Certbot DNS-01 and applying certs to OCP

ACME certbot


Use certbot to generate certificate

A wildcard Domain Name consists of a single asterisk character followed by a single full stop character (*.) followed by a Fully-Qualified Domain Name; the asterisk matches exactly one DNS label. So each apps subdomain needs its own certificate, and a multi-level wildcard such as *.*.*.sudlice.org is not possible.

sudo certbot -d "*.apps.poshi4.sudlice.org"   --manual --preferred-challenges dns certonly
sudo certbot -d "*.apps.oshi43.sudlice.org"   --manual --preferred-challenges dns certonly

certbot pauses with a prompt like:
  Please deploy a DNS TXT record under the name to your DNS
Before continuing, test that the TXT record is visible:
dig _acme-challenge.apps.toshi44.sudlice.org txt
 #check certificate
openssl x509 -noout -text -in fullchain.pem

Replacing default ingress certificate

  • You must have a wildcard certificate and its private key, both in the PEM format, for use.
  • The certificate must have a subjectAltName extension of *.apps...

Only needed when a cluster-wide proxy is configured and the wildcard certificate was signed by a CA the cluster does not already trust (not necessary for Let's Encrypt, whose root is publicly trusted):

 #config map for CA
oc create configmap custom-ca \
     --from-file=ca-bundle.crt=ca.crt \
     -n openshift-config
oc patch proxy/cluster \
     --type=merge \
     --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'

Replace the default certificate for all ingress routes:

oc create secret tls letsencrypt --cert=fullchain.pem --key privkey.pem -n openshift-ingress
 # or replace
oc create secret tls letsencrypt --cert=fullchain.pem --key privkey.pem -n openshift-ingress --dry-run -o yaml|oc replace -f -
oc patch ingresscontroller.operator default \
       --type=merge -p \
       '{"spec":{"defaultCertificate": {"name": "letsencrypt"}}}' \
       -n openshift-ingress-operator
 # or force recreate the router pods
for i in $(oc get pods -n openshift-ingress -o name)
do
    oc delete $i -n openshift-ingress
done
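The two halves of these notes (checking what certbot issued, then swapping the ingress certificate) can be combined into one script. The following is an added example, not part of the original notes or of certbot/OpenShift: it checks that the certificate's subjectAltName contains the wildcard name, that it is not about to expire, and that privkey.pem actually belongs to fullchain.pem, before creating or updating the secret and patching the IngressController. The domain, file names and secret name are placeholders, and it assumes bash, openssl, dig and oc are on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): pre-flight checks for a
# certbot-issued wildcard certificate, then an idempotent rotation of the
# OpenShift default ingress certificate. Domain, paths and the secret
# name below are placeholders.
set -euo pipefail

# Show the TXT records the ACME server will look up. Querying a public
# resolver instead of the local one avoids a stale cached answer.
show_acme_txt() {
  local domain="$1"          # e.g. apps.poshi4.sudlice.org
  dig +short TXT "_acme-challenge.${domain}" @1.1.1.1
}

# Return 0 if the certificate's subjectAltName contains the wanted DNS name.
# The ingress operator requires the wildcard name in the SAN, not only in CN.
# grep runs without -q so every pipeline stage reads all its input (pipefail).
cert_has_san() {
  local cert="$1" want="$2"
  openssl x509 -noout -text -in "$cert" \
    | grep -o 'DNS:[^,[:space:]]*' \
    | sed 's/^DNS://' \
    | grep -xF -- "$want" >/dev/null
}

# Return 0 if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
  local cert="$1" days="$2"
  openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

# Return 0 if the private key belongs to the certificate: compare a digest of
# the DER-encoded public key taken from each side. `oc create secret tls`
# accepts a mismatched pair, but the routers would then fail to serve TLS.
key_matches_cert() {
  local cert="$1" key="$2"
  local from_cert from_key
  from_cert=$(openssl x509 -noout -pubkey -in "$cert" \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$from_cert" = "$from_key" ]
}

# Create or update the TLS secret, point the default IngressController at it
# and wait for the router rollout. Re-running is safe: `oc apply` and the
# merge patch are idempotent.
rotate_ingress_cert() {
  local cert="$1" key="$2" want="$3" secret="${4:-letsencrypt}"
  cert_has_san "$cert" "$want"    || { echo "SAN missing: $want" >&2; return 1; }
  cert_valid_for_days "$cert" 7   || { echo "certificate expires within 7 days" >&2; return 1; }
  key_matches_cert "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }

  oc create secret tls "$secret" --cert="$cert" --key="$key" \
    -n openshift-ingress --dry-run=client -o yaml | oc apply -f -
  oc patch ingresscontroller.operator default -n openshift-ingress-operator \
    --type=merge -p "{\"spec\":{\"defaultCertificate\":{\"name\":\"$secret\"}}}"
  # The operator restarts the router pods itself; wait for it instead of
  # deleting the pods by hand.
  oc rollout status deployment/router-default -n openshift-ingress --timeout=300s
}

# Usage with the file names from the notes (placeholder domain):
# show_acme_txt apps.poshi4.sudlice.org
# rotate_ingress_cert fullchain.pem privkey.pem '*.apps.poshi4.sudlice.org'
```

Because `oc create secret tls ... --dry-run=client -o yaml | oc apply -f -` both creates and updates, the separate "create" and "replace" invocations collapse into one command, and the rollout wait replaces the pod-deletion loop.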