Our current wildcard certificate expires on September 3rd. Our current provider (DigiCert) has increased their pricing and we're looking to move away from them.
After reviewing and testing Let's Encrypt's device compatibility, we have decided to integrate ACME into our infrastructure and switch to LE.
Google Trust Services has also put a public ACME service in place. It offers a similar service to Let's Encrypt, except that its chain is anchored in a root certificate from 1998, so compatibility is about as good as it gets. Using GTS lets us retain the same compatibility that osu! users are used to. The service is in free public beta. It is not impossible that it will become paid at the end of the beta phase, but since both providers speak ACME we can switch back and forth between them in a few minutes, so the plan is to roll with GTS for now.
[x] Kubernetes clusters SSL migration
Our Kubernetes clusters will issue certificates using cert-manager, an ACME client by jetstack built for Kubernetes.
[x] Staging cluster (http01 validation only)
[x] Production cluster (dns01 & http01 validation)
[x] Individual droplets SSL migration
Most of the work goes here, as there are dozens of droplets to migrate - or rather, to create an SSL infrastructure for. Because we used to renew with DigiCert every 3 years, no automated process was ever put in place. LE/GTS issue certificates valid for at most 90 days, so we must switch to an automated solution.
Our individual droplets run on a huge variety of operating systems. Managing an ACME client on each would be a huge overhead, and we'd rather not share our Cloudflare API token with every droplet that needs a wildcard certificate.
Therefore, we will rely on cert-manager in our production Kubernetes cluster to issue and renew all the certificates we need. Every droplet will fetch its certificates on a regular basis using small bash/curl scripts, via a custom-made HTTPS service running inside the production cluster. Droplets authenticate to that service with client certificates (mTLS), so no ACME credentials or DNS API tokens ever leave the cluster.
[x] Certificates serving back-end development
[x] Certificates serving back-end deployment
[x] Certificates fetching script development
[x] Certificates fetching script deployment across all ~15 droplets/nodes that need them.
[x] Automatically refresh our custom edge certificate on Cloudflare
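As an added example of the droplet side of the design above (this is not osu!'s own script, which the page does not show), a POSIX sh fetcher: it talks to the in-cluster service over mTLS with the droplet's client certificate, validates what it downloaded before anything touches the live files, replaces them atomically, and reloads the web server only when something actually changed. The service URL, its path layout (`/<domain>/fullchain.pem` and `/<domain>/privkey.pem`), the file locations and the reload command are all assumptions.

```shell
#!/bin/sh
# fetch-certs.sh: droplet-side fetcher for certificates issued by cert-manager
# in the production cluster. Added example for this page, not osu!'s script.
# Assumed: the in-cluster service serves /<domain>/fullchain.pem and
# /<domain>/privkey.pem, authenticates callers by client certificate, and has
# a server certificate signed by a private CA whose bundle is $CA_BUNDLE.
set -eu

CERT_SERVICE="${CERT_SERVICE:-https://certs.internal.example/v1}"  # assumed URL
CLIENT_CERT="${CLIENT_CERT:-/etc/certfetch/client.pem}"             # this droplet's identity
CLIENT_KEY="${CLIENT_KEY:-/etc/certfetch/client.key}"
CA_BUNDLE="${CA_BUNDLE:-/etc/certfetch/ca.pem}"                     # private CA only, not the system store
INSTALL_DIR="${INSTALL_DIR:-/etc/ssl/fetched}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Structural sanity check: rejects an empty file, an HTML error page, or a
# PEM truncated mid-block (BEGIN/END counts must match and be non-zero).
pem_looks_valid() {
    [ -s "$1" ] || return 1
    begins=$(grep -c -- '-----BEGIN ' "$1" || true)
    ends=$(grep -c -- '-----END ' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Cryptographic checks (openssl): the leaf must not expire within 24h and its
# public key must match the private key, so a mismatched pair is never installed.
cert_matches_key() {
    openssl x509 -noout -in "$1" -checkend 86400 >/dev/null || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# mTLS download: --cert/--key present the droplet's client certificate,
# --cacert pins the service to our private CA, --fail turns an HTTP error
# into a non-zero exit instead of a saved error page.
fetch_file() {
    curl --fail --silent --show-error --max-time 30 \
         --cert "$CLIENT_CERT" --key "$CLIENT_KEY" --cacert "$CA_BUNDLE" \
         --output "$2" "$1"
}

# Atomically replace $2 with $1 (rename inside the same directory, hence the
# same filesystem) only when the content differs; prints "changed"/"unchanged".
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        rm -f "$1"
        echo unchanged
        return 0
    fi
    chmod "$3" "$1"
    mv -f "$1" "$2"
    echo changed
}

# Fetch, validate and install one domain. Prints "changed"/"unchanged";
# returns 1 and leaves the live files untouched if anything looks wrong.
fetch_domain() {
    domain="$1"
    chain_tmp=$(mktemp "$INSTALL_DIR/.chain.XXXXXX")   # mktemp creates mode 0600
    key_tmp=$(mktemp "$INSTALL_DIR/.key.XXXXXX")
    if ! fetch_file "$CERT_SERVICE/$domain/fullchain.pem" "$chain_tmp" \
       || ! fetch_file "$CERT_SERVICE/$domain/privkey.pem" "$key_tmp" \
       || ! pem_looks_valid "$chain_tmp" || ! pem_looks_valid "$key_tmp" \
       || ! cert_matches_key "$chain_tmp" "$key_tmp"; then
        rm -f "$chain_tmp" "$key_tmp"
        echo "$domain: refusing to install, download or validation failed" >&2
        return 1
    fi
    c=$(install_if_changed "$chain_tmp" "$INSTALL_DIR/$domain.fullchain.pem" 0644)
    k=$(install_if_changed "$key_tmp" "$INSTALL_DIR/$domain.key" 0600)
    if [ "$c" = changed ] || [ "$k" = changed ]; then echo changed; else echo unchanged; fi
}

# Usage from cron or a systemd timer: fetch-certs.sh fetch ppy.sh osu.ppy.sh
main() {
    need_reload=0
    for domain in "$@"; do
        if result=$(fetch_domain "$domain"); then
            if [ "$result" = changed ]; then need_reload=1; fi
        else
            echo "$domain: keeping the existing certificate" >&2
        fi
    done
    # One reload, after every domain's chain and key are both in place.
    if [ "$need_reload" -eq 1 ]; then $RELOAD_CMD; fi
}

case "${1:-}" in
    fetch) shift; main "$@" ;;
esac
```

Two things the script cannot do for you: the client certificate only proves which droplet is calling, so the in-cluster service still has to decide which domains that identity may download (a wildcard private key is the most sensitive artifact in this whole design), and the `--cacert` bundle should contain only the private CA that signed the service, so a certificate from any public CA cannot impersonate it.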