Seems right to me, but having 2 different mechanisms to maintain certificates seems messy.

Presumably this has already been solved a number of times - it would be great to hear how people manage this on production systems.

Tim

On 25/08/2017 21:46, Judd Maltin wrote:
I'm very interested in this as well, as I'd like to use it in classes I'm teaching on OpenShift.

Let's keep a very strict separation between types of traffic.  There's the traffic between nodes (kubelet,) master API servers, and components such as logging and metrics. That's on the *.internal domain managed by the SkyDNS server on the masters.  The ansible variable openshift_master_ca_certificates and the playbook redeploy-openshift-ca just update the CA certs on the masters, while redeploy-certificates.yml updates everything, even the routers. So great care must be taken in using ansible to manage your routers.  I think "Let's Encrypt" is less useful for all this private traffic, as OpenShift will accept self-signed certs, as long as it can sign them itself or with a provided CA or intermediary key.

Then there's public traffic managed under different DNS services for the API, Routers, and other possible apps.  THOSE are the places where I think we'd be most interested in Let's Encrypt.

Further thoughts?

On Fri, Aug 25, 2017 at 1:26 PM, Tim Dudgeon <[email protected]> wrote:

    That's interesting, and a very different approach to what I was anticipating using the Ansible playbooks.

    Any thoughts from anyone on what is the best approach for this? Any other approaches/experiences on how to handle this important issue?

    Tim



    On 25/08/2017 17:09, Tomas Nozicka wrote:

        Hi Tim,

        there is a controller to take care of generating and renewing Let's Encrypt certificates for you.

        https://github.com/tnozicka/openshift-acme

        That said, it won't generate one for the masters, but you can expose the master API using a Route, and the certificate for that Route would be fully managed by openshift-acme.

        Further integrations might be possible in the future, but this is how you can get it done now.

        Regards,
        Tomas


        On Fri, 2017-08-25 at 16:27 +0100, Tim Dudgeon wrote:

            Does anyone have any experience on how best to use Let's Encrypt certificates for an OpenShift Origin cluster?

            In one sense this is simple. The Ansible installer can be specified to use this custom certificate and key to sign all the certificates it generates, and doing so ensures you don't get the dreaded "This site is insecure" messages from your browser. And there is a playbook for updating certificates (which is essential as Let's Encrypt certificates are short lived) so this must be automated.

            But how best to set this up and automate the certificate generation and renewal?

            Let's assume Ansible is being run from a separate machine that is not part of the cluster and needs to deploy those custom certificates to the master(s). The certificate needs to be present on the ansible machine but needs to apply to the master(s) (or load balancer?). So you can't just generate the certificate on the ansible machine (e.g. using the --standalone option for certbot) as it would not be for the right machine.

            Similarly it doesn't seem right to request and update the certificates on the master (which master in the case of multiple masters?), and those certificates need to be present on the ansible machine.

            Seems like the answer might be to run a process on the ansible machine that requests the certificates using the webroot plugin and in doing so places the magical key that is used to verify ownership of the domain under the https://your.site.com/.well-known/acme-challenge location? But how to go about doing this? Ports 80 and 443 seem to be in use on the cluster, but not serving up any particular content. How to place the content there?

            I'm hoping others have already needed to handle this problem and can point to some best practice.

            Thanks
            Tim


            _______________________________________________
            users mailing list
            [email protected]
            http://lists.openshift.redhat.com/openshiftmm/listinfo/users






--
Judd Maltin
T: 917-882-1270
Of Life immense in passion, pulse, and power,
Cheerful—for freest action form’d, under the laws divine,
The Modern Man I sing. -Walt Whitman



