GitHub user daviftorres added a comment to the discussion: SSL - LetsEncrypt the Console Proxy
@DaanHoogland , here is my take on all of this. We currently have 4x ACS environments. 1x Prod and 3x Non-Prods. All MS and SysVMs have a real but long-expired wildcard SSL/TLS certificate. The trick is that SSL/TLS is terminated at the edge on a cluster of NGINX servers. By default, NGINX does not check backend cert validity, and this check can be disabled if enabled. Updating certificates on NGINX causes no downtime. It’s a millisecond operation that reloads the new certs into runtime. We don’t update the certs on the backend side (MS and SysVMs) because doing so restarts them, causing 1~3 minutes of downtime (interrupting noVNC sessions, failing ISO/template transfers, logging out WebUI users, and stopping API responses). While some of these issues can be minimized, some interruptions are unavoidable. In summary, I don’t recommend changing how ACS handles certificates, since managing their lifecycle on the reverse proxy (NGINX) is simpler and causes no downtime. One thing I missed when starting with ACS was the lack of documentation on setting up a reverse proxy. It’s mentioned in discussions and conference talks, but the method is never demonstrated. GitHub link: https://github.com/apache/cloudstack/discussions/11597#discussioncomment-14403699 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
