I use acme.sh all the time for generating Let's Encrypt certs; it's easy and fast. The only downside is that it's also a bit of manual labour.
-
Create caa.your-domain entries in your two Route53 hosted zones.
Enter this as the Record name
caa
Enter this as the Value
0 issuewild "letsencrypt.org;"
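A quick way to confirm that the CAA records actually authorize Let's Encrypt for both names before spending an issuance attempt on it. This is an added example, not part of the original post: it needs dig on the path and assumes the records come back in the form `dig +short CAA` prints them (`0 issuewild "letsencrypt.org;"`). Two rules from RFC 8659 matter here and the check applies both. First, a CA looks for CAA at the requested name and then at each parent in turn, so a record is only consulted when it sits on that name or one of its ancestors (the zone apex is the usual place); the lookup helper walks up the tree the same way. Second, issuewild only governs wildcard names, so a zone with an issuewild record and no issue record leaves a non-wildcard name such as the API hostname unrestricted.

```shell
#!/bin/sh
# Added example (not from the original post): check that the CAA records in
# DNS permit a given CA to issue for a given name, following RFC 8659.
set -e

# Climb from the name to the zone apex and return the first non-empty CAA RRset,
# as a CA does. A leading "*." is dropped first: the wildcard name *.X is
# governed by the records found at X and its parents. Needs dig (assumption).
caa_lookup() {
  n=${1#"*."}
  while [ -n "$n" ]; do
    out=$(dig +short CAA "$n" 2>/dev/null) || return 1
    if [ -n "$out" ]; then
      printf '%s\n' "$out"
      return 0
    fi
    case "$n" in
      *.*) n=${n#*.} ;;
      *)   n= ;;
    esac
  done
  return 1
}

# caa_permits RRSET CA NAME
# RRSET is one record per line as dig prints it: flags tag "value".
# Prints "permitted", "denied" or "unrestricted"; returns 1 only for "denied".
caa_permits() {
  rrset=$1; ca=$2; name=$3
  case "$name" in
    \*.*)
      relevant=$(printf '%s\n' "$rrset" | awk '$2 == "issuewild"')
      # No issuewild record: issue records govern wildcard names as well.
      [ -n "$relevant" ] || relevant=$(printf '%s\n' "$rrset" | awk '$2 == "issue"')
      ;;
    *)
      # issuewild records are ignored for non-wildcard names.
      relevant=$(printf '%s\n' "$rrset" | awk '$2 == "issue"')
      ;;
  esac
  if [ -z "$relevant" ]; then
    echo unrestricted
    return 0
  fi
  if printf '%s\n' "$relevant" | awk -v ca="$ca" '
      {
        v = $0
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", v)  # drop flags and tag
        gsub(/"/, "", v)                          # unquote
        sub(/;.*/, "", v)                         # drop parameters after ; (a bare ; matches no CA)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (v == ca) found = 1
      }
      END { exit found ? 0 : 1 }'; then
    echo permitted
    return 0
  fi
  echo denied
  return 1
}

# Usage: sh caa-check.sh --run api.cluster.example.com '*.apps.cluster.example.com'
if [ "${1:-}" = "--run" ]; then
  shift
  for name in "$@"; do
    rrset=$(caa_lookup "$name") || rrset=
    printf '%-45s %s\n' "$name" "$(caa_permits "$rrset" letsencrypt.org "$name")"
  done
fi
```

Run it with `--run` followed by the API hostname and the wildcard name; "unrestricted" for the API name means no issue record was found on it or any parent, which is what you get from a zone holding only an issuewild record.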
-
On the command line, export your AWS credentials.
export AWS_ACCESS_KEY_ID=<aws key id>
export AWS_SECRET_ACCESS_KEY=<aws secret access key>
-
Grab the cluster API and wildcard domains and export them as environment variables. We will create a Let's Encrypt cert with Subject Alternative Names for these domains.
export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
-
Clone the fabulous acme.sh git repo to your local machine.
cd ~/git
git clone https://github.com/Neilpang/acme.sh.git
-
Now run the acme shell script to issue your certificate (the wildcard name is quoted so the shell does not treat it as a glob).
~/git/acme.sh/acme.sh --issue --dns dns_aws -d ${LE_API} -d "*.${LE_WILDCARD}" --dnssleep 100 --force --insecure
-
Once complete, your certificate and key are stored under ~/.acme.sh/ in your home directory.
-
We can now configure the default OpenShift ingress router to use them.
oc -n openshift-ingress delete secret router-certs
oc -n openshift-ingress create secret tls router-certs --cert=/home/$USER/.acme.sh/${LE_API}/fullchain.cer --key=/home/$USER/.acme.sh/${LE_API}/${LE_API}.key
oc -n openshift-ingress-operator patch ingresscontroller default --patch '{"spec": { "defaultCertificate": { "name": "router-certs"}}}' --type=merge
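Putting the remaining steps together: the following is an added example, not the original post's own script, that derives the two names, issues the SAN certificate through Route53 and installs it on the default router, with a check that the certificate and key actually belong together before the router secret is replaced. It assumes oc is logged in, AWS credentials are exported, acme.sh is cloned at ~/git/acme.sh (override with ACME_SH), and openssl is available for the key check. Two deliberate departures from the commands above: --keylength 2048 is passed explicitly so the files land under ~/.acme.sh/<api host>/ as described (current acme.sh releases default to an ECC key, which goes to a separate _ecc directory), and --insecure is left out so the ACME server's own TLS certificate is verified.

```shell
#!/bin/sh
# Added example (not from the original post): the full procedure in one script.
# Assumes: oc logged in, AWS credentials exported, acme.sh cloned at ~/git/acme.sh,
# openssl on the path for the certificate/key check.
set -e

ACME_SH=${ACME_SH:-$HOME/git/acme.sh/acme.sh}

# The post's pipeline for turning the API server URL into the API hostname.
derive_api_host() {
  printf '%s\n' "$1" | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'
}

# Confirm the certificate's public key matches the private key before touching
# the router; a mismatched pair would leave the ingress serving a broken cert.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# acme.sh issuance: --keylength 2048 keeps the RSA layout so the files land under
# ~/.acme.sh/<api host>/ as described above. No --insecure: the ACME server's TLS
# certificate is verified.
issue_cert() {
  api=$1; wildcard=$2
  "$ACME_SH" --issue --dns dns_aws --keylength 2048 \
    -d "$api" -d "*.$wildcard" --dnssleep 100
}

# Replace the router TLS secret and point the default ingresscontroller at it.
install_router_cert() {
  cert=$1; key=$2
  cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
  oc -n openshift-ingress delete secret router-certs --ignore-not-found
  oc -n openshift-ingress create secret tls router-certs --cert="$cert" --key="$key"
  oc -n openshift-ingress-operator patch ingresscontroller default --type=merge \
    --patch '{"spec": {"defaultCertificate": {"name": "router-certs"}}}'
}

main() {
  LE_API=$(derive_api_host "$(oc whoami --show-server)")
  LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator \
    -o jsonpath='{.status.domain}')
  echo "API: $LE_API  wildcard: *.$LE_WILDCARD"
  issue_cert "$LE_API" "$LE_WILDCARD"
  install_router_cert "$HOME/.acme.sh/$LE_API/fullchain.cer" "$HOME/.acme.sh/$LE_API/$LE_API.key"
}

# Only touch the cluster when invoked with --run; otherwise just define the functions.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh issue-router-cert.sh --run`; without the flag it only defines the functions, so it can be sourced and the pieces reused, for example calling install_router_cert on its own after a renewal.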