Hi, everyone. Welcome to another CNCF webinar. Today, we're going to be talking about how we can secure web services using Let's Encrypt, cert-manager, and all that in Kubernetes. Before we get started, who am I? My name is Enya Ramirez. I'm the CEO of Quenby. But I'm also founder of the Hispanic Foundation for Cloud Native, which is a place where we share all the knowledge about Cloud Native and Kubernetes in the Spanish community. I'm also an advisory board member of the deaf network. I am also a technical advisor to some startups. And of course, I'm a certified administrator and I'm part of the team that also curated some exams for the Linux Foundation and the CNCF. Something that I do enjoy a lot is traveling the world with my favorite person in the world, which is my wife. But that's enough about me.

So let's get started with today's agenda. So what are we going to be doing today? Before we get into the demo, which I'm pretty sure that everyone is looking forward to, we might need to work through a couple of the concepts that we need to understand first. One of the first things that we're going to be looking into is what's HTTPS and HTTP, what is SSL, TLS? Especially, let's try to cover that topic for the rest of us, people that might not be super experts on encryption and that kind of stuff. We're also going to talk about Let's Encrypt, which is one of the main topics of this webinar. And then we're going to see what cert-manager is, and we're just going to put all that together into a nice demo, hoping that the demo gods will allow us to have this go smoothly and nicely. So let's get started.

First, HTTP and HTTPS. The best way that I found, to be honest, to explain the difference between HTTP and HTTPS is basically using this nice image, which is: when we're doing all our browsing, when you open the browser, whichever browser you use, and you navigate to a site, you have two ways to do it.
The first one is HTTP, and then you will see that all your information, all your traffic is going to be completely in plain text. So what that means is if you put in your username, your password, in some sort of website, that's just going to go from your computer to the server in plain text. Everyone will be able to see it. And the difference is when you're using HTTPS, which is definitely the way to do it, but it's the secure version of HTTP, then all that information that you send from your browser to your server back and forth is encrypted, meaning that instead of seeing your username and password, they will just see a random set of characters that they cannot decrypt or understand. So that's the best way that I found to explain HTTP and HTTPS.

But then you might say, well, Angel, you say HTTP, HTTPS, and then you're bringing up SSL and TLS, what does that even mean? So the SSL, as you can see in the bottom right of the image, is now in both the certificate. But to get more in depth on what that means: SSL is still a widely used word for describing the security around the HTTP and HTTPS traffic. However, currently, TLS is the one that is being used. Just to try to summarize it in a way that it doesn't get too complicated, TLS is just the newest version of SSL that is a lot more secure and, of course, has more features. But the way that I see it, it is just an evolution of SSL. But everywhere, you can still say SSL and TLS interchangeably; it's not wrong, it's just fine.

Here's some history of how they were created. SSL was created by Netscape initially. That was the one that was used at the time. And then TLS came after that, from the Internet Engineering Task Force. And that's the one that we currently use, which does have a lot more features. The curiosity is that the SSL 3.1 basically is what then became TLS 1.0 at that time. So that's where the transition started.
But the interesting part about how SSL and TLS work is that now both devices, in this case, the client and the browser, have that certificate that they use to interchange information. And that's what they use to then, using a set of key pairs like private and public keys, encrypt all the information and messages that come during that connection.

So a little more about it: what's involved in this SSL and TLS process is basically three main things that need to happen. One is that you have to have encryption, of course. That's what we're all looking for, making sure that everything is secure. You also have to have authentication, and that all has to be with integrity. So why does that matter? Well, in the process, which we're going to be seeing in a little bit, we have to make sure that there's a version that we agree upon between the client and the server. And the reason why is because right now TLS has three versions. We are hopefully on 1.3, but still those are three versions. So the first thing that happens is they just establish that connection saying, OK, well, let's talk in TLS 1.0, 1.1, 1.3, whichever is the one chosen for that communication. And then the encryption happens, which establishes the whole cipher suite. Which one are we going to be using? Let's use x, y, and z. OK, cool. And that way, we're going to establish that connection.

Now we know that the encryption is set. What happens next is now they need to authenticate. They need to make sure that the identity of the server is the one that it's supposed to be. Because one thing is establishing an encrypted connection, but if the server is not the one that it's meant to be for the browser, for the client, to talk to, then really you have encrypted messaging with the wrong server. At the end, they will still be able to decrypt that information. So that's where the authentication happens, using that certificate.
And last but not least is the generation of the session keys. That's what I relate to the integrity. That's the way that now you can make sure that everything subsequent to that will happen in a secure way. And you're actually talking to the right server. So that's why integrity is important there.

