Zero downtime SSL migration from v2 to v3 rack

I’m currently running a v2 rack, and I’m migrating to a v3 rack. I think I’ve almost got everything working and ready to migrate, but the last issue is regarding SSL certificates for my domains. I would like to make sure that my new v3 rack is all set up and ready to serve SSL requests on the original domain before I change the DNS records.

What is the LetsEncrypt workflow for issuing SSL certificates? What challenges does cert-manager support (HTTP-01, or DNS-01)?

I will need to use the DNS-01 challenge, because I want to set up an SSL certificate before I change the DNS records. Is there a way to do this, so that it prints the required DNS records in the logs?


It looks like Convox is using cert-manager, and they have a section in the docs about DNS validation: DNS Validation | cert-manager

I’m going to try to set up the cert-manager Cloudflare integration using an API key, so that it can automatically create the DNS records: Cloudflare | cert-manager

I’ve also installed the kubectl plugin: Kubectl plugin | cert-manager
(Be careful if you’re on Mac, the default installation instructions are for Linux.) On Mac:

curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-darwin-amd64.tar.gz
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin

Note: I found out that kubectl get all -A doesn’t list issuers or clusterissuers.

$ kubectl get issuer -A
No resources found

$ kubectl get clusterissuer -A
NAME          READY   AGE
letsencrypt   True    3h25m

kubectl edit clusterissuer/letsencrypt:

...
spec:
  acme:
    email: ops@convox.com
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
...

So it looks like Convox sets up an http01 solver. I should be able to follow these instructions to change this to a dns01 solver and pass in my Cloudflare credentials, so it can automatically create the required DNS records.

The only thing I’m concerned about is how this works with Terraform. If I update my rack, will that blow away all of the changes I’m making via kubectl? Or is this a persistent change that won’t be affected? (I’ll try to test this out after I’ve got it working, by changing a param and updating the rack.)
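For reference, this is what the dns01 swap described above looks like as cert-manager manifests. This is an added example, not the poster's config or anything Convox ships: the `cert-manager.io/v1` apiVersion, the Secret name `cloudflare-api-token-secret`, its key `api-token`, the `cert-manager` namespace and the `example.com` zone are all assumptions to be adjusted for the actual rack, and the token value is a placeholder. It uses a scoped Cloudflare API token (Zone:Read plus DNS:Edit on just the zone that matters) rather than the account-wide Global API Key, so a leaked Secret exposes only DNS for that zone.

```yaml
# Assumed: the Secret lives in the namespace cert-manager treats as its
# "cluster resource namespace" (cert-manager by default), because a
# ClusterIssuer can only read Secrets from there.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret      # assumed name
  namespace: cert-manager                # assumed namespace
type: Opaque
stringData:
  # Placeholder. Use a scoped API token (Zone:Read, DNS:Edit, limited to
  # the zone below), not the Global API Key, so the blast radius of a
  # leaked Secret is one zone's DNS records and nothing else.
  api-token: "<CLOUDFLARE_API_TOKEN_PLACEHOLDER>"
---
apiVersion: cert-manager.io/v1           # assumed cert-manager >= 1.0
kind: ClusterIssuer
metadata:
  name: letsencrypt                      # same name as the existing issuer
spec:
  acme:
    email: ops@convox.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    # dns01 first, restricted to the zone the token is scoped to, so
    # certificates can be issued before DNS points at the new rack.
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
      selector:
        dnsZones:
        - "example.com"                  # assumed zone; replace
    # Keep the original http01 solver as the fallback for every other
    # domain, so existing behaviour on the rack is unchanged.
    - http01:
        ingress:
          class: nginx
```

After `kubectl apply`, `kubectl get challenge -A` shows each DNS-01 challenge's state, and `kubectl describe challenge <name>` reports whether cert-manager could create the `_acme-challenge` TXT record and whether the ACME server accepted it.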