Hi! I have the following working setup:

```python
c.JupyterHub.internal_ssl = True
c.JupyterHub.external_ssl_authorities = {
    'custom-ca': {
        'key': '/etc/jupyterhub/ssl/tls.key',
        'cert': '/etc/jupyterhub/ssl/tls.crt',
        'ca': '/etc/jupyterhub/certs/ca-bundle.crt'
    }
}
c.JupyterHub.trusted_alt_names = [
    <names>
]
c.JupyterHub.recreate_internal_certs = True
c.JupyterHub.internal_certs_location = "<local storage>"
c.KubeSpawner.secret_name_template = 'jupyterhub-internal-certs'
c.KubeSpawner.ssl_alt_names_include_local = True
c.JupyterHub.ssl_key = '/etc/jupyterhub/ssl/tls.key'
c.JupyterHub.ssl_cert = '/etc/jupyterhub/ssl/tls.crt'
```

Now, in order to keep certificates around in the case of hub restarts, I’d like to switch `recreate_internal_certs=False`. This however gives me the following error:

```text
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/jupyterhub/app.py", line 2971, in launch_instance_async
    await self.initialize(argv)
  File "/usr/local/lib/python3.8/site-packages/jupyterhub/app.py", line 2504, in initialize
    self.init_internal_ssl()
  File "/usr/local/lib/python3.8/site-packages/jupyterhub/app.py", line 1620, in init_internal_ssl
    certipy.store.add_record(authority, is_ca=True, files=files)
  File "/usr/local/lib/python3.8/site-packages/certipy/certipy.py", line 348, in add_record
    raise CertExistsError(
certipy.certipy.CertExistsError: Certificate custom-ca already exists! Set overwrite=True to force add.
```

The problem to me seems to be that the call to `add_record` doesn’t have an `overwrite=True` set in the case of `internal_certs_location` being a permanent storage. Which means you cannot have any internal or external authorities set.
The code having been there 3 years, that doesn’t sound very plausible to me, so if anyone can help me with this, that’d be appreciated!