Closed c0c0n3 closed 1 year ago
@karikolehmainen instead of getting a new cert ourselves and pay for it, we could instead deploy Certificate Manager and configure it to automatically get free certs from Let's Encrypt and automatically renew them on expiry.
@karikolehmainen: Hard deadline. Please follow up the ticket
New certs have been uploaded to the server to folder /etc/cert/cert_2023
I will update the kubernetes certs ASAP, but I will try to test those first on an other machine.
Certs have to be recreated by deleting the old istio-gw-cert and creating a new one with the command:
kubectl create -n istio-system secret tls istio-gw-cert --key=/etc/certs/server.key --cert=/etc/certs/server.crt
Finally, new certs have been created on the platform. The problem was that the user was not added correctly to the microk8s group and the kubectl config was off. Old certs were deleted with the command kubectl delete -n istio-system secret istio-gw-cert and new ones created with: kubectl create -n istio-system secret tls istio-gw-cert --key=/etc/certs/server.key --cert=/etc/certs/server.crt
@karikolehmainen awesome job!
@karikolehmainen so I've recreated the Istio GW secret with this command
$ kubectl create -n istio-system secret tls istio-gw-cert --key=server.key --cert=fullchain.crt
where the key and cert files are the new ones you put together with the full cert CA chain in /etc/certs/.
Everything seems to work fine now and if I validate our TLS setup with
it tells me everything is hunky-dory and that the certificate chain is complete.
happy days!
Describe the bug
The current TLS certificate we've got for kitt4sme.collab-cloud.eu is expiring on May the 2nd, 2023. Since review day is May 12th, we've got to replace it with a fresh one ASAP. Also, the current cert is for *.collab-cloud.eu and it might be better to have a more specific one, i.e. for kitt4sme.collab-cloud.eu, if other unrelated sites run on collab cloud. Finally, the CA that signed it (SSL.com RSA SSL subCA) is an intermediate CA that's not always included in popular trust stores. This means some clients might fail to connect to kitt4sme.collab-cloud.eu over HTTPS.
To Reproduce
Steps to reproduce the behavior:
kitt4sme.collab-cloud.eu and 443 in the URL and port fields, respectively.
To see how this could be a problem for clients trying to connect to kitt4sme.collab-cloud.eu, get a shell on the Argo CD server pod. It's an Ubuntu 22.04.2 LTS image which doesn't include "SSL.com RSA SSL subCA" in its trust store. Then use openssl to connect to kitt4sme.collab-cloud.eu:443 and see validation fail.
Expected behavior
We get a new TLS certificate that's valid from 01 May 2023 to at least 30 Jul 2023. Replace the old cert and key on kitt4sme.collab-cloud.eu (/etc/certs) with the new ones, reinstall the new cert in the Istio gateway and add it to the Argo CD config too.
Additional context
207
230