pivotal / cf-onboarding

Iterating on Onboarding Week with lightning speed and cunning
MIT License

Considering using Let's Encrypt instead of OpenSSL #182

Open professor opened 6 years ago

professor commented 6 years ago

On my team, I've noticed that we use OpenSSL which results in a lot of Chrome clicking past "Get me back to safety" links. I wonder if CF as a whole should be using Let's Encrypt more.

dsabeti commented 6 years ago

Hey @professor. We've gotten similar feedback recently. When we originally wrote these stories, Let's Encrypt didn't support wildcard certificates -- a dealbreaker for CF deployment. Now that Let's Encrypt has started supporting wildcard certificates, I'm totally open to adding that into the onboarding repo, although I have a few nuanced thoughts about it.

Most actual Pivotal dev teams still use self-signed certificates. It seems like it's worth explaining/teaching that in the onboarding course so that participants can understand what their team is currently doing. However, this could also be an opportunity to teach folks a better way. What do you think of a story to "upgrade" from a self-signed certificate to valid certificate from Let's Encrypt? Would you be open to submitting a PR?

professor commented 6 years ago

@dsabeti thanks for the feedback. In working through the onboarding materials, I briefly tried Let's Encrypt; it's new technology for me. It looks like it wants DNS setup for the subdomain before it will issue a certificate as part of its authorization process. Currently the stories set up the cert, then set up the DNS. I'll need to dig into this some more.

dsabeti commented 6 years ago

@professor, thinking this through a little now. bbl expects LB certs as an input, and then creates the appropriate DNS record; Let's Encrypt requires the DNS record to exist in order to issue the cert. Sounds like deadlock.

Maybe we can reframe this as a story to replace your original self-signed certs with a publicly issued certificate after setting up your load balancers?

Also, cc @evanfarrar, in case he's interested in smoothing out the integration between bbl and Let's Encrypt.
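The "bootstrap self-signed, replace later" flow discussed above, as an added shell example that is not code from the cf-onboarding repo or from bbl. It generates the self-signed wildcard certificate that bbl can take as LB input, then provides checks a team can run afterwards to tell whether the installed certificate is still the self-signed one (issuer equal to subject, which is why Chrome shows the interstitial) or has been replaced with a CA-issued one. The domain `sys.example.com`, the working directory, and the `certbot --dns-google` invocation (which needs the certbot-dns-google plugin, network access and DNS credentials, so it is only printed, not run) are assumptions; only the `openssl` CLI is required to run it.

```shell
#!/bin/sh
# Added example (not from the cf-onboarding repo or bbl). Step 1 creates the
# self-signed wildcard cert the current stories use; the checks below show why
# browsers reject it and let you confirm the later Let's Encrypt replacement.
# Assumptions: openssl on PATH; sys.example.com is a placeholder domain.
set -e

DOMAIN="${DOMAIN:-sys.example.com}"   # placeholder, not a real environment
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: self-signed wildcard cert. A config file is used instead of -addext
# so this also works with older OpenSSL and LibreSSL builds.
make_self_signed() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$DOMAIN
[v3]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORKDIR/openssl.cnf" \
    -keyout "$WORKDIR/lb.key" -out "$WORKDIR/lb.crt" >/dev/null 2>&1
  echo "$WORKDIR/lb.crt"
}

# A certificate is self-signed when issuer == subject: there is no CA chain
# for the browser to validate, which is what produces the Chrome warning page.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# DNS names in the SAN extension (browsers match on SAN, not CN).
san_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Succeeds if the cert is still valid $2 seconds from now. Worth running on a
# schedule once you switch, since Let's Encrypt certs are valid for 90 days.
valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Step 2 runs only after bbl has created the DNS records: wildcard names
# require the DNS-01 challenge. Assumed command; needs the dns-google plugin.
replacement_command() {
  echo "certbot certonly --dns-google -d '*.$DOMAIN' -d '$DOMAIN'"
}

CRT=$(make_self_signed)
if is_self_signed "$CRT"; then
  echo "bootstrap cert is self-signed; once DNS exists, run: $(replacement_command)"
fi
san_names "$CRT"
```

After the Let's Encrypt certificate is installed, `is_self_signed` on the live cert should fail and `san_names` should still list both the wildcard and the apex name; if the wildcard entry is missing, the DNS-01 issuance was done for the wrong set of names.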

crhntr commented 5 years ago

I've played around with Let's Encrypt before and work on BBL so I might explore implementing this sometime during flex-hours (this or next week).

crhntr commented 5 years ago

I just started working on this.

WIP: https://github.com/crhntr/certbot-dns-google-concourse-tasks/