
We use bluemix-letsencrypt for generating SSL certificates (as mentioned, for example, here).

When you run the script, a limitation is mentioned at the end of the process: you're not able to update an existing certificate without downtime. You need to delete the old certificate first and then upload a new one. But this procedure means unacceptable downtime.

The mentioned solution is that we should use the IBM Cloud console, where it should be possible to upload new SSL certs over the old ones, i.e. without downtime. This solution worked recently (2-3 months ago), but not anymore.

A few days ago I wanted to do the same as I had done four times over the last 12 months (every 3 months), but the design of the console has changed and now it's impossible to do that.

This is really bad. Since we use HTTP Strict Transport Security, any downtime of the SSL certificate is critical for us.

Does anyone know how we could solve this issue?

Thank you.

BPDESILVA
Zdeněk
  • Have you tested scripting it with the `bx` CLI? https://console.bluemix.net/docs/cli/reference/bluemix_cli/bx_cli.html#bluemix_app_domain_cert – nitind Apr 23 '18 at 21:38
  • @nitind yes, we actually use a script that runs `bx app domain-cert-remove` and then `bx app domain-cert-add` immediately, but still... we can't replace the cert without removing the old one first, so downtime (even if small) is still there. – Zdeněk May 10 '18 at 14:39
  • Have you tried a design with multiple SSL certificates for the same domain from different CAs? For example: Comodo, Entrust and LetsEncrypt. Then you can keep the old IP address and host and update the certificates in sequence. When the Comodo cert is updated with the one pointing to the new IP, the other two are still pointing to the old IP. When you have updated all three certs, you can then decommission your old IP. This will also offer resiliency across CAs since you mention tight uptimes as a design constraint. – vvg Jun 05 '19 at 22:29
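As an added example (not code from the question, the commenters or IBM), a bash script around the two `bx` commands nitind and Zdeněk discuss: it swaps the certificate and then polls the endpoint until the new leaf is actually served, so the outage window the question worries about is measured rather than guessed. The `-c`/`-k` flags of `domain-cert-add`, port 443 and the host/file arguments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the question or IBM. Assumes `bx` is already logged
# in and targeted; the -c/-k flags of domain-cert-add are an assumption,
# check `bx app domain-cert-add --help` for the real ones.
set -euo pipefail

# Normalise an openssl "SHA256 Fingerprint=AB:CD:..." line to bare lowercase hex.
norm_fp() {
  printf '%s' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate in a PEM file.
file_fp() {
  norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint currently served for a host; prints nothing when the TLS
# handshake fails (that is the window HSTS clients hard-fail on).
served_fp() {
  local line
  line=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
  [ -n "$line" ] && norm_fp "$line" || true
}

# Poll host $1 once a second until it serves fingerprint $2 or $3 seconds
# pass; prints the seconds spent waiting, i.e. the measured outage.
wait_for_fp() {
  local host=$1 want=$2 limit=$3 n=0
  while [ "$(served_fp "$host")" != "$want" ]; do
    n=$((n + 1))
    [ "$n" -ge "$limit" ] && { echo "$n"; return 1; }
    sleep 1
  done
  echo "$n"
}

# Remove the old binding, add the new one, then measure until the new
# certificate is really what clients receive.
rotate_cert() {
  local domain=$1 cert=$2 key=$3 want
  want=$(file_fp "$cert")
  bx app domain-cert-remove "$domain"
  bx app domain-cert-add "$domain" -c "$cert" -k "$key"
  echo "new certificate served after $(wait_for_fp "$domain" "$want" 300)s"
}

# Usage: ./rotate.sh example.com fullchain.pem privkey.pem
if [ "$#" -eq 3 ]; then rotate_cert "$@"; fi
```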

0 Answers