TLS Settings for HTTPS
There are three options for configuring TLS for web services hosted in a SHIPOPS cluster:
TLS Managed by ShipOps
- Generate a self-signed certificate
- Upload an external certificate
- Obtain a certificate from Let's Encrypt using the HTTP-01 protocol
Self-Signed Certificate
In this case, SHIPOPS creates a self-signed certificate, which is not trusted but allows HTTPS to be used without external services or additional software. The browser will always show a warning. This option is suitable for test services or service clusters.
External Certificate
In this case, you upload a certificate and its private key in PEM format into the SHIPOPS form. If the key is encrypted with a password, enter the password as well. Where this approach can be used depends on the uploaded certificate: a certificate signed by a trusted certificate authority is also suitable for production services.
Let's Encrypt Certificate
In this case, software is installed in the cluster that uses the HTTP-01 protocol to obtain a trusted certificate for your services, provided that the cluster's root domain is public (that is, the local VPC domain has been overridden), because the certificate authority validates HTTP-01 by fetching a challenge response from your domain over the Internet. If the cluster domain cannot be reached from outside, validation fails and the result is the same as when using a self-signed certificate.
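To make the public-domain requirement concrete, the following added example (not part of the SHIPOPS documentation or its ACME client) models the HTTP-01 exchange from RFC 8555: the in-cluster client answers the CA's request for /.well-known/acme-challenge/<token> with a key authorization derived from the account key's JWK thumbprint (RFC 7638), and the CA compares what it fetched against the same value. The JWK and token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK thumbprints require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url-encoded (43 characters for SHA-256)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_responder(path: str, pending_tokens: set, account_jwk: dict):
    """Cluster side: return (status, body) for an inbound plain-HTTP request path.
    Only tokens the client has accepted from the CA are answered; anything else is 404."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    if token not in pending_tokens:
        return 404, ""
    return 200, key_authorization(token, account_jwk)


def ca_validates(fetched_body, token: str, account_jwk: dict) -> bool:
    """CA side: validation passes only if the fetch succeeded and the body matches.
    A None body stands for a domain the CA could not reach (private VPC domain)."""
    if fetched_body is None:
        return False
    return fetched_body.strip() == key_authorization(token, account_jwk)


# Constructed placeholders: "n" is NOT a real RSA modulus, the token is invented.
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus", "alg": "RS256"}
CONSTRUCTED_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```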
HTTPS can also be provided by external services instead of SHIPOPS.
TLS Managed by External Services
Cloudflare
If the entry point type Cloudflare Type is used for the cluster, HTTPS can be configured using Cloudflare's services: Universal Certificates, which are free, or Advanced Certificate, which is paid.
The free Universal Certificates option has limitations. For details, see Limitations.
VPC Provider
If the entry point type External Type is used for the cluster, HTTPS can use the capabilities of the provider from which the cluster servers are rented (see Example DigitalOcean Load Balancer Setup).