We have 2 molecule nodes and want to enable SSL for both of them on port 9093. As I see it, we can map one certificate to a port? We have two certificates for two nodes. What is the best way to achieve this?
Any help would be appreciated.
I would really like this feature to be a "thing". We transmit sensitive data between the load balancer and the node and it would be great for it to be SSL all the way through, not just unwrapped at the LB.
In the meantime, we are going to try Subject Alternative Name on a certificate that works for all boxes in a molecule. We'll see how it goes.
You can vote for your idea here:
Hi Stephen Olander-Waters,
Interesting scenario. Not sure I've come across that personally--the vast majority of customers I've encountered chose to terminate SSL at the LB for a variety of reasons (trust their internal network, more performant, single point of SSL attack patches)--but one thought would be could you use a wildcard certificate that would match the root domain used across nodes?
A few other questions about your requirement for my own curiosity:
Thanks for getting back with me, Adam!
As a member of InCommon, we get infinite SSL certificates. Our Puppet master node automatically requests them via API from InCommon for any node it knows about. So, yeah, they're real certificates. By default, they are only for each node.
I am working on getting a single certificate with Subject Alternative Name (SAN) for each node in the molecule. This is outside the automated process I mentioned above. We try to avoid wildcard certs because Java clients sometimes barf on them.
Most traffic should be through the load balancer, but I can envision a scenario where we only wanted it going to a single node in the molecule. Of course this could be done via load balancer configuration. It's just way easier to point an internal service at a different hostname than it is to reconfigure the load balancer.
Lastly, yes, the LB decrypts and reencrypts. I know this seems silly, but it's nice to tell auditors that our FERPA/HIPAA data is transport secure from browser to service. In cases where this is impossible, we use iptables to drop all traffic except whitelisted IPs.
If the SAN solution works, I will close my Idea and politely request that you mention SSL certs with Subject Alternative Name in the molecule documentation. If it fails for some reason, I'll leave the Idea open.
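The two approaches discussed in this thread (one wildcard certificate for the root domain versus one certificate whose Subject Alternative Name lists the load balancer and every node) differ in which hostnames a client will accept. The following is an added example, not code from the thread or from the product being discussed: it implements the RFC 6125 dNSName matching rules that TLS clients apply, so you can check before requesting a certificate whether a given SAN list or wildcard actually covers the LB name and each node name. The hostnames `lb.molecule.example.edu`, `node1.molecule.example.edu` and `node2.molecule.example.edu` are constructed placeholders. (Python's own `ssl.match_hostname` was deprecated in 3.7 and removed in 3.12, which is why the matcher is written out here.)

```python
"""Check which hostnames a certificate's SAN (or a wildcard) would cover.

Added example; the hostnames below are constructed placeholders, not
names from the original thread.
"""
from typing import Iterable, List


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label against a pattern label, honoring a lone '*'.

    RFC 6125 section 6.4.3: a wildcard is only honored as the whole
    leftmost label ('*.example.edu'); partial wildcards such as
    'node*.example.edu' are rejected here rather than matched.
    """
    if pattern_label == "*":
        return True
    if "*" in pattern_label:
        return False
    return pattern_label == host_label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry (or wildcard) covers hostname.

    - comparison is case-insensitive, trailing dots ignored
    - '*' matches exactly one label, never zero or several, so
      '*.example.edu' covers 'node1.example.edu' but neither
      'node1.molecule.example.edu' nor 'example.edu'
    - a wildcard is only honored in the leftmost label and must be
      followed by at least two more labels ('*.edu' is refused)
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in p_labels[0] and len(p_labels) < 3:
        return False
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def hostname_covered(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName entry in the certificate's SAN covers hostname."""
    return any(dns_name_matches(pattern, hostname) for pattern in san_dns_names)


def uncovered_hosts(san_dns_names: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Return the hosts that a certificate with these SANs would NOT cover.

    Pre-request check: feed it the LB name plus every node name that an
    internal service might be pointed at directly.
    """
    sans = list(san_dns_names)
    return [h for h in hosts if not hostname_covered(sans, h)]


def openssl_san_extension(dns_names: Iterable[str]) -> str:
    """Build the subjectAltName value for an openssl req/x509 config line,
    e.g. 'DNS:lb.example.edu,DNS:node1.example.edu'."""
    return ",".join(f"DNS:{name}" for name in dns_names)


if __name__ == "__main__":
    # Constructed names for a two-node molecule behind a load balancer.
    molecule_hosts = [
        "lb.molecule.example.edu",
        "node1.molecule.example.edu",
        "node2.molecule.example.edu",
    ]
    san_cert = list(molecule_hosts)          # explicit SAN, one name per host
    root_wildcard = ["*.example.edu"]        # wildcard on the root domain
    print("SAN cert leaves uncovered:     ", uncovered_hosts(san_cert, molecule_hosts))
    print("*.example.edu leaves uncovered:", uncovered_hosts(root_wildcard, molecule_hosts))
    print("subjectAltName =", openssl_san_extension(san_cert))
```

The point the check makes concrete: a wildcard on the root domain does not cover nodes that live one label deeper (`*.example.edu` does not match `node1.molecule.example.edu`), so a wildcard only works if every node and the LB sit directly under the same parent, whereas an explicit SAN list covers exactly the names you put in it regardless of depth. Either way, run the uncovered-hosts check against the full list of hostnames internal services might use before requesting the certificate.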
Thanks for the additional info Stephen. I'll be curious to know how it works out for you.
As far as I can tell, the Subject Alternative Name certificates seem to have worked. Yay. I'll update my Idea and close it.
Thanks for the feedback!