
Guide to install and configure Cert Warden

Cert Warden is a centralized client ACME (Automated Certificate Management Environment), designed to simplify SSL/TLS certificate management. It is an open-source solution that provides an API for automating the acquisition, renewal, and distribution of certificates across different systems and services. Cert Warden is designed to simplify certificate management in complex infrastructures, where managing a large number of certificates for different domains or devices is required.

Cert Warden solves the problem of automating certificate management in complex infrastructures, such as Kubernetes clusters, web applications, or IoT devices. Here are the main reasons why it can be useful:

  1. Automation:
  • Cert Warden automates the acquisition, renewal, and distribution of SSL/TLS certificates, eliminating the need for manual management, which can be time-consuming and prone to errors.
  • Supports automatic renewal of certificates before their expiration date, minimizing the risk of downtime due to expired certificates.
  2. Centralized Management:
  • Instead of configuring separate ACME clients on each server, Cert Warden allows managing all certificates from a single place. This is especially convenient in large infrastructures with multiple servers or domains.
  3. Security:
  • Cert Warden uses API keys for client authentication, ensuring secure access to certificates.
  • Supports working with trusted certificate authorities, such as Let’s Encrypt, ensuring the use of valid and recognized certificates.

Installation and configuration of Cert Warden

  1. Create a directory for Cert Warden and open docker-compose.yml for editing

    Terminal window
    mkdir /opt/certwarden && cd /opt/certwarden && nano docker-compose.yml

    Insert the following content:

    docker-compose.yml
    services:
      certwarden:
        container_name: certwarden
        image: ghcr.io/gregtwallace/certwarden:latest
        restart: unless-stopped
        ports:
          - '127.0.0.1:4050:4050'   # bound to localhost only; nginx proxies to it over TLS
        volumes:
          - ./certwarden-data:/app/data
        networks:
          - remnawave-network
        logging:
          driver: 'json-file'
          options:
            max-size: '30m'
            max-file: '5'
    networks:
      remnawave-network:
        name: remnawave-network
        driver: bridge
        external: true
  2. Run Cert Warden

    Terminal window
    cd /opt/certwarden && docker compose up -d && docker compose logs -f
  3. Add Cert Warden to the Remnawave panel's nginx.conf

    Terminal window
    cd /opt/remnawave && nano nginx.conf

    Add the upstream section:

    nginx.conf
    upstream certwarden {
        server 127.0.0.1:4050;
    }

    Add the server section:

    nginx.conf
    server {
        listen 443 ssl;
        server_name certwarden.yourdomain.com; # Don't forget to add a DNS record in Cloudflare
        http2 on;
        ssl_certificate "/etc/nginx/ssl/yourdomain.com/fullchain.pem";
        ssl_certificate_key "/etc/nginx/ssl/yourdomain.com/privkey.pem";
        ssl_trusted_certificate "/etc/nginx/ssl/yourdomain.com/fullchain.pem";
        location / {
            proxy_pass http://certwarden;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
  4. Restart nginx:

    Terminal window
    cd /opt/remnawave && docker compose down remnawave-nginx && docker compose up -d remnawave-nginx
  5. Open the following address in your browser:

    https://certwarden.yourdomain.com
  6. Log in with the default username admin and the default password password

    Cert Warden login
  7. You will be redirected to the main page

    Cert Warden dashboard

  8. Go to the Settings section and change the default password

Adding a challenge provider

  1. Go to the Providers section

  2. Click on New Provider

  3. Select DNS-01 Cloudflare

  4. In the Domains field, enter the domain for which we will be receiving wildcard certificates

  5. In the API Access Method field, select API Token. Instructions for creating a token with Zone:Edit permissions can be found in the official Cloudflare documentation

    Cert Warden New Challenge Provider
  6. Click on the Submit button

Creating a private key for the ACME account

  1. Go to the Private Keys section

  2. Click on New Key

  3. In the Name field, enter the name of the key (for example, ACME)

  4. In the Key Generation Algorithm field, select ECDSA P-384 (recommended algorithm for high security and compatibility)

  5. Check the Disable API Key box

  6. Click on the Submit button

  7. A new window will pop up with our Private Key; click on the Submit button there as well

    Cert Warden New Private Key
Creating an ACME account

  1. Go to the ACME Accounts section

  2. Click on New Account

  3. In the Name field, enter the name of our domain or any other name of your choice

  4. In the Contact E-mail Address field, enter the email to which notifications will be sent

  5. In the ACME Server field, select Let’s Encrypt

  6. In the Private Key field, select your previously created key

  7. Check the Accept ACME Server's Terms of Service box

  8. Click on the Submit button

  9. A window with account data will pop up

    Cert Warden New ACME Account
  10. Click on the REGISTER button; the Account Status should become Valid

  11. Click on the Submit button

Issuing a certificate

  1. Go to the Certificates section

  2. Click on New Certificate

  3. In the Name field, enter the name of our domain or any other name of your choice

  4. In the ACME Account field, select the previously created account

  5. In the Subject (and Common Name) field, enter the second-level domain, for example example.com

  6. Click on the ADD button and, in the Alternate Name 1 field, enter the wildcard domain *.example.com

  7. Click on the Submit button

    Cert Warden New Certificate
  8. A window with ACME Orders will pop up

    Cert Warden ACME Orders

  9. Click on the PLACE NEW ORDER button

  10. Wait for the certificate to be issued. Progress can be tracked in the ACME Queue section; once the domain disappears from the queue, the certificate has been received

  11. Go to the Dashboard section to confirm that the certificate has been received and to see how many days remain until it expires

    Cert Warden Dashboard

Cert Warden Client is a Docker container or application that interacts with the Cert Warden server to automatically acquire and update certificates. It is designed to simplify certificate management on client devices. The client’s main functions include:

  • Automatic certificate acquisition: The client makes GET requests to the Cert Warden API using API keys to retrieve keys and certificates.
  • Certificate updates: The client monitors certificate updates and automatically loads new versions.
  • Docker container restart: If certificates are updated, the client can restart specified Docker containers to pick up the new certificates.

Certwarden Client Installation and Configuration on Remnawave Panel Server

  1. Create a directory for Cert Warden Client

    Terminal window
    mkdir -p /opt/certwardenclient/certs && cd /opt/certwardenclient && nano docker-compose.yml

    Insert the following content:

    docker-compose.yml
    services:
      certwardenclient:
        image: ghcr.io/gregtwallace/certwarden-client:latest
        container_name: certwardenclient
        restart: unless-stopped
        ports:
          - '127.0.0.1:5055:5055'
        volumes:
          # Needed so the client can restart containers; note that access to the Docker
          # socket gives the container full control of the Docker daemon on this host.
          - /var/run/docker.sock:/var/run/docker.sock
          - /opt/certwardenclient/certs:/opt/certwarden/certs
        environment:
          TZ: "Europe/Moscow"   # the update window below is interpreted in this timezone
          CW_CLIENT_FILE_UPDATE_TIME_START: "02:00"
          CW_CLIENT_FILE_UPDATE_TIME_END: "03:00"
          CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK: "Mon Tue Wed Thu Fri Sat Sun"
          CW_CLIENT_RESTART_DOCKER_CONTAINER0: "remnawave-nginx"
          CW_CLIENT_AES_KEY_BASE64: "pLZEc_QvSka8syfQtuTfArblalMKU6C6Ke1uIji0E5g"
          CW_CLIENT_SERVER_ADDRESS: "https://certwarden.example.com"
          CW_CLIENT_KEY_NAME: "example.com"
          CW_CLIENT_KEY_APIKEY: "0UkmZEZK7oieQ6hmz9Fta2obMMZRjAuo"
          CW_CLIENT_CERT_NAME: "example.com"
          CW_CLIENT_CERT_APIKEY: "MkYMf7eXO8aB9xiNKqwvNVcDGKJ0Dg6v"
          CW_CLIENT_CERT_PATH: "/opt/certwarden/certs"
          CW_CLIENT_KEY_PEM_FILENAME: "privkey.pem"
          CW_CLIENT_CERTCHAIN_PEM_FILENAME: "fullchain.pem"
        networks:
          - remnawave-network
        logging:
          driver: 'json-file'
          options:
            max-size: '30m'
            max-file: '5'
    networks:
      remnawave-network:
        name: remnawave-network
        driver: bridge
        external: true
  2. CW_CLIENT_AES_KEY_BASE64 - Specify the key generated in the Certificates -> Post Processing -> Client AES Key section. Click the GENERATE button to obtain the key.

    Cert Warden AES Key
  3. CW_CLIENT_SERVER_ADDRESS - Specify the address of the Cert Warden server (e.g., https://certwarden.example.com)

  4. CW_CLIENT_KEY_NAME - Specify the name of the key created in the Private Keys section.

  5. CW_CLIENT_KEY_APIKEY - Specify the API key created in the Private Keys section.

  6. CW_CLIENT_CERT_NAME - Specify the name of the certificate created in the Certificates section.

  7. CW_CLIENT_CERT_APIKEY - Specify the API key created in the Certificates section.

  8. Run Cert Warden Client

    Terminal window
    cd /opt/certwardenclient && docker compose up -d && docker compose logs -f
  9. The fullchain.pem and privkey.pem files should appear in the /opt/certwardenclient/certs folder

  10. Now mount them into the remnawave-nginx service in the panel's docker-compose.yml

    Terminal window
    cd /opt/remnawave && nano docker-compose.yml

    Add to volumes (do not forget to replace yourdomain.com with your domain):

    docker-compose.yml
    volumes:
      - /opt/certwardenclient/certs/fullchain.pem:/etc/nginx/ssl/yourdomain.com/fullchain.pem
      - /opt/certwardenclient/certs/privkey.pem:/etc/nginx/ssl/yourdomain.com/privkey.pem
  11. Restart nginx

    Terminal window
    cd /opt/remnawave && docker compose down remnawave-nginx && docker compose up -d remnawave-nginx

Certwarden Client Installation and Configuration on Remnawave Node Server

  1. Create a directory for Cert Warden Client

    Terminal window
    mkdir -p /opt/certwardenclient/certs && cd /opt/certwardenclient && nano docker-compose.yml

    Insert the following content:

    docker-compose.yml
    services:
      certwardenclient:
        image: ghcr.io/gregtwallace/certwarden-client:latest
        container_name: certwardenclient
        restart: unless-stopped
        ports:
          - '127.0.0.1:5055:5055'
        volumes:
          # Needed so the client can restart containers; note that access to the Docker
          # socket gives the container full control of the Docker daemon on this host.
          - /var/run/docker.sock:/var/run/docker.sock
          - /opt/certwardenclient/certs:/opt/certwarden/certs
        environment:
          TZ: "Europe/Moscow"   # the update window below is interpreted in this timezone
          CW_CLIENT_FILE_UPDATE_TIME_START: "02:00"
          CW_CLIENT_FILE_UPDATE_TIME_END: "03:00"
          CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK: "Mon Tue Wed Thu Fri Sat Sun"
          CW_CLIENT_RESTART_DOCKER_CONTAINER0: "remnawave-nginx"
          CW_CLIENT_AES_KEY_BASE64: "pLZEc_QvSka8syfQtuTfArblalMKU6C6Ke1uIji0E5g"
          CW_CLIENT_SERVER_ADDRESS: "https://certwarden.example.com"
          CW_CLIENT_KEY_NAME: "example.com"
          CW_CLIENT_KEY_APIKEY: "0UkmZEZK7oieQ6hmz9Fta2obMMZRjAuo"
          CW_CLIENT_CERT_NAME: "example.com"
          CW_CLIENT_CERT_APIKEY: "MkYMf7eXO8aB9xiNKqwvNVcDGKJ0Dg6v"
          CW_CLIENT_CERT_PATH: "/opt/certwarden/certs"
          CW_CLIENT_KEY_PEM_FILENAME: "privkey.pem"
          CW_CLIENT_CERTCHAIN_PEM_FILENAME: "fullchain.pem"
        logging:
          driver: 'json-file'
          options:
            max-size: '30m'
            max-file: '5'
  2. CW_CLIENT_AES_KEY_BASE64 - Specify the key generated in the Certificates -> Post Processing -> Client AES Key section. Click the GENERATE button to obtain the key.

    Cert Warden AES Key
  3. CW_CLIENT_SERVER_ADDRESS - Specify the address of the Cert Warden server (e.g., https://certwarden.example.com)

  4. CW_CLIENT_KEY_NAME - Specify the name of the key created in the Private Keys section.

  5. CW_CLIENT_KEY_APIKEY - Specify the API key created in the Private Keys section.

  6. CW_CLIENT_CERT_NAME - Specify the name of the certificate created in the Certificates section.

  7. CW_CLIENT_CERT_APIKEY - Specify the API key created in the Certificates section.

  8. Run Cert Warden Client

    Terminal window
    cd /opt/certwardenclient && docker compose up -d && docker compose logs -f
  9. The fullchain.pem and privkey.pem files should appear in the /opt/certwardenclient/certs folder

  10. Now mount them into the remnawave-nginx service in the node's docker-compose.yml

    Terminal window
    cd /opt/remnawave && nano docker-compose.yml

    Add to volumes (do not forget to replace yourdomain.com with your domain):

    docker-compose.yml
    volumes:
      - /opt/certwardenclient/certs/fullchain.pem:/etc/nginx/ssl/yourdomain.com/fullchain.pem
      - /opt/certwardenclient/certs/privkey.pem:/etc/nginx/ssl/yourdomain.com/privkey.pem
  11. Restart nginx

    Terminal window
    cd /opt/remnawave && docker compose down remnawave-nginx && docker compose up -d remnawave-nginx
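Once the client has written fullchain.pem and privkey.pem (step 9 in both the panel and node sections above), the following script checks the pair before nginx is restarted against it: the key must match the leaf certificate, the SAN list must contain the apex and wildcard names ordered in the Certificates section, and the certificate must not be close to expiry. It is an added example, not part of this guide or of the Cert Warden project; it assumes openssl is installed, uses the guide's paths and example.com as defaults, and builds a constructed self-signed pair in --demo mode so it can be tried without a live server.

```bash
#!/usr/bin/env bash
# Added check for the fullchain.pem/privkey.pem pair the Cert Warden client writes.
# Usage: check_certs.sh <dir> <domain> [min_days]   or   check_certs.sh --demo
check_certs() {
  dir="$1"; domain="$2"; min_days="${3:-7}"; rc=0
  cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
  for f in "$cert" "$key"; do
    [ -s "$f" ] || { echo "MISSING: $f"; return 1; }
  done
  # 1. privkey.pem must belong to the leaf (first PEM block of fullchain.pem): compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: privkey.pem does not match the certificate in fullchain.pem"; rc=1
  fi
  # 2. The SAN list must cover the apex domain and the wildcard ordered in the Certificates section.
  sans=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
  for name in "$domain" "*.$domain"; do
    case "$sans" in
      *"DNS:$name"*) ;;
      *) echo "FAIL: certificate lacks SAN DNS:$name"; rc=1 ;;
    esac
  done
  # 3. Renewal is automatic, so a certificate near expiry means the client/server sync is broken.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: expires within $min_days days ($(openssl x509 -in "$cert" -noout -enddate))"; rc=1
  fi
  # 4. A private key readable by group/others is reported but not treated as fatal.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in *00) ;; *) echo "WARN: privkey.pem mode is $mode, expected 600" ;; esac
  [ "$rc" -eq 0 ] && echo "OK: $cert is valid for $domain and *.$domain"
  return "$rc"
}
# Constructed demo input: a self-signed ECDSA P-384 pair carrying the same SANs the guide orders.
make_demo_pair() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-384 -nodes -days "${3:-30}" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:*.$2" >/dev/null 2>&1
}
case "${1:-}" in
  --demo) d=$(mktemp -d); make_demo_pair "$d" example.com && check_certs "$d" example.com ;;
  "") echo "usage: $0 <dir> <domain> [min_days] | --demo" ;;
  *) [ -n "${2:-}" ] || { echo "usage: $0 <dir> <domain> [min_days]"; exit 2; }
     check_certs "$1" "$2" "${3:-7}" ;;
esac
```

On a live node run it as check_certs.sh /opt/certwardenclient/certs yourdomain.com; a non-zero exit means nginx should not be restarted until the cause is fixed.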
Accessing Cert Warden only through Netbird

  1. Add the Cert Warden server to Netbird (its installation is described here)

  2. In the Cloudflare control panel, point the DNS record for certwarden.yourdomain.com at the IP address of the Cert Warden server in the Netbird network

    Cert Warden Cloudflare

  3. From now on, to open the Cert Warden page you will need to connect your computer to your network through the Netbird application