Open hrstoyanov opened 6 years ago
I'm not going to go as far as to say plans, but I agree it would be a cool thing to do. I think one reason it hasn't been done in the past is because app servers are often deployed with the SSL being terminated ahead of the application server at which point it wouldn't be useful.
So what is the status of this? This month (July 2018) Chrome starts warning users when visiting sites that use HTTP. Therefore, if one wants to use OL and the free and awesome letsencrypt.org, she will have to put a letsencrypt-friendly proxy (Apache/NGINX), which is pretty ugly and redundant.
@aguibert, @acdemyers Any hope for this feature? As you know, Google Chrome will mark all HTTP connections as unsafe with the next Chrome release. letsencrypt.org offers a free way to secure a web app.
Without built-in support in OL, one has to:
Frontend his/her OL-based web app with Apache or NGINX (which already integrate smoothly with letsencrypt) or even Istio.
Switch back to the old way of purchasing certificates, building key stores, etc.
@hrstoyanov This is still under consideration.
As Alaine mentioned, this support is under consideration. At the moment it's in a prototype stage and the design will begin shortly.
This issue is still being investigated.
This is still being investigated.
Ongoing
Most of the design work on this item is completed and we're starting to evolve the prototype to a real implementation. It should be delivered soon (two or three months).
Being worked under #9017
@hrstoyanov We are very close to delivering this support. Any interest in trying this support out pre-GA?
Will try depending on my time, thank you very much!
/Hristo Stoyanov
On Tue, May 5, 2020, 13:17 James Mulvey notifications@github.com wrote:
@hrstoyanov https://github.com/hrstoyanov We are very close to delivering this support. Any interest in trying this support out pre-GA?
Has this been completed? Is Automatic certificate management with ACME the result of this work, or is what you want to accomplish here something else?
The very popular letsencrypt.org offers free (relatively short-lived) SSL certificates. It implements the ACME (see also ACME4J) protocol to obtain/renew certificates, which would need to be implemented by OL, but is not compatible with the clunky keystore file approach. Any plans to seamlessly integrate with letsencrypt/ACME?