
Let's Encrypt certificates

Does anyone have any experience on how best to use Let's Encrypt certificates for an OpenShift Origin cluster?

In one sense this is simple. The Ansible installer can be specified to use this custom certificate and key to sign all the certificates it generates, and doing so ensures you don't get the dreaded "This site is insecure" messages from your browser. And there is a playbook for updating certificates (which is essential as Let's Encrypt certificates are short lived), so this must be automated.

But how best to set this up and automate the certificate generation and renewal?

Let's assume Ansible is being run from a separate machine that is not part of the cluster and needs to deploy those custom certificates to the master(s). The certificate needs to be present on the ansible machine but needs to apply to the master(s) (or load balancer?). So you can't just generate the certificate on the ansible machine (e.g. using the --standalone option for certbot) as it would not be for the right machine.

Similarly it doesn't seem right to request and update the certificates on the master (which master in the case of multiple masters?), and those certificates need to be present on the ansible machine.

Seems like the answer might be to run a process on the ansible machine that requests the certificates using the webroot plugin and in doing so places the magical key that is used to verify ownership of the domain under the https://your.site.com/.well-known/acme-challenge location? But how to go about doing this? Ports 80 and 443 seem to be in use on the cluster, but not serving up any particular content. How to place the content there?

I'm hoping others have already needed to handle this problem and can point to some best practice.
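As an added illustration of the webroot mechanism the post asks about (this is example code, not part of the original message or of OpenShift), the handler below serves HTTP-01 challenge files from a directory on whatever host answers port 80 for the domain, and nothing else: it only responds under /.well-known/acme-challenge/, accepts only the base64url character set ACME tokens use, and returns 404 for any other path or file. The webroot path /var/www/acme is an assumption; certbot's webroot plugin would write the token files into that directory.

```go
package main

import (
	"errors"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ACME HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>.
const challengePrefix = "/.well-known/acme-challenge/"

// challengeFilePath maps a request path to a file under webroot. It rejects
// anything outside the challenge directory and any token containing characters
// outside base64url (letters, digits, '-', '_'), so "..", "/" and friends can
// never reach the filesystem.
func challengeFilePath(webroot, reqPath string) (string, error) {
	if !strings.HasPrefix(reqPath, challengePrefix) {
		return "", errors.New("not an ACME challenge path")
	}
	token := strings.TrimPrefix(reqPath, challengePrefix)
	if token == "" {
		return "", errors.New("empty token")
	}
	for _, c := range token {
		isAlpha := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
		isDigit := c >= '0' && c <= '9'
		if !isAlpha && !isDigit && c != '-' && c != '_' {
			return "", errors.New("invalid token character")
		}
	}
	return filepath.Join(webroot, ".well-known", "acme-challenge", token), nil
}

// ChallengeHandler returns an http.Handler that serves only challenge files
// from webroot; every other request gets a 404 so the port exposes nothing else.
func ChallengeHandler(webroot string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		p, err := challengeFilePath(webroot, r.URL.Path)
		if err != nil {
			http.NotFound(w, r)
			return
		}
		data, err := os.ReadFile(p)
		if err != nil {
			// Missing or unreadable token file: do not leak why.
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		w.Write(data)
	})
}

func main() {
	// Assumed webroot; certbot --webroot -w /var/www/acme would write token files here.
	webroot := "/var/www/acme"
	http.ListenAndServe(":80", ChallengeHandler(webroot))
}
```

Run it on the host that DNS resolves the cluster's public name to (or behind the load balancer's port 80 rule), point certbot's webroot plugin at the same directory, and the renewal can be driven from a cron job or a deploy hook that then hands the new certificate and key to the Ansible playbook.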
