feat: Add support for custom certificates #1531

Open. Wants to merge 5 commits into base: main

Conversation

acidtib (Contributor) commented Apr 28, 2025

This PR adds support for custom SSL certificates in the proxy configuration, building upon the foundation laid by @kpumuk in PR #969. Users can now securely provide their own SSL certificates and private keys through secrets using the following configuration format:

proxy:
  ssl:
    certificate_pem: CERTIFICATE_PEM
    private_key_pem: PRIVATE_KEY_PEM

Background

This enhancement addresses scenarios where Let's Encrypt automated certificate management isn't feasible or when users already possess SSL certificates from other Certificate Authorities. The implementation maintains compatibility with existing SSL options:

  • Enable SSL with Let's Encrypt (unchanged):

    proxy:
      ssl: true

  • Disable SSL (unchanged):

    proxy:
      ssl: false

  • Enable custom SSL with provided certificates:

    proxy:
      ssl:
        certificate_pem: CERTIFICATE_PEM
        private_key_pem: PRIVATE_KEY_PEM

The feature allows for a more flexible SSL setup while maintaining security best practices by using secrets for certificate management.

Site documentation PR: basecamp/kamal-site#174

@acidtib acidtib changed the title Add support for custom certificates feat: Add support for custom certificates Apr 28, 2025
sobanakram commented

Hi @acidtib, looks neat. I am testing this and getting this error:

ERROR (Kamal::ConfigurationError): proxy/ssl: should be a boolean

rajraj commented May 6, 2025

> Hi @acidtib, looks neat. I am testing this and getting this error:
>
> ERROR (Kamal::ConfigurationError): proxy/ssl: should be a boolean

Try adding this to your Gemfile and run bundle install:

gem "kamal", "~> 2.5", github: "acidtib/kamal", branch: "feat/custom-ssl"

and then try:

bundle exec kamal deploy

sobanakram commented

> > Hi @acidtib, looks neat. I am testing this and getting this error:
> >
> > ERROR (Kamal::ConfigurationError): proxy/ssl: should be a boolean
>
> Try adding this to your Gemfile and run bundle install:
>
> gem "kamal", "~> 2.5", github: "acidtib/kamal", branch: "feat/custom-ssl"
>
> and then try:
>
> bundle exec kamal deploy

@rajraj Have you tested it?

rajraj commented May 14, 2025

@sobanakram Hi, yes I have.

I have my certificate and private key in config/credentials/, and in .kamal/secrets I have:

# .kamal/secrets
CERTIFICATE_PEM=$(cat config/certificates/cert.pem)
PRIVATE_KEY_PEM=$(cat config/certificates/private.key)

Make sure to gitignore and dockerignore these files.

# deploy.yml
servers:
  web:
    - 127.0.0.1

proxy:
  forward_headers: true
  ssl:
    certificate_pem: CERTIFICATE_PEM
    private_key_pem: PRIVATE_KEY_PEM
  hosts:
    - app-01.example.com
    - app-02.example.com
   ...

I have Cloudflare as WAF and all traffic is proxied via Cloudflare.
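The secrets lines above hand the proxy the full PEM text of the certificate and key, and unlike the Let's Encrypt path nothing renews or re-checks them for you, so it is worth validating the pair before every deploy. The following Ruby script is an added example for this thread, not code from the PR or from Kamal: it builds a constructed self-signed certificate in-process so it runs offline, and the hostnames, the check_custom_ssl helper and its min_days threshold are assumptions of the example. It checks the three things that go wrong in practice: a secret that still holds the variable name instead of PEM text, a key that does not belong to the certificate, and a certificate that does not cover every entry in proxy.hosts or is close to expiry.

```ruby
require "openssl"

# Build a self-signed certificate and key for the given hosts. This is a
# constructed sample so the example runs offline; a real deploy would pass the
# PEM text that .kamal/secrets places in CERTIFICATE_PEM / PRIVATE_KEY_PEM.
def build_sample_pair(hosts:, now: Time.now, days_valid: 90)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for the subjectAltName extension
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hosts.first}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after = now + days_valid * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = hosts.map { |h| "DNS:#{h}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

# A secret that was meant to hold a PEM file but still holds the variable
# name (or an empty string) is the most common way the $(cat ...) step fails.
def looks_like_pem?(value)
  text = value.to_s.strip
  text.start_with?("-----BEGIN") && text.include?("-----END")
end

# Does the private key correspond to the certificate's public key?
def key_matches_cert?(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  cert.check_private_key(key)
rescue OpenSSL::OpenSSLError
  false
end

# Which of the proxy hosts does the certificate not cover (by SAN or CN)?
def uncovered_hosts(cert_pem, hosts)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  hosts.reject { |h| OpenSSL::SSL.verify_certificate_identity(cert, h) }
end

# Days until the certificate expires; negative once it has already expired.
def days_until_expiry(cert_pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  ((cert.not_after - now) / 86_400).floor
end

# Run every check and return a list of problems (empty means safe to deploy).
# hosts mirrors proxy.hosts in deploy.yml; min_days is an assumed threshold
# for the renewal warning, since custom certificates are renewed by hand.
def check_custom_ssl(cert_pem, key_pem, hosts, min_days: 14, now: Time.now)
  problems = []
  problems << "CERTIFICATE_PEM does not contain PEM text" unless looks_like_pem?(cert_pem)
  problems << "PRIVATE_KEY_PEM does not contain PEM text" unless looks_like_pem?(key_pem)
  return problems unless problems.empty?

  problems << "private key does not match the certificate" unless key_matches_cert?(cert_pem, key_pem)
  missing = uncovered_hosts(cert_pem, hosts)
  problems << "certificate does not cover: #{missing.join(', ')}" unless missing.empty?
  days = days_until_expiry(cert_pem, now: now)
  problems << "certificate expires in #{days} days (below #{min_days})" if days < min_days
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hosts matching the deploy.yml shown in the thread; the sample
  # certificate deliberately covers only the first one.
  hosts = ["app-01.example.com", "app-02.example.com"]
  cert_pem, key_pem = build_sample_pair(hosts: [hosts.first])
  # Real usage: check_custom_ssl(ENV["CERTIFICATE_PEM"], ENV["PRIVATE_KEY_PEM"], hosts)
  puts check_custom_ssl(cert_pem, key_pem, hosts).inspect
end
```

Against real secrets, run it with the same environment the deploy uses (for example after sourcing .kamal/secrets) and pass ENV["CERTIFICATE_PEM"] and ENV["PRIVATE_KEY_PEM"]; the hostname check is the one worth wiring into CI, because a certificate that covers app-01 but not a newly added app-02 only shows up as a browser error after the deploy.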

acidtib (Contributor, Author) commented May 14, 2025

@sobanakram This feature is currently deployed on a few production servers, serving up custom Cloudflare origin certs. If you need help setting it up, feel free to ping me; I'm always available on the Kamal Discord server.

@rajraj thank you for testing it!!

# .kamal/secrets.production
CERTIFICATE_PEM=$(kamal secrets extract CERTIFICATE_PEM $SECRETS)
PRIVATE_KEY_PEM=$(kamal secrets extract PRIVATE_KEY_PEM $SECRETS)

# config/deploy.production.yml
servers:
  web:
    hosts:
      - 127.0.0.1
    options:
      memory: 3g
      cpus: 0.8

proxy:
  ssl:
    certificate_pem: CERTIFICATE_PEM
    private_key_pem: PRIVATE_KEY_PEM
  hosts:
    - app.domain.com

rajraj commented May 14, 2025

@acidtib thanks for the PR. It was dead simple to set up once I figured out how to load the secrets. We have deployed to prod as well using Cloudflare origin certificates.

netikular commented

I've also tested this in production, it works super well. Easy to configure and now I don't need to terminate my SSL with an Nginx instance in front of my Kamal deployments.

Gambitboy commented

I've also just deployed this into production and it is working.
Had a special case where the server is running on-prem and lives behind a VPN with a custom certificate for all subdomains of the client, so I couldn't rely on Let's Encrypt.

5 participants