- 📞 [Traefik](https://traefik.io) como proxy reverso / balanceador de carga.
- 🚢 Instruções de _deployment_ usando Docker Compose, incluindo como configurar um proxy frontend com Traefik para gerenciar automaticamente certificados HTTPS.

- 📞 [Traefik](https://traefik.io) como proxy inverso / load balancer.
- 🚢 Instrucciones de despliegue usando Docker Compose, incluyendo cómo configurar un proxy Traefik frontend para manejar certificados HTTPS automáticos.

 */
fun String.decodeCertificatePem(): X509Certificate {
  try {
    val certificateFactory = CertificateFactory.getInstance("X.509")
    val certificates =
      certificateFactory
        .generateCertificates(
          Buffer().writeUtf8(this).inputStream(),
        )

    return certificates.single() as X509Certificate
  } catch (nsee: NoSuchElementException) {
    throw IllegalArgumentException("failed to decode certificate", nsee)

to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The
int specifies how many intermediate certificates are allowed beneath it in the chain.

```java
HeldCertificate rootCertificate = new HeldCertificate.Builder()
    .certificateAuthority(1)
    .build();

 *  * The client's handshake certificates must include a set of trusted root certificates. They will
 *    be used to authenticate the server's certificate chain. Typically this is a set of well-known
 *    root certificates that is distributed with the HTTP client or its platform. It may be
 *    augmented by certificates private to an organization or service.
 *
 * ### Client Authentication
 *

    val heldCertificates = chainOfLength(10)
    val certificates: MutableList<Certificate> = ArrayList()
    for (heldCertificate in heldCertificates) {
      certificates.add(heldCertificate.certificate)
    }
    val root = heldCertificates[heldCertificates.size - 1].certificate
    val cleaner = get(root)
    assertThat(cleaner.clean(certificates, "hostname")).isEqualTo(certificates)

import java.security.cert.X509Certificate;
import okhttp3.Headers;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.tls.Certificates;
import okhttp3.tls.HandshakeCertificates;

public final class CustomTrust {
  // PEM files for root certificates of Comodo and Entrust. These two CAs are sufficient to view
  // https://publicobject.com (Comodo) and https://squareup.com (Entrust). But they aren't

Maintenant, du point de vue d'un développeur, voici plusieurs choses à avoir en tête en pensant au HTTPS :

* Pour le HTTPS, le serveur a besoin de "certificats" générés par une tierce partie.
    * Ces certificats sont en fait acquis auprès de la tierce partie, et non "générés".
* Les certificats ont une durée de vie.
    * Ils expirent.
    * Puis ils doivent être renouvelés et acquis à nouveau auprès de la tierce partie.

  @Suppress("UNCHECKED_CAST")
  @Throws(SSLPeerUnverifiedException::class)
  override fun getPeerCertificates(): Array<Certificate> =
    if (certificates.isEmpty()) {
      throw SSLPeerUnverifiedException("peer not authenticated")
    } else {
      certificates as Array<Certificate>
    }

  @Throws(
    SSLPeerUnverifiedException::class,
  )

    val certificates =
      HandshakeCertificates
        .Builder()
        .addTrustedCertificate(letsEncryptCertificateAuthority)
        .addTrustedCertificate(entrustRootCertificateAuthority)
        .addTrustedCertificate(comodoRsaCertificationAuthority)
        // Uncomment if standard certificates are also required.
        // .addPlatformTrustedCertificates()