bioatlas / ala-docker

Dockerized version of Atlas of Living Australia components
GNU Affero General Public License v3.0

Self-signed certs trouble #24

Open mskyttner opened 6 years ago

mskyttner commented 6 years ago

Using commercial certs is different from using self-signed certs. It seems that some of the Java-based services may not trust the ca.pem file for the CA "test-ca" we use by default, but the trust chain would be there if using a commercial cert (which we have been doing internally so far).

So we may need to install the CA cert into some truststores first to get this to work on initial startup... pretty annoying... Let's Encrypt certs don't seem to be an option. It would be nice to have https with self-signed certs from the get-go...

Ideas?

Some of these links may provide more detail:

https://rootsquash.com/2016/05/02/inserting-certificates-into-java-keystore-via-dockerfile/
https://thomas-leister.de/en/how-to-import-ca-root-certificate/
https://stackoverflow.com/questions/46923699/ssl-client-certs-with-docker-container
https://github.com/anapsix/docker-alpine-java/issues/27
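
The step the comment above is asking for, importing the "test-ca" cert into the JVM's default truststore so the Java services accept the self-signed chain, as an added example. This is not code from the ala-docker project; it assumes the CA cert is available at /certs/ca.pem (hypothetical path), that the truststore still uses the stock password `changeit`, and that the services rely on the JVM default truststore rather than one passed via -Djavax.net.ssl.trustStore. It handles the two things that usually bite in a Dockerfile or entrypoint: the cacerts path moved between Java 8 (jre/lib/security) and Java 9+ (lib/security), and keytool refuses to import an alias that already exists, so a naive import breaks on container restart.

```shell
#!/bin/sh
# Added example (not part of ala-docker): trust a self-signed CA inside a
# Java-based container at build or startup time.
# Assumptions (hypothetical): CA at /certs/ca.pem, alias "test-ca",
# default cacerts password "changeit".
set -eu

# Locate the JVM default truststore. Java 9+ keeps it at
# $JAVA_HOME/lib/security/cacerts; Java 8 and earlier under jre/lib/security.
# Prints the path and returns 0, or returns 1 if no cacerts file is found.
find_truststore() {
    home="${1:-${JAVA_HOME:-}}"
    if [ -z "$home" ] && command -v java >/dev/null 2>&1; then
        # Resolve symlinks (e.g. /usr/bin/java -> /opt/jdk/bin/java) to get JAVA_HOME.
        home=$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")
    fi
    for candidate in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Import a PEM CA certificate into the truststore exactly once.
# keytool exits non-zero when the alias already exists, so check first
# to keep container restarts idempotent.
import_ca() {
    ca_pem="$1"; ca_alias="$2"; store="$3"; pass="${4:-changeit}"
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$ca_alias" >/dev/null 2>&1; then
        echo "alias '$ca_alias' already present in $store"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts \
        -alias "$ca_alias" -file "$ca_pem" \
        -keystore "$store" -storepass "$pass"
}

# Post-import check: show the entry the JVM will now trust (alias + SHA-256).
show_ca() {
    keytool -list -v -keystore "$2" -storepass "${3:-changeit}" -alias "$1" \
        | grep -E '^(Alias name|.*SHA256)'
}

# Typical entrypoint usage (only runs when keytool is available):
if command -v keytool >/dev/null 2>&1 && [ -f /certs/ca.pem ]; then
    store=$(find_truststore) || { echo "no cacerts found" >&2; exit 1; }
    import_ca /certs/ca.pem test-ca "$store"
    show_ca test-ca "$store"
fi
```

In a Dockerfile this becomes a `COPY ca.pem /certs/ca.pem` followed by a `RUN` of the script (or sourcing it from the entrypoint so a regenerated dev CA is picked up on startup). Note that it only helps services that use the JVM default truststore; anything started with -Djavax.net.ssl.trustStore pointing elsewhere, or an Alpine image where the JRE ships its own cacerts under a different prefix, needs the import aimed at that file instead, which is what the linked anapsix/docker-alpine-java issue is about.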

mskyttner commented 6 years ago

Should we have the "develop" branch with SSL and a "demo" branch without?

A development box will sometimes not be able to reach out to the Internet to get LE certs or equivalent...

A demo server would, as it can be expected to run online. A "demo" branch with a production setup would be different in other ways as well (using a leaner base stack, no dev tools, no need to make/build etc)...

Inviting for ideas and comments here from @shahmanash @umeldt...