...
```
$ git clone https://github.com/certbot/certbot
$ cd certbot
$ docker run -v "$(pwd)":/certbot -it python bash
# cd /certbot
# python setup.py install
```
Since Google Domains has no API that certbot can drive, the DNS-01 challenge for the wildcard has to be completed by hand with certbot's manual plugin (quote the wildcard so the shell does not try to expand it):
```
$ certbot certonly --manual -d '*.globuswhatever.ndslabs.org' --agree-tos --no-bootstrap --server https://acme-v02.api.letsencrypt.org/directory
...
Please deploy a DNS TXT record under the name
_acme-challenge.whatever.ndslabs.org with the following value:

XXuXXmIvjuvCNa-cXXoX4Xy0c2VDkbQrNnp3V4qrnXo

Before continuing, verify the record is deployed.
```
...
Add the TXT record in the Google Domains console and check that the zone's authoritative nameservers serve it before going on; Let's Encrypt queries them, and a failed challenge counts against the rate limits. Then, in the certbot window, press Enter to continue. Certbot writes the certificate to /etc/letsencrypt/live/<domain>/, where the files are symlinks into /etc/letsencrypt/archive/<domain>/ (the numbered fullchain1.pem, privkey1.pem and so on). Copy the archive directory into /certbot, the bind-mounted checkout, so the files end up on the host:
```
cp -r /etc/letsencrypt/archive/domain .
```
Exit the container. Nothing else in /etc/letsencrypt (the ACME account key and the renewal configuration) outlives the container unless that directory is also mounted from the host, and privkey1.pem now sits inside a git working tree: keep it out of version control and delete it once the secret has been created.
```
cd domain
kubectl create secret generic ndslabs-tls-secret --from-file=tls.crt=fullchain1.pem --from-file=tls.key=privkey1.pem --namespace=default
```
This creates an Opaque secret carrying the tls.crt and tls.key keys. The equivalent kubectl create secret tls ndslabs-tls-secret --cert=fullchain1.pem --key=privkey1.pem --namespace=default produces a secret of type kubernetes.io/tls, which is the type an Ingress tls section refers to, and kubectl also checks that the certificate and private key belong together before creating it.
A few things to note:
- Certificates are only valid for 90 days (https://community.letsencrypt.org/t/lets-encrypt-in-numbers-limits-restrictions-features/37113); Let's Encrypt recommends renewing after 60.
- Certbot can automate renewal, but not for certificates obtained with --manual: certbot renew needs a --manual-auth-hook script that can publish the new TXT record, and Google Domains has no API for such a script to call, so this procedure has to be repeated by hand before each expiry.
- cert-manager, the successor to kube-lego, added support with https://github.com/jetstack/cert-manager/pull/309
  - Merged 2 days ago!
- In theory, we could use cert-manager to generate and maintain wildcard certs via letsencrypt. It still solves DNS-01 through a DNS provider's API, so the Google Domains limitation applies there as well.
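The two places where this procedure goes wrong are pressing Enter before the TXT record is actually served (the challenge fails and burns rate limit) and loading a certificate into the cluster that does not match its key or is about to expire. The helpers below, an added example that is not part of the original page or of certbot, cert-manager or kubectl, cover both: they poll the zone's authoritative nameservers (the ones Let's Encrypt asks, not a caching resolver) for the exact record certbot printed, and they validate the fullchain/privkey pair before creating or updating the Kubernetes secret. They assume dig, openssl and kubectl are on PATH and a kubectl recent enough to support --dry-run=client; every hostname, path and secret name is illustrative.

```shell
#!/bin/sh
# Added example (not from the original page, certbot, cert-manager or kubectl).
# Assumes dig, openssl and kubectl on PATH; names and paths are illustrative.

# Authoritative nameservers for the zone containing $1, found by walking up the
# labels until an NS lookup answers (globuswhatever.ndslabs.org -> ndslabs.org).
authoritative_ns() {
  d=$1
  while [ -n "$d" ]; do
    ns=$(dig +short NS "$d")
    if [ -n "$ns" ]; then
      printf '%s\n' "$ns"
      return 0
    fi
    case "$d" in
      *.*) d=${d#*.} ;;
      *)   d= ;;
    esac
  done
  return 1
}

# True if nameserver $3 already serves TXT record $1 with value $2. dig prints
# TXT data in double quotes, which are stripped before comparing; ACME tokens
# contain no spaces, so word-splitting the answer is safe.
txt_record_present() {
  name=$1 expected=$2 server=$3
  for v in $(dig +short TXT "$name" "@$server" | tr -d '"'); do
    [ "$v" = "$expected" ] && return 0
  done
  return 1
}

# Poll until every authoritative nameserver serves the record certbot asked for.
# $1 = record name (_acme-challenge.<domain>), $2 = value, $3 = attempts
# (default 40, 15 s apart). Run this before pressing Enter in the certbot window.
wait_for_txt() {
  name=$1 expected=$2 attempts=${3:-40}
  servers=$(authoritative_ns "${name#_acme-challenge.}") || return 1
  n=0
  while [ "$n" -lt "$attempts" ]; do
    missing=0
    for s in $servers; do
      txt_record_present "$name" "$expected" "$s" || missing=1
    done
    [ "$missing" -eq 0 ] && return 0
    n=$((n + 1))
    sleep 15
  done
  echo "TXT record $name not visible on all nameservers after $attempts attempts" >&2
  return 1
}

# Refuse a cert/key pair whose public keys differ, or a certificate that expires
# within 30 days (Let's Encrypt certs live 90 days; renew at 60).
check_cert() {
  cert=$1 key=$2
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$c" = "$k" ] || { echo "$cert does not match $key" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null || {
    echo "$cert expires within 30 days; renew first" >&2; return 1; }
}

# Create or update the TLS secret idempotently. "create secret tls" yields type
# kubernetes.io/tls with the tls.crt/tls.key keys an Ingress expects; the
# dry-run + apply pair turns a re-run after renewal into an update instead of an
# AlreadyExists error. $1 = secret name, $2 = fullchain, $3 = key, $4 = namespace.
apply_tls_secret() {
  check_cert "$2" "$3" || return 1
  kubectl create secret tls "$1" --cert="$2" --key="$3" --namespace="${4:-default}" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage: sh acme-helpers.sh wait _acme-challenge.globuswhatever.ndslabs.org <value>
#        sh acme-helpers.sh apply ndslabs-tls-secret fullchain1.pem privkey1.pem default
case "${1:-}" in
  wait)  wait_for_txt "$2" "$3" ;;
  apply) apply_tls_secret "$2" "$3" "$4" "$5" ;;
esac
```

Run the wait subcommand in a second terminal with the record name and value certbot printed; once it returns, press Enter in the certbot window. After exiting the container, the apply subcommand replaces the kubectl create secret generic step and can be re-run unchanged after every manual renewal.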