How do you manage the distribution of internal TLS network certificates? I’m using cert-manager to generate them, but the root self-signed certificate expires monthly which makes distribution to devices outside of K8s a challenge. It’s a PITA to keep doing this for the tablet, laptop and phones. I can bump the root cert to a year, but I’m concerned that the date will sneak up on me. Are there any automated solutions?

  • @fine_sandy_bottom
    link
    English
    13 months ago

    This is me.

    In public dns, configure *.home.example.com as an A record pointing to the local IP for my traefik container.

    Traefik then manages all certificates. It sets a TXT record with my dns providers API like privatesercice.home.lebowheatcroft.com, requests the cert from letsencrypt, then deletes that TXT record.

    Yes the local IP of my server is leaked, but names of services are not.