So now, what is the TLS handshake? So basically, the TLS handshake is what I just described a few seconds ago. But here you can see a nice graphic of how that happens. So the interesting part to clarify here is the different versions, which is why it's important to make sure that the version of TLS established is the one that you want. For example, in TLS 1.0, you can see there are more steps versus 1.3. In 1.3, basically what they did is they just encapsulated more information and exchanged it in just one round trip. So you don't have to basically go and do seven steps. So you might say, well, how is that important? Well, you basically reduce the number of round trips. So you have fewer milliseconds that you need to use in that process. I mean, maybe in some systems the milliseconds might not be relevant, but in other platforms and distributed systems, the milliseconds actually count. So that actually is one of the reasons.

So that being said, TLS is always going to add latency to your system. Now it's more about deciding how much you can afford and which one you can afford. So it makes sense to always be on the latest TLS, not only because you have more security and more features, but also because they're working very hard to reduce that amount of latency that TLS in this case adds. But now that doesn't mean that it stops there, because there are other technologies that are being implemented to reduce that latency. One of them is False Start, which allows the server and the client to talk to each other before the whole process completes. I mean, of course, one can argue, like, do I want to do that?
Do I want to have my server talking to my client and vice versa without having the whole handshake process established? Well, it's case by case. There's no way we can say that it's one size fits all. But it's good to mention the technology that does that. The same happens with session resumption, which is: if a server and a client already had a previous communication and established that encryption, well, you can speed that up because you already have that trust established. That also helps reduce the milliseconds that a handshake takes to happen.

So once again, this is kind of like a 101 for SSL and TLS. I'm pretty sure that there are experts out there that say, well, you're missing a lot of points. Well, yes, definitely. But that's probably going to be a topic for a different conversation. But for right now, just to summarize HTTP and HTTPS, basically the difference is one is secure, the other one is not secure. Strongly advised to use the secure one all the time. And then that security is basically being provided by the protocol, SSL or TLS. They are completely interchangeable in terms of concept. But we shouldn't assume that they are entirely the same. It's just an evolution. TLS is the evolution of SSL, meaning that we should be speaking TLS; hopefully everyone should be using TLS by now. And the other thing is that TLS involves a handshake. The handshake is the process by which they make sure that there is encryption, there's authentication, and everything in the process. So those are the three main areas that TLS covers. So like I said, that's kind of the summarized version for the rest of us. And actually, that's more than enough to then go to the next topic, which is Let's Encrypt. So what is Let's Encrypt?
Well, if you recall what I was saying, that TLS involves a certificate and the certificate has to make sure that the server that you're talking to is the one that you're supposed to be talking to, well, that's coming from something called the Certificate Authority, which is an entity trusted by the browsers and the clients, so that we know, yes, whoever has a certificate coming from this authority is someone that we can trust, someone that definitely knows what they're doing, and everything is good.

Before we get into the features, what usually happens when you're using any other provider, DigiCert or whichever you're using, it doesn't really matter, is that the process is a little more manual. In a sense, you need to create the key pairs, you submit them, and then they give you back an authority, and then you get all that information. And then you're done, and then you can just set it up in your NGINX, your Apache, your web server, whichever you're using. And that's how the process used to be. And every time you need to do a renewal, you just do the process again.

So what's Let's Encrypt doing here? Well, definitely, it is doing a lot. And that's what I'm going to do now, kind of walk you through the main features of Let's Encrypt. One is, it's free to everyone who owns the domain. I have to make sure that we understand that, because it's not that because you're using Let's Encrypt, you can just use someone else's domain. So you need to own the domain, because in the process, which we're going to describe later, you need to prove that. The second is, it's automatic. Definitely, I agree, it's super painless. The process is very smooth. All you have to make sure is that you configure your agents, because there's an agent involved there. And with that set, you can do that process very automatically. And there are even a lot of CLIs that you can use, projects like Certbot, for example, which is one of the most known projects that you can use.
And it makes your life a lot easier creating, issuing, configuring, and renewing the certificates. It's very secure, as we were talking about with TLS, which is why it was important for me to explain a little bit more what TLS means, because they use the best and latest practices of TLS. They use very advanced techniques there. And they make sure that what they're doing is actually always compliant with the most advanced techniques.

