First we need to set up an acme instance to run the SSL certificate renewal against Let's Encrypt nightly. To do that, the acme instance must be behind the load balancer that the SSL certificate is associated with. On top of that, we only want Let's Encrypt traffic reaching this instance. To achieve this, we use Path Route Sets.
1. Add Backend Set
2. Add Backends
3. Add Path Route Sets
4. Assign Path Route Sets to the Load Balancer SSL listener

At this point, only the Let's Encrypt traffic will be routed to the acme instance. Normal traffic will not be affected.
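The four console steps above have a CLI equivalent. The script below is an added example, not code from the original post: it creates a backend set for the acme instance, registers the instance as its backend, creates a path route set that matches only the ACME HTTP-01 challenge path (/.well-known/acme-challenge) and sends it to that backend set, and attaches the route set to the SSL listener. The load balancer OCID, the backend set, route set, listener and certificate names, the instance IP and the ports are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post): the OCI CLI equivalent of
# the four console steps above. It creates a backend set for the acme instance,
# registers the instance as its backend, creates a path route set that sends
# only ACME HTTP-01 challenge requests (/.well-known/acme-challenge/...) to
# that backend set, and attaches the route set to the SSL listener.
# All OCIDs, names, the IP address and ports are assumed placeholders.
set -eu

LB_OCID="${LB_OCID:-ocid1.loadbalancer.oc1..REPLACE_ME}"   # placeholder
ACME_BACKEND_SET="acme-bs"            # assumed name for the acme backend set
ACME_IP="${ACME_IP:-10.0.1.10}"        # assumed private IP of the acme instance
ACME_PORT=80
ROUTE_SET="acme-routes"               # assumed path route set name
LISTENER="https-listener"             # assumed name of the existing SSL listener
DEFAULT_BACKEND_SET="ords-bs"         # assumed backend set the listener already uses
CERT_NAME="current-cert"              # assumed name of the certificate already on the listener
ACME_PATH="/.well-known/acme-challenge"

# Path-routes JSON for the CLI: one prefix match on the ACME challenge path
# pointing at the acme backend set. Requests for any other path keep going
# to the listener's default backend set, so normal traffic is untouched.
path_routes_json() {
    printf '[{"path":"%s","pathMatchType":{"matchType":"PREFIX_MATCH"},"backendSetName":"%s"}]' "$1" "$2"
}

apply() {
    oci lb backend-set create --load-balancer-id "$LB_OCID" --name "$ACME_BACKEND_SET" \
        --policy ROUND_ROBIN --health-checker-protocol HTTP --health-checker-port "$ACME_PORT" \
        --health-checker-url-path / --wait-for-state SUCCEEDED
    oci lb backend create --load-balancer-id "$LB_OCID" --backend-set-name "$ACME_BACKEND_SET" \
        --ip-address "$ACME_IP" --port "$ACME_PORT" --wait-for-state SUCCEEDED
    oci lb path-route-set create --load-balancer-id "$LB_OCID" --name "$ROUTE_SET" \
        --path-routes "$(path_routes_json "$ACME_PATH" "$ACME_BACKEND_SET")" --wait-for-state SUCCEEDED
    # listener update replaces the whole listener definition, so the existing
    # port, protocol, default backend set and certificate must be given again.
    oci lb listener update --load-balancer-id "$LB_OCID" --listener-name "$LISTENER" \
        --default-backend-set-name "$DEFAULT_BACKEND_SET" --port 443 --protocol HTTP \
        --ssl-certificate-name "$CERT_NAME" --path-route-set-name "$ROUTE_SET" \
        --wait-for-state SUCCEEDED --force
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as `sh lb_acme_route.sh apply` on a host with the OCI CLI configured. The route set only limits what the load balancer forwards; the acme instance's security list or NSG should still admit port 80 from the load balancer subnet only, so nothing can reach the instance around the route set.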
acme.sh is probably the easiest & smartest shell script to automatically issue & renew free certificates from Let's Encrypt. On the acme instance, we will do the following:
1. Install acme.sh
2. Issue SSL Certificate
3. Install SSL Certificate
4. Create and Install pkcs8 private key
5. Set notifications

At this point, we have set up acme.sh to renew the certificate automatically for us, and it will put the new certificate in /opt/oracle/ords/config/ords/standalone.
The following bash script takes the new certificate from /opt/oracle/ords/config/ords/standalone, adds it to the load balancer and updates the listener to use it.
renew_lb_certs.sh

We still need to manually update the certificate between the load balancer and the instances in the private subnet.
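The author's renew_lb_certs.sh is not reproduced on this page. The script below is an added example, not the author's script and not acme.sh's own code, wiring the acme.sh steps above together: issue the certificate, install it into the ORDS standalone directory with a reload hook, and in that hook convert the key to PKCS#8 DER, check that key and certificate match, upload the new certificate to the load balancer and switch the SSL listener to it. The domain, webroot, output file names, load balancer OCID, listener, backend set and route set names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the author's renew_lb_certs.sh and not acme.sh's own code.
# "issue" runs the one-time acme.sh issue/install; acme.sh then calls this
# script with "rotate" after every renewal (the --reloadcmd hook).
# Domain, webroot, file names, OCID and resource names are assumed placeholders.
set -eu

DOMAIN="${DOMAIN:-ords.example.com}"                       # assumed
WEBROOT="${WEBROOT:-/var/www/html}"                        # assumed webroot served on port 80
ORDS_DIR="/opt/oracle/ords/config/ords/standalone"         # from the post
LB_OCID="${LB_OCID:-ocid1.loadbalancer.oc1..REPLACE_ME}"   # placeholder
LISTENER="${LISTENER:-https-listener}"                     # assumed SSL listener name
DEFAULT_BACKEND_SET="${DEFAULT_BACKEND_SET:-ords-bs}"      # assumed
ROUTE_SET="${ROUTE_SET:-acme-routes}"                      # assumed path route set on the listener

# A load balancer certificate cannot be edited in place, so each renewal uploads
# a new one under a date-stamped name and the listener is switched over to it.
cert_name() {
    printf 'acme-%s-%s' "$1" "$2"
}

# Returns 0 only if every file acme.sh should have written exists and is
# non-empty; uploading with a missing chain would leave clients unable to validate.
have_cert_files() {
    for f in "$1/$2.cer" "$1/$2.key" "$1/fullchain.cer" "$1/ca.cer"; do
        [ -s "$f" ] || return 1
    done
    return 0
}

issue_and_install() {
    self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
    # HTTP-01: Let's Encrypt fetches /.well-known/acme-challenge/<token>, which the
    # load balancer's path route set forwards to this instance.
    acme.sh --issue -d "$DOMAIN" -w "$WEBROOT"
    acme.sh --install-cert -d "$DOMAIN" \
        --cert-file "$ORDS_DIR/$DOMAIN.cer" --key-file "$ORDS_DIR/$DOMAIN.key" \
        --fullchain-file "$ORDS_DIR/fullchain.cer" --ca-file "$ORDS_DIR/ca.cer" \
        --reloadcmd "$self rotate"
}

rotate() {
    have_cert_files "$ORDS_DIR" "$DOMAIN" || { echo "certificate files missing, not rotating" >&2; exit 1; }
    # PKCS#8 DER copy of the key for ORDS standalone (step 4 above); output name assumed.
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$ORDS_DIR/$DOMAIN.key" -out "$ORDS_DIR/$DOMAIN.der"
    chmod 600 "$ORDS_DIR/$DOMAIN.key" "$ORDS_DIR/$DOMAIN.der"
    # Never push a certificate whose public key does not match the private key.
    [ "$(openssl x509 -noout -pubkey -in "$ORDS_DIR/$DOMAIN.cer")" = \
      "$(openssl pkey -pubout -in "$ORDS_DIR/$DOMAIN.key")" ] || { echo "key/cert mismatch" >&2; exit 1; }
    name=$(cert_name "$DOMAIN" "$(date +%Y%m%d)")
    oci lb certificate create --load-balancer-id "$LB_OCID" --certificate-name "$name" \
        --public-certificate-file "$ORDS_DIR/$DOMAIN.cer" --ca-certificate-file "$ORDS_DIR/ca.cer" \
        --private-key-file "$ORDS_DIR/$DOMAIN.key" --wait-for-state SUCCEEDED
    # listener update replaces the whole definition: repeat the path route set,
    # otherwise the ACME routing set up earlier is silently dropped.
    oci lb listener update --load-balancer-id "$LB_OCID" --listener-name "$LISTENER" \
        --default-backend-set-name "$DEFAULT_BACKEND_SET" --port 443 --protocol HTTP \
        --ssl-certificate-name "$name" --path-route-set-name "$ROUTE_SET" \
        --wait-for-state SUCCEEDED --force
}

case "${1:-}" in
    issue)  issue_and_install ;;
    rotate) rotate ;;
esac
```

Run `sh renew_lb_certs.sh issue` once; acme.sh's nightly cron job then renews the certificate and runs the `rotate` hook itself. Old date-stamped certificates stay on the load balancer until removed, and the certificate between the load balancer and the private-subnet instances is still updated by hand, as the post notes.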