Some time ago I sketched out an epic to add support for multiple certs to
gorouter, configured via BOSH manifest property, but these stories have
languished in the icebox while we've addressed more urgent work.

I would like to hear from the community whether an operator managed
feature would be of value, as it would be relatively cheap.

I have also heard requests for user self-service management of certs for
private domains, as Carlo described. This would be a much more complex
feature to deliver, but I can certainly see the value.

Tell me about the pain of managing TLS certificates. How are you dealing
with this today? Which of these approaches would be more helpful in
enabling your developers? Which of these features would you be more
disappointed to hear would not be delivered?

Thank you!

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Mon, Sep 19, 2016 at 6:11 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

I have a question about the SSL termination epic[1], whose goal IIUC is
to provide the ability for operators to have multiple TLS certificates: it
seems only shared domains are being considered (because the stories talk
about *operators* setting up multiple certs); are there no plans for
private domains? Put otherwise: are there plans for allowing *users* to
provide the cert for a domain they registered in their org?

[1] https://www.pivotaltracker.com/epic/show/2135866

(I originally posted the question on slack but got no reply, so
crossposting here)

For us we handle all ssl termination in our FLB (Frontend Load Balancer).
If a customer adds a custom domain then my team needs to add a vip and
associated cert for that domain. This is something I don't think CF could
do for us because we are using our FLB. So, FWIW this isn't a feature we
would use since we use or FLB to manage this instead.

Mike

On Mon, Sep 19, 2016 at 11:25 PM, Shannon Coen <scoen(a)pivotal.io> wrote:

Some time ago I sketched out an epic to add support for multiple certs to
gorouter, configured via BOSH manifest property, but these stories have
languished in the icebox while we've addressed more urgent work.

I would like to hear from the community whether an operator managed
feature would be of value, as it would be relatively cheap.

I have also heard requests for user self-service management of certs for
private domains, as Carlo described. This would be a much more complex
feature to deliver, but I can certainly see the value.

Tell me about the pain of managing TLS certificates. How are you dealing
with this today? Which of these approaches would be more helpful in
enabling your developers? Which of these features would you be more
disappointed to hear would not be delivered?

Thank you!

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Mon, Sep 19, 2016 at 6:11 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

I have a question about the SSL termination epic[1], whose goal IIUC is
to provide the ability for operators to have multiple TLS certificates: it
seems only shared domains are being considered (because the stories talk
about *operators* setting up multiple certs); are there no plans for
private domains? Put otherwise: are there plans for allowing *users* to
provide the cert for a domain they registered in their org?

[1] https://www.pivotaltracker.com/epic/show/2135866

(I originally posted the question on slack but got no reply, so
crossposting here)

Mike,

What if the way the gorouters were configured with user-provided certs was
a point of extension that could also be used to configure your FLB?

How often do you have to manage certs on your LB? Is this of low value?

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 12:43 PM, Mike Youngstrom <youngm(a)gmail.com>
wrote:

For us we handle all ssl termination in our FLB (Frontend Load
Balancer). If a customer adds a custom domain then my team needs to add a
vip and associated cert for that domain. This is something I don't think
CF could do for us because we are using our FLB. So, FWIW this isn't a
feature we would use since we use or FLB to manage this instead.

Mike

On Mon, Sep 19, 2016 at 11:25 PM, Shannon Coen <scoen(a)pivotal.io> wrote:

Some time ago I sketched out an epic to add support for multiple certs
to gorouter, configured via BOSH manifest property, but these stories have
languished in the icebox while we've addressed more urgent work.

I would like to hear from the community whether an operator managed
feature would be of value, as it would be relatively cheap.

I have also heard requests for user self-service management of certs for
private domains, as Carlo described. This would be a much more complex
feature to deliver, but I can certainly see the value.

Tell me about the pain of managing TLS certificates. How are you dealing
with this today? Which of these approaches would be more helpful in
enabling your developers? Which of these features would you be more
disappointed to hear would not be delivered?

Thank you!

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Mon, Sep 19, 2016 at 6:11 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

I have a question about the SSL termination epic[1], whose goal IIUC is
to provide the ability for operators to have multiple TLS certificates: it
seems only shared domains are being considered (because the stories talk
about *operators* setting up multiple certs); are there no plans for
private domains? Put otherwise: are there plans for allowing *users* to
provide the cert for a domain they registered in their org?