It's transparent. When I was learning about Let's Encrypt, this is something that actually was a surprise for me, because everything in the issuance and revocation process, both are kept in a public record. So everyone can see what's happening. So not to get into the blockchain world, but basically the transparency, with everyone being accounted for, the accountability of everyone, it does make it a lot more transparent. So it's something that is surprising and I liked it. The other one is that it's open. Basically, the protocol is considered an open standard, and we're going to talk about the ACME protocol later. But it's very open, the system, and it's cooperative, meaning that it's a joint effort of the community, which is definitely something that I'm pretty sure everyone watching here loves.

So a little more about Let's Encrypt, so how it works. There are two processes involved in the initial validation. As I was mentioning, the ACME protocol is the one that helps to obtain the trusted certificate for the browsers. And that's done through a management agent. I mentioned one a couple of seconds ago. Certbot is one of them. But there are a lot of them out there. If you go to the website, you will see that there are basically a lot of agents built in different languages, and libraries if you want to build your own. So it's definitely something that is not tied to one thing, but the process is the same for all the solutions out there.
The first thing that you need to do is prove the ownership, which is what I was referring to in the previous slide. So if you look at the top image, basically the web server, in this case yours, has to let Let's Encrypt know and ask: listen, hey, I want to claim the ownership, or I want to basically confirm that I'm the owner of this domain. Let's Encrypt will get back to the agent and say, OK, well, let's do it, prove it. And here are the ways that you can prove to me that you own the domain. So there are two ways. One could be a DNS record. The other, an HTTP resource under a well-known URI. So I mean, this is very similar to the process if you go with any other certificate authority; you just need to provide those two, right?

So let's say that Let's Encrypt goes back to, in this case, the agent and says, OK, prove it to me in one of these two ways, and then, now, let's do it. So the agent says, OK, I'm going to prove it to you. Let me, for example, use a well-known URI, which is very simple to do, by the way. So once we do that and we sign it, we send it back to Let's Encrypt. Let's Encrypt will receive that and will validate it, of course using that nonce that it gave me before, because if you look at the top image, there's a nonce that it sends back to us, and that's the one that we use to do the second part of the process. We do that, we sign it, we send it to it, it gets verified, and then we just put it out there for Let's Encrypt to then be able to download it. So once Let's Encrypt is able to download it, then everything looks good. And it says, OK, well, you proved to me that you're the owner of the domain. So go ahead and you can start issuing certificates, which is the next part of the process.

So to issue certificates is even more simple. So once you do that, you do the PKCS certificate signing request, same process.
We all have to understand that in every process, we have to tell Let's Encrypt what we want to do, but everything has to be signed and everything has to be validated by Let's Encrypt using those key pairs. So in this process, we sign that petition for the certificate, we want the certificate for example.com, send it to Let's Encrypt, and Let's Encrypt will say, OK, I believe you, I compared it and everything looks good, so let me give you back the certificate after the verification has happened.

And for revoking the certificate, it's actually the same process just the other way. In this case, all we're saying is, I want to revoke the certificate that you gave me. I have to sign it, send it to Let's Encrypt, Let's Encrypt validates that and says, OK, this looks good, you revoked the certificate, and let me then notify the CRL and OCSP, whichever in that case. That way, all the browsers can rely on that. And the process is very simple.

Now, do we have to do this manually? Well, no, I mean, Let's Encrypt says it's automatic. So always remember that there's an agent for that, so that agent will take care of it; we just need to set the configurations that we need and it will do it. But this is actually the process that's going on behind the scenes.

So with this being said, let's take a mental pause and say, OK, well, am I ready to now use this anywhere? Yes, I mean, like I said, you can just go to the Let's Encrypt website and download one of the agents, whichever you like the most. And if you're using, let's say, a web server somewhere, a virtual server, and you have Apache or NGINX, whichever you feel more comfortable with, you install Certbot, you configure that with your web server and it will take care of the rest. Now, what happens if we want to do it in Kubernetes? Well, same thing.
So we just download whatever NGINX or web server version we want, we configure that and we deploy our application. Now, do we want to do it that way? Not really. There's already something that can do it for us. There's another project that I'm going to introduce now in this webinar, which is cert-manager. cert-manager was developed by Jetstack. Basically they've been doing a great job on this project, because what this project does is it just makes it a lot easier for us to configure and use all these certificates, because we're only interacting with what we know best, which is Kubernetes objects. So that makes the process a lot easier, but of course it goes further than that, because it's not only for Let's Encrypt; they actually do support a lot more sources. Let's Encrypt just happens to be one more. So just to give an idea of what they support, they support HashiCorp Vault, Venafi, and they also have the private PKI, so you can create your own PKI if you want to.

