[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Let's Encrypt certificates



Hi Tim,

there is a controller to take care about generating and renewing Let's
Encrypt certificates for you.

https://github.com/tnozicka/openshift-acme

That said it won't generate it for masters but you can expose master
API using Route and certificate for that Route would be fully managed
by openshift-acme.

Further integrations might be possible in future but this is how you
can get it done now.

Regards,
Tomas


On Fri, 2017-08-25 at 16:27 +0100, Tim Dudgeon wrote:
> Does anyone have any experience on how best to use Let' Encrypt 
> certificates for an OpenShift Origin cluster?
> 
> In once sense this is simple. The Ansible installer can be specified
> to 
> use this custom certificate and key to sign all the certificates it 
> generates, and doing so ensures you don't get the dreaded "This site
> is 
> insecure" messages from your browser. And there is a playbook for 
> updating certificates (which is essential as Let' Encrypt
> certificates 
> are short lived) so this must be automated.
> 
> But how best to set this up and automate the certificate generation
> and 
> renewal?
> 
> Let's assume Ansible is being run from a separate machine that is
> not 
> part of the cluster and needs to deploy those custom certificates to
> the 
> master(s). The certificate needs to be present on the ansible
> machine 
> but needs to apply to the master(s) (or load balancer?). So you
> can't 
> just generate the certificate on the ansible machine (e.g. using  
> --standalone option for certbot) as it would not be for the right
> machine.
> 
> Similarly it doesn't seem right to request and update the
> certificates 
> on the master (which master in the case of multiple masters?), and
> those 
> certificates need to be present on the ansible machine.
> 
> Seems like the answer might be to run a process on the ansible
> machine 
> that requests the certificates using the webroot plugin and in doing
> so 
> places the magical key that is used to verify ownership of the
> domain 
> under the https://your.site.com/.well-known/acme-challenge location?
> But 
> how to go about doing this? Ports 80 and 443 seem to be in use on
> the 
> cluster, but not serving up any particular content. How to place the 
> content there?
> 
> I'm hoping others have already needed to handle this problem and can 
> point to some best practice.
> 
> Thanks
> Tim
> 
> 
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]