SSL Certificates

Certificate Sources

Domain	Provider	Validity	Auto-Renewal
`tiny-agents.kovacova.ca` (frontend)	AWS ACM	~13 months	AWS managed
`api.tiny-agents.kovacova.ca`	Let’s Encrypt	90 days	Traefik
`auth.tiny-agents.kovacova.ca`	Let’s Encrypt	90 days	Traefik

How Auto-Renewal Works

Frontend (ACM): Fully managed by AWS, zero action required.

Backend (Traefik + Let’s Encrypt):

Traefik requests cert via ACME HTTP challenge
Checks daily, renews when < 30 days remaining
Certs stored in Docker volume (traefik-certs:/letsencrypt)

Monitoring

SRE Dashboard shows SSL status (green/yellow/red)
Manual check:

echo | openssl s_client -servername api.tiny-agents.kovacova.ca \
  -connect api.tiny-agents.kovacova.ca:443 2>/dev/null | \
  openssl x509 -noout -dates

Troubleshooting

Cert not renewing: Check docker compose logs traefik | grep -i acme
Traefik crash during renewal: docker compose up -d traefik
Rate limits: 50 certs/domain/week. Use staging CA for testing.