Matthew Rhoden

Reputation: 728

Should TLS certs from LetsEncrypt be on all containers?

I am trying to make my dockerized app be HTTPS enabled in production. I can find loads and loads of tutorials on self-signed certificates. All of them fall short on the production stuff. They pretty much end with, "Yeah, just use Let's Encrypt". This doesn't really clarify for me what the industry standard is for a load-balanced situation in production.

To provide some context I created a dotnet core app with this command:

dotnet new react -au Individual

I followed example documentation on creating a Dockerfile for my container:

FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build
WORKDIR /app

# copy csproj and restore as distinct layers
COPY *.sln .
COPY aspnetapp/*.csproj ./aspnetapp/
RUN dotnet restore

# copy everything else and build app
COPY aspnetapp/. ./aspnetapp/
WORKDIR /app/aspnetapp
RUN dotnet publish -c Release -o out

FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS runtime
WORKDIR /app
COPY --from=build /app/aspnetapp/out ./
ENTRYPOINT ["dotnet", "aspnetapp.dll"]

This part caused a lot of headaches: since the app is being published, it goes into production mode and expects a valid certificate. Either way, I tried pushing forward and testing in production. This brought up a lot of questions around certs. After I installed Certbot and got a signed cert, I am left with these four files:

My primary question is, in a load-balanced situation, would certbot be installed on each container, and are the certs supposed to be generated on each container?

I'm thinking it should only be created once, then each application server would get the same cert and key that was generated. That begs the question of where should certbot be installed.

I have seen some setups saying that nginx would be in front of these containers and play the role of a load balancer. Then nginx would handle the HTTPS traffic. That doesn't sound right to me: not only would your traffic from nginx to the app servers be unencrypted, but I think IdentityServer won't let my app run without a valid cert.

Any guidance on what the industry standard is in this department would be welcome.

Upvotes: 2

Views: 255

Answers (2)

Devesh mehta

Reputation: 1523

You can use the Kubernetes certificate management controller cert-manager. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed.

It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.


Upvotes: 1
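The "issue once, store centrally, terminate at the load balancer, renew automatically" pattern from the question, as an added example of the cert-manager resources this answer refers to (not taken from the answer or from cert-manager's docs); the e-mail address, hostname, ingress class and the `aspnetapp` Service name are assumed placeholders.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com              # placeholder contact for the ACME account
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key is stored in this Secret
    solvers:
    - http01:
        ingress:
          class: nginx                   # ingress controller that serves the HTTP-01 challenge
---
apiVersion: cert-manager.io/v1
kind: Certificate                        # issued once; replicas consume the Secret, no certbot per container
metadata:
  name: aspnetapp-tls
spec:
  secretName: aspnetapp-tls             # tls.crt / tls.key end up here
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - app.example.com                     # placeholder hostname
  renewBefore: 720h                     # renew 30 days before expiry
---
apiVersion: networking.k8s.io/v1
kind: Ingress                            # load balancer terminates TLS with the Secret above
metadata:
  name: aspnetapp
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    secretName: aspnetapp-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: aspnetapp             # assumed Service in front of the app containers
            port:
              number: 80
```

With this layout the hop from the ingress to the app pods is still plaintext inside the cluster; encrypting it is what the service-mesh approach in the other answer covers.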

Alexandre LEROY

Reputation: 2310

The answer to that question is simple: if you're using HTTPS, you need to have a valid certificate on every container that communicates through the HTTPS protocol. To handle certificate propagation inside your containers you can use service mesh tools like Linkerd or Istio, the one used by Google.

Upvotes: 1
