How to use a let's encrypt ssl key in my spring boot application on kubernetes

9/11/2019

I have a spring boot application running on kubernetes, a client application serving a react app and proxying requests to other services.

That client app is available through an Ingress using an Nginx controller. I have a domain name targeting the Nginx controller service and I've been able to generate a valid certificate and key with cert-manager from let's encrypt; the certificate and key are also automatically updated when necessary.

Till now I used self signed certificates generated with keytool to secure the communication between my different applications (I guess I can still use those tools for internal communications), but for the client app I need to use the let's encrypt generated key.

Now my client app does not use ssl (ssl.enable is false in my bootstrap.yml). So the communication between the Nginx Ingress controller and the client app is not secure, I think.

A k8s secret has been created with a certificate and a key during the process, so I guess I can use it, but what is the best way? I would also like to profit from the automatic update of the certificate if it's possible.

Thanks for your advice

-- Kaizokun
cert-manager
kubernetes
lets-encrypt
nginx-ingress
spring-boot
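One concrete way to wire the cert-manager Secret into the pod and have the Ingress talk TLS to it, as an added example that is not part of the question and not taken from the cert-manager or Spring Boot documentation. It assumes the Secret written by cert-manager is called client-app-tls in namespace web (with the standard tls.crt / tls.key keys of a kubernetes.io/tls Secret), that the app runs Spring Boot 3.2 or newer (PEM SSL bundles with reload-on-update), and that the image name, the host app.example.com and the ClusterIssuer letsencrypt-prod are placeholders:

```yaml
# Added example (not from the question). Assumed names: namespace "web", Secret
# "client-app-tls" (tls.crt/tls.key), image registry.example/client-app:1.0.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: client-app-config
  namespace: web
data:
  application.yml: |
    spring:
      ssl:
        bundle:
          pem:
            letsencrypt:
              # Spring Boot 3.2+: re-read the PEM files once the kubelet
              # refreshes the mounted Secret after a cert-manager renewal
              reload-on-update: true
              keystore:
                certificate: "file:/etc/tls/tls.crt"
                private-key: "file:/etc/tls/tls.key"
    server:
      port: 8443
      ssl:
        bundle: letsencrypt
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client-app
  namespace: web
spec:
  selector:
    matchLabels: {app: client-app}
  template:
    metadata:
      labels: {app: client-app}
    spec:
      containers:
        - name: client-app
          image: registry.example/client-app:1.0
          ports:
            - name: https
              containerPort: 8443
          env:
            - name: SPRING_CONFIG_ADDITIONAL_LOCATION
              value: "/config/"
          volumeMounts:
            # mount the whole Secret as a directory: the kubelet updates these
            # files after renewal, whereas a subPath mount is never refreshed
            - name: tls
              mountPath: /etc/tls
              readOnly: true
            - name: config
              mountPath: /config
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: client-app-tls
        - name: config
          configMap:
            name: client-app-config
---
apiVersion: v1
kind: Service
metadata:
  name: client-app
  namespace: web
spec:
  selector: {app: client-app}
  ports:
    - name: https
      port: 443
      targetPort: https
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: client-app
  namespace: web
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # without this, ingress-nginx sends plain HTTP to the pod
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
    - hosts: [app.example.com]
      secretName: client-app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: client-app
                port:
                  name: https
```

Two caveats. The backend-protocol annotation only encrypts the hop from ingress-nginx to the pod; the controller does not verify the pod's certificate unless you also set nginx.ingress.kubernetes.io/proxy-ssl-secret and nginx.ingress.kubernetes.io/proxy-ssl-verify. And on a Spring Boot older than 3.2, which has no PEM bundle reload, the equivalent is an init container that converts tls.crt/tls.key into a PKCS12 keystore and a rollout of the Deployment whenever the Secret changes, otherwise the pod keeps serving the old certificate until it is restarted.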

1 Answer

9/11/2019

There are clients out there which re-use the private key used previously (certbot when used with the --reuse-key option and also acme.sh). Unless someone knows a client with such a feature, you should check the clients from the list and see if the client makes importing an existing private key possible. Or at least not very difficult.

Certbot would need an issued certificate first to re-use the key. What could be a working option is:

  • install certbot (see https://certbot.eff.org/)
  • get a certificate issued with certbot without caring about the keys, just get it working.
  • use --staging for test certificates first
  • manually exchange the PEM formatted private key in /etc/letsencrypt/archive/name-of-your-certificate/privkey1.pem with your own PEM formatted private key
  • renew the certificate with certbot renew --reuse-key
  • check if the public key in the renewed certificate corresponds with your own public/private key

If the above checks out (with the --staging option for testing), you can remove the test certificate and do the above again, but without --staging to get a real working certificate.

Useful documentation: cert-manager, certbot.

-- MaggieO
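The cert-manager counterpart of the answer's --reuse-key step, as an added example that is not from the answer and not from cert-manager's documentation: a Certificate resource that owns the Secret the Ingress and the pod read, with the private-key policy stated explicitly instead of left to the default. It assumes namespace web, the secret name client-app-tls, the host app.example.com and a ClusterIssuer called letsencrypt-prod; if you create it, remove the cert-manager.io/cluster-issuer annotation from the Ingress so that two Certificate objects do not manage the same Secret:

```yaml
# Added example (not from the answer). Assumed names: namespace "web",
# host app.example.com, ClusterIssuer "letsencrypt-prod".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client-app
  namespace: web
spec:
  # the Secret the Ingress and the pod mount; cert-manager keeps
  # tls.crt / tls.key in it up to date
  secretName: client-app-tls
  dnsNames:
    - app.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # renew 30 days before the 90-day Let's Encrypt certificate expires
  renewBefore: 720h
  privateKey:
    algorithm: ECDSA
    size: 256
    # Never = keep the same private key across renewals (what the answer
    # achieves with certbot --reuse-key); Always = a fresh key at every renewal
    rotationPolicy: Never
```

Never is cert-manager's default, and it is only worth keeping if something outside the cluster pins that key; otherwise Always is the safer choice, because a key that leaks stays usable across every renewal under Never. Whichever policy you pick, the same check the answer describes applies after a renewal: kubectl describe certificate client-app -n web shows the last issuance, and kubectl get secret client-app-tls -n web -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates confirms the Secret actually holds the renewed certificate before you rely on the pod having reloaded it.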
Source: StackOverflow