ZeroSSL is a one-stop solution for SSL certificate creation and management, allowing users to create website security certificates issued by ZeroSSL either using a fast and straightforward user interface, using ACME integrations, or using a full-fledged SSL REST API. ZeroSSL supports single-domain, multi-domain and wildcard certificates with the option of choosing between 90-day as well as 1-year certificate validity.
Prerequisites
An account at https://zerossl.com/. Then open the Developer section and generate EAB Credentials for ACME Clients.
Note: We are currently using Ion Mudreac's account.
Why ZeroSSL?
We previously used Let's Encrypt. The main differences are that ZeroSSL has no rate limits on SSL certificate issuance and provides a GUI-based management console for issued certificates.
EAB secret
Once you have your credentials, the first step is to create a Kubernetes Secret holding them; it is what authenticates cert-manager against your ZeroSSL account.
The EABHMACKey is stored in Vault at https://vault.cicd.safibank.online/ui/vault/secrets/secret/show/cicd/zerossl
From secret-zerossl.yaml
apiVersion: v1
kind: Secret
metadata:
  name: zerossl-eab
stringData:
  secret: <secret:secret/data/cicd/zerossl~EABHMACKey>
Cluster issuer
Create the ZeroSSL ClusterIssuer for the target GCP project, e.g. safi-dns-safibankonline.
From cluster-issuer-zerossl-dns.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: zerossl-dns
spec:
  acme:
    server: https://acme.zerossl.com/v2/DV90
    externalAccountBinding:
      keyID: bC96iOYfnz6MHrdgR4iI_w
      keySecretRef:
        name: zerossl-eab
        key: secret
    privateKeySecretRef:
      name: zerossl-dns
    solvers:
    - dns01:
        cloudDNS:
          # The ID of the GCP project
          project: safi-dns-safibankonline
Requesting Ingress certificate
From advanceai-gateway/values.yaml
kotlin:
  # others omitted for brevity
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: zerossl-dns
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      kubernetes.io/ingress.class: traefik-internal
    hosts:
    - host: advanceai-gateway.apps.brave.safibank.online
      paths:
      - path: /
        pathType: ImplementationSpecific
    tls:
    - secretName: advanceai-gateway.apps.brave.safibank.online-tls
      hosts:
      - advanceai-gateway.apps.brave.safibank.online
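The Secret, ClusterIssuer and Ingress values above only work if their references line up (Secret name and key, ClusterIssuer name, TLS hosts). As an added example that is not part of this page, the following check re-types the three manifests as Python dicts and flags any reference that does not resolve; the Secret's namespace cert-manager is an assumption, since the page's Secret declares none.

```python
"""Cross-reference checks for the ZeroSSL cert-manager manifests on this page."""
# Constructed copies of the page's manifests as dicts (stand-ins for the YAML).
# The namespace is assumed: ClusterIssuer secrets are read from cert-manager's
# cluster resource namespace, which defaults to "cert-manager".
SECRET = {"apiVersion": "v1", "kind": "Secret",
          "metadata": {"name": "zerossl-eab", "namespace": "cert-manager"},
          "stringData": {"secret": "<secret:secret/data/cicd/zerossl~EABHMACKey>"}}
ISSUER = {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
          "metadata": {"name": "zerossl-dns"},
          "spec": {"acme": {
              "server": "https://acme.zerossl.com/v2/DV90",
              "externalAccountBinding": {"keyID": "bC96iOYfnz6MHrdgR4iI_w",
                                         "keySecretRef": {"name": "zerossl-eab", "key": "secret"}},
              "privateKeySecretRef": {"name": "zerossl-dns"},
              "solvers": [{"dns01": {"cloudDNS": {"project": "safi-dns-safibankonline"}}}]}}}
INGRESS = {"enabled": True,
           "annotations": {"cert-manager.io/cluster-issuer": "zerossl-dns"},
           "hosts": [{"host": "advanceai-gateway.apps.brave.safibank.online"}],
           "tls": [{"secretName": "advanceai-gateway.apps.brave.safibank.online-tls",
                    "hosts": ["advanceai-gateway.apps.brave.safibank.online"]}]}


def validate(secret, issuer, ingress, issuer_ns="cert-manager"):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    acme = issuer["spec"]["acme"]
    eab = acme.get("externalAccountBinding")
    if "zerossl.com" in acme["server"] and not eab:
        problems.append("ZeroSSL requires externalAccountBinding on the issuer")
    if eab:
        ref = eab["keySecretRef"]
        if ref["name"] != secret["metadata"]["name"]:
            problems.append(f"keySecretRef.name {ref['name']!r} != Secret {secret['metadata']['name']!r}")
        keys = set(secret.get("stringData", {})) | set(secret.get("data", {}))
        if ref["key"] not in keys:
            problems.append(f"Secret lacks key {ref['key']!r}")
        if secret["metadata"].get("namespace") != issuer_ns:
            problems.append(f"Secret must live in namespace {issuer_ns!r}")
    if not acme.get("solvers"):
        problems.append("issuer has no ACME solvers")
    wanted = ingress["annotations"].get("cert-manager.io/cluster-issuer")
    if wanted != issuer["metadata"]["name"]:
        problems.append(f"ingress annotation {wanted!r} names no known ClusterIssuer")
    hosts = {h["host"] for h in ingress["hosts"]}
    for tls in ingress["tls"]:
        for h in tls["hosts"]:
            if h not in hosts:
                problems.append(f"tls host {h!r} not in ingress hosts")
    return problems
```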