
Add support for SSL certificate generation


Add support to request SSL certificates from Vault’s PKI backend. Certificates can be issued on demand by using a role.

The generated certificate and the issuing CA certificate need to be stored in a Truststore (Keystore) and the private key in a Keystore. Vault should be used as an intermediate CA, so the Truststore should contain the Root CA certificate, which should be configured along with the certificate request properties.

Config parameters for requesting certificates:

  • common-name
  • alt-names
  • ip-sans

Other required parameters:

  • Root certificate

Challenges:

  • Public key pinning: Preserve the generated certificate/key pair during its validity period. This is to prevent multiple apps running behind a common endpoint address to use different certificates.
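As an added example (not code from the issue or from the project), one way to do the store building described above in plain Java: decode the certificate, issuing_ca and private_key PEM strings Vault returns from pki/issue/<role>, verify that the chain links up to the configured Root CA, write the key with its chain into a PKCS12 keystore and the Root CA into a PKCS12 truststore, and reuse the stored pair while it is still valid (the pinning challenge). It assumes the key was requested with private_key_format=pkcs8 (Java's KeyFactory does not read Vault's default PKCS#1 RSA encoding) and that the Root CA PEM comes from configuration; VaultPkiStores and its method names are made up for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.*;
import java.util.Base64;
public final class VaultPkiStores {
    static final String ALIAS = "vault-issued"; // key entry alias used in the keystore (hypothetical)
    // Strip the PEM armour Vault puts around the certificate, issuing_ca and private_key values.
    static byte[] pemToDer(String pem) {
        return Base64.getDecoder().decode(pem.replaceAll("-----(BEGIN|END) [A-Z ]+-----", "").replaceAll("\\s", ""));
    }
    static X509Certificate parseCert(String pem) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pemToDer(pem)));
    }
    // Keystore: private key with its chain (leaf, issuing CA). Truststore: the configured Root CA.
    // keyAlgorithm is "RSA" or "EC", matching private_key_type in the Vault response.
    public static void buildStores(String certPem, String issuingCaPem, String rootCaPem, String keyPem,
            String keyAlgorithm, char[] password, Path keystorePath, Path truststorePath) throws Exception {
        X509Certificate leaf = parseCert(certPem), issuing = parseCert(issuingCaPem), root = parseCert(rootCaPem);
        PrivateKey key = KeyFactory.getInstance(keyAlgorithm).generatePrivate(new PKCS8EncodedKeySpec(pemToDer(keyPem)));
        leaf.verify(issuing.getPublicKey());  // refuse to persist a chain that does not link up
        issuing.verify(root.getPublicKey());  // the intermediate must be signed by the configured root
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        keystore.load(null, null);
        keystore.setKeyEntry(ALIAS, key, password, new Certificate[] { leaf, issuing });
        try (OutputStream out = Files.newOutputStream(keystorePath)) { keystore.store(out, password); }
        KeyStore truststore = KeyStore.getInstance("PKCS12");
        truststore.load(null, null);
        truststore.setCertificateEntry("root-ca", root);
        try (OutputStream out = Files.newOutputStream(truststorePath)) { truststore.store(out, password); }
    }
    // Reuse the stored pair while it is valid (the pinning challenge): re-issue only when the leaf
    // expires within renewBefore, so instances behind one endpoint keep presenting the same cert.
    public static boolean stillValid(Path keystorePath, char[] password, Duration renewBefore) throws Exception {
        if (!Files.exists(keystorePath)) return false;
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystorePath)) { keystore.load(in, password); }
        X509Certificate leaf = (X509Certificate) keystore.getCertificate(ALIAS);
        Instant now = Instant.now();
        return leaf != null && now.isAfter(leaf.getNotBefore().toInstant())
                && now.plus(renewBefore).isBefore(leaf.getNotAfter().toInstant());
    }
}
```

On startup the caller checks stillValid first and only calls buildStores after a fresh pki/issue request when it returns false.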

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 5
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

bendem commented, Jun 4, 2021

For the sake of the argument, what is wrong with having multiple upstreams use multiple certificates as long as they are valid?

If you terminate the TLS connection at the load balancer, the client never sees the upstream cert and the load balancer has at least one connection (thus one handshake) per upstream, so I don’t see a problem here.

If you don’t terminate the TLS connection, I can see the problem happening if you don’t have sticky connections. If you have sticky connections, clients will be just fine so long as the upstream pool doesn’t change too often.

Is the non-TLS-terminating load balancer without sticky connections a large enough use case that it should prevent other use cases from being met? Also, considering this, the implementation will be much, much simpler (start, request certificate, renew, stop[, revoke]).

Maybe I’m missing something obvious here.
