SSL/TLS Certificates
By default, the Xsolla Backend engine enables SSL/TLS for all HTTP traffic and uses HTTP Strict Transport Security (HSTS). While support for SSL and HSTS can be disabled, doing so is strongly discouraged.
SSL certificates from any certificate authority, including self-signed certificates, can be installed for use by the platform. However, for simplicity and security, Xsolla Backend comes with native support for Let’s Encrypt certificates.
To use a Let’s Encrypt certificate, it is recommended to install cert-manager on the Kubernetes cluster.
Cert Manager
cert-manager is a great tool for generating SSL/TLS certificates from a variety of certificate authorities, including Let’s Encrypt.
The following commands can be used to install cert-manager with a default configuration for Let’s Encrypt:
Installation
# Add the Jetstack chart repository and install cert-manager with its CRDs.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --set ingressShim.defaultIssuerName=letsencrypt-prod \
  --set ingressShim.defaultIssuerKind=ClusterIssuer

# Define the cluster-wide issuer referenced by the ingressShim defaults above.
cat << EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <EMAIL>
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    # HTTP-01 domain validation served through the nginx ingress class
    - http01:
        ingress:
          class: nginx
EOF
The above commands install cert-manager on the Kubernetes cluster and define a default cluster-wide certificate issuer that uses the default HTTP domain validation method. Make sure to replace <DOMAIN> and <EMAIL> with appropriate values for your situation.
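A post-install check for the setup above, added here as an example and not part of the Xsolla documentation: it confirms that the `letsencrypt-prod` ClusterIssuer reports Ready and that a response still carries an HSTS header with a long enough `max-age`. The function names, the `KUBECTL` override and the 180-day minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verification helpers for the cert-manager / HSTS setup.
# KUBECTL can be overridden (assumption of this example) to point at a
# wrapper or a stub; by default the real kubectl is used.
KUBECTL="${KUBECTL:-kubectl}"

# Succeeds only if the named ClusterIssuer has condition Ready=True,
# meaning the ACME account was registered with the configured server.
issuer_ready() {
  issuer_status="$("$KUBECTL" get clusterissuer "$1" \
    -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}' \
    2>/dev/null)" || return 1
  [ "$issuer_status" = "True" ]
}

# Reads raw HTTP response headers on stdin and prints the HSTS max-age in
# seconds. Fails if the header is missing or carries no max-age directive.
hsts_max_age() {
  tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ {
      if (match(tolower($0), /max-age="?[0-9]+/)) {
        v = substr($0, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", v)
        print v
        found = 1
        exit
      }
    }
    END { exit !found }'
}

# Succeeds if the headers on stdin carry HSTS with max-age >= $1 seconds.
# The default of 15552000 (180 days) is an assumed policy, not a value
# taken from the Xsolla documentation.
hsts_ok() {
  hsts_age="$(hsts_max_age)" || return 1
  [ "$hsts_age" -ge "${1:-15552000}" ]
}

# Usage against a live deployment (replace <DOMAIN> as in the text above):
#   issuer_ready letsencrypt-prod && echo "issuer ready"
#   curl -sI "https://<DOMAIN>/" | hsts_ok 15552000 && echo "HSTS ok"
```

A failing `hsts_ok` after a configuration change is an early sign that SSL or HSTS support has been disabled on the platform.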