SSL: Inventory¶

Complete inventory of the 23 hosts managed by the cert-server. All certificates are Let's Encrypt, issued via DNS-01/Route53, and renewed automatically every 90 days.

Dev Environment (7 hosts)¶

All dev hosts are Tailscale-only. SSL is terminated directly at the application container.

Host	Domain	Key Type	Service	Reload Command
`gitlab-dev-cwiq-io`	`gitlab.dev.cwiq.io`	ECDSA	GitLab CE	`sudo -u gitlab docker exec gitlab gitlab-ctl hup nginx`
`taiga-dev-cwiq-io`	`taiga.dev.cwiq.io`	ECDSA	Taiga	`sudo -u taiga docker compose -f /data/taiga/docker-compose.yml restart taiga-gateway`
`icinga-dev-cwiq-io`	`icinga.dev.cwiq.io`	ECDSA	Icinga2	`sudo -u icinga docker compose -f /data/icinga/docker-compose.yml restart icingaweb`
`support-dev-cwiq-io`	`support.dev.cwiq.io`	ECDSA	Zammad	`sudo -u zammad docker compose -f /data/zammad/docker-compose.yml restart nginx`
`nexus-dev-cwiq-io`	`nexus.dev.cwiq.io`	ECDSA	Nexus	`sudo -u nexus docker compose -f /data/nexus/docker-compose.yml restart nexus`
`orchestrator-dev-cwiq-io`	`orchestrator.dev.cwiq.io`	ECDSA	Orchestrator	`docker restart orchestrator-nginx`
`open-project-dev-cwiq-io`	`open-project.dev.cwiq.io`	ECDSA	OpenProject	`sudo -u openproject docker compose -f /data/openproject/docker-compose.yml restart nginx`

Dev Certificate Paths on Servers¶

Host	Host Path	Container Mount
`gitlab-dev-cwiq-io`	`/data/ssl/gitlab.dev.cwiq.io/`	`/etc/gitlab/ssl/`
`taiga-dev-cwiq-io`	`/data/ssl/taiga.dev.cwiq.io/`	`/etc/nginx/ssl/`
`icinga-dev-cwiq-io`	`/data/ssl/icinga.dev.cwiq.io/`	Container volume mount
`support-dev-cwiq-io`	`/data/ssl/support.dev.cwiq.io/`	Container volume mount
`nexus-dev-cwiq-io`	`/data/ssl/nexus.dev.cwiq.io/`	Container volume mount
`orchestrator-dev-cwiq-io`	`/data/ssl/orchestrator.dev.cwiq.io/`	`/etc/nginx/ssl/` (orchestrator-nginx)
`open-project-dev-cwiq-io`	`/data/ssl/open-project.dev.cwiq.io/`	Container volume mount

Shared-Services Environment (15 hosts)¶

Shared-services hosts serve a mix of Tailscale-only and public-internet access. Two services — Authentik and GitLab — sit behind ALBs and use ACM instead of direct certificate mounting.

Host	Domain	Key Type	Service	SSL Pattern
`authentik-shared-cwiq-io-1`	`sso.shared.cwiq.io`	RSA	Authentik SSO (HA instance 1)	Direct EC2 + ACM
`authentik-shared-cwiq-io-2`	`sso.shared.cwiq.io`	RSA	Authentik SSO (HA instance 2)	Direct EC2 + ACM
`vault-shared-cwiq-io`	`vault.shared.cwiq.io`	ECDSA	HashiCorp Vault	Direct EC2
`gitlab-shared-cwiq-io`	`gitlab.shared.cwiq.io`	ECDSA	GitLab CE (Production)	ACM only
`nexus-shared-cwiq-io`	`nexus.shared.cwiq.io`	ECDSA	Nexus Repository	Direct EC2
`semaphore-shared-cwiq-io`	`semaphore.shared.cwiq.io`	ECDSA	Semaphore UI	Direct EC2
`grafana-shared-cwiq-io`	`grafana.shared.cwiq.io`	ECDSA	Grafana	Direct EC2
`prometheus-shared-cwiq-io`	`prometheus.shared.cwiq.io`	ECDSA	Prometheus + Alertmanager	Direct EC2
`sonarqube-shared-cwiq-io`	`sonarqube.shared.cwiq.io`	ECDSA	SonarQube	Direct EC2
`icinga-shared-cwiq-io`	`icinga.shared.cwiq.io`	ECDSA	Icinga2 (master)	Direct EC2
`defectdojo-shared-cwiq-io`	`defectdojo.shared.cwiq.io`	ECDSA	DefectDojo	Direct EC2
`reportportal-shared-cwiq-io`	`reportportal.shared.cwiq.io`	ECDSA	ReportPortal	Direct EC2
`openldap-shared-cwiq-io`	`openldap.shared.cwiq.io`	ECDSA	OpenLDAP + phpLDAPadmin	Direct EC2
`langfuse-dev-cwiq-io`	`langfuse.dev.cwiq.io`	ECDSA	LangFuse	Direct EC2

Authentik uses RSA — not ECDSA

sso.shared.cwiq.io is the only domain in the inventory with an RSA key. This is mandatory because AWS Identity Center consumes Authentik as a SAML IdP and requires RSA keys for SAML federation signing. Do not change this to ECDSA.

Authentik: both EC2 and ACM

The Authentik cert is deployed to both HA EC2 instances AND imported to ACM. The ACM cert is used by the Authentik ALB for external sso.shared.cwiq.io access. The EC2 cert is mounted into containers for any internal operations that reference the cert directly.

