OpenShift Bugs: OCPBUGS-20370

Add notes about http01-solver cluster envs prerequisite for users


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version/s: 4.14, 4.15
    • Component/s: Documentation / CFE
    • Severity: Important
    • Release Note Type: Release Note Not Required

      Document URL:

      https://docs.openshift.com/container-platform/4.13/security/cert_manager_operator/cert-manager-operator-issuer-acme.html#cert-manager-acme-challenges-types_cert-manager-operator-issuer-acme 

      Describe the issue:

      Make a note about: the HTTP-01 solver requires that the Let's Encrypt server can access the cluster's route in order to issue the certificate.
      This means:
      1. If users are using company-internal/private clusters that are reachable only through a proxy, users should know that it is expected that HTTP-01 will fail to issue the Certificate.
      2. Port 80 must be allowed for the cluster. See https://letsencrypt.org/docs/challenge-types/#http-01-challenge: "The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard."

      Suggestions for improvement:

      Add a note based on the description above, with explanations.
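The following is an added example, not code from this ticket, from the cert-manager project or from the linked documentation. It is a preflight check that replays what the ACME server does during HTTP-01 validation: a plain-HTTP GET to `http://<host>/.well-known/acme-challenge/<token>` on port 80, issued from the CA's own network position rather than through the cluster's proxy. A cluster that is only reachable through a corporate proxy, or that has port 80 filtered, fails this check with the same "unreachable" outcome it would hit at issuance. The embedded local server, the token and the thumbprint values are constructed for the demo; because binding port 80 needs privileges, `demo()` uses an ephemeral port, while `check_http01()` keeps `port=80` as its default for real use.

```python
"""Preflight for the HTTP-01 prerequisite: can the ACME server reach the
route over plain HTTP on port 80 and read the expected key authorization?
Added example, not cert-manager's own code."""
import http.client
import http.server
import threading

ACME_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, key_authorization, port=80, timeout=5.0):
    """Replay the CA's validation request. Returns (ok, reason).

    Run this from OUTSIDE the cluster's network (the CA will not use your
    proxy), so a refused or timed-out connection here means the challenge
    will fail at issuance as well. Port 80 is the default because the ACME
    standard allows no other port for HTTP-01.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode("ascii", "replace").strip()
    except (OSError, http.client.HTTPException) as exc:
        # Firewall drops, proxy-only clusters and wrong DNS all land here.
        return False, f"unreachable on port {port}: {exc}"
    finally:
        conn.close()
    if status != 200:
        return False, f"HTTP {status} for {ACME_PATH}{token}"
    if body != key_authorization:
        return False, "key authorization mismatch"
    return True, "ok"


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the solver pod behind the route (demo only)."""

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else ""
        body = self.server.responses.get(token)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_challenge_server(responses):
    """Serve token -> key authorization on 127.0.0.1 (ephemeral port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    srv.responses = responses
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Three outcomes: served correctly, token missing, port unreachable."""
    # Constructed values; a real key authorization is "<token>.<account key thumbprint>".
    served = {"tokenA": "tokenA.thumbprint"}
    srv, port = start_challenge_server(served)
    try:
        results = {
            "served": check_http01("127.0.0.1", "tokenA", "tokenA.thumbprint", port=port),
            "missing": check_http01("127.0.0.1", "tokenB", "tokenB.thumbprint", port=port),
        }
    finally:
        srv.shutdown()
        srv.server_close()
    # Nothing listening any more: the same failure a filtered port 80 produces.
    results["blocked"] = check_http01("127.0.0.1", "tokenA", "tokenA.thumbprint", port=port)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8} {'PASS' if ok else 'FAIL'}: {reason}")
```

Against a real cluster, call `check_http01("app.example.com", token, key_authorization)` from a host outside the corporate network while a Challenge is pending; an "unreachable on port 80" result is the condition the ticket asks the documentation to warn about.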

            People: Subhashini T K, Yuedong Wu