Subj : Re: Cloudflare
To   : poindexter FORTRAN
From : lynx769
Date : Thu Apr 22 2021 16:20:00

pF> I'm new to the cert game. I assumed that LetsEncrypt couldn't do wildcards.
pF> If they did, I could replace all of the standalone LE instances with the
pF> reverse proxy server I want to build. But, then I wouldn't need the proxy
pF> server, as it's going to be there to allow my internal hosts to renew their
pF> LE certificates. :)

I should clarify that I'm referring to wildcard DNS records, not wildcard certs. However, you can do wildcard certs with the DNS challenge. There is a certbot Cloudflare DNS plugin that you might want to check out, but I haven't used it.

What I do instead is use an A record for the root domain pointing to my external IP, then a * CNAME which resolves to the root domain. I am using the nginx-ingress for Kubernetes with a letsencrypt cluster issuer. What that means is that when I deploy an app (e.g. my blog) on the cluster, I can specify the hostname in the manifest that I want the app to respond to, and it will resolve to my external IP. The ports are forwarded to the node running nginx as a reverse proxy, which then routes requests internally to the correct node and pod. The letsencrypt issuer takes care of setting up the HTTP letsencrypt challenge and renews certificates automatically. It all takes less than 5 minutes to deploy a new app or scale it up to more nodes.

My blog goes into more detail about my setup if you are interested. I started it as a way to document what I was doing as I was learning about "cloud native" technologies and gitops.

Lachlan

--- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
 * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net
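As an added illustration of the setup Lachlan describes (this is example configuration written for this page, not his manifests or blog content), the following shows the two pieces that make the HTTP-01 flow work on a cluster with nginx-ingress and cert-manager: a ClusterIssuer that answers ACME challenges through the nginx ingress, and a per-app Ingress that asks that issuer for a certificate for one hostname. The domain, contact e-mail, external IP, and service name are placeholders; the DNS records in the leading comment are the A-plus-wildcard-CNAME arrangement from the post, with constructed values.

```yaml
# Added example, not the original poster's configuration. Placeholders:
# example.com, admin@example.com, 203.0.113.10, and the "blog" service.
#
# DNS as described in the post (constructed values):
#   example.com.     A      203.0.113.10   ; external IP of the home connection
#   *.example.com.   CNAME  example.com.   ; any new hostname resolves to the root
#
# Ports 80 and 443 on the router are forwarded to the node running nginx-ingress.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com               # placeholder ACME account contact
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, managed by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                   # challenge responses are served through nginx-ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # request a cert from the issuer above
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - blog.example.com                 # placeholder; reaches the cluster via the * CNAME
      secretName: blog-tls                 # cert-manager stores the issued cert and key here
  rules:
    - host: blog.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: blog                 # placeholder backend service
                port:
                  number: 80
```

Two things worth checking before relying on this: HTTP-01 only works if port 80 for the hostname actually reaches the ingress from the public internet, since Let's Encrypt fetches the challenge token over plain HTTP, and HTTP-01 cannot issue a wildcard certificate; as the post says, that requires the DNS-01 challenge (for example via a DNS provider plugin), which is a different solver in the ClusterIssuer. With the setup above, each new hostname gets its own certificate, and cert-manager renews it before expiry with no per-host renewal job.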