I have a spring boot application running on kubernetes, a client application serving a react app and proxying request to other services.
That client app is avalaible through an Ingress using an Nginx controller. I have a domain name targetting the Nginx controler service and I've been able to generate a valid certificate and key with cert-manager from let's encrypt, also the certificate and key is automaticly updated when it's necessary.
Till now I used self signed certificates generated with keytool to secure the communication between my differents applications (I guess I can still use that tools for internal communications), but for the client app I need to use the let's encrypt generated key.
Now my client app does not use ssl (ssl.enable is false in my bootstrap.yml). So the communication between the Ngix Ingress controller and the client app is not secure I think.
A k8s secret has been created with a certificate and a key during the process so I guess I can use it but what is the best way ? I would also like to provit the automatic update of the certificate if it's possible.
Thanks for your advices
There are clients out there which re-use the private key used previously (certbot when used with the --reuse-key option and also acme.sh). Unless someone knows a client with such a feature, you should check the clients from the list and see if the client makes importing an existing private key possible. Or at least not very difficult.
Certbot would need an issued certificate first to re-use the key. What could be a working option is:
get a certificate issued with certbot without caring about the keys, just get it working.
use --staging for test certificates first manually exchange the PEM formatted private key in /etc/letsencrypt/archive/name-of-your-certificate/privkey1.pem with your own PEM formatted private key renew the certificate with certbot renew --reuse-key
check if the public key in the renewed certificate corresponds with your own public/private key If the above checks out (with the --staging option for testing), you can remove the test certificate and do the above again, but without --staging to get a real working certificate.
Useful documentations cert-manager, certbot.