[1] https://www.pivotaltracker.com/epic/show/2135866

(I originally posted the question on slack but got no reply, so
crossposting here)

On Tue, Sep 20, 2016 at 5:44 PM, Carlo Alberto Ferraris <carlo.ferraris(a)rakuten.com> wrote:
Mike,
thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar to the one described by Mike. We sit behind a bunch of SLBs that handle termination for us. The main difference is that we're moving out of the "one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a choice we made exactly to keep options open when it comes to automating this process.
The biggest pain comes from the fact that the SLB in our organization is handled by a different team and that therefore every cert add/update/delete operation requires a manual operation spanning three teams (application team, our team, SLB team); in the worst cases such operations can take days. We may be different in this from other CF operators, but this situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to dynamically apply certificates specified by the users (and operators) we would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using either nginx or a custom-built TLS terminator for this very purpose (the main reason we're considering something custom built is because it's somewhat hard to get session ticket key rotation right with nginx when you have multiple servers) - but if something functionally equivalent were to appear upstream we would definitely prefer it.

I hope everything makes sense, if not I'll gladly answer any question you may have.

Thanks for looking into this!

Carlo

Mike,
thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar
to the one described by Mike. We sit behind a bunch of SLBs that handle
termination for us. The main difference is that we're moving out of the
"one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a
choice we made exactly to keep options open when it comes to automating
this process.
The biggest pain comes from the fact that the SLB in our organization is
handled by a different team and that therefore every cert add/update/delete
operation requires a manual operation spanning three teams (application
team, our team, SLB team); in the worst cases such operations can take
days. We may be different in this from other CF operators, but this
situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to
dynamically apply certificates specified by the users (and operators) we
would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using
either nginx or a custom-built TLS terminator for this very purpose (the
main reason we're considering something custom built is because it's
somewhat hard to get session ticket key rotation right with nginx when you
have multiple servers) - but if something functionally equivalent were to
appear upstream we would definitely prefer it.

I hope everything makes sense, if not I'll gladly answer any question you
may have.

Thanks for looking into this!

Carlo

It sounds like we are in a similar situation to Carlo, i.e.


- We have an external pair of LBs
- These are used for SSL termination
- We upload SSL certificates to the LBs for various domains, which
point to the same VIP


If something became available that would easily allow app developers /
users to upload their own certificates, I too would happily move SSL
termination from the LBs to gorouter, as it would mean one less automation
workflow for us :-)


On 21 September 2016 at 02:04:48, Shannon Coen (scoen(a)pivotal.io) wrote:

Carlo, Mike, others,

Do you store certs in the LB config itself, or federate/offload TLS
termination to some secure store? I'm thinking about storing user-provided
certs in the Routing API and offering them to routers/LBs from there. Would
we instead have to send the certs to some other proprietary system from
where the router/LB would have to pull from?

I've heard a few requests for integrating with systems that store the
certs so that the routers don't have access to the keys.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 5:44 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

Mike,
thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar
to the one described by Mike. We sit behind a bunch of SLBs that handle
termination for us. The main difference is that we're moving out of the
"one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a
choice we made exactly to keep options open when it comes to automating
this process.
The biggest pain comes from the fact that the SLB in our organization is
handled by a different team and that therefore every cert add/update/delete
operation requires a manual operation spanning three teams (application
team, our team, SLB team); in the worst cases such operations can take
days. We may be different in this from other CF operators, but this
situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to
dynamically apply certificates specified by the users (and operators) we
would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using
either nginx or a custom-built TLS terminator for this very purpose (the
main reason we're considering something custom built is because it's
somewhat hard to get session ticket key rotation right with nginx when you
have multiple servers) - but if something functionally equivalent were to
appear upstream we would definitely prefer it.

I hope everything makes sense, if not I'll gladly answer any question you
may have.

Thanks for looking into this!

Carlo

While we're talking about TLS, but this is only partially related, it
would be awesome if we were to implement (or some hooks were provided to be
able to complete) either the http or tls ACME challenges. That would be the
ultimate dream. :D