Hi Tim,

there is a controller that takes care of generating and renewing Let's
Encrypt certificates for you:

https://github.com/tnozicka/openshift-acme

That said, it won't generate one for the masters, but you can expose the
master API using a Route, and the certificate for that Route would be
fully managed by openshift-acme.

Further integrations might be possible in the future, but this is how you
can get it done now.

Regards,
Tomas

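As an added illustration of the approach described above (not part of the original mail and not code from the openshift-acme project), this is what a Route that opts in to openshift-acme looks like. The opt-in annotation `kubernetes.io/tls-acme: "true"` is the one the controller's README documents; the route name, namespace, hostname and the backing service name are placeholders and are assumed, not taken from the thread:

```yaml
# Added example: a Route whose TLS certificate is issued and renewed by
# openshift-acme. Names and hostname below are placeholders (assumptions).
apiVersion: v1
kind: Route
metadata:
  name: master-api            # assumed route name
  namespace: default          # assumed namespace
  annotations:
    # Opt-in annotation watched by the openshift-acme controller
    kubernetes.io/tls-acme: "true"
spec:
  # Must resolve publicly to the cluster router: the HTTP-01 challenge
  # for /.well-known/acme-challenge/ is answered through the router,
  # so no webroot on the masters or the Ansible host is needed.
  host: api.example.com       # assumed hostname
  to:
    kind: Service
    name: kubernetes          # assumed: the service fronting the master API
  port:
    targetPort: https
  tls:
    # The master API already speaks TLS, so the router must re-encrypt
    # to the backend rather than terminate at the edge.
    termination: reencrypt
```

Two practical checks before relying on this: the controller fills in `spec.tls.certificate` and `spec.tls.key` itself, so do not hand-manage those fields on an annotated Route, and confirm in the controller's README that your version manages the termination type you use (edge versus reencrypt) rather than assuming it.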

On Fri, 2017-08-25 at 16:27 +0100, Tim Dudgeon wrote:
> Does anyone have any experience on how best to use Let's Encrypt
> certificates for an OpenShift Origin cluster?
> 
> In one sense this is simple. The Ansible installer can be specified to
> use this custom certificate and key to sign all the certificates it
> generates, and doing so ensures you don't get the dreaded "This site is
> insecure" messages from your browser. And there is a playbook for
> updating certificates (which is essential as Let's Encrypt certificates
> are short lived) so this must be automated.
> 
> But how best to set this up and automate the certificate generation and
> renewal?
> 
> Let's assume Ansible is being run from a separate machine that is not
> part of the cluster and needs to deploy those custom certificates to the
> master(s). The certificate needs to be present on the ansible machine
> but needs to apply to the master(s) (or load balancer?). So you can't
> just generate the certificate on the ansible machine (e.g. using the
> --standalone option for certbot) as it would not be for the right
> machine.
> 
> Similarly it doesn't seem right to request and update the certificates
> on the master (which master in the case of multiple masters?), and those
> certificates need to be present on the ansible machine.
> 
> Seems like the answer might be to run a process on the ansible machine
> that requests the certificates using the webroot plugin and in doing so
> places the magical key that is used to verify ownership of the domain
> under the https://your.site.com/.well-known/acme-challenge location?
> But how to go about doing this? Ports 80 and 443 seem to be in use on
> the cluster, but not serving up any particular content. How to place the
> content there?
> 
> I'm hoping others have already needed to handle this problem and can 
> point to some best practice.
> 
> Thanks
> Tim
> 
> 
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
