Does anyone have any experience on how best to use Let's Encrypt
certificates for an OpenShift Origin cluster?
In one sense this is simple. The Ansible installer can be specified to
use this custom certificate and key to sign all the certificates it
generates, and doing so ensures you don't get the dreaded "This site is
insecure" messages from your browser. And there is a playbook for
updating certificates (which is essential as Let's Encrypt certificates
are short-lived), so this must be automated.
But how best to set this up and automate the certificate generation and
renewal?
Let's assume Ansible is being run from a separate machine that is not
part of the cluster and needs to deploy those custom certificates to the
master(s). The certificate needs to be present on the ansible machine
but needs to apply to the master(s) (or load balancer?). So you can't
just generate the certificate on the ansible machine (e.g. using the
--standalone option for certbot) as it would not be for the right machine.
Similarly it doesn't seem right to request and update the certificates
on the master (which master in the case of multiple masters?), and those
certificates need to be present on the ansible machine.
Seems like the answer might be to run a process on the ansible machine
that requests the certificates using the webroot plugin and in doing so
places the magical key that is used to verify ownership of the domain
under the https://your.site.com/.well-known/acme-challenge location? But
how to go about doing this? Ports 80 and 443 seem to be in use on the
cluster, but not serving up any particular content. How to place the
content there?
I'm hoping others have already needed to handle this problem and can
point to some best practice.
Thanks
Tim
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
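The "magical key" the post refers to is the HTTP-01 key authorization from RFC 8555 (section 8.1 and 8.3): the server-issued token, a dot, and the base64url SHA-256 thumbprint of the ACME account's public key (RFC 7638). The ACME validator fetches `http://<domain>/.well-known/acme-challenge/<token>` over plain HTTP on port 80 and compares the body with that string. The block below is an added example, not code from the post, from OpenShift or from certbot; it models what certbot's webroot plugin writes and what the validator checks, using a local temporary directory in place of the directory the router or web server on the master would have to serve. The account JWK, token and webroot location are constructed values, not real keys or a real deployment; whatever serves port 80 on the cluster still has to be configured to return this file, which the example does not do.

```python
"""HTTP-01 challenge mechanics (RFC 8555 s.8.1/8.3, RFC 7638 thumbprint).

Added example, not from the mailing-list post. ACCOUNT_JWK is a constructed
toy RSA public key (not a real ACME account key) and TOKEN is a constructed
token; both exist only so the example runs offline.
"""
import base64
import hashlib
import json
import os
import tempfile

# Constructed values for the example (assumption, not real ACME data).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xjZ0fF0sb3rM9pKfEXAMPLEonlyNotARealModulus2vQpS7k9WtLmHqB4c",
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
    "alg": "RS256",                        # ignored by the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the *required* members only,
    keys sorted lexicographically, no whitespace. Extra members such as
    'kid' or 'alg' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.1: keyAuthorization = token || '.' || base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Filesystem location behind http://<domain>/.well-known/acme-challenge/<token>."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def place_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """What certbot's webroot plugin does: write the key authorization where
    the web server will serve it, and return the path written."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def validator_accepts(webroot: str, token: str, account_jwk: dict) -> bool:
    """Model of the ACME server's check. It already knows the token and the
    account key it issued the challenge to; it fetches the URL and accepts
    only if the body (trailing whitespace ignored) equals the expected
    key authorization. Here the HTTP fetch is replaced by a file read."""
    try:
        with open(challenge_path(webroot, token), encoding="ascii") as fh:
            body = fh.read()
    except FileNotFoundError:
        return False
    return body.rstrip() == key_authorization(token, account_jwk)


def demo() -> tuple:
    """Run the flow in a temporary webroot and return
    (accepted, accepted_with_wrong_account_key, accepted_after_removal)."""
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, TOKEN, ACCOUNT_JWK)
        ok = validator_accepts(webroot, TOKEN, ACCOUNT_JWK)
        # A body written for a different account key must be rejected: the
        # thumbprint binds the challenge to the account that requested it.
        other_account = dict(ACCOUNT_JWK, n=ACCOUNT_JWK["n"][::-1])
        wrong_key = validator_accepts(webroot, TOKEN, other_account)
        os.remove(challenge_path(webroot, TOKEN))
        missing = validator_accepts(webroot, TOKEN, ACCOUNT_JWK)
    return ok, wrong_key, missing


if __name__ == "__main__":
    print("path:", challenge_path("/var/www/html", TOKEN))
    print("body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("accepted / wrong key / removed:", demo())
```

The practical consequence for the setup in the post: whichever host certbot runs on only needs to be able to write this one file into a directory that the cluster's port-80 listener serves for the `/.well-known/acme-challenge/` prefix; the challenge is bound to the account key, not to the host that requested it, so the request can be made from the Ansible machine as long as the file can be placed on the cluster before the validator fetches it.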