kube-lego
Better docs on why we don't default to production (yet)
`LEGO_URL`, like nearly all ACME clients, should default to the Let's Encrypt production backend. Lego itself does that. However, the YAML given as an example should override it with the staging environment.
This is not only desirable for consistency, but also because it's easy to find the Let's Encrypt staging URL and harder to find their production URL (as it's considered the default on all clients).
I disagree. This software is not quite stable yet, and I've had it go into a loop requesting certificates and locking me out of the service due to rate limiting.
It's really easy to find the production URLs and even easier to set them. It's a minor hassle, really.
Edited to add: I do think it should be easier to swap to production after the fact. Maybe through some flag in the secret, so it's clear the credentials belong to the staging/prod environment.
I agree with starting with the staging environment, but I just want to make this explicit rather than implicit. I'd rather have this in https://github.com/jetstack/kube-lego/blob/master/examples/gce/50-kube-lego-deployment.yaml:

```yaml
env:
  - name: LEGO_URL
    # Use staging environment until you tested your domains.
    value: https://acme-staging.api.letsencrypt.org/directory
```

That way it's a lot easier to switch. You say the production URL is easy to find? Find it on letsencrypt.org; I bet you'll get the staging URL way earlier. The main reason is really consistency with most clients, including the official one.
Related to that, I agree that there are issues when switching environments as well (shouldn't be part of this ticket, but good to have an overview):
- Switching URL requires deleting secrets (#21)
- When testing in staging it should make sure that http:// isn't redirected to https:// (yes, HSTS will be cached, so it's good to start in the staging environment first)
Will make it more explicit in the docs/yaml and try to check the origin of a user cert before using it (a.k.a. auto-delete of non-matching user key/cert after URL change).
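The two proposals above, a marker in the secret saying which environment the account belongs to and an automatic discard of a key/cert that does not match the configured `LEGO_URL`, can be combined into one startup check. The following Go program is an added example written for this thread, not kube-lego's code. It assumes a hypothetical field in the account secret that records the directory URL the key was registered against (kube-lego does not write such a field in the version discussed here). The directory hosts `acme-staging.api.letsencrypt.org` and `acme-v01.api.letsencrypt.org` are the Let's Encrypt staging and production endpoints of the time; an ACME account key is registered with exactly one of them, which is why a URL change means the key must be dropped and a new account registered rather than reused.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Environment is the Let's Encrypt environment a directory URL points at.
type Environment int

const (
	Unknown Environment = iota
	Staging
	Production
)

func (e Environment) String() string {
	switch e {
	case Staging:
		return "staging"
	case Production:
		return "production"
	}
	return "unknown"
}

// Let's Encrypt directory hosts in use when this thread was written.
var knownHosts = map[string]Environment{
	"acme-staging.api.letsencrypt.org": Staging,
	"acme-v01.api.letsencrypt.org":     Production,
}

// normalize canonicalises a directory URL so that harmless differences
// (host case, trailing slash) are not mistaken for an environment change.
func normalize(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("ACME directory URL must be an absolute https URL: %q", raw)
	}
	u.Host = strings.ToLower(u.Host)
	u.Path = strings.TrimRight(u.Path, "/")
	return u, nil
}

// Classify maps a directory URL to its environment; an unknown host is Unknown, not an error.
func Classify(raw string) (Environment, error) {
	u, err := normalize(raw)
	if err != nil {
		return Unknown, err
	}
	return knownHosts[u.Hostname()], nil
}

// Action is what to do with an existing account secret on startup.
type Action int

const (
	Reuse   Action = iota // same directory: keep key and registration
	Discard               // different directory: key is registered with another CA, re-register
	Refuse                // cannot tell: let the operator decide instead of guessing
)

func (a Action) String() string {
	return [...]string{"reuse", "discard", "refuse"}[a]
}

// Decide compares the configured LEGO_URL with the directory URL recorded in the
// account secret. recordedURL is the hypothetical marker proposed in this thread.
func Decide(configuredURL, recordedURL string) (Action, string, error) {
	want, err := normalize(configuredURL)
	if err != nil {
		return Refuse, "", err
	}
	if strings.TrimSpace(recordedURL) == "" {
		return Refuse, "account secret carries no directory URL; delete it or add the marker by hand", nil
	}
	have, err := normalize(recordedURL)
	if err != nil {
		return Refuse, "", fmt.Errorf("recorded directory URL is invalid: %w", err)
	}
	if want.String() == have.String() {
		return Reuse, "account key is registered with the configured directory", nil
	}
	reason := fmt.Sprintf("account key belongs to %s (%s) but LEGO_URL is %s (%s); dropping it so a new account is registered",
		knownHosts[have.Hostname()], have, knownHosts[want.Hostname()], want)
	return Discard, reason, nil
}

func main() {
	// Constructed scenario: the secret was created against staging, the deployment now points at production.
	recorded := "https://acme-staging.api.letsencrypt.org/directory"
	configured := "https://acme-v01.api.letsencrypt.org/directory"
	action, reason, err := Decide(configured, recorded)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s\n", action, reason)
}
```

The `Refuse` branch matters for secrets created before any marker existed: silently reusing them is how the staging/production confusion in #21 arises, while silently deleting them would throw away a production account without the operator noticing.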