Getting full chain in certificate #70
Comments
Yes, they're intended only for services proxied by Cloudflare. The feature request is still valid: the issuer doesn't set |
Maybe there's no API, but there are 2 static endpoints that might serve as a source of the Origin CA. I believe using a flag to include the Origin CA would be nice. This is because Cloudflare can work without it and the reliability of methods to get the latest CA may vary. Maybe a few methods of getting the Origin CA to think about:
I think having all of these options would allow cloud operators to choose the one that properly suits their needs. How you would implement it, whether one method would automatically fall back to another, and how it should be configured in the CRD, I'll leave up to you :) I can share a few thoughts if the discussion starts going in the direction of implementation details. Appreciate the interest in the topic. Not to mention how awesome it'd be if Cloudflare was similar to Let's Encrypt — having certificates issued and recognized by the majority of clients because of an embedded CA.
After a discussion with the team that operates the Origin CA, I'm going to embed the CAs into the binary and begin including them in response to cert-manager's requests, so that they get added as |
Some applications require a CA certificate to serve a certificate signed by an untrusted root. To support these applications begin populating the "ca.crt" field on managed Secret resources. This changeset embeds the current Origin CA root certificates, while waiting for them to be surfaced via the Cloudflare API. A future change will migrate to using those returned CAs. Bug: #70
Some applications require a CA certificate to serve a certificate signed by an untrusted root. To support these applications begin populating the "ca.crt" field on managed Secret resources. This changeset embeds the current Origin CA root certificates, while waiting for them to be surfaced via the Cloudflare API. A future change will migrate to using CAs returned by the API. Bug: #70
Hi,
do you think it would make sense to offer a CRD flag to include the full chain in the auto-created certificate?
I noticed issues when serving the created certificates to clients: `curl: (60) SSL certificate problem: unable to get local issuer certificate`. I guess because there is no full chain included. Cheers!
Edit: If those are certificates used only to work behind CF proxies, then I probably missed the point. We are trying to use them for internal networking, not going over CF. Domains are, of course, managed in CF. Well, I think I've missed this: "You'll be able to use this certificate on servers proxied behind Cloudflare." — CF blog.
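As an added example (not code from this issue or from the issuer project discussed here), the Go program below shows the check behind both the curl error above and the `ca.crt` change the maintainer describes: it constructs a throwaway root CA and a leaf it signs in-process (stand-ins for the Origin CA root and an issued certificate; no real Cloudflare material is used), then verifies the leaf the way a client does. With `ca.crt` present the chain verifies; with `ca.crt` absent the same leaf fails with an unknown-authority error, which is the condition curl reports as error 60 when the client does not know the issuer. The type and function names (`Bundle`, `VerifyBundle`, `MakeTestBundle`) and the hostname `svc.internal.example` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle mirrors the PEM fields of a cert-manager-managed TLS Secret:
// tls.crt (served cert, leaf first, then any intermediates) and ca.crt (trusted root).
type Bundle struct {
	TLSCrt []byte
	CACrt  []byte
}

// parsePEMCerts returns every certificate block in data, in order.
func parsePEMCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// VerifyBundle checks that the leaf in tls.crt chains to a root in ca.crt for dnsName,
// using only intermediates shipped in tls.crt. Roots is never nil, so the system store is
// not consulted: an empty ca.crt behaves like a client that does not know the Origin CA.
func VerifyBundle(b Bundle, dnsName string) error {
	chain, err := parsePEMCerts(b.TLSCrt)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if len(b.CACrt) > 0 && !roots.AppendCertsFromPEM(b.CACrt) {
		return errors.New("ca.crt contains no parsable certificate")
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err = chain[0].Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeTestBundle builds a throwaway root CA and a leaf it signs for dnsName. Both are
// constructed in-process as stand-ins for the Origin CA root and an issued certificate.
func MakeTestBundle(dnsName string) Bundle {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	check(err)
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	check(err)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return Bundle{TLSCrt: toPEM(leafDER), CACrt: toPEM(caDER)}
}

func main() {
	b := MakeTestBundle("svc.internal.example")
	fmt.Println("with ca.crt:   ", VerifyBundle(b, "svc.internal.example"))
	fmt.Println("without ca.crt:", VerifyBundle(Bundle{TLSCrt: b.TLSCrt}, "svc.internal.example"))
}
```

The roots pool is built only from `ca.crt` on purpose: passing a nil `Roots` to `Verify` would silently fall back to the system trust store and hide exactly the failure this issue is about. The same function can be pointed at a real Secret's `tls.crt` and `ca.crt` to confirm, before a client ever connects, that the served certificate actually chains to the CA the issuer populated.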