If you’re leveraging a development appliance or platform (e.g. ServiceNow Developer Instances, OpenShift Online, etc.) you may not have access (or the time required) to distribute internal/self-signed CA certs and ensure outside systems trust your internet-facing services. This is especially true in lab situations. A concrete example:
- I’m evaluating Ansible Tower & its API needs to be accessed by a ServiceNow Developer instance provided & hosted by ServiceNow, presumably from AWS
- I’ve established appropriate port forwarding rules to allow external access to the VM hosting Tower (in my home lab)
- I’m already leveraging Cloudflare DNS to dynamically update an A Record (“DNS Only” as DDNS updates are incompatible with records set for “DNS and HTTP proxy (CDN)”)
- I’m already leveraging Universal SSL for my primary website
- Create a new CNAME record in Cloudflare’s “DNS” Management console
- Ensure the CNAME record is configured for “DNS and HTTP proxy (CDN)”
  - An alias will ensure DDNS record(s) continue to receive updates in the event of home IP changes, while the CNAME will enable Universal SSL
- From Cloudflare’s “Crypto” Management console, ensure “Universal SSL” is enabled for your domain
- From the same console, ensure “SSL” is set to Flexible or Full, but not Full (Strict) unless you’re leveraging Origin Certificates that have been distributed/installed to your managed services
- From Cloudflare’s “Firewall” Management console, click the “Web Application Firewall” button. Ensure “Web Application Firewall” is Off
  - This setting may be optional, but I encountered Error 1010 issues when left enabled and testing outbound REST API requests from ServiceNow to Ansible Tower
- Test your API/service endpoint access using the new CNAME
If everything is properly configured you should be able to curl any given endpoint with a valid Universal SSL certificate provided by Cloudflare.
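The same steps can be driven through Cloudflare’s v4 REST API instead of the dashboard, which is handy when a lab gets rebuilt often. The script below is an added example, not code from the post or from Cloudflare: it builds the ordered API calls for the CNAME, the SSL mode and the WAF switch, refuses Full (Strict) unless you say an Origin Certificate is installed, and then verifies the endpoint the way `curl` would (chain validated against the system CA store, hostname checked). The zone id, API token, hostnames and the `settings/ssl` / `settings/waf` endpoint paths are assumptions. It defaults to `full` rather than `flexible` because Flexible leaves the Cloudflare-to-origin hop in plaintext, which matters when the origin is a home-lab VM reached over port forwarding.

```python
"""Plan, apply and verify the Cloudflare Universal SSL setup from the post.
Added example; zone id, token, hostnames and endpoint paths are placeholders
or assumptions, not values taken from the original post."""
import json
import socket
import ssl
import urllib.request

API = "https://api.cloudflare.com/client/v4"   # assumption: Cloudflare v4 API base
VALID_MODES = ("flexible", "full", "strict")    # assumption: values accepted by settings/ssl


def plan_universal_ssl(zone_id, alias, ddns_target, ssl_mode="full",
                       origin_cert_installed=False, waf_off=True):
    """Return the ordered (method, path, body) requests matching the steps above.

    - CNAME alias -> DDNS A record, proxied=True ("DNS and HTTP proxy (CDN)")
    - SSL mode flexible/full; strict only with an Origin Certificate on the service
    - optionally switch the legacy Web Application Firewall off (Error 1010 case)
    """
    if ssl_mode not in VALID_MODES:
        raise ValueError(f"ssl_mode must be one of {VALID_MODES}, got {ssl_mode!r}")
    if ssl_mode == "strict" and not origin_cert_installed:
        raise ValueError("Full (Strict) requires an Origin Certificate installed on the origin")

    plan = [
        # ttl=1 means "automatic" in Cloudflare's DNS record API (assumption)
        ("POST", f"/zones/{zone_id}/dns_records",
         {"type": "CNAME", "name": alias, "content": ddns_target, "ttl": 1, "proxied": True}),
        ("PATCH", f"/zones/{zone_id}/settings/ssl", {"value": ssl_mode}),
    ]
    if waf_off:
        plan.append(("PATCH", f"/zones/{zone_id}/settings/waf", {"value": "off"}))
    return plan


def apply_plan(plan, api_token, send=None):
    """Send each planned request; `send` is injectable so the plan can be dry-run."""
    send = send or urllib.request.urlopen
    results = []
    for method, path, body in plan:
        req = urllib.request.Request(
            API + path, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {api_token}",
                     "Content-Type": "application/json"})
        with send(req) as resp:
            results.append(json.loads(resp.read()))
    return results


def verify_endpoint(hostname, port=443, timeout=5.0):
    """Equivalent of `curl https://hostname/`: fail unless the presented chain
    validates against the system CA store and the cert matches the hostname.
    Returns the issuer common name so you can confirm it is the Cloudflare cert."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname checking
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    issuer = dict(x[0] for x in cert["issuer"])
    return issuer.get("commonName", "")


if __name__ == "__main__":
    # Placeholder values; replace with your own zone, DDNS record and alias.
    steps = plan_universal_ssl("ZONE_ID_PLACEHOLDER", "tower.example.com",
                               "homelab-ddns.example.com")
    for method, path, body in steps:
        print(method, path, json.dumps(body))
    # apply_plan(steps, "API_TOKEN_PLACEHOLDER")
    # print(verify_endpoint("tower.example.com"))
```

`apply_plan` takes the sender as a parameter so you can dry-run it (or unit-test it) without touching the real API; `verify_endpoint` is the check to run after the CNAME propagates, and it raises `ssl.SSLCertVerificationError` rather than returning if the chain or hostname does not validate, which is the failure you want to see loudly in a lab.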
Now that your local service or API endpoints can be accessed securely with a valid SSL cert, why not try integrating a couple of products, like ServiceNow and Ansible Tower?