
Let's Encrypt without DNS setup - add to the Documentation - works on-prem no need for custom dns #1417

Open
zoltanpesko opened this issue Aug 16, 2024 · 3 comments
Labels
Enhancement New feature or request

Comments

zoltanpesko commented Aug 16, 2024

Feature and motivation

There is a way to use Let's Encrypt without CIS or Cloudflare, even if you used the "one-click" method for installation.

The steps are quite easy.

Let's Encrypt setup:

If you don't want a custom DNS, just a Let's Encrypt certificate:

Check your ClusterIssuer:

**Installed Operators » cert-manager-operator » Cluster issuer.**

The letsencrypt-prod one is the one without custom DNS.

Maybe yours is different!
(if you already had Cloudflare, for example)
Like this: {{ mas_instance_id }}-cloudflare-le-prod

Certificate setup:
Under CustomResourceDefinitions, search for Suite and go to the instances (inst1).
Edit the YAML:

```yaml
spec:
  certManagerNamespace: cert-manager
  certificateIssuer:
    duration: 8760h0m0s
    name: letsencrypt-prod
    renewBefore: 720h0m0s
```

Delete the finalizer to force reconciliation! (Row 173-174, save.)
 
Wait a couple of minutes for the reconciliation.
If it is not updating, double-check your certificate issuer name!

Usage example

Many customers want to enable Let's Encrypt after the installation.
This documentation could help

@zoltanpesko zoltanpesko added the Enhancement New feature or request label Aug 16, 2024
Author

zoltanpesko commented Aug 16, 2024

Also, there is a BUG in IoT.
The MAS Monitor will give you an error something like this:
Login error, please contact your administrator! Error message

The inst1-public-tls is not updated by itself.

Check the owner of the secret!

Change the inst1 YAML in spec:
manualCertMgmt: false
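The procedure from the two comments above (point the Suite CR at the http01 ClusterIssuer, drop the finalizer, switch manualCertMgmt off, then check who issued inst1-public-tls) as an added example; it is not code from this thread or from the ibm-mas project. It works on the JSON that `oc get suite inst1 -n mas-inst1-core -o json`, `oc get clusterissuer -o json` and `oc get secret inst1-public-tls -n mas-inst1-core -o json` return. The sample objects are constructed, the finalizer name is an assumption, and so is the `spec.settings.manualCertMgmt` path (the comment only says "in spec"); adjust both to your CR.

```python
"""Switch a MAS Suite CR to a cert-manager ClusterIssuer and check the public TLS secret.

Added example, not code from the ibm-mas project. Sample objects are constructed;
the finalizer name and the spec.settings.manualCertMgmt path are assumptions.
"""
import copy
import json

# Constructed sample Suite CR, trimmed to the fields this example touches.
SAMPLE_SUITE = {
    "apiVersion": "core.mas.ibm.com/v1",
    "kind": "Suite",
    "metadata": {
        "name": "inst1",
        "namespace": "mas-inst1-core",
        "finalizers": ["suite.core.mas.ibm.com/finalizer"],  # assumed finalizer name
    },
    "spec": {
        "certManagerNamespace": "cert-manager",
        "certificateIssuer": {
            "name": "inst1-cloudflare-le-prod",
            "duration": "8760h0m0s",
            "renewBefore": "720h0m0s",
        },
        "settings": {"manualCertMgmt": True},  # assumed path of manualCertMgmt
    },
}

# Constructed `oc get clusterissuer -o json` items: one http01 (no DNS), one dns01.
SAMPLE_CLUSTER_ISSUERS = [
    {"metadata": {"name": "letsencrypt-prod"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"ingressClassName": "openshift-default"}}}]}}},
    {"metadata": {"name": "inst1-cloudflare-le-prod"},
     "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {"email": "ops@example.com"}}}]}}},
]

# Constructed public TLS secret still carrying the old issuer's cert-manager annotations.
SAMPLE_SECRET = {
    "metadata": {
        "name": "inst1-public-tls",
        "namespace": "mas-inst1-core",
        "annotations": {
            "cert-manager.io/issuer-name": "inst1-cloudflare-le-prod",
            "cert-manager.io/issuer-kind": "ClusterIssuer",
            "cert-manager.io/certificate-name": "inst1-public-tls",
        },
        "ownerReferences": [],
    },
    "type": "kubernetes.io/tls",
}


def issuer_known(name, cluster_issuers):
    """The 'double-check your certificate issuer name' step: does the ClusterIssuer exist?"""
    return any(ci["metadata"]["name"] == name for ci in cluster_issuers)


def patch_suite(suite, issuer_name, cluster_issuers,
                duration="8760h0m0s", renew_before="720h0m0s", drop_finalizers=True):
    """Return a patched copy of the Suite CR pointing at issuer_name.

    Refuses unknown issuer names: a typo here leaves the Suite never updating.
    Dropping the finalizers mirrors the post's 'delete the finalizer' step; any
    edit to the CR already produces an update event the operator reconciles.
    """
    if not issuer_known(issuer_name, cluster_issuers):
        raise ValueError(f"no ClusterIssuer named {issuer_name!r}")
    patched = copy.deepcopy(suite)
    patched["spec"]["certificateIssuer"] = {
        "name": issuer_name, "duration": duration, "renewBefore": renew_before,
    }
    # Hand certificate management back to the operator (the MAS Monitor login fix).
    patched["spec"].setdefault("settings", {})["manualCertMgmt"] = False
    if drop_finalizers:
        patched["metadata"].pop("finalizers", None)
    return patched


def merge_patch_obj(issuer_name, duration="8760h0m0s", renew_before="720h0m0s"):
    """JSON merge patch body; `null` removes the finalizers list, as hand-editing would."""
    return {
        "metadata": {"finalizers": None},
        "spec": {
            "certificateIssuer": {"name": issuer_name, "duration": duration, "renewBefore": renew_before},
            "settings": {"manualCertMgmt": False},
        },
    }


def merge_patch(issuer_name):
    """String for: oc patch suite inst1 -n mas-inst1-core --type merge -p '<this>'"""
    return json.dumps(merge_patch_obj(issuer_name))


def secret_status(secret, expected_issuer):
    """Who issued/owns the public TLS secret, and is it still from the old issuer?"""
    meta = secret.get("metadata", {})
    ann = meta.get("annotations", {})
    return {
        "issued_by": ann.get("cert-manager.io/issuer-name"),
        "certificate": ann.get("cert-manager.io/certificate-name"),
        "owners": [f"{o['kind']}/{o['name']}" for o in meta.get("ownerReferences", [])],
        "stale": ann.get("cert-manager.io/issuer-name") != expected_issuer,
    }


if __name__ == "__main__":
    new = patch_suite(SAMPLE_SUITE, "letsencrypt-prod", SAMPLE_CLUSTER_ISSUERS)
    print(json.dumps(new["spec"], indent=2))
    print(merge_patch("letsencrypt-prod"))
    print(secret_status(SAMPLE_SECRET, "letsencrypt-prod"))
```

`secret_status` reads the `cert-manager.io/*` annotations cert-manager stamps on the secrets it issues; `ownerReferences` is only populated when cert-manager runs with `--enable-certificate-owner-ref`, so an empty owner list is normal and the annotations are the reliable signal. A `stale: True` result after the Suite has reconciled means the operator has not re-issued the secret, which is the situation the second comment describes.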

@zoltanpesko zoltanpesko changed the title Let's encrypt without DNS setup add to the Documentation Let's Encrypt without DNS setup - add to the Documentation - works on-prem no need for custom dns Aug 16, 2024
@durera
Contributor

durera commented Aug 23, 2024

I've been wanting to do something to improve our default install that falls into this area:

We should be able to set up LetsEncrypt using a ClusterIssuer as such:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer   # cluster-scoped, as the text says; `Issuer` is namespaced
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: {{ uds contact email }}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # required by cert-manager: secret holding the ACME account key
    solvers:
    - http01:
        ingress:
          ingressClassName: openshift-default
```

The use of the HTTP solver will allow use of LE for cert signing in the widest possible supported configurations without any requirement to set up anything in any DNS.

For a non-airgap install, this should become the default when you install MAS using ansible/cli - rather than self-signed as it is today.
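A lint for the ClusterIssuer described above, as an added example that is not code from this thread or from the ibm-mas project: it takes the parsed object (what `oc get clusterissuer letsencrypt-prod -o json` returns), flags the things cert-manager or Let's Encrypt would reject (missing account-key secret, placeholder email, wrong kind, staging directory) and reports whether the solvers need any DNS provider setup. Both manifests below are constructed; the account-key secret name is an assumption.

```python
"""Lint a cert-manager ACME ClusterIssuer for a DNS-free (http01) Let's Encrypt setup.

Added example, not code from the ibm-mas project. The two manifests are constructed;
the account-key secret name is an assumption.
"""
LE_PROD = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Draft shape: namespaced Issuer, unfilled email placeholder, no account-key secret.
DRAFT_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt-prod"},
    "spec": {"acme": {
        "email": "{{ uds contact email }}",
        "server": LE_PROD,
        "solvers": [{"http01": {"ingress": {"ingressClassName": "openshift-default"}}}],
    }},
}

# Corrected shape that passes the lint.
FIXED_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod"},
    "spec": {"acme": {
        "email": "mas-admin@example.com",
        "server": LE_PROD,
        "privateKeySecretRef": {"name": "letsencrypt-prod-account-key"},  # assumed name
        "solvers": [{"http01": {"ingress": {"ingressClassName": "openshift-default"}}}],
    }},
}


def solver_kinds(obj):
    """'http01' / 'dns01' / 'unknown' for each configured solver, in order."""
    solvers = obj.get("spec", {}).get("acme", {}).get("solvers", [])
    return [next((k for k in ("http01", "dns01") if k in s), "unknown") for s in solvers]


def needs_dns_setup(obj):
    """True when every solver is dns01, i.e. DNS provider credentials are unavoidable."""
    kinds = solver_kinds(obj)
    return bool(kinds) and all(k == "dns01" for k in kinds)


def lint_acme_issuer(obj, cluster_wide=True):
    """Return a list of findings; an empty list means the object is ready to apply."""
    findings = []
    expected_kind = "ClusterIssuer" if cluster_wide else "Issuer"
    if obj.get("kind") != expected_kind:
        findings.append(f"kind is {obj.get('kind')!r}, expected {expected_kind} "
                        "(an Issuer is namespaced, a ClusterIssuer is cluster-scoped)")
    acme = obj.get("spec", {}).get("acme")
    if acme is None:
        return findings + ["spec.acme missing: not an ACME issuer"]
    # cert-manager requires the secret that stores the ACME account private key.
    if not acme.get("privateKeySecretRef", {}).get("name"):
        findings.append("spec.acme.privateKeySecretRef.name is required (ACME account key secret)")
    email = acme.get("email", "")
    if "{{" in email or "@" not in email:
        findings.append(f"spec.acme.email {email!r} is a placeholder or invalid")
    server = acme.get("server")
    if server == LE_STAGING:
        findings.append("staging directory: issued certificates are not publicly trusted")
    elif server != LE_PROD:
        findings.append(f"server {server!r} is not the Let's Encrypt production directory")
    kinds = solver_kinds(obj)
    if not kinds:
        findings.append("no solvers configured")
    for i, (kind, solver) in enumerate(zip(kinds, acme.get("solvers", []))):
        if kind == "dns01":
            findings.append(f"solvers[{i}] is dns01: needs DNS provider credentials (Cloudflare, CIS, ...)")
        elif kind == "http01":
            ingress = solver["http01"].get("ingress", {})
            if not (ingress.get("ingressClassName") or ingress.get("class")):
                findings.append(f"solvers[{i}].http01.ingress needs ingressClassName (or class)")
        else:
            findings.append(f"solvers[{i}] has neither an http01 nor a dns01 section")
    return findings


if __name__ == "__main__":
    for name, obj in (("draft", DRAFT_ISSUER), ("fixed", FIXED_ISSUER)):
        print(name, "needs DNS setup:", needs_dns_setup(obj))
        for finding in lint_acme_issuer(obj) or ["ok"]:
            print("  -", finding)
```

One caveat the lint cannot check for you: the http01 solver only works if Let's Encrypt can reach `http://<hostname>/.well-known/acme-challenge/...` on port 80 from the public internet, so the route must resolve publicly and the ingress must be internet-facing. Behind a private load balancer or an egress-only network that validation fails, and dns01 (with provider credentials) is the remaining option.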

@GuilhermeFAC

GuilhermeFAC commented Sep 16, 2024

@durera, would it be possible for me to create a second let's encrypt for a private loadbalancer for my cluster?
