torrust · josecelano · Jul 31, 2025 · Jul 29, 2025 · Jul 29, 2025 · Jul 30, 2025
diff --git a/application/compose.yaml b/application/compose.yaml
@@ -27,9 +27,12 @@ services:
     volumes:
       - /var/lib/torrust/proxy/webroot:/var/www/html
       - /var/lib/torrust/proxy/etc/nginx-conf:/etc/nginx/conf.d
+      - /var/lib/torrust/proxy/certs:/etc/ssl/certs
+      - /var/lib/torrust/proxy/private:/etc/ssl/private
       - /var/lib/torrust/certbot/etc:/etc/letsencrypt
+      - /var/lib/torrust/certbot/webroot:/var/lib/torrust/certbot/webroot
       - /var/lib/torrust/certbot/lib:/var/lib/letsencrypt
-      - /var/lib/torrust/dhparam:/etc/ssl/certs
+      - /var/lib/torrust/dhparam:/etc/ssl/dhparam
     logging:
       options:
         max-size: "10m"

diff --git a/application/docs/deployment.md b/application/docs/deployment.md
@@ -53,7 +53,58 @@ If you need to manually deploy on the server:
    docker compose --env-file /var/lib/torrust/compose/.env up -d
    ```
 
-## 3. Verification and Smoke Testing
+## 3. SSL Certificate Management
+
+### Certificate Generation Strategy
+
+The deployment process generates SSL certificates on each deployment rather than
+reusing certificates. This approach provides several advantages:
+
+#### Why Generate Certificates Per Deployment?
+
+1. **Production Flexibility**: Different environments use different domains:
+
+   - Local testing: `test.local`
+   - Staging: `staging.example.com`
+   - Production: `tracker.torrust-demo.com`
+
+2. **Certificate Validity**: Self-signed certificates are domain-specific and must
+   exactly match the domain being used in each deployment environment.
+
+3. **Security Best Practices**: Fresh certificates for each deployment ensure no
+   stale or leaked credentials are reused.
+
+4. **Workflow Consistency**: The same deployment process works across all
+   environments without manual certificate management or copying certificates
+   between systems.
+
+5. **Zero Configuration**: No need to maintain a certificate store or handle
+   certificate distribution between development and production environments.
+
+#### Certificate Types by Environment
+
+- **Local/Testing**: Self-signed certificates with 10-year validity (for convenience in testing)
+- **Production**: Let's Encrypt certificates (automatically renewed)
+
+#### Implementation Details
+
+The certificate generation happens during the application deployment phase
+(`make app-deploy`) and includes:
+
+1. **Self-signed certificates**: Generated using OpenSSL with domain-specific
+   Subject Alternative Names (SAN)
+2. **Certificate placement**: Stored in `/var/lib/torrust/proxy/certs/` and
+   `/var/lib/torrust/proxy/private/` on the target server
+3. **Container mounting**: Certificates are mounted into nginx container at runtime
+4. **Automatic configuration**: nginx configuration is automatically templated
+   with the correct certificate paths
+
+While it would be possible to reuse certificates for local testing (since we
+always use `test.local`), this approach ensures that the deployment workflow is
+identical between local testing and production, reducing the chance of
+environment-specific issues.
+
+## 4. Verification and Smoke Testing
 
 After deployment, verify that all services are running correctly.
 

diff --git a/application/share/bin/shell-utils.sh b/application/share/bin/shell-utils.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# Application-specific shell utilities for Torrust Tracker Demo
+# Common logging functions for application scripts
+#
+# Usage:
+#   # Source this file in your script:
+#   source "$(dirname "${BASH_SOURCE[0]}")/shell-utils.sh"
+#
+#   # Use logging functions:
+#   log_info "This is an info message"
+#   log_success "Operation completed successfully"
+#   log_warning "This is a warning"
+#   log_error "This is an error"
+#   log_section "Major Section Title"
+
+# Application shell utilities - can be sourced multiple times safely
+export APP_SHELL_UTILS_LOADED=1
+
+# Colors for output
+export RED='\033[0;31m'
+export GREEN='\033[0;32m'
+export YELLOW='\033[1;33m'
+export BLUE='\033[0;34m'
+export CYAN='\033[0;36m'
+export MAGENTA='\033[0;35m'
+export WHITE='\033[1;37m'
+export NC='\033[0m' # No Color
+
+# Core logging function
+log() {
+    local message="$1"
+    echo -e "${message}"
+}
+
+# Logging functions with standardized prefixes and colors
+log_info() {
+    log "${BLUE}[INFO]${NC} $1"
+}
+
+log_success() {
+    log "${GREEN}[SUCCESS]${NC} $1"
+}
+
+log_warning() {
+    log "${YELLOW}[WARNING]${NC} $1"
+}
+
+log_error() {
+    log "${RED}[ERROR]${NC} $1"
+}
+
+log_debug() {
+    if [[ "${DEBUG:-false}" == "true" ]]; then
+        log "${CYAN}[DEBUG]${NC} $1"
+    fi
+}
+
+# Section header logging - displays a prominent section separator
+log_section() {
+    log ""
+    log "${BLUE}===============================================${NC}"
+    log "${BLUE}$1${NC}"
+    log "${BLUE}===============================================${NC}"
+}
+
+# Check if command exists
+command_exists() {
+    command -v "$1" >/dev/null 2>&1
+}