SSL/TLS Certificate Management
Current Certificate
| Field | Value |
|---|---|
| Domain | www.hypersdk.cloud + hypersdk.cloud (SAN) |
| CA | Sectigo (via ClickSSL / PositiveSSL DV) |
| CA Order | 2966406867 |
| Valid Until | 2026-10-26 |
| Key Type | RSA |
| Validation | FILE (HTTP DCV) |
File Locations
In this repository (ssl/)
| File | Description |
|---|---|
| ssl/fullchain.crt | Combined chain (server + intermediates + root) |
| ssl/www_hypersdk_cloud.crt | Server certificate only |
| ssl/www_hypersdk_cloud.zip | Original zip from Sectigo |
| ssl/README.md | Detailed cert info and renewal steps |
On the server (185.165.240.5)
| File | Path |
|---|---|
| Private Key | /etc/ssl/hypersdk/hypersdk.cloud.key |
| CSR | /etc/ssl/hypersdk/hypersdk.cloud.csr |
The private key is not stored in this repository.
How Deployment Works
The deploy script handles SSL automatically:
REMOTE_USER=sus ./scripts/deploy.sh 185.165.240.5
- If ssl/fullchain.crt exists locally, it's synced to the remote server
- The private key is copied from /etc/ssl/hypersdk/hypersdk.cloud.key on the server
- Both are baked into the container image at /etc/nginx/ssl/
- If no real cert exists, a self-signed cert is generated as fallback
No manual volume mounting or cert copying needed.
DCV Validation
The Domain Control Validation file is at:
static/.well-known/pki-validation/7B0417071935E3110C64D313E9BFCE9F.txt
Nginx serves .well-known/ over HTTP (no HTTPS redirect) so the CA can validate:
location /.well-known/ {
    root /usr/share/nginx/html;
}
Certificate Renewal
When the certificate expires (2026-10-26):
- Order a new certificate from ClickSSL (same domain, same or new CSR)
- If new CSR needed:
    ssh sus@185.165.240.5
    sudo openssl req -new -newkey rsa:4096 -nodes \
      -keyout /etc/ssl/hypersdk/hypersdk.cloud.key \
      -out /etc/ssl/hypersdk/hypersdk.cloud.csr \
      -subj '/CN=www.hypersdk.cloud'
    cat /etc/ssl/hypersdk/hypersdk.cloud.csr
- Place the new DCV file in static/.well-known/pki-validation/
- Deploy to make it accessible:
    REMOTE_USER=sus ./scripts/deploy.sh 185.165.240.5
- Complete FILE validation on the ClickSSL portal
- Download the new certificate zip
- Extract and rebuild the fullchain:
  Note: intermediate CA names may change on renewal — use whatever files are in the zip, in order: server cert first, then intermediates, then root.
    cd ssl/
    unzip www_hypersdk_cloud.zip
    cat www_hypersdk_cloud.crt \
      SSL2BUYEMEARSADomainValidationSecureServerCA.crt \
      SectigoPublicServerAuthenticationRootR46_USERTrust.crt \
      USERTrustRSACertificationAuthority.crt > fullchain.crt
- Redeploy:
    REMOTE_USER=sus ./scripts/deploy.sh 185.165.240.5
- Verify:
    echo | openssl s_client -connect hypersdk.cloud:443 -servername hypersdk.cloud 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates
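
Added example (not part of this repository's scripts): checks to run between rebuilding fullchain.crt and redeploying. They cover the chain order from the note above, the key/certificate match after a new CSR, both hostnames, and the self-signed fallback that deployment produces when no real cert exists. Function names and the 30-day threshold are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-deploy checks for a rebuilt fullchain.crt.
# Usage (where the private key is readable): preflight ssl/fullchain.crt /path/to/key

# Leaf-first order: each certificate's issuer must equal the next certificate's subject.
chain_order_ok() {   # $1 = bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '/^subject=/ { s = substr($0, 9); if (n++ && s != prev) bad = 1 }
         /^issuer=/  { prev = substr($0, 8) }
         END { exit (n == 0 || bad) }'
}

# The private key must belong to the first (server) certificate in the bundle.
key_matches_cert() {   # $1 = private key, $2 = bundle
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Subject equal to issuer on the first certificate means a self-signed cert,
# which is what the fallback path generates instead of the CA-issued one.
leaf_is_self_signed() {   # $1 = bundle
  [ "$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')" ]
}

# The server certificate must be valid for the given hostname.
covers_host() {   # $1 = bundle, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# The server certificate must still be valid N days from now.
valid_for_days() {   # $1 = bundle, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check, report each failure, return non-zero if any failed.
preflight() {   # $1 = bundle, $2 = private key
  rc=0
  chain_order_ok "$1"        || { echo "FAIL: chain is not server -> intermediates -> root"; rc=1; }
  key_matches_cert "$2" "$1" || { echo "FAIL: private key does not match server certificate"; rc=1; }
  ! leaf_is_self_signed "$1" || { echo "FAIL: server certificate is self-signed"; rc=1; }
  for h in www.hypersdk.cloud hypersdk.cloud; do
    covers_host "$1" "$h"    || { echo "FAIL: $h is not covered by the certificate"; rc=1; }
  done
  valid_for_days "$1" 30     || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  return "$rc"
}
```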
Server Details
- IP: 185.165.240.5
- OS: AlmaLinux 9
- Container Runtime: Podman (rootful)
- Web Server: nginx (inside container)
- Network Mode: --network host