Shared-Services Reload Commands¶

Host	Reload Command
`authentik-shared-cwiq-io-1`	`sudo -u authentik docker compose -f /data/authentik/docker-compose.yml restart server`
`authentik-shared-cwiq-io-2`	`sudo -u authentik docker compose -f /data/authentik/docker-compose.yml restart server`
`vault-shared-cwiq-io`	`sudo -u vault docker compose -f /data/vault/docker-compose.yml restart`
`gitlab-shared-cwiq-io`	`sudo -u gitlab docker exec gitlab gitlab-ctl hup nginx`
`nexus-shared-cwiq-io`	`sudo -u nexus docker compose -f /data/nexus/docker-compose.yml restart nginx`
`semaphore-shared-cwiq-io`	`sudo -u semaphore docker compose -f /data/semaphore/docker-compose.yml restart nginx`
`grafana-shared-cwiq-io`	`docker restart grafana-nginx`
`prometheus-shared-cwiq-io`	`docker restart prometheus-nginx`
`sonarqube-shared-cwiq-io`	`docker restart sonarqube-nginx`
`defectdojo-shared-cwiq-io`	`docker restart defectdojo-nginx`
`reportportal-shared-cwiq-io`	`docker restart reportportal-nginx`
`openldap-shared-cwiq-io`	`docker restart openldap-nginx`

Shared-Services Certificate Paths¶

Host	Host Path	Container Mount
`authentik-shared-cwiq-io-1/2`	`/data/ssl/sso.shared.cwiq.io/`	Container volume mount
`vault-shared-cwiq-io`	`/data/ssl/vault.shared.cwiq.io/`	Container volume mount
`gitlab-shared-cwiq-io`	`/data/ssl/gitlab.shared.cwiq.io/`	`/etc/gitlab/ssl/`
`nexus-shared-cwiq-io`	`/data/ssl/nexus.shared.cwiq.io/`	Container volume mount
`semaphore-shared-cwiq-io`	`/data/ssl/semaphore.shared.cwiq.io/`	Container volume mount
`grafana-shared-cwiq-io`	`/data/ssl/grafana.shared.cwiq.io/`	`/etc/nginx/ssl/` (grafana-nginx)
`prometheus-shared-cwiq-io`	`/data/ssl/prometheus.shared.cwiq.io/`	`/etc/nginx/ssl/` (prometheus-nginx)
`openldap-shared-cwiq-io`	`/data/ssl/openldap.shared.cwiq.io/`	`/etc/nginx/ssl/` (openldap-nginx)

Demo Environment (1 host)¶

Host	Domain	Key Type	Service	Reload Command
`orchestrator-demo-cwiq-io`	`orchestrator.demo.cwiq.io`	ECDSA	Orchestrator (Demo)	`docker restart orchestrator-nginx`

ACM-Managed Certificates¶

Two domains are imported to AWS ACM for ALB SSL termination in addition to (or instead of) EC2 deployment:

Domain	Key Type	ALB	AWS Account	Region
`sso.shared.cwiq.io`	RSA	Authentik ALB	shared-services (308188966547)	us-west-2
`gitlab.shared.cwiq.io`	ECDSA	GitLab ALB	shared-services (308188966547)	us-west-2

ACM certificates are tagged with ManagedBy=cert-server for identification. See SSL: ACM Import for the import procedure.

Source Paths on Cert-Server¶

All certificates live at /etc/letsencrypt/live/<domain>/ on ansible-shared-cwiq-io:

/etc/letsencrypt/live/
├── gitlab.dev.cwiq.io/
├── taiga.dev.cwiq.io/
├── icinga.dev.cwiq.io/
├── support.dev.cwiq.io/
├── nexus.dev.cwiq.io/
├── orchestrator.dev.cwiq.io/
├── open-project.dev.cwiq.io/
├── sso.shared.cwiq.io/          ← RSA key type
├── vault.shared.cwiq.io/
├── gitlab.shared.cwiq.io/
├── nexus.shared.cwiq.io/
├── semaphore.shared.cwiq.io/
├── grafana.shared.cwiq.io/
├── prometheus.shared.cwiq.io/
├── sonarqube.shared.cwiq.io/
├── icinga.shared.cwiq.io/
├── defectdojo.shared.cwiq.io/
├── reportportal.shared.cwiq.io/
├── openldap.shared.cwiq.io/
├── langfuse.dev.cwiq.io/
└── orchestrator.demo.cwiq.io/

Inventory Summary¶

Environment	Hosts	Domains	Key Types
Dev	7	7	All ECDSA
Shared-Services	13 EC2 hosts (14 entries — Authentik x2)	13 unique	1 RSA (`sso.shared.cwiq.io`), 12 ECDSA
Demo	1	1	ECDSA
Total	21 EC2 hosts	21 unique domains

Note: The "23 hosts" count includes both Authentik HA instances (authentik-shared-cwiq-io-1 and authentik-shared-cwiq-io-2) as separate deployment targets sharing the same sso.shared.cwiq.io domain.

SSL: Architecture — How cert-server manages all certificates centrally
SSL: Renewal and Deployment — Automated renewal and per-service deploy playbooks
SSL: ACM Import — ACM pattern for Authentik and GitLab Shared
Authentik: Architecture — Authentik HA and dual SSL configuration