veza.pem,veza.crt} (copied from config/ssl/) Dev keys only — no prod secrets rotated here (user confirmed committed creds were dev placeholders). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 10:00:45 +02:00
..
README.md	chore: consolidate CI, E2E, backend and frontend updates	2026-02-17 16:43:21 +01:00

senke 1f00fb762a chore(cleanup): untrack docker/haproxy/certs/veza.crt + regen dev keys

Follow-up to 98ee449f — initial scan missed .crt extension (grep was
pem|env only). Also untracking the crt since it pairs with the pem.

Index changes:
  - D  docker/haproxy/certs/veza.crt
  - M  .gitignore (+docker/haproxy/certs/*.crt pattern)

Working tree (ignored, not in commit):
  - jwt-private.pem, jwt-public.pem       (regen via scripts/generate-jwt-keys.sh)
  - config/ssl/{cert,key,veza}.pem        (regen via scripts/generate-ssl-cert.sh)
  - docker/haproxy/certs/{veza.pem,veza.crt}  (copied from config/ssl/)

Dev keys only — no prod secrets rotated here (user confirmed committed
creds were dev placeholders).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-20 10:00:45 +02:00

README.md chore: consolidate CI, E2E, backend and frontend updates 2026-02-17 16:43:21 +01:00

README.md

HAProxy SSL Certificates

Never commit private keys (.key) or certificate files (.pem) to git.

This directory holds SSL certificates for HAProxy HTTPS. The files are gitignored.

Generating Certificates Locally

Self-Signed (Development/Staging)

From the repository root:

cd docker/haproxy/certs
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout veza.key -out veza.crt -subj "/CN=veza.local"
cat veza.crt veza.key > veza.pem

Or use the project script (creates in config/ssl/ — copy to this dir if needed):

./scripts/generate-ssl-cert.sh veza.local
# Then: cp config/ssl/veza.pem config/ssl/key.pem config/ssl/cert.pem docker/haproxy/certs/

Production (Let's Encrypt)

certbot certonly --standalone -d yourdomain.com
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
    /etc/letsencrypt/live/yourdomain.com/privkey.pem > docker/haproxy/certs/veza.pem

Certificate Rotation

If a private key may have been exposed:

Generate new certificate and key (commands above).
Replace veza.pem, veza.key, veza.crt in this directory.
Restart HAProxy.
Document rotation in veza-docs/ if applicable.