Integrate the use of Let's encrypt

Open ctron opened this issue 8 years ago • 11 comments

Let's encrypt [1] provides a great way to get SSL certificates which are accepted by browsers.

When it comes to OpenShift there are two downsides to using Let's encrypt. Certificates are only valid for 90 days and they don't offer wildcard certificates. So you either need one for each domain or you can use server aliases to include more.

However there is an API for automating this process [2], which could be included into OpenShift in order to automate this process out of the box.

Of course you can find some way to fiddle around with some shell scripts and the router templates to DIY, but it would be cool to have this support out of the box for front-facing HTTPS access.

[1] https://letsencrypt.org/
[2] https://ietf-wg-acme.github.io/acme/

Version

oc v1.4.1+3f9807a
kubernetes v1.4.0+776c994
features: Basic-Auth GSSAPI Kerberos SPNEGO

Steps To Reproduce
  1. Use OpenShift
  2. Create router

Current Result

Not supported

Expected Result

Out of the box support for Let's encrypt.

ctron avatar Mar 16 '17 10:03 ctron

@tnozicka FYI (I think you were building something related)

mfojtik avatar Mar 16 '17 11:03 mfojtik

@ctron Take a look at https://github.com/tnozicka/openshift-acme

tnozicka avatar Mar 20 '17 09:03 tnozicka

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Feb 22 '18 11:02 openshift-bot

@enj Any updates on this matter? :innocent:

Peque avatar Feb 22 '18 11:02 Peque

/assign @tnozicka

The plan is to adopt https://github.com/tnozicka/openshift-acme/pull/48 when that merges.

Now has its trello card https://trello.com/c/nmh6J8ly/1140-adopt-openshift-acme

tnozicka avatar Feb 22 '18 11:02 tnozicka

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot avatar Mar 24 '18 17:03 openshift-bot

@ctron & @tnozicka,

I've tested this and it worked great! Really cool stuff, thanks... and funny to meet my old friend @ctron in this issue. Made Let's Encrypt cert management so smooth and easy. Any plans how the trello card will continue?

BR Mehmet

marziman avatar Mar 26 '18 22:03 marziman

@marziman thx.

Any plans how the trello card will continue?

I'd like us to be able to provide certificates for masters and for the router. Also for the purposes of multitenancy we need to have internal rate limits.

tnozicka avatar Mar 28 '18 19:03 tnozicka

About openshift-acme: it is working great for routes, but I'm not sure how to configure it for the console as well. Any ideas?

bevinhex avatar Apr 21 '18 15:04 bevinhex

https://github.com/tnozicka/openshift-acme works great! It would just be cool to have this work with the click of a "Get Certificate!" button built into OpenShift, just to save a long night of reading up and searching to understand what to look for and ultimately find this... :smiley:

vorburger avatar Oct 01 '18 15:10 vorburger

/unassign

@stlaz @sttts @mfojtik

enj avatar Oct 16 '19 15:10 enj