GitHub user daviftorres added a comment to the discussion: SSL - LetsEncrypt the Console Proxy
Dear @asender, I’d like to apologise for having a different view on the certificate strategy for the Console Proxy (and System VMs in general). Since System VMs are ephemeral, they would request new certificates every time they are redeployed. This could quickly hit Let’s Encrypt rate limits (https://letsencrypt.org/docs/rate-limits/).

A better approach is to use a dedicated instance (or even a container) to request certificates, for example a wildcard via DNS challenge, about 30 days before expiry. The instance can then push the certs to CloudStack for use by the System VMs.

If you’re interested, I can also share how we set this up with HashiCorp Vault to securely store certificates and allow consumers to fetch only the ones they’re permitted to use.

GitHub link: https://github.com/apache/cloudstack/discussions/11597#discussioncomment-14340300
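The two mechanical pieces of the approach above, the renewal gate on a central renewer and the push of the resulting certificate into CloudStack, as an added example that is not code from the discussion or from the CloudStack project. It uses only the Python standard library; the PEM strings, API key and dates are constructed placeholders, and it only builds the signed `uploadCustomCertificate` request rather than sending it, so the HTTP client and the ACME/DNS-challenge client are assumed to exist separately. The signing routine follows the CloudStack API signing scheme (sorted, URL-encoded, lowercased query, HMAC-SHA1 with the secret key, base64 signature).

```python
"""Renewal gate plus signed CloudStack upload request for a centrally
managed console-proxy certificate (added example, not from the discussion)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Renew this many days before notAfter, as the comment suggests.
RENEW_LEAD_DAYS = 30


def renewal_due(not_after: datetime, now: datetime,
                lead_days: int = RENEW_LEAD_DAYS) -> bool:
    """True when the certificate expires within lead_days of now.

    Because one renewer decides on this basis, at most one ACME order is
    placed per renewal window, however many System VMs get redeployed.
    """
    return now + timedelta(days=lead_days) >= not_after


def cloudstack_signed_query(params: dict, api_key: str, secret_key: str) -> str:
    """Build a signed CloudStack API query string.

    Scheme: add apikey to the parameters, sort by lowercased name, URL-encode
    each value, lowercase the whole string for signing, HMAC-SHA1 it with the
    secret key, base64 the digest and append it URL-encoded as `signature`.
    """
    full = dict(params, apikey=api_key)
    encoded = "&".join(
        f"{k}={quote(str(v), safe='')}"
        for k, v in sorted(full.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret_key.encode(), encoded.lower().encode(),
                      hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return f"{encoded}&signature={quote(signature, safe='')}"


def upload_custom_certificate_query(cert_pem: str, key_pem: str,
                                    domain_suffix: str, api_key: str,
                                    secret_key: str) -> str:
    """Query for CloudStack's uploadCustomCertificate API (parameter names as
    in the CloudStack API reference). Sending it is left to the caller."""
    params = {
        "command": "uploadCustomCertificate",
        "response": "json",
        "certificate": cert_pem,
        "privatekey": key_pem,
        "domainsuffix": domain_suffix,
    }
    return cloudstack_signed_query(params, api_key, secret_key)


def demo() -> dict:
    """Constructed scenario: the renewer checks two certificates on
    2025-09-15 and prepares the upload for the one that is due."""
    now = datetime(2025, 9, 15, tzinfo=timezone.utc)
    expiring_soon = datetime(2025, 10, 5, tzinfo=timezone.utc)   # 20 days left
    still_fresh = datetime(2025, 12, 1, tzinfo=timezone.utc)     # 77 days left

    # Placeholder PEM material; a real run would load the wildcard cert and
    # key the renewer just obtained (or fetched from Vault).
    cert_pem = "-----BEGIN CERTIFICATE-----\nEXAMPLE\n-----END CERTIFICATE-----\n"
    key_pem = "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n"

    query = upload_custom_certificate_query(
        cert_pem, key_pem, "cloud.example.test",
        api_key="AK-EXAMPLE", secret_key="SK-EXAMPLE")

    return {
        "due_in_20_days": renewal_due(expiring_soon, now),
        "due_in_77_days": renewal_due(still_fresh, now),
        "query": query,
    }


if __name__ == "__main__":
    result = demo()
    print("renew (20 days left):", result["due_in_20_days"])
    print("renew (77 days left):", result["due_in_77_days"])
    print("signed request:", result["query"][:80], "...")
```

The `demo()` scenario renews the certificate with 20 days left and leaves the one with 77 days left alone. Note that the signed request carries the private key as a parameter, so it must only ever go over HTTPS to the management server, and the CloudStack account whose keys sign it should be limited to what the renewer needs.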
