Using letsencrypt wildcard certs with OpenShift

Categories: devops howto

Earlier this year Let's Encrypt added support for wildcard SSL certs. A wildcard cert can be added to your OpenShift router and used for all the applications handled by that router. These are brief instructions on how to create the certificate and upload it to your OpenShift cluster.

Create the certs

This creates the cert using the certbot Docker image. The command uses certbot's DNS challenge method to verify control of the domain for which certificates are being requested. With the DNS challenge, a TXT record has to be added (and later changed) in the domain you are requesting.

MYDOMAIN=example.martinmurphy.tech
mkdir workdir
cd workdir
docker run -it --rm --name certbot \
       -v "$PWD/etc_letsencrypt:/etc/letsencrypt" \
       -v "$PWD/var_lib_letsencrypt:/var/lib/letsencrypt" \
       certbot/certbot \
       certonly --manual --preferred-challenges dns \
       -d "*.${MYDOMAIN}" -d "${MYDOMAIN}"   # quoted so the shell cannot glob-expand the *

Let's Encrypt requires that you enter your email address and agree to their terms of service.

Verify that you control the domain

You'll then have to set a TXT record in DNS. Give your DNS provider time to save the change before pressing Enter (in my case it was about 30 seconds). If you are using AWS Route 53, you can use the Test Record Set option to check that the record has been updated.

Please deploy a DNS TXT record under the name
_acme-challenge.example.martinmurphy.tech with the following value:

VtnvNfD-2d9Y8CV4fvlPfUSGmDvrfQwb__USd08bK80

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

When the first TXT value has been verified, you will be asked to change it to a different value (again, I left about 30 seconds for the change to be saved).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.martinmurphy.tech with the following value:

LVrCz4rFRDDzex9kFGqpgvjZH0rfNnYzDckQ6hzpw3Y

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

If all goes well, you should see the congratulations message. (If it failed, then try the command again, but allow more time for the DNS values to be saved by your DNS provider.)
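Rather than guessing how long the DNS change takes to appear, you can poll the TXT record and only press Enter once the value certbot asked for is visible. The script below is an added example and is not part of the original post: it shells out to the dig CLI (assumed to be installed), and the names parse_dig_txt, resolve_txt, challenge_published and wait_for_challenge are this example's own. Passing one of your domain's authoritative nameservers avoids a caching resolver that keeps serving the old value.

```python
"""Poll an _acme-challenge TXT record until the value certbot asked for is visible.

Added example, not code from the original post. Assumes the `dig` command is
installed; all function names below are this example's own.
"""
import shlex
import subprocess
import time
from typing import Callable, List, Optional


def parse_dig_txt(output: str) -> List[str]:
    """Turn `dig +short TXT` output into plain strings.

    dig prints one record per line as quoted chunks, e.g. "abc" or "ab" "cd"
    for a record longer than 255 bytes; the chunks of one record are joined.
    """
    records = []
    for line in output.splitlines():
        if line.strip():
            records.append("".join(shlex.split(line)))
    return records


def resolve_txt(name: str, nameserver: Optional[str] = None) -> List[str]:
    """Query the TXT records under `name` with dig.

    Pass an authoritative nameserver (e.g. one from `dig NS yourdomain`) to
    bypass caching resolvers, which may keep serving the old value.
    """
    cmd = ["dig", "+short", "TXT", name]
    if nameserver:
        cmd.append("@" + nameserver)
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_dig_txt(result.stdout)


def challenge_published(name: str, expected: str,
                        resolve: Callable[[str], List[str]] = resolve_txt) -> bool:
    """True when `expected` is among the TXT values currently visible.

    Membership rather than equality: when certbot asks for the second value
    the first record may still exist, and Let's Encrypt accepts any matching
    record under the name.
    """
    return expected in resolve(name)


def wait_for_challenge(name: str, expected: str,
                       resolve: Callable[[str], List[str]] = resolve_txt,
                       attempts: int = 20, delay: float = 5.0,
                       sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll until the value shows up. Returns the attempt number on which it
    appeared, or 0 if it never did within `attempts` polls."""
    for attempt in range(1, attempts + 1):
        if challenge_published(name, expected, resolve):
            return attempt
        sleep(delay)
    return 0


if __name__ == "__main__":
    import sys
    # usage: python check_txt.py _acme-challenge.example.martinmurphy.tech <value> [nameserver]
    name, value = sys.argv[1], sys.argv[2]
    ns = sys.argv[3] if len(sys.argv) > 3 else None
    n = wait_for_challenge(name, value, resolve=lambda q: resolve_txt(q, ns))
    print("visible after %d poll(s)" % n if n else "not visible, do not press Enter yet")
    sys.exit(0 if n else 1)
```

Run it from a second terminal while certbot waits for Enter; a non-zero exit means the record is not yet visible and certbot's check would most likely fail too.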

As part of the success message, you are shown the paths of the private key and certificate chain files. These paths are within the context of the Docker container that was used; on the host, the files are under ./etc_letsencrypt/live/${MYDOMAIN}

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.martinmurphy.tech/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.martinmurphy.tech/privkey.pem
   Your cert will expire on 2018-10-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Deploy the certificate to OpenShift

Once the certificates have been created, they can be deployed to your OpenShift router.

cd etc_letsencrypt/live/${MYDOMAIN}
oc project default
oc secrets new router-certs tls.crt=fullchain.pem tls.key=privkey.pem \
   -o json --type='kubernetes.io/tls' --confirm | oc replace -f -
oc rollout latest router

Verify that it works

Once the updated router has deployed, verify that the wildcard certificate is being served correctly with curl or your favourite browser.

curl -v --head https://test.${MYDOMAIN}

Certificates from Let's Encrypt are only valid for 90 days, so the certs you just created must be renewed within that time.
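The curl check above shows the handshake, but two things are worth checking programmatically: that the wildcard SAN actually covers the hostname you care about (a wildcard matches exactly one label, so it covers test.example.tech but not the apex or a.b.example.tech), and how many days remain before the 90-day certificate expires. The script below is an added example, not code from the original post; it uses only the Python standard library, and the names fetch_peer_cert, san_dns_names, name_matches, days_until_expiry and assess are this example's own.

```python
"""Inspect the certificate the OpenShift router presents for a hostname.

Added example, not code from the original post: checks that the wildcard
SAN covers the host and how many days remain before the 90-day Let's
Encrypt certificate expires. Function names are this example's own.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Connect with TLS and return the validated leaf certificate in the
    dict form of SSLSocket.getpeercert(); the default context verifies the
    chain against the system CA store, so an unknown issuer raises here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert: Dict) -> List[str]:
    """All dNSName entries from the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style wildcard matching: '*' is only honoured as the whole
    leftmost label and matches exactly one label, so *.example.tech covers
    test.example.tech but not example.tech or a.b.example.tech."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def days_until_expiry(cert: Dict, now_epoch: Optional[float] = None) -> int:
    """Whole days left; notAfter is in the format getpeercert() emits,
    e.g. 'Oct 25 12:00:00 2018 GMT', which ssl.cert_time_to_seconds parses."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) // 86400)


def assess(cert: Dict, host: str, now_epoch: Optional[float] = None,
           renew_within: int = 30) -> Dict:
    """Summarise whether the cert covers `host` and whether it is time to renew
    (certbot's own default is to renew once fewer than 30 days remain)."""
    days = days_until_expiry(cert, now_epoch)
    return {
        "covers_host": any(name_matches(n, host) for n in san_dns_names(cert)),
        "days_left": days,
        "renew_now": days < renew_within,
    }


if __name__ == "__main__":
    import sys
    # usage: python check_router_cert.py test.example.martinmurphy.tech
    target = sys.argv[1]
    print(assess(fetch_peer_cert(target), target))
```

Pointing this at both a subdomain and the apex confirms that both names from the certbot command made it into the certificate; running it from cron with renew_now as the alert condition gives you a reminder before the 90 days run out.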