
DNS & SSL Configuration

Configure DNS records and automatic TLS certificate management for ORISO Platform. TLS certificates are automatically managed by cert-manager with Let’s Encrypt.
ORISO Platform v3.0.0 uses cert-manager for automatic TLS certificate management. No manual certificate installation is required.

1. Configure DNS Records

Point DNS records to your server IP for all required subdomains.
# Get server IP
SERVER_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[?(@.type=='InternalIP')].address}")
echo "Server IP: $SERVER_IP"
Required DNS Records: In your DNS provider, create the following A records:

  Subdomain                 Points To    Purpose
  api.oriso-dev.site        $SERVER_IP   Backend API
  app.oriso-dev.site        $SERVER_IP   Frontend application
  admin.oriso-dev.site      $SERVER_IP   Admin panel
  auth.oriso-dev.site       $SERVER_IP   Keycloak authentication
  matrix.oriso-dev.site     $SERVER_IP   Matrix Synapse
  element.oriso-dev.site    $SERVER_IP   Element.io client (optional)
  status.oriso.site         $SERVER_IP   Status page (optional)
Replace oriso-dev.site with your actual domain. DNS propagation may take a few minutes to hours.
Verify DNS resolution:
dig api.oriso-dev.site
nslookup app.oriso-dev.site
Both should return your server IP.

2. Verify Cert-Manager Setup

Ensure cert-manager and ClusterIssuer are configured.
# Check cert-manager pods
kubectl get pods -n cert-manager

# Check ClusterIssuer
kubectl get clusterissuer letsencrypt-prod

# Verify ClusterIssuer is ready
kubectl describe clusterissuer letsencrypt-prod
  • cert-manager pods should be Running
  • ClusterIssuer should show Ready=True
If ClusterIssuer is not configured, see Setup Kubernetes.

3. Deploy Ingress Resources

Deploy Ingress resources with TLS annotations. Certificates will be issued automatically.
cd ~/online-beratung/caritas-workspace/ORISO-Kubernetes/ingress

# Deploy all Ingress resources
kubectl apply -f .

# Check Ingress resources
kubectl get ingress -n caritas

# Check certificate requests
kubectl get certificaterequest -n caritas
When an Ingress resource is created with the cert-manager.io/cluster-issuer: letsencrypt-prod annotation, cert-manager automatically:
  1. Creates a CertificateRequest
  2. Issues the certificate via the Let’s Encrypt HTTP-01 challenge
  3. Stores the certificate in a Kubernetes Secret
  4. The Ingress uses that Secret for TLS
After a few minutes, certificates should be issued:
kubectl get certificate -n caritas
All certificates should show Ready=True.
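As an added illustration (not a manifest from the ORISO-Kubernetes repository), here are the two resources this step depends on: the letsencrypt-prod ClusterIssuer with an HTTP-01 solver, and an Ingress for the api subdomain carrying the cert-manager.io/cluster-issuer annotation, whose spec.tls secretName is the Secret that later appears in kubectl get secret -n caritas. The ClusterIssuer contact email, the ingress class name nginx, and the backend Service name and port are assumptions; the namespace caritas and the host name come from this page.

```yaml
# Added example; not from the ORISO-Kubernetes repository.
# ClusterIssuer referenced by the Ingress annotation below. It is normally
# created during the Setup Kubernetes step; shown here so the HTTP-01
# dependency (port 80 reachable from the internet) is visible.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                # assumption: use a monitored mailbox for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key; cert-manager stores it as a Secret
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx       # assumption: ingress-nginx serves the challenge
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: caritas
  annotations:
    # Tells cert-manager (ingress-shim) to create a Certificate for the hosts in spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Redirect plain HTTP to HTTPS so clients never use the API unencrypted
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.oriso-dev.site
      secretName: api-oriso-dev-site-tls  # Secret cert-manager writes the issued cert into
  rules:
    - host: api.oriso-dev.site
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backend-api         # assumption: name and port of the API Service
                port:
                  number: 8080
```

The ACME challenge path /.well-known/acme-challenge/ is served by a temporary solver Ingress that cert-manager creates without TLS, so the ssl-redirect annotation on the application Ingress does not interfere with issuance.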

4. Verify TLS Certificates

Verify certificates are issued and working.
# Check certificates
kubectl get certificate -n caritas

# Check certificate details
kubectl describe certificate <cert-name> -n caritas

# Test HTTPS endpoints
curl -I https://app.oriso-dev.site
curl -I https://api.oriso-dev.site
curl -I https://auth.oriso-dev.site

# Check certificate validity
echo | openssl s_client -servername app.oriso-dev.site -connect app.oriso-dev.site:443 2>/dev/null | openssl x509 -noout -dates
  • Certificates should be Ready=True
  • HTTPS endpoints should return HTTP 200
  • Certificate should be valid (not expired)

TLS Certificate Management

Automatic Issuance

Cert-manager automatically issues certificates when:
  1. Ingress resource is created with cert-manager.io/cluster-issuer annotation
  2. DNS records point to server IP
  3. HTTP-01 challenge can be completed (port 80 accessible)

Certificate Renewal

Certificates are automatically renewed by cert-manager before expiration:
  • Renewal: 30 days before expiration
  • Automatic: No manual intervention required
  • Monitoring: Check certificate status regularly

Certificate Status

# Check all certificates
kubectl get certificate -n caritas

# Check certificate age
kubectl get certificate -n caritas -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.notAfter}{"\n"}{end}'

# Check certificate requests
kubectl get certificaterequest -n caritas

Troubleshooting

DNS Not Resolving

# Test DNS resolution
dig api.oriso-dev.site
nslookup app.oriso-dev.site

# Check DNS propagation
# Use online tools: https://dnschecker.org

# Verify DNS points to correct IP
curl -I http://api.oriso-dev.site

Certificate Not Issued

# Check certificate request
kubectl get certificaterequest -n caritas
kubectl describe certificaterequest <name> -n caritas

# Check cert-manager logs
kubectl logs -n cert-manager -l app=cert-manager

# Check ClusterIssuer
kubectl describe clusterissuer letsencrypt-prod

# Verify HTTP-01 challenge
curl http://api.oriso-dev.site/.well-known/acme-challenge/test

Certificate Expired

# Check certificate expiration
kubectl get certificate -n caritas -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.notAfter}{"\n"}{end}'

# Force renewal (delete certificate, cert-manager will recreate)
kubectl delete certificate <cert-name> -n caritas
kubectl get certificate -n caritas  # Should recreate automatically

HTTPS Not Working

# Check Ingress TLS configuration
kubectl get ingress -n caritas -o yaml | grep -A 5 tls

# Check certificate secret
kubectl get secret -n caritas | grep tls

# Check Ingress Controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller | grep tls

DNS Configuration Examples

Cloudflare

  1. Add A records in Cloudflare DNS
  2. Set proxy status (orange cloud) if using Cloudflare proxy
  3. SSL/TLS mode: Full (strict) for HTTPS

Route53

  1. Create A records in Route53 hosted zone
  2. Point to server IP
  3. TTL: 300 seconds (5 minutes)

Other Providers

  1. Add A records pointing to server IP
  2. Wait for DNS propagation
  3. Verify with dig or nslookup

Next Steps