Let's Encrypt ACME v2 API: free wildcards certificates and OpenShift

March 15, 2018
let's encrypt openshift wildcard acme free certificates letsencrypt acme.sh

This is an update from my previous blog post around the same topic. Let’s Encrypt wildcards certificates support is now GA

Wildcards can be requested using the ACME v2 compatible clients. For this post, I have used an ACME v2 compatible shell script, acme.sh.

There is still a limitation right now (this is a limitation on acme.sh script side) on the ability to request wildcards certificated directly using ‘*.domain.com’. It must contain both domain.com and *.domain.com at least. Hopefully, this will be solved soon, or you can just use another ACME v2 supported client.

Use the following steps to request a wildcard certificate:

  1. Clone acme.sh repository master branch.

    $ git clone https://github.com/Neilpang/acme.sh.git
    $ cd acme.sh
    
  2. Add DNS API keys to the corresponding provider on ./dnsapi directory (using CloudFlare on this example). acme.sh currently supports the following list of DNS providers.

    $ egrep 'CF_Key|CF_Email' dnsapi/dns_cf.sh | head -2
      CF_Key="xxxxxxxxxxxxxxxxxxxxxxxxx"
      CF_Email="xxxxxxxxxxxxxxx"
    
  3. Request the wildcard certificate with the required Subject Alternative Names (on the example I’m requesting 2 DNS Names, one for the OpenShift API and another one for the SSL application endpoints running on my OpenShift Cluster).

    $ ./acme.sh --issue -d console.v37.maklog.xyz -d *.apps.v37.maklog.xyz --dns dns_cf
    
    $ $ ./acme.sh --issue -d console.v37.maklog.xyz -d *.apps.v37.maklog.xyz --dns dns_cf
    [Thu 15 Mar 15:18:19 EET 2018] Creating domain key
    [Thu 15 Mar 15:18:19 EET 2018] The domain key is here: /home/mak/.acme.sh/console.v37.maklog.xyz/console.v37.maklog.xyz.key
    [Thu 15 Mar 15:18:19 EET 2018] Multi domain='DNS:console.v37.maklog.xyz,DNS:*.apps.v37.maklog.xyz'
    [Thu 15 Mar 15:18:19 EET 2018] Getting domain auth token for each domain
    [Thu 15 Mar 15:18:24 EET 2018] Getting webroot for domain='console.v37.maklog.xyz'
    [Thu 15 Mar 15:18:25 EET 2018] Getting webroot for domain='*.apps.v37.maklog.xyz'
    [Thu 15 Mar 15:18:25 EET 2018] console.v37.maklog.xyz is already verified, skip dns-01.
    [Thu 15 Mar 15:18:25 EET 2018] *.apps.v37.maklog.xyz is already verified, skip dns-01.
    [Thu 15 Mar 15:18:25 EET 2018] Verify finished, start to sign.
    [Thu 15 Mar 15:18:28 EET 2018] Cert success.
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ...
    ...
    ...
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    [Thu 15 Mar 15:18:28 EET 2018] Your cert is in  /home/mak/.acme.sh/console.v37.maklog.xyz/console.v37.maklog.xyz.cer
    [Thu 15 Mar 15:18:28 EET 2018] Your cert key is in  /home/mak/.acme.sh/console.v37.maklog.xyz/console.v37.maklog.xyz.key
    [Thu 15 Mar 15:18:28 EET 2018] The intermediate CA cert is in  /home/mak/.acme.sh/console.v37.maklog.xyz/ca.cer
    [Thu 15 Mar 15:18:28 EET 2018] And the full chain certs is there:  /home/mak/.acme.sh/console.v37.maklog.xyz/fullchain.cer
    
  4. Copy generated certs to your preferred location. Certificates will be created under ~/.acme.sh/yourdomain directory

Your wildcard is now ready to be used. Follow the documentation to deploy or redeploy custom named certificates for your OpenShift public API, and custom wildcard certificates for your router.

Once you have deployed the certificates on your OpenShift Cluster, you will see valid certificates for both the public OpenShift API and any application deployed using the router Edge termination.

Public Master API

Router Certs

Router Certs

The Unrecognized Platform

November 30, 2018
openshift kubernetes paas containers

Is your code ready for Continuous Delivery?

January 8, 2018
techmaturity openshift CD Continuous Delivery Cloud Native

Creating snapshots in AWS for OpenShift Persistent Volumes

November 24, 2017
aws openshift pv pvc snapshot backup
comments powered by Disqus