What Is HTTPS? How Does It Work? Automate With cert-manager And Let's Encrypt

How do you manage your HTTPS certificates? Do you use cert-manager with Let's Encrypt or something else?

I think since the 3 years I deal with IT THAT is the best and most understandable explaination about the topic I have seen so far.

Hi! I think that would be important to clarify that, unlike the public and private key assymetric system, you can, with the same session key, both encrypt and decrypt data - you encrypt data with the session key, sends to server, and the server decrypt the received data with the same session key.
I was a bit confused with that since its said in the beginning of the video that you can't decrypt data with the same key you encrypted it. Things got clear when i remembered that I read somewhere that you start HTTPs with assymetric keys and then use symetric keys, but at the time I got confused.
Now both the article I read days ago and your video are fully clear.
Thanks for you videos! You really know how to explain complex subjects in a simple and understable way.

I have to read this everytime I start looking for a change, and then I forget or mix up. This is greatly explained. Thanks

wow I am new to IT and you really explained these concepts. Thank you so much

Hi Viktor, thanks for this helpful video. I have used Let's encrypt once in the past but the app wasn't on k8s, so this is a good learning for me on how to do it on k8s.

Great explanation on HTTPS, thanks.

only one word: wonderful explanation.. thank you..

Amazing video as always :D

Very nice video thank you! I have a question. Lets say I have a three node cluster (RKE2) and want to use for my app (rancher UI) an external loadbalancer. Can I use the certmanager when I have an external lb? What I found is that I have to hand some certificates to the nginx.conf of the external lb. How do these two different things work together?

Thanks a lot for this awesome video..Would be great to talk about vpn in later videos

I finally understood how https works. Thank you!
how do you handle with cert-manager requesting internal certificates (services with that are not exposed to internet)?

Things like Nginx Ingress it does able to make reload when things got update
but for other (such like Hashicorp Vault) it might require using 3rd party tools like reloader
when cert/secret get update it tigger the rolling restart the sts
Do cert manager new version solve the issue or Do you find a good way ? But i things it really depend on the Particular Software design
Or we should always put Ingress/Gateway before the Application even itself expose the web page

Slightly off-topic but what kind of impact do you think gRPC would have on k8s in the near future?

4:04 i thought you can decrypt with public key if message was encrypted with private key ?

Can we use mtls ?

you are perfect

Мы используем cert-manager + clusterissuer with LE certs + buyed wildcard SSL для клиентского домена.

With regards to cert-manager I would recommend employing DNS01 over HTTP01 as there can be a case whereby a race condition may develop where ingress attempts to deploy a service to satisfy HTTP01 ACME challenge which competes with the actual underlying service that the cert is being requested for.
This can cause the challenge to spin since the challenge is never satisfied and no cert will be issued. It should also be noted that the request needs to happen on port 80.
I find DNS01 challenges more robust if only slightly more challenging to automate and configure. The trick is granting access / perms to your dns system (AWS Route53) within kind: ClusterIssuer.
DNS01 ACME challenge creates a DNS entry in your DNS for the given domain, be able to create this record satisfies the challenge and the cert is issued.
It should also be noted that while testing use lets-encrypt staging since there are rate limits on lets-encrypt production. letsencrypt.org/docs/rate-limits/