Let's Encrypt without DNS setup - add to the Documentation - works on-prem no need for custom dns
Feature and motivation
There is a way to use Let's Encrypt without CIS or Cloudflare, even if you used the "one-click" method for installation.
The steps are quite easy.
Let’s Encrypt setup:
If you don't want a custom DNS, just a Let's Encrypt certificate: check your ClusterIssuer under Installed Operators » cert-manager-operator » Cluster issuer. The letsencrypt-prod one is the one without custom DNS. Maybe yours is different (if you already had Cloudflare, for example), like this: {{ mas_instance_id }}-cloudflare-le-prod
Certificate setup: CustomResourceDefinition search for Suite go to the instances (inst1). Edit the YAML:
```yaml
spec:
  certManagerNamespace: cert-manager
  certificateIssuer:
    duration: 8760h0m0s
    name: letsencrypt-prod
    renewBefore: 720h0m0s
```
Delete the finalizer to force reconciliation! (Row 173-174, save.) Wait for a couple of minutes for the reconciliation. If it is not updating, double-check your certificate issuer name!
Usage example
Many customers want to enable Let's Encrypt after the installation. This documentation could help
Also, there is a BUG in IoT: MAS Monitor will give you an error something like this: "Login error, please contact your administrator!" The inst1-public-tls secret is not updated by itself. Check the owner of the secret! Change the inst1 YAML: in spec, set manualCertMgmt: false
I've been wanting to do something to improve our default install that falls into this area:
We should be able to set up LetsEncrypt using a ClusterIssuer as such:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: {{ uds contact email }}
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          ingressClassName: openshift-default
```
The use of the HTTP solver will allow use of LE for cert signing in the widest possible supported configurations without any requirement to set up anything in any DNS.
For a non-airgap install, this should become the default when you install MAS using ansible/cli - rather than self-signed as it is today.
@durera, would it be possible for me to create a second let's encrypt for a private loadbalancer for my cluster?
I've been looking into this, and I'm not sure how exactly you configured your system @zoltanpesko, but I can't see any way to make LE work with MAS without a DNS integration enabled.
There are two options for solvers: HTTP01 and DNS01:
- HTTP01 allows us to configure cert-manager to automatically set up an ingress to serve the challenge secret, but an HTTP solver can't support subdomain wildcards (which MAS uses)
- DNS01 requires integration with the DNS provider to add the appropriate TXT record into the DNS to prove ownership of the domain
There's no way with the current MAS usage of subdomains to configure LE to automatically issue certificates through Certificate-Manager without the use of integration to a DNS provider so that Cert-Manager can add the necessary DNS challenge records.
If you feel I've missed something (obvious or non-obvious) here, let me know, otherwise I think we unfortunately have to close this as not possible to implement; as much as I liked the idea of LE out of the box by default with minimal configuration.
Hi,
I used the standard one-click installation. After the pure (not disconnected) install, I only did the following steps:
Certificate setup: CustomResourceDefinition search for Suite go to the instances (inst1). Edit the YAML:
```yaml
spec:
  certManagerNamespace: cert-manager
  certificateIssuer:
    duration: 8760h0m0s
    name: letsencrypt-prod
    renewBefore: 720h0m0s
```
Delete the finalizer to force reconciliation! Row 173-174, save. Wait for a couple of minutes for the reconciliation. If it is not updating, double-check your certificate issuer name, or delete the routes manually.
To enhance the initial experience of MAS installations, I propose that the standard One-Click Core Installer should, by default, use Let's Encrypt certificates whenever an internet connection is available. Currently, the initial impression of MAS can be undermined if users encounter a certificate error upon installation. Leveraging Let's Encrypt will address this, providing a seamless and secure setup experience from the outset.
First impressions are critical, and minimizing security warnings helps establish immediate trust and professionalism in the solution.
The latest MAS core installer (one.click) doesn't generate the Let's Encrypt cluster issuer anymore, so this workaround doesn't work anymore :(
Even with the letsencrypt issuer, how are you getting the certificate requests approved via cert-manager? Without integration to a DNS provider it can't use the dns01 solver, and the http01 solver doesn't work for the wildcard certificates that MAS uses today - this is why we can only support LE when user enables the DNS integration so we can configure the dns01 solver in Cert-Manager.
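To make the solver limitation described in the two replies above concrete, here is an added example (not MAS or cert-manager code) that mimics cert-manager's solver selection on constructed issuer and certificate data: a selector-less http01 solver is selected for every name, but ACME only permits dns-01 validation for wildcard identifiers, so the wildcard names MAS requests end up with no usable solver unless a dns01 solver is configured. The issuer specs, zone and host names are assumptions built for the demonstration.

```python
from typing import Optional

# Constructed data mirroring the thread: the http01-only issuer proposed
# above, and a variant that adds a dns01 solver for the (assumed) MAS zone.
HTTP_ONLY = [
    {"http01": {"ingress": {"ingressClassName": "openshift-default"}}},
]
WITH_DNS01 = HTTP_ONLY + [
    {"selector": {"dnsZones": ["inst1.apps.example.com"]},
     "dns01": {"cloudflare": {"apiTokenSecretRef": {"name": "cf-token", "key": "token"}}}},
]
# Constructed MAS-style request: one plain host plus the subdomain wildcard.
MAS_STYLE_NAMES = ["home.inst1.apps.example.com", "*.inst1.apps.example.com"]

def _specificity(selector: dict, name: str) -> Optional[tuple]:
    """Specificity key if `selector` matches `name`, else None.
    cert-manager's rule: dnsNames beats dnsZones beats a catch-all solver,
    and among dnsZones the longest matching zone wins."""
    host = name[2:] if name.startswith("*.") else name
    if "dnsNames" in selector:
        return (3, 0) if name in selector["dnsNames"] else None
    if "dnsZones" in selector:
        hits = [z for z in selector["dnsZones"] if host == z or host.endswith("." + z)]
        return (2, max(map(len, hits))) if hits else None
    return (1, 0)  # no selector: matches every name

def pick_solver(solvers: list, name: str) -> Optional[str]:
    """'http01' or 'dns01' for the solver cert-manager would select for
    `name`, or None when that solver cannot complete the ACME challenge.
    ACME (RFC 8555) only lets a wildcard identifier be validated by dns-01,
    which is why an http01-only issuer cannot satisfy MAS's wildcard names."""
    best = None
    for solver in solvers:
        key = _specificity(solver.get("selector", {}), name)
        if key is not None and (best is None or key > best[0]):
            best = (key, solver)
    if best is None:
        return None
    kind = "dns01" if "dns01" in best[1] else "http01"
    return None if name.startswith("*.") and kind != "dns01" else kind

def plan(solvers: list, dns_names: list) -> dict:
    """Map every requested DNS name to its usable solver type (or None)."""
    return {n: pick_solver(solvers, n) for n in dns_names}

if __name__ == "__main__":
    for label, issuer in (("http01 only", HTTP_ONLY), ("with dns01", WITH_DNS01)):
        print(label, plan(issuer, MAS_STYLE_NAMES))
```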