daviftorres commented on issue #3141: URL: https://github.com/apache/cloudstack/issues/3141#issuecomment-3253673500
Dear @asender, I'd like to apologise for having a different view on the certificate strategy for the Console Proxy (and System VMs in general).

Since System VMs are ephemeral, they would request new certificates every time they are redeployed. This could quickly hit Let's Encrypt rate limits (https://letsencrypt.org/docs/rate-limits/).

A better approach is to use a dedicated instance (or even a container) to request certificates, for example a wildcard via DNS challenge, about 30 days before expiry. The instance can then push the certs to CloudStack for use by the System VMs.

If you're interested, I can also share how we set this up with HashiCorp Vault to securely store certificates and allow consumers to fetch only the ones they're permitted to use.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
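The renewal-host pattern described in the comment above, sketched as a shell sidecar. This is an added example, not the commenter's setup and not CloudStack project code. Everything beyond the comment is an assumption: certbot with its Cloudflare DNS plugin for the DNS-01 challenge, a logged-in HashiCorp Vault CLI with a KV v2 mount at `secret/`, CloudMonkey (`cmk`) configured against the management server, the CloudStack `uploadCustomCertificate` API as exposed by `cmk upload customcertificate`, and the constructed domain `cloud.example.com`. The expiry check uses `openssl x509 -checkend` so the decision logic can be exercised offline against a constructed self-signed certificate.

```shell
#!/bin/sh
# Renewal sidecar for CloudStack System VM certificates.
# Added example; not the commenter's setup and not CloudStack project code.
# Assumptions (not in the original comment): certbot + Cloudflare DNS plugin,
# Vault CLI already logged in, cmk pointed at the management server, and the
# constructed domain cloud.example.com.
set -eu

DOMAIN=${DOMAIN:-cloud.example.com}
EMAIL=${EMAIL:-ops@example.com}
RENEW_DAYS=${RENEW_DAYS:-30}
LIVE=${LIVE:-/etc/letsencrypt/live/$DOMAIN}
VAULT_PATH=${VAULT_PATH:-secret/cloudstack/certs/wildcard}

# needs_renewal <cert.pem> <days>: succeeds when the cert expires within <days>.
# Only this long-lived host talks to Let's Encrypt; System VM redeploys never
# trigger an order, so the rate limits are not in play.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# make_test_cert <dir> <days>: constructed self-signed stand-in for the issued
# wildcard, so the renewal decision can be tested without contacting an ACME CA.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=*.$DOMAIN" -keyout "$1/privkey.pem" -out "$1/cert.pem" \
    >/dev/null 2>&1
}

# One DNS-01 order covers the apex and the wildcard; the host needs no inbound HTTP.
renew_wildcard() {
  certbot certonly --non-interactive --agree-tos -m "$EMAIL" \
    --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
    -d "$DOMAIN" -d "*.$DOMAIN"
}

# Store the pair in Vault and define a policy that grants read on this one
# path only, so a consumer token bound to it cannot fetch other certificates.
# KV v2 inserts /data/ after the mount name in policy paths.
push_to_vault() {
  vault kv put "$VAULT_PATH" \
    fullchain=@"$LIVE/fullchain.pem" privkey=@"$LIVE/privkey.pem"
  vault policy write cloudstack-cert-reader - <<EOF
path "secret/data/cloudstack/certs/wildcard" {
  capabilities = ["read"]
}
EOF
}

# Hand the chain to CloudStack for the System VMs. CloudStack's documented
# procedure uploads the CA chain first and the leaf with its private key last;
# verify the id/name values against your version's API reference.
push_to_cloudstack() {
  cmk upload customcertificate id=1 name=intermediate domainsuffix="$DOMAIN" \
    certificate="$(cat "$LIVE/chain.pem")"
  cmk upload customcertificate id=2 domainsuffix="$DOMAIN" \
    certificate="$(cat "$LIVE/cert.pem")" privatekey="$(cat "$LIVE/privkey.pem")"
}

# Entry point: `sh renew-sidecar.sh run` from a daily cron job.
if [ "${1:-}" = run ]; then
  if needs_renewal "$LIVE/cert.pem" "$RENEW_DAYS"; then
    renew_wildcard
    push_to_vault
    push_to_cloudstack
  fi
fi
```

Run it daily; the 30-day window matches both the comment and certbot's own default renewal threshold, so a missed day costs nothing. The Vault policy is the piece that enforces the "fetch only what you're permitted" property: a System VM provisioning hook authenticates with a token carrying only `cloudstack-cert-reader` and can read that single path and nothing else in the mount.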