by samgranieri 2118 days ago
I thought about that but passed because I didn't feel like telling all my browsers to trust that new CA. Yes, that's incredibly lazy.

I bought a real domain name, told my UBNT USG that was the domain for my network, set up the DNS servers to use DigitalOcean, used jetstack's cert-manager [0] to acquire a wildcard cert using DNS01 instead of HTTP01, and use kubed [1] to synchronize the TLS cert across namespaces. One key thing to consider is that you really should ensure that you use the staging Let's Encrypt server to test out issuance and see your browser complain about warnings before you switch to production Let's Encrypt.

Honestly, I don't mind that the cert requests for my domain show up in a CT log.

[0] https://cert-manager.io/

[1] https://cert-manager.io/docs/faq/kubed/
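The setup the comment describes (cert-manager issuing a wildcard cert through a DNS01 solver, starting on the Let's Encrypt staging endpoint, with kubed copying the resulting Secret to other namespaces), written out as an added example. This is not the commenter's own configuration; the domain, e-mail address, secret names and the API token value are placeholders, and the kubed annotation on `secretTemplate` is assumed from kubed's documented sync annotation rather than taken from the comment.

```yaml
# Added example, not the commenter's config. A cert-manager ClusterIssuer that
# solves the ACME DNS01 challenge through DigitalOcean DNS, pointed at the
# Let's Encrypt STAGING endpoint first. Domain, e-mail and secret names are
# placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager   # ClusterIssuer solver secrets live in cert-manager's namespace
type: Opaque
stringData:
  # Constructed placeholder; a real DNS API token must never be committed to git.
  access-token: "REPLACE_WITH_DIGITALOCEAN_API_TOKEN"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging issues certs from an untrusted test CA, so browsers will warn.
    # That is the point while debugging issuance: it exercises the whole DNS01
    # path without burning production rate limits. Once a staging cert is
    # issued cleanly, switch this to https://acme-v02.api.letsencrypt.org/directory
    # (and rename the issuer) to get a publicly trusted cert.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com          # placeholder
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns
              key: access-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: cert-manager
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  # A wildcard name can only be obtained via DNS01; HTTP01 cannot prove
  # control of "*.example.com".
  dnsNames:
    - example.com
    - "*.example.com"
  # Annotation consumed by kubed to replicate the issued Secret into other
  # namespaces (empty value = every namespace; a label selector narrows it).
  # Assumed from kubed's sync annotation, not from the comment.
  secretTemplate:
    annotations:
      kubed.appscode.com/sync: ""
```

After applying this, `kubectl describe certificate -n cert-manager wildcard-example-com` shows the Order and Challenge progress; a DNS01 challenge that never reaches "valid" usually means the TXT record is not being created or not yet visible to Let's Encrypt's resolvers. Because every issued cert (staging or production) is public, the wildcard keeps individual hostnames out of the CT log while still leaving the base domain visible, which matches the trade-off the comment accepts.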