This guide covers the complete process of renewing SSL certificates using Let’s Encrypt and deploying them through Docker Traefik services.

Prerequisites

Before starting the renewal process, ensure you have:

Repository Access

Access to the infrastructure Git repository
Repository: https://git.wthr.ws/devops/infrastructure

SSH Access

SSH access configured to swarm cluster servers (check ~/.ssh/config)

Docker Registry

Access to push images to the Docker registry
Registry: registry.docker.devops.arabiaweather.com

Managed Domains

The following domains are included in the SSL certificate renewal process:
LETS_ENCRYPT_CERTS=(
  'api.mobile.devops.arabiaweather.com'
  'media.devops.arabiaweather.com'
  'meteoweather.global'
  'forum.arabiaweather.com'
  'safi-app.com'
  'ard.co'
  'internal.ard.co'
  'devops.arabiaweather.com'
  'arabiaweather.com'
)

Renewal Process

1. Access the Infrastructure Repository

Clone or navigate to the infrastructure repository:
git clone https://git.wthr.ws/devops/infrastructure
cd infrastructure
If you already have the repository cloned, navigate to it and pull the latest changes.
2. Run the Renewal Script

Execute the renew.sh script to generate new certificates:
./renew.sh
The script will:
  • Generate new Let’s Encrypt certificates for all domains in LETS_ENCRYPT_CERTS
  • Create a Docker Traefik image containing the updated certificates
  • Prepare the image for deployment
Ensure you have sufficient disk space and network connectivity before running the script. The process may take several minutes.
3. Tag the Docker Image

After the script completes, tag the generated Traefik image with an appropriate version tag:
docker tag <generated-image> registry.docker.devops.arabiaweather.com/traefik:2025.11.01-2
Replace 2025.11.01-2 with the current date and version number. The format is typically YYYY.MM.DD-V where V is a version number.
4. Push to Docker Registry

Push the tagged image to the Docker registry:
docker push registry.docker.devops.arabiaweather.com/traefik:2025.11.01-2
5. Connect to Swarm Cluster

SSH to one of the swarm cluster servers. Based on your SSH config, use:
ssh swarm-n01
# or
ssh swarm-n02
# or
ssh swarm-n03
The swarm cluster servers are configured in ~/.ssh/config:
  • swarm-n01 → 94.130.164.122
  • swarm-n02 → 94.130.205.92
  • swarm-n03 → 46.4.20.188
6. Update Docker Services

Update both Traefik services with the new image:
docker service update --image=registry.docker.devops.arabiaweather.com/traefik:2025.11.01-2 infra-traefik_traefik_init

docker service update --image=registry.docker.devops.arabiaweather.com/traefik:2025.11.01-2 infra-traefik_traefik
The service update will cause a brief interruption. Monitor the service status to ensure it restarts successfully.
7. Verify Deployment

Verify that the services are running with the new image:
docker service ps infra-traefik_traefik_init
docker service ps infra-traefik_traefik
Check that the image version matches the one you deployed.
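
The image check in step 7 can be scripted instead of read by eye. The following is an added example, not part of the infrastructure repository: `check_tasks` and the sample data are hypothetical, the older tag and digest are constructed, and it assumes the service's tasks are meant to stay running.

```bash
#!/usr/bin/env bash
# Added example: verify step 7 from `docker service ps` output.
# On a swarm manager, feed the function with:
#   docker service ps --format '{{.Image}}|{{.DesiredState}}|{{.CurrentState}}' SERVICE

# check_tasks EXPECTED_IMAGE   (task lines on stdin, fields separated by '|')
# Succeeds only if at least one task is wanted Running and every such task is
# in the Running state on EXPECTED_IMAGE. Old Shutdown rows are ignored.
check_tasks() {
  local expected="$1" image desired current running=0 bad=0
  while IFS='|' read -r image desired current; do
    [ "$desired" = "Running" ] || continue    # history rows of replaced tasks
    image="${image%%@sha256:*}"               # drop a pinned digest if present
    if [ "$image" != "$expected" ]; then
      echo "stale image: $image" >&2; bad=1
    elif [ "${current%% *}" != "Running" ]; then
      echo "not running yet: $current" >&2; bad=1
    else
      running=$((running + 1))
    fi
  done
  [ "$bad" -eq 0 ] && [ "$running" -gt 0 ]
}

# Image tag from the steps above, plus a constructed older tag for the samples.
NEW=registry.docker.devops.arabiaweather.com/traefik:2025.11.01-2
OLD=registry.docker.devops.arabiaweather.com/traefik:2025.08.01-1

# Constructed sample: the new task is up, the old one was shut down.
sample_ok() {
  printf '%s\n' \
    "$NEW@sha256:0000|Running|Running 2 minutes ago" \
    "$OLD|Shutdown|Shutdown 2 minutes ago"
}
# Constructed sample: one replica is still on the old image (update stalled).
sample_stale() {
  printf '%s\n' \
    "$NEW|Running|Running 1 minute ago" \
    "$OLD|Running|Running 3 months ago"
}

sample_ok | check_tasks "$NEW" && echo "OK: all running tasks use $NEW"
sample_stale | check_tasks "$NEW" || echo "FAIL: rollout incomplete"
```

A non-zero exit means a task is still serving from the previous image, and therefore the previous certificates, or has not reached the Running state.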

Next Steps

After completing the Docker service updates, you need to synchronize certificates across additional platforms:
  • Upload certificates to multiple Bunny CDN hostnames (see the Bunny CDN Guide).