
Better docs on why we do not default to production (yet)

Open wernight opened this issue 7 years ago • 3 comments

LEGO_URL, like nearly all ACME clients, should default to the Let's Encrypt production backend. Lego itself does that. However, the YAML given as an example should override it with the staging environment.

This is not only desirable for consistency but also because it's easy to find the Let's Encrypt staging URL and harder to find their production URL (as it's considered the default in all clients).

wernight avatar Aug 31 '16 12:08 wernight

I disagree. This software is not quite stable yet and I've had it go into a loop requesting certificates and locking me out of the service due to rate limiting.

It's really easy to find the production URLs and even easier to set them. It's a minor hassle really.

Edited to add: I do think it should be easier to swap to production after the fact. Maybe through some flag in the secret so it's clear the credentials belong to the staging/prod environment.

pieterlange avatar Sep 01 '16 06:09 pieterlange

I agree with starting with the staging environment, but I just want to make this explicit rather than implicit. I'd rather have in https://github.com/jetstack/kube-lego/blob/master/examples/gce/50-kube-lego-deployment.yaml:

env:
  - name: LEGO_URL
    # Use the staging environment until you have tested your domains.
    value: https://acme-staging.api.letsencrypt.org/directory

That way it's a lot easier to switch. You say the production URL is easy to find? Find it on letsencrypt.org; I bet you'll get the staging URL way earlier. The main reason is really consistency with most clients, including the official one.

Related to that, I agree that there are issues when switching environments as well (shouldn't be part of this ticket but good to have an overview):

  • Switching URL requires deleting secrets #21
  • When testing in staging it should make sure that http:// isn't redirected to https:// (yes, HSTS will be cached, so it's good to start in the staging environment first)

wernight avatar Sep 01 '16 07:09 wernight

Will make it more explicit in the docs/YAML and try to check the origin of a user cert before using it (a.k.a. auto-delete of a non-matching user key/cert after a URL change).

simonswine avatar Sep 29 '16 12:09 simonswine
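The two ideas raised in this thread, tagging the account secret with the environment it was registered against (pieterlange) and discarding a key that does not match the configured LEGO_URL (simonswine), can be modelled together. The following is an added illustration, not kube-lego's own code: the annotation key `DirectoryAnnotation` is hypothetical, the secret is represented only by its annotations map, and the production URL is the v1 Let's Encrypt endpoint of that era. The staging URL is the one quoted above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical annotation key recording which ACME directory an account
// secret was registered against. Not a kube-lego annotation.
const DirectoryAnnotation = "example.invalid/acme-directory-url"

// Let's Encrypt directory URLs: the staging one quoted in the issue, and the
// v1 production endpoint in use at the time.
const (
	StagingURL    = "https://acme-staging.api.letsencrypt.org/directory"
	ProductionURL = "https://acme-v01.api.letsencrypt.org/directory"
)

// Action tells the caller what to do with an existing account secret.
type Action int

const (
	Keep    Action = iota // account belongs to the configured directory
	Discard               // account belongs to another directory: delete and re-register
	Legacy                // secret predates the annotation: cannot tell, needs operator attention
)

func (a Action) String() string {
	return [...]string{"keep", "discard", "legacy"}[a]
}

// sameDirectory compares two directory URLs structurally so that trivial
// differences (host case, a trailing slash) do not trigger a discard.
func sameDirectory(a, b string) (bool, error) {
	ua, err := url.Parse(a)
	if err != nil {
		return false, err
	}
	ub, err := url.Parse(b)
	if err != nil {
		return false, err
	}
	norm := func(u *url.URL) string {
		return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host) + strings.TrimSuffix(u.Path, "/")
	}
	return norm(ua) == norm(ub), nil
}

// ReconcileAccount decides whether the account key stored in the secret
// (represented here by its annotations) may be used with the configured
// LEGO_URL. A mismatch means the key was registered with a different CA
// environment and must not be reused, which is the looping/rate-limit
// failure mode described in the thread.
func ReconcileAccount(annotations map[string]string, configuredURL string) (Action, error) {
	stored, ok := annotations[DirectoryAnnotation]
	if !ok {
		return Legacy, nil
	}
	same, err := sameDirectory(stored, configuredURL)
	if err != nil {
		return Discard, fmt.Errorf("unparseable directory URL: %w", err)
	}
	if same {
		return Keep, nil
	}
	return Discard, nil
}

// TagAccount returns the annotations a freshly registered account secret
// should carry so that a later LEGO_URL change can be detected.
func TagAccount(configuredURL string) map[string]string {
	return map[string]string{DirectoryAnnotation: configuredURL}
}

func main() {
	// Constructed scenario: account registered against staging, then the
	// operator switches LEGO_URL to production.
	staging := TagAccount(StagingURL)
	for _, target := range []string{StagingURL, ProductionURL} {
		action, err := ReconcileAccount(staging, target)
		fmt.Printf("stored=%s configured=%s -> %s (err=%v)\n", StagingURL, target, action, err)
	}
	action, _ := ReconcileAccount(map[string]string{}, ProductionURL)
	fmt.Println("untagged secret ->", action)
}
```

Reporting `Legacy` for an untagged secret rather than silently keeping it is deliberate: a secret created before the annotation existed is exactly the case where the environment is unknown, and an operator prompt is safer than guessing.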