Closed jonathan-sturges closed 3 years ago
Limitations/comments:
Could we get wildcard SSL cert to match *.redhatgov.io ?
On Wed, Aug 12, 2020 at 2:33 PM jonathan-sturges notifications@github.com wrote:
Limitations/comments:
- Let's Encrypt only allows 50 per domain, per day.
- Need control of DNS for domain
-- Calvin Smith | Senior Solutions Architect Public Sector Division | Red Hat calvin@redhat.com
Just ran a RHEL8 workshop where this was an issue. Several students from corporate networks that don't allow invalid certs. Letsencrypt would be a great way to mitigate this.
Wildcard cert on *.redhatgov.io would probably be too broad. The pattern for DNS names in the workshop should probably be updated and then a wildcard used. If the name of the workshop is "mycompany" then I get hosts called:
- mycompany.node.#.redhatgov.io
- mycompany.tower.#.redhatgov.io
It is a weird naming convention by itself but for wildcard certs we could just switch it to make the company name a subdomain like:
- node.#.mycompany.redhatgov.io
- tower.#.mycompany.redhatgov.io
The wildcard cert can then be issued on *.mycompany.redhatgov.io. The naming convention is also much easier to understand IMHO.
I like this approach, and it looks like it should be compatible with this module for per-host certs. That would make deployment pretty seamless for smaller workshops straight up, but we'd have to test if it also works for wildcard certs.
I think this approach continues to have merit. If we create per-workshop sub-domains, we should be able to use a DNS-01 challenge from Let's Encrypt to get a wildcard cert. ref: https://letsencrypt.org/docs/challenge-types/
I'll work on testing this out.
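One detail worth checking before the DNS-01 wildcard route is adopted for the per-workshop subdomain scheme above: browsers apply RFC 6125 wildcard matching, where `*` stands for exactly one DNS label. The following is an added example (not code from the issue thread or the workshop repository) that implements that matching rule and runs it over host names constructed from the naming patterns discussed here, with the `#` placeholder replaced by a sample node number. The flattened `node1.mycompany.redhatgov.io` form is an assumption introduced only to show what a `*.mycompany.redhatgov.io` cert would cover.

```python
"""Wildcard certificate name matching, per RFC 6125 section 6.4.3.

Added example for the redhatgov.workshops Let's Encrypt discussion; it is
not part of the project.  It shows which workshop host names a wildcard
certificate would actually cover once issued via a DNS-01 challenge.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules applied by browsers and CAs (RFC 6125 section 6.4.3):
    - comparison is case-insensitive;
    - '*' is only accepted as the entire leftmost label;
    - '*' matches exactly one DNS label, never across a dot;
    - a wildcard needs at least two labels to its right (no '*.io').
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if (p_labels[0] != "*"
            or any("*" in label for label in p_labels[1:])
            or len(p_labels) < 3):
        return False  # malformed or overly broad wildcard: refuse it
    # The '*' consumes exactly one label, so label counts must be equal.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def coverage(pattern: str, hostnames: list) -> dict:
    """Map each host name to whether `pattern` would cover it."""
    return {host: wildcard_matches(pattern, host) for host in hostnames}


# Constructed sample host names: current workshop pattern (workshop name
# first), the proposed pattern (workshop name as subdomain), and an
# assumed flattened variant with no extra label between role and workshop.
CURRENT_PATTERN = ["mycompany.node.1.redhatgov.io",
                   "mycompany.tower.1.redhatgov.io"]
PROPOSED_PATTERN = ["node.1.mycompany.redhatgov.io",
                    "tower.1.mycompany.redhatgov.io"]
FLATTENED_PATTERN = ["node1.mycompany.redhatgov.io",   # assumption
                     "tower1.mycompany.redhatgov.io"]  # assumption


if __name__ == "__main__":
    for cert_name, hosts in [("*.redhatgov.io", CURRENT_PATTERN),
                             ("*.mycompany.redhatgov.io", PROPOSED_PATTERN),
                             ("*.mycompany.redhatgov.io", FLATTENED_PATTERN)]:
        for host, ok in coverage(cert_name, hosts).items():
            print(f"{cert_name:28} {host:34} {'covered' if ok else 'NOT covered'}")
```

Running it shows that neither a `*.redhatgov.io` cert for the current names nor a `*.mycompany.redhatgov.io` cert for `node.1.mycompany.redhatgov.io` would validate, because each host has one label more than the wildcard allows; only a scheme with a single label in front of the workshop subdomain (or per-host certs, as the earlier comment suggests) is covered. The bare `mycompany.redhatgov.io` name is also outside the wildcard and would need its own SAN.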
Closed by #166
This addresses 2 problems we encounter during workshop delivery:
1. New browsers may reject self-signed certs.
2. Managed browser policies are more prevalent and students with corporate laptops are prevented from accessing workshops with self-signed certs.