jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

Better docs why we not default to production (yet) #20

Open wernight opened 8 years ago

wernight commented 8 years ago

LEGO_URL, like nearly all ACME clients, should default to the Let's Encrypt production backend. Lego itself does that. However, the YAML given as an example should override it with the staging environment.

This is desirable not only for consistency but also because it's easy to find the Let's Encrypt staging URL and harder to find their production URL (as it's considered the default on all clients).

pieterlange commented 8 years ago

I disagree. This software is not quite stable yet, and I've had it go into a loop requesting certificates and locking me out of the service due to rate limiting.

It's really easy to find the production URLs and even easier to set them. It's a minor hassle, really.

Edited to add: I do think it should be easier to swap to production after the fact. Maybe through some flag in the secret, so it's clear which environment (staging/prod) the credentials belong to.

wernight commented 8 years ago

I agree with starting with the staging environment, but I just want to make this explicit rather than implicit. I'd rather have this in https://github.com/jetstack/kube-lego/blob/master/examples/gce/50-kube-lego-deployment.yaml:

env:
  # A container's env is a list, so each variable is a "- name/value" item.
  - name: LEGO_URL
    # Use the staging environment until you have tested your domains.
    value: https://acme-staging.api.letsencrypt.org/directory

That way it's a lot easier to switch. You say the production URL is easy to find? Try finding it on letsencrypt.org; I bet you'll get the staging URL way earlier. The main reason is really consistency with most clients, including the official one.

Related to that, I agree that there are issues when switching environments as well (that shouldn't be part of this ticket, but it's good to have an overview):

simonswine commented 8 years ago

Will make it more explicit in the docs/yaml and try to check the origin of a user cert before using it (a.k.a. auto-deletion of a non-matching user key/cert after a URL change).
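The origin check simonswine describes above, combined with the per-environment flag pieterlange suggests for the secret, as an added Go example (this is not kube-lego's own code). It assumes three things: the ACME directory URL is recorded next to the account secret when the secret is created (the `recordedURL` parameter here is that hypothetical annotation); a Let's Encrypt directory URL can be classified as staging or production by its hostname (`acme-staging...` vs `acme-v01...`); and a stored certificate can be attributed to staging by its issuer name, since Let's Encrypt's staging intermediates carry names like "Fake LE Intermediate X1" (or, on newer ones, a "(STAGING)" prefix), which production issuers never do. The test certificates are constructed locally from a throwaway CA and are not real Let's Encrypt certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Environment is the ACME environment a URL, a secret or a certificate belongs to.
type Environment string

const (
	Staging    Environment = "staging"
	Production Environment = "production"
	Unknown    Environment = "unknown" // e.g. a local Boulder/Pebble instance
)

// URLEnvironment classifies a Let's Encrypt directory URL by hostname
// (assumption: staging hosts start with "acme-staging"). Other hosts are Unknown.
func URLEnvironment(directoryURL string) (Environment, error) {
	u, err := url.Parse(directoryURL)
	if err != nil {
		return Unknown, err
	}
	host := strings.ToLower(u.Hostname())
	if !strings.HasSuffix(host, ".letsencrypt.org") {
		return Unknown, nil
	}
	if strings.HasPrefix(host, "acme-staging") {
		return Staging, nil
	}
	return Production, nil
}

// CertEnvironment attributes a DER certificate to an environment via its issuer CN.
// Heuristic (assumption): "Fake LE" / "(STAGING)" marks staging, "Let's Encrypt" production.
func CertEnvironment(der []byte) (Environment, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Unknown, err
	}
	cn := cert.Issuer.CommonName
	switch {
	case strings.Contains(cn, "Fake LE"), strings.Contains(cn, "(STAGING)"):
		return Staging, nil
	case strings.Contains(cn, "Let's Encrypt"):
		return Production, nil
	}
	return Unknown, nil
}

// ShouldDiscard says whether stored account/cert material must be dropped before
// talking to legoURL. recordedURL is the (hypothetical) directory URL saved with the
// secret when it was created; "" means the secret predates that annotation.
func ShouldDiscard(legoURL, recordedURL string, certDER []byte) (bool, string) {
	want, err := URLEnvironment(legoURL)
	if err != nil {
		return true, "cannot parse LEGO_URL: " + err.Error()
	}
	if recordedURL != "" && recordedURL != legoURL {
		return true, fmt.Sprintf("secret was created against %s, LEGO_URL is now %s", recordedURL, legoURL)
	}
	if len(certDER) == 0 {
		return false, "" // nothing stored yet, nothing to mismatch
	}
	got, err := CertEnvironment(certDER)
	if err != nil {
		return true, "stored certificate does not parse: " + err.Error()
	}
	if got != Unknown && want != Unknown && got != want {
		return true, fmt.Sprintf("certificate comes from %s but LEGO_URL points at %s", got, want)
	}
	return false, ""
}

// MakeTestCert builds a leaf for example.com signed by a throwaway CA whose
// CommonName is issuerCN. Constructed test data, not a real Let's Encrypt chain.
func MakeTestCert(issuerCN string) []byte {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: issuerCN},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	staging := "https://acme-staging.api.letsencrypt.org/directory"
	prod := "https://acme-v01.api.letsencrypt.org/directory"
	// Operator tested against staging, then flipped LEGO_URL to production.
	discard, why := ShouldDiscard(prod, staging, MakeTestCert("Fake LE Intermediate X1"))
	fmt.Println(discard, why)
}
```

The issuer-name check is the fallback for secrets created before the URL was recorded; once every secret carries the directory URL, the string comparison alone is enough, and a mismatch means "delete the account key and certificate and re-register" rather than "keep retrying", which is what produced the rate-limit lockout described earlier in the thread.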