Add ability to change validity time of the local CA #230

Merged (1 commit, Mar 4, 2024)

Conversation

JonasAlfredsson (Owner)

A request to be able to more easily change this validity time was raised when it came to deploying this container behind a CDN and making it easy to set up an encrypted connection to the origin server.

Through LOCAL_CA_ROOT_CERT_VALIDITY it should now be possible to set it to any number of days desired, but we hide this information inside the advanced documentation so we don't flaunt it and force users to read before blindly applying this in production.

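The following is an added example, not the project's own script, showing the shape of what the pull request describes: the root CA lifetime comes from the LOCAL_CA_ROOT_CERT_VALIDITY environment variable (in days) and is validated before use, while the leaf certificate lifetime stays fixed at 90 days. The default of 365 days, the file names, the subject names and the helper function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not docker-nginx-certbot's own code.
# Root CA lifetime is configurable via LOCAL_CA_ROOT_CERT_VALIDITY (days);
# leaf certificates are always issued for 90 days, mirroring Let's Encrypt.

LEAF_CERT_VALIDITY_DAYS=90          # fixed on purpose, not user-configurable
DEFAULT_CA_ROOT_VALIDITY_DAYS=365   # assumed default for this example only

# Print the root CA lifetime in days. Anything that is not a positive integer
# is rejected so that a typo (e.g. "30d") cannot silently yield an odd cert.
ca_root_validity_days() {
  days="${LOCAL_CA_ROOT_CERT_VALIDITY:-$DEFAULT_CA_ROOT_VALIDITY_DAYS}"
  case "$days" in
    ''|*[!0-9]*)
      echo "LOCAL_CA_ROOT_CERT_VALIDITY must be a positive integer (days), got '$days'" >&2
      return 1 ;;
  esac
  if [ "$days" -le 0 ]; then
    echo "LOCAL_CA_ROOT_CERT_VALIDITY must be greater than 0, got '$days'" >&2
    return 1
  fi
  echo "$days"
}

# Create a self-signed root CA (ca.key, ca.crt) in directory $1.
generate_local_ca() {
  dir="$1"
  days="$(ca_root_validity_days)" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -days "$days" -subj "/CN=Local test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a leaf certificate for hostname $2, signed by the CA in $1.
# The lifetime is always LEAF_CERT_VALIDITY_DAYS; a SAN is added because
# modern clients ignore the CN.
issue_leaf_cert() {
  dir="$1"; name="$2"
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$LEAF_CERT_VALIDITY_DAYS" -sha256 \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Return 0 if the certificate in $1 will still be valid $2 days from now.
# Useful for a renewal check: a 90-day leaf should fail this for 91 days.
cert_valid_in_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Stand-alone usage: generate a CA and one leaf into a temp directory.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  work="$(mktemp -d)"
  generate_local_ca "$work" && issue_leaf_cert "$work" "origin.example.test" &&
    echo "CA lifetime: $(ca_root_validity_days) days, leaf: $LEAF_CERT_VALIDITY_DAYS days ($work)"
fi
```

Run with `RUN_DEMO=1 LOCAL_CA_ROOT_CERT_VALIDITY=30 sh local_ca.sh` to get a 30-day root and a 90-day leaf; leaving the variable unset uses the example's default, and a non-numeric value makes the script refuse to create anything rather than guess.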
@chreniuc

Looks good to me, but I still have a curiosity: why enforce the 90 days for certificate renewal and not allow the user to override that value? Why not allow the same as for the local CA? I noticed that you added a comment about Let's Encrypt (for 90 days), but that's valid for public certificates. For example, if the self certificate is used internally (as is in most cases), I do not see a problem with allowing that value to be as high as possible.

@JonasAlfredsson (Owner, Author)

My thought here is that if the leaf certificate can have an arbitrary lifetime then you don't need this container. Then you would just create your own self-signed certificate with a 50 year lifetime and just skip all the renewal nonsense going on here :P

This tries to mimic Let's Encrypt, which is why I like the idea of keeping the lifetime equal :)

@chreniuc commented Mar 1, 2024

I understand, that sounds good. From my point of view, you can merge it.

@JonasAlfredsson JonasAlfredsson merged commit 4f7532d into master Mar 4, 2024
1 check passed