Automatically update TLS Certificates on OpenShift Routes
- Using https://letsencrypt.org/ for issuing certificates
- Using https://certbot.eff.org/ for managing (create/renew) certificates
- Run inside OpenShift
- Create a OpenShift
CronJob
which will run on a regular schedule for renewing TLS certificate if required.- The
CronJob
will manage a set of requiredService
andRoute
s objects. - The
CronJob
manages certificates of all routes with a labelcertbot-managed=true
- One certificate will be issued/renewed for all the managed hosts/domains.
- The
- If a cert is created/renewed, apply the new certificate to the related routes
-
Point to the appropriate namespace (usually tools)
export NAMESPACE=<YOURNAMESPACE> oc project $NAMESPACE
-
Install
certbot.bc.yaml
to create the required build objects. Note: If the build fails, make sure your namespace contains an NSP allowing '@app:k8s:serviceaccountname=builder' (OCP builders) to access 'ext:network=any' (egress internet)This template accepts the following parameters (add with -p to the
oc process
command):Parameter Default Value Description BASE_IMAGE
registry.access.redhat.com/ubi8:8.3-227
Base Image to build from GIT_REF
master
Git Pull Request or Branch Reference (i.e. 'pull/CHANGE_ID/head') GIT_URL
https://github.com/BCDevOps/certbot.git
Git Repository URL oc process -n $NAMESPACE -f "https://raw.githubusercontent.com/BCDevOps/certbot/master/openshift/certbot.bc.yaml" | oc apply -n $NAMESPACE -f -
-
Install
certbot.dc.yaml
to create the CronJob and supporting objects (NSP, ServiceAccount, RoleBinding, PVC, etc). This template accepts the following parameters (add with -p to theoc process
command):Parameter Default Value Description CERTBOT_CRON_SCHEDULE
0 */12 * * *
Cronjob Schedule CERTBOT_STAGING
false
Self-signed cert renewals CERTBOT_SUSPEND_CRON
false
Suspend cronjob CERTBOT_SERVER
https://acme-v02.api.letsencrypt.org/directory
ACME Certbot endpoint DRYRUN
false
Run without executing DEBUG
false
Debug mode DELETE_ACME_ROUTES
true
Self cleanup temporary ACME routes when done EMAIL
Email where CSR requests are sent to NAMESPACE
Openshift Namespace IMAGE_REGISTRY
image-registry.openshift-image-registry.svc:5000
Openshift Image Registry SOURCE_IMAGE_NAME
certbot
Image Name TAG_NAME
latest
Image Tag - For non-prod environments, you may set
CERTBOT_STAGING=true
, so you don't hit any service limits at Let's Encrypt. - By default, this template will use Let's Encrypt for certificate generation. If you are just testing, you may use Let's Encrypt testing endpoint
https://acme-staging-v02.api.letsencrypt.org/directory
to avoid being rate limited. - For your production applications, we strongly recommend NOT using Let's Encrypt certificates. Contact your ministry/department to determine best practices for production SSL/TLS certificate management.
export CERTBOT_SERVER=<YOURCERTBOTSERVER> export EMAIL=<[email protected]> oc process -n $NAMESPACE -f "https://raw.githubusercontent.com/BCDevOps/certbot/master/openshift/certbot.dc.yaml" -p EMAIL=$EMAIL -p NAMESPACE=$NAMESPACE -p CERTBOT_SERVER=$CERTBOT_SERVER | oc apply -n $NAMESPACE -f -
PS: You MUST supply a valid email address!
- For non-prod environments, you may set
To include this cronjob in your pipeline, it is recommended that you copy certbot.bc.yaml
and certbot.dc.yaml
to your appliciton project. The build config will point back to this repo to include the latest changes to the contents of the docker folder. Note: If you are using BCDK, there is a bug in it that requires you to have a "docker" folder in your repo.
If you need to run the CronJob manually, you can do that by running:
# Delete any previous manual Jobs created
# Note: When there are no jobs to delete, you will get an error for oc delete.
oc get job -n $NAMESPACE -o name | grep -F -e '-manual-' | xargs oc delete -n $NAMESPACE
# Create a Job
oc create job -n $NAMESPACE "certbot-manual-$(date +%s)" --from=cronjob/certbot
To remove certbot from your namespace, run the following commands. All build related manifests will have a build=certbot
label, and all cronjob application related manifests will have an app=certbot
label.
export NAMESPACE=<YOURNAMESPACE>
# Delete all manifests generated by certbot.dc.yaml
oc delete all,cronjob,nsp,pvc,rolebinding,sa -n $NAMESPACE --selector app=certbot
# Delete all manifests generated by certbot.dc.yaml
oc delete all -n $NAMESPACE --selector build=certbot
-
If you are going to setup automatic cert renewals for the first time, backup "Certficate", "Private Key" and "CA Certificate" contents from your route.
-
List your cron jobs
export NAMESPACE=<YOURNAMESPACE> oc get -n $NAMESPACE cronjob
-
To describe your cron job
export NAMESPACE=<YOURNAMESPACE> oc describe -n $NAMESPACE cronjob/certbot
-
To see your cron jobs in Openshift GUI: Resources > Other Resources > Job
-
To access the logs for cron jobs in Openshift GUI: Monitoring > Uncheck "Hide older resources". You will see recently terminated certbot that would have terminated based on your schedule.
-
If you are seeing errors in the logs and need to troubleshoot, you can use optional parameters DEBUG and DELETE_ACME_ROUTES.
export CERTBOT_SERVER=<YOURCERTBOTSERVER> export EMAIL=<[email protected]> export NAMESPACE=<YOURNAMESPACE> oc process -n $NAMESPACE -f "https://raw.githubusercontent.com/BCDevOps/certbot/master/openshift/certbot.dc.yaml" -p EMAIL=$EMAIL -p NAMESPACE=$NAMESPACE -p CERTBOT_SERVER=$CERTBOT_SERVER -p CERTBOT_STAGING=false -p DEBUG=true -p DELETE_ACME_ROUTES=false | oc apply -n $NAMESPACE -f -
PS: Ensure that you manually delete the ACME Route and Service after you are done troubleshooting and redeploy without the DEBUG and DELETE_ACME_ROUTES options!
-
If you end up running the setup process multiple times, ensure that you have deleted all the duplicate copies of those cron jobs and only keep the latest one. Or to delete all the certbot jobs and start fresh you can use the below.
export NAMESPACE=<YOURNAMESPACE> oc get job -n $NAMESPACE -o name | grep -F -e 'certbot' | xargs oc delete oc get cronjob -n $NAMESPACE -o name | grep -F -e 'certbot' | xargs oc delete
-
To suspend a cronjob in your namespace, you can use the below patch command.
export NAMESPACE=<YOURNAMESPACE> oc patch cronjob -n $NAMESPACE certbot -p '{"spec" : {"suspend" : false }}'
-
To resume a cronjob in your namespace, you can use the below patch command.
export NAMESPACE=<YOURNAMESPACE> oc patch cronjob -n $NAMESPACE certbot -p '{"spec" : {"suspend" : true }}'
- https://certbot.eff.org/docs/using.html#webroot
- https://certbot.eff.org/docs/using.html#renewing-certificates
- https://letsencrypt.org/
- https://letsencrypt.org/how-it-works/
- https://certbot.eff.org/
- certbot/certbot#2697 (comment)
- https://www.entrust.net/knowledge-base/technote.cfm?tn=70882
Copyright 2018 Province of British Columbia
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.