The default installation of Banzai Cloud Pipeline generates a self-signed server certificate to start serving HTTPS requests as soon as possible. This setup, however, causes a warning in web browsers, which can be accepted during evaluation, but it’s not production-ready.

To obtain a TLS certificate you should either let your local certificate authority issue it, or acquire it from a public CA.

You may want to set the final domain name of the deployment before configuring TLS.

Custom certificates

To set up a certificate, prepare the certificate and the private key in PEM format. Your certificate authority should explain you all the steps needed for this.

You should check the common name (CN) field of the subject, and the subject alternative name (SAN) records with the openssl x509 -text -in cert.pem command. If you have a certificate chain, append that to the end of the certificate.

Encode the PEM formatted certificate and key to a single-line base64 string with the base64 command (base64 -w0 with the GNU version), and use the following snippet in your values.yaml file:

traefik:
  ssl:
    defaultKey: aabbccdd
    defaultCert: AABBCCDD
    generateTLS: false

To update the deployment, run banzai pipeline up [--workspace=default].