I'm looking for advice on how to better manage internal services in our company that require SSL. We have a few services, like Vault for secret management, that we want to keep within our internal network (or VPN) and not accessible from outside. Here's what we currently have set up:
1. External requests go to a dummy Nginx service that returns a 404 for specific URLs.
2. Internal requests use our DNS server to resolve internal URLs to a Kubernetes cluster where the services are deployed.
While this setup works, it's a bit complex and not as automated as I'd like. The part that's challenging is providing HTTPS for these internal services. Some might work on HTTP, but Vault requires HTTPS. Currently, we do the following:
- The dummy Nginx service requests an SSL certificate from Let's Encrypt via cert-manager.
- We manually extract and copy the SSL certificate and key to the internal service so it presents a valid certificate for the URL.
Is there a better way to handle this? I've considered setting up an internal CA for signing certificates, but I'm concerned about the hassle involved in having everyone import that CA as trusted instead of just copying a certificate with a simple script.
3 Answers
You could leverage Vault to automatically manage your certificates and make them available for users. It's designed to work well with Let's Encrypt. However, if the dummy service is just used for certs and not external access, maybe keep it private?!
Setting up an internal CA could be a good solution. If your IT department can push the trust root out through MDM, it would simplify things for everyone using the services. Just a thought!
If you're using AWS, consider creating an IAM role that allows a server to update DNS records in Route 53 for ACME DNS-01 challenges. You can run certbot normally without needing a 404 handler! I've even managed to set a wildcard subdomain like '*.bob.example.com' this way without any issues.
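As an added illustration (not code from any of the posters), here is how the DNS-01 approach from this answer translates into the cert-manager setup the question already uses: a ClusterIssuer that completes ACME challenges by writing TXT records into Route 53, and a Certificate that lands the resulting key pair in a Secret the internal Vault pod can mount directly. With this, the 404-serving Nginx and the manual copy step both go away. The e-mail, hosted-zone ID, namespace and host names are placeholders, and the example assumes cert-manager's ServiceAccount is mapped to an IAM role via IRSA rather than static access keys.

```yaml
# Added example: cert-manager ClusterIssuer solving ACME DNS-01 through Route 53.
# Assumes cert-manager runs with an IAM role (IRSA) that may change records in the zone.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com            # placeholder contact for expiry notices
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - selector:
          dnsZones:
            - bob.example.com         # placeholder: only this zone uses the Route 53 solver
        dns01:
          route53:
            region: us-east-1
            hostedZoneID: ZXXXXXXXXXXXXX   # placeholder hosted-zone ID
---
# The Certificate asks for the internal host name; the Secret it produces holds
# tls.crt and tls.key, which the Vault pod mounts instead of a hand-copied file.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vault-internal-tls
  namespace: vault                    # placeholder namespace
spec:
  secretName: vault-internal-tls
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
    - vault.bob.example.com           # placeholder: resolves only on the internal DNS server
  privateKey:
    rotationPolicy: Always            # new key on every renewal, not just a re-signed CSR
```

Two things are worth checking when adopting this. First, the IAM role only needs `route53:GetChange`, `route53:ChangeResourceRecordSets` scoped to the hosted zone, and `route53:ListHostedZonesByName`; nothing else in the account should be reachable from the cluster through it. Second, DNS-01 only requires the `_acme-challenge` TXT record to exist in the public zone, so the A record for `vault.bob.example.com` can stay on the internal DNS server exactly as the question describes, while the issued host name will still appear in public certificate-transparency logs.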
That makes sense! The 404 is there just for the HTTP challenge to get the cert, so I'll think about using Vault to handle this more efficiently. Thanks!