
Re: Let's Encrypt certificates

Hi Tim,

There is a controller that takes care of generating and renewing Let's
Encrypt certificates for you.


That said, it won't generate one for masters, but you can expose the master
API using a Route, and the certificate for that Route would be fully managed
by openshift-acme.

Further integrations might be possible in the future, but this is how you
can get it done now.


On Fri, 2017-08-25 at 16:27 +0100, Tim Dudgeon wrote:
> Does anyone have any experience on how best to use Let's Encrypt
> certificates for an OpenShift Origin cluster?
>
> In one sense this is simple. The Ansible installer can be specified to
> use this custom certificate and key to sign all the certificates it
> generates, and doing so ensures you don't get the dreaded "This site is
> insecure" messages from your browser. And there is a playbook for
> updating certificates (which is essential as Let's Encrypt certificates
> are short lived), so this must be automated.
>
> But how best to set this up and automate the certificate generation and
> renewal?
>
> Let's assume Ansible is being run from a separate machine that is not
> part of the cluster and needs to deploy those custom certificates to the
> master(s). The certificate needs to be present on the Ansible machine
> but needs to apply to the master(s) (or load balancer?). So you can't
> just generate the certificate on the Ansible machine (e.g. using the
> --standalone option for certbot) as it would not be for the right
> machine.
>
> Similarly it doesn't seem right to request and update the certificates
> on the master (which master in the case of multiple masters?), and those
> certificates need to be present on the Ansible machine.
>
> Seems like the answer might be to run a process on the Ansible machine
> that requests the certificates using the webroot plugin and in doing so
> places the magical key that is used to verify ownership of the domain
> under the https://your.site.com/.well-known/acme-challenge location? But
> how to go about doing this? Ports 80 and 443 seem to be in use on the
> cluster, but not serving up any particular content. How to place the
> content there?
>
> I'm hoping others have already needed to handle this problem and can
> point to some best practice.
>
> Thanks
> Tim
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
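To make the reply's suggestion concrete, here is an added example of a Route that opts into openshift-acme management. It is not from the thread and not the project's own sample; the hostname, namespace, Route name, Service name and port are placeholders, and the `kubernetes.io/tls-acme` annotation is the one I understand openshift-acme watches for (treat that as an assumption and confirm it against the controller's documentation before relying on it). The same shape applies to a Route placed in front of the master API, which is what the reply proposes instead of handing Let's Encrypt certificates to the masters directly.

```yaml
# Added example (not from the thread). Placeholders: api.example.com,
# myproject, api-public, my-service, 8080.
apiVersion: v1
kind: Route
metadata:
  name: api-public
  namespace: myproject
  annotations:
    # Opting in: the controller watches Routes carrying this annotation,
    # answers the http-01 challenge for spec.host under
    # /.well-known/acme-challenge/ through the router (so nothing has to
    # be placed on ports 80/443 by hand, and nothing runs on a master),
    # then writes the issued certificate and key into spec.tls and
    # renews them before they expire.
    kubernetes.io/tls-acme: "true"
spec:
  # Must resolve publicly to the router, otherwise validation fails.
  host: api.example.com
  to:
    kind: Service
    name: my-service
  port:
    targetPort: 8080
  tls:
    # TLS ends at the router; openshift-acme fills in
    # spec.tls.certificate and spec.tls.key, so they are left out here.
    termination: edge
    # Send plain-HTTP clients to HTTPS rather than serving them over port 80.
    insecureEdgeTerminationPolicy: Redirect
```

Two checks worth doing after applying it: `oc get route api-public -n myproject -o jsonpath='{.spec.tls.certificate}'` should return a PEM block once the controller has finished (an empty result means the challenge has not been solved yet, so look at the controller's logs and confirm the host resolves to the router), and a Route without the annotation keeps being served with the router's default certificate, which is exactly the case that produces the browser warning Tim describes when that certificate is self-signed.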
