Getting full chain in certificate #70
Comments
|
Yes, they're intended only for services proxied by Cloudflare. The feature request is still valid: the issuer doesn't set |
|
Maybe no API, but there are 2 static endpoints that might serve as source of Origin CA. I believe using a flag to include Origin CA would be nice. This is because Cloudflare can work without it and reliability of methods to get latest CA may vary. Maybe few methods of getting Origin CA to think about:
I think having all of this options would allow cloud operators to choose the one that properly suits their needs. How would you implement, would one method auto fall back to another and how it should be configured in CRD, I'll leave up to you :) I can share few thoughts if discussion starts going in implementation details direction. Appreciate the interest in topic. Not to mention how awesome it'd be if Cloudflare was similar to Let's Encrypt — having certificates issued and being recognized by majority of clients because of embedded CA. |
|
After a discussion with the team that operates the Origin CA, I'm going to embed the CAs into the binary and begin including them in response to cert-manager's requests, so that they get added as |
Hi,
do you think if it would make sense to offer a CRD flag to include full chain in auto-created certificate?
I noticed issues by serving created certificates to clients:
curl: (60) SSL certificate problem: unable to get local issuer certificate. I guess because there is no full chain included.Cheers!
Edit: If those are certificates used only to work behind CF proxies, then I probably missed the point. We are trying to use them for internal networking, not going over CF. Domains are, of course, managed in CF. Well, I think I've missed this: "You'll be able to use this certificate on servers proxied behind Cloudflare." — CF blog.
The text was updated successfully, but these errors were encountered: