✅ SSL Certificates Setup Complete¶

Date: 2026-02-03T19:37:00Z
Status: ✅ PRODUCTION CERTIFICATES ACTIVE

Certificates Issued¶

matrix.capivaraonline.com
mundix.capivaraonline.com

Details¶

Issuer: Let's Encrypt (E7)
Type: ECDSA
Serial: 6807de297957314409c76e0fb87336f077c
Valid From: 2026-02-03 18:39:26 GMT
Valid Until: 2026-05-04 18:39:25 GMT (89 days)
Auto-Renewal: ✅ Enabled (certbot.timer)

File Locations¶

Production Certificates¶

/etc/letsencrypt/live/matrix.capivaraonline.com/
 fullchain.pem  (certificate + chain)
 privkey.pem    (private key)
 cert.pem       (certificate only)
 chain.pem      (CA chain)

Docker Symlinks¶

/opt/mundix/infra/ssl/
 matrix-fullchain.pem -> /etc/letsencrypt/live/matrix.capivaraonline.com/fullchain.pem
 matrix-privkey.pem   -> /etc/letsencrypt/live/matrix.capivaraonline.com/privkey.pem
 README.md

Verification¶

HTTPS Working ✅¶

$ curl -I https://matrix.capivaraonline.com
HTTP/2 301
server: nginx/1.22.1

$ curl -I https://mundix.capivaraonline.com  
HTTP/2 301
server: nginx/1.22.1

Auto-Renewal Active ✅¶

$ systemctl status certbot.timer
Active: active (waiting)
Trigger: Tue 2026-02-03 21:48:05 UTC

Usage in MundiX Project¶

For Synapse (Matrix Server)¶

Mount certificates in infra/core/docker-compose.yml:

synapse:
  volumes:
    - /etc/letsencrypt/live/matrix.capivaraonline.com:/certs:ro
  environment:
    - SYNAPSE_SERVER_NAME=capivaraonline.com
    - SYNAPSE_TLS_CERTIFICATE_PATH=/certs/fullchain.pem
    - SYNAPSE_TLS_PRIVATE_KEY_PATH=/certs/privkey.pem

For Frontend (mundix.capivaraonline.com)¶

Use symlinks in infra/agents/docker-compose.yml:

frontend:
  volumes:
    - /opt/mundix/infra/ssl:/ssl:ro
  environment:
    - SSL_CERT=/ssl/matrix-fullchain.pem
    - SSL_KEY=/ssl/matrix-privkey.pem

For Nginx/Traefik¶

Direct mount:

volumes:
  - /etc/letsencrypt:/etc/letsencrypt:ro

Quick Commands¶

Check Certificate Status¶

certbot certificates

Test Renewal¶

certbot renew --dry-run

Force Renewal (if needed)¶

certbot renew --force-renewal

View Certificate Details¶

openssl x509 -in /etc/letsencrypt/live/matrix.capivaraonline.com/fullchain.pem -noout -text

Auto-Renewal Details¶

Timer: certbot.timer (systemd)
Frequency: Twice daily
Threshold: 30 days before expiry
Next Check: See systemctl status certbot.timer

Post-Renewal Hook (Optional)¶

To restart services after renewal:

cat > /etc/letsencrypt/renewal-hooks/post/restart-mundix.sh << 'HOOK'
#!/bin/bash
docker-compose -f /opt/mundix/infra/core/docker-compose.yml restart synapse
docker-compose -f /opt/mundix/infra/agents/docker-compose.yml restart frontend
systemctl reload nginx
HOOK

chmod +x /etc/letsencrypt/renewal-hooks/post/restart-mundix.sh

Next Steps¶

You can now proceed with:

✅ Deploy Matrix (Synapse) at matrix.capivaraonline.com
Use certificates from /etc/letsencrypt/live/matrix.capivaraonline.com/
✅ Deploy MundiX Frontend at mundix.capivaraonline.com
Use symlinks from /opt/mundix/infra/ssl/
✅ Configure Reverse Proxy (Traefik/Nginx)
Certificates ready for TLS termination

Documentation¶

Full documentation: /opt/mundix/infra/ssl/README.md

Status: ✅ SSL SETUP COMPLETE - READY FOR DEPLOYMENT