Yes sure! If acme servers can't join your routers the HTTP challenge can't
be validated.
Maybe it could be nice to add optional support for this in openshift-ansible:
- deploy openshift-acme
- create a route in front of the kubernetes service with the proper
annotation
On Thu, Sep 6, 2018 at 08:27, Daniel Comnea wrote:
> Very nice Mickael !
>
> Just a minor note (although I'm sure you know already) if others bump into
> this thread, this method works for public domains but it won't work if your
> domain is an internal/dev one (i.e. .local).
>
> Dani
>
> On Wed, Sep 5, 2018 at 4:11 PM Mickaël Canévet
> wrote:
>
>> Thanks a lot Tobias,
>>
>> That helped a lot, it's working fine.
>> Now I have a Let's Encrypt certificate for my web console without using
>> an external reverse proxy \o/
>>
>> Kind regards,
>> Mickaël
>>
>> On Wed, Sep 5, 2018 at 13:17, Tobias Florek wrote:
>>
>>> Hi!
>>>
>>> It is certainly possible.
>>>
>>> You already have a "kubernetes" service in the default namespace. You
>>> only need to expose that service's https port with Reencrypt TLS-Policy
>>> and set the kubernetes.io/tls-acme=true annotation.
>>>
>>> Your unsuccessful try was missing the reencrypt tls policy.
>>>
>>> Cheers,
>>> Tobias Florek
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>
>>
>> --
>> « Any society that would give up a little liberty to gain a little
>> security will deserve neither and lose both. »
>> (Benjamin Franklin)
>>
>
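
The route described in this thread, written out as a manifest. This is an added example, not part of the original messages; the route name and hostname are placeholders, and it assumes openshift-acme is already deployed and that the "kubernetes" service names its TLS port "https".

```yaml
# Added example (not from the thread): expose the master API / web console
# through the router so openshift-acme can request a certificate for it.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: master-console               # hypothetical name
  namespace: default                 # namespace of the existing "kubernetes" service
  annotations:
    kubernetes.io/tls-acme: "true"   # annotation named in the thread
spec:
  # Placeholder host. Per the thread, the HTTP challenge only validates if the
  # ACME servers can reach the routers for this name, so an internal-only
  # domain such as .local will not work.
  host: console.example.com
  to:
    kind: Service
    name: kubernetes
  port:
    targetPort: https                # assumed port name on the service
  tls:
    # The setting the unsuccessful attempt was missing: the router terminates
    # TLS with the issued certificate and opens a new TLS connection to the
    # master's HTTPS port.
    termination: reencrypt
```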