Let's Encrypt support for console #5
I don't see anything in the docs regarding using Let's Encrypt for the console HTTPS. Would this be possible to do at some point?
Replies: 6 comments 2 replies
Hi @formula349, first of all, thanks for reaching out to me and evaluating OpenUEM. As many reverse proxies and K8s ingress controllers out there can generate Let's Encrypt certificate requests to serve HTTPS traffic, it'd be a nice addition to have for serving the console. The problem is that the Let's Encrypt CA cannot be used to generate certificates like those used by OpenUEM components and user authentication, but I'll think about a way that allows a deployment with Let's Encrypt to get access to the console.
@formula349 I've created issue #8 to keep track of further progress. Thanks!
I think that the right approach would be placing the console behind a reverse proxy that can make use of a Let's Encrypt certificate and forward the UI and authentication requests to the console. Is this a valid proposal for you and, if so, which proxy or scenario would you like me to test and document? For example, I may add a reverse proxy container to the docker deployment. Or do you propose that, when the console is installed facing the internet directly, it requests a certificate from Let's Encrypt and is used without a reverse proxy? Thanks in advance @formula349
Right now, I want to make it easy to install and test OpenUEM and I LOVE your suggestion, so I think I'll add a proxy to the docker compose that can make use of Let's Encrypt, if you agree that it would benefit prospective users. Thanks a lot for playing with OpenUEM, any feedback is much appreciated.
After reviewing this discussion, there's a problem with Let's Encrypt. OpenUEM requires that both the console and the auth service run under the same domain.

If the domain has a Let's Encrypt certificate it will secure the connection, but it won't be possible to validate users, as client certificates should be generated by the same CA used by Let's Encrypt. The Let's Encrypt ACME CA is not suitable for creating mTLS certificates, as discussed here: https://community.letsencrypt.org/t/generating-mtls-client-certs/218728/4

In any case, issue #8 is still open in case the login requirements change in the future.

Closing this discussion. Thanks!
Hi @formula349. In upcoming releases OpenUEM will try to use OpenID (#183), so that will hopefully open the way to supporting Let's Encrypt in the console.