Is letsencrypt SSL certificate for existing hostname possible?

I am trying to figure out how to do a migration of a website/server from a DigitalOcean droplet to Azure (AKS) without disruption to the users / customers.

The DigitalOcean configuration has the SSL certificate served by letsencrypt (managed through serverpilot) for the hostname foo.example.com.

In the new configuration:

  • ClusterIssuer installed (cert-manager.io/v1)
  • Issuing of SSL certificates automatically for ingress resources is working ok

What I am not sure about is whether I will be able to (indirectly via the ClusterIssuer in AKS) ask for a new certificate for an existing hostname (foo.example.com) when there is already a certificate issued to the same host in the DigitalOcean droplet?

My gut feeling is telling me no, as all that is required then to make a complete hostile takeover is to get a hold of our DNS configuration and set up a cert for the domain... I am trying to figure out a way to test / verify this but any wisdom on this is much appreciated.

You will be able to configure with cert-manager, and it is ok even if you have an existing certificate available in the DigitalOcean droplet. I did a similar exercise when I migrated my website from GoDaddy to AKS.

You can refer to this link

And if you want to use your existing certificate till it expires, you can still do that if you have the certificate pem file and crt.

kubectl create secret generic domain-tls \
  --from-file=tls.key=<your domain.pem> \
  --from-file=tls.crt=<your domain.crt>
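
An added example (not part of the original answer): a pre-flight check to run before loading the existing key and certificate into the secret as above. It confirms that the key belongs to the certificate, that the certificate covers the hostname, and that it is not about to expire. The function names, the file arguments and the 24-hour threshold are assumptions, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for an existing key/certificate pair
# before it is loaded into a Kubernetes secret. Requires the openssl CLI.
# Function names and the 24-hour threshold are illustrative assumptions.

# 0 if the private key and the (leaf) certificate hold the same public key.
key_matches_cert() {
  kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# 0 if openssl's hostname check accepts the certificate for host $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# 0 if the certificate is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: preflight <key.pem> <cert.crt> <hostname>
preflight() {
  key_matches_cert "$1" "$2" ||
    { echo "private key does not match certificate (or file unreadable)" >&2; return 1; }
  cert_covers_host "$2" "$3" ||
    { echo "certificate does not cover $3" >&2; return 1; }
  cert_valid_for "$2" 86400 ||
    { echo "certificate expires within 24 hours" >&2; return 1; }
  echo "ok"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

If the .crt file contains a full chain, openssl x509 reads only the first certificate in it, which should be the leaf.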

I can also confirm that having two certificates for the same domain works just fine from my experience, but also from the fact that RFC 5280 has "superseded" as the fourth reason to revoke a certificate. Having this reason would not make any sense if that would already happen automatically.

Also if you think about your certificate authority as a provider of a highly available cluster, you may wonder how long even letsencrypt needs to verify a domain. If you were to expire a certificate, which had been replaced and/or used by you or a third party for the first time, even if you could, the authority would still have to expire the certificate on all of their cluster nodes and from requesting certificates, you can approximately say how long such a distribution takes: much too long for your highly available service.