But even more than that, in the recent versions, and I say recent, not like a few months ago, but I mean recent because I've been using cert-manager for quite some time, they came up with these community sources, where I can develop my own sources if I want to, or I can use one from the list that the community already created, which is very, very nice and engaging, because let's say Let's Encrypt is doing the job for us and we want to use our private one because we are an enterprise and we want to have our own private certificates. Well, we can do that. Or if there's one that we want to use, for example, you want to use Cloudflare. Okay, well, they do have a community one for Cloudflare. So definitely this project has been growing so much, I do enjoy it, I use it a lot. So it's definitely worth stopping by and reading more, not just what I'm showing here. So, well, this is kind of how it works. I wanted to show you a couple more things about that before we get into the demo.
One of them is the issuer. We're going to be using these objects for sure, and the issuer is just basically a representation of a certificate authority in Kubernetes object terms. They do support multiple types. Just to give you a couple of them, they do support CA, which is kind of the example that you see in the image, ACME, which is the one that we're going to be using for Let's Encrypt, and then they have self-signed, Vault, Venafi, and stalls. So this is kind of how it looks. You just declare what you want in your specs, then you define how you want it to behave, which we're going to be seeing in a second.

The second object that I'm going to show you is the certificate. The certificate, interestingly enough, we are not going to create, but we're going to look into it and see how it looks and what it does. But the certificate is the way that, after you get your authority created and you're all good and you're verified and you own that domain, you can then create a certificate. That certificate would work with that specific CA, and that's how you're going to communicate back and forth and then keep your certificate in sync. So this is how it looks.

I do have here a couple of links that I definitely recommend that you guys look into a little more in depth. The certificate lifecycle, for example, which is the image that you see on the right; it's impossible to see everything, but the reason why I'm putting it in there is because they do have a really detailed diagram of how the whole lifecycle of the certificate works. It's a lot, but I definitely recommend you guys give a separate reading to this lifecycle because it goes very in depth into how that process works, and then you will understand even more how they encapsulate all these complex processes that we usually go through, issuing certificates and getting certificates and revoking certificates, into a very simple object, and I definitely have to give kudos to them on that.
All right, so this is all I have before the demo. So what we're going to be doing then is basically now putting all this stuff together. So what we learned so far is about HTTP, HTTPS, SSL, TLS, Let's Encrypt and cert-manager. A couple of things here, if you're following along: I'm going to be using a Kubernetes cluster in DigitalOcean. You can use whichever you want. It does not really matter what type of cloud provider you use. I just happen to be using that one because it's just simple to deploy real quick. We're going to need a domain name. I think that's part of the whole point of this webinar, it's tied to a domain. So definitely we need one. I have one in Namecheap, which I'm going to show you guys later, the one that I'm going to be using. And we're going to install the Ingress controller. In this case, it's NGINX. We're going to install cert-manager and then we're going to use a web service to test all this. And the web service that I'm going to be using is the Google microservices demo. It's like a boutique store and we're just going to use that one as a reference.

All right, so let's not delay this more and let's jump right into it. Give me just one second so I can share my other screen and we should be good to go. All right, so I just want to confirm that we can see everything. All right, so just checking the font. It looks good, I guess, okay. All right, so let's get this started. So what are we going to be doing? First, let me show you that we have a cluster. So that's it, we have a DigitalOcean cluster. And if we look, we have some pods running on default. Yes, we have one, which is the NGINX controller. And I had to cheat a little bit because the NGINX controller usually takes some time to get the load balancer IP. So to avoid that, I just got at least the service, the load balancer and the NGINX controller in place. So I don't have to waste time on that one. But so that's what we have.
So you can see here that we have the service. We got this NGINX IP and let's see what it is and also what we have there, that's it. Okay, so that's all we got. All right, so now the first step that we're going to be doing, and I'm going to use my guide here, is we're going to install the actual web service. That's the first thing that we're going to be doing. I have it right here; I already downloaded the repo, the microservices one. So all we have to do is just apply, and then we're going to go to the release and we're going to deploy the manifest. They do have ways to install this in multiple places, using Istio in different ways, but we're just going to use the plain one. We just want the services to be deployed. So let's deploy that.

While that's being deployed, I'm going to switch to my browser and I'm going to show you; this is the store demo. So we don't have anything right now. So it's basically NGINX responding. That's all we have. And because we don't have any ingress or anything set up, we have the 404 in the front. So everything is as expected. That's exactly what we want. So everything was created. Let's just check the pods and see if we got everything that we need in place. So yeah, some of them are still not running, but we don't mind because the one that we care about is the front end. That's the one that we need, the one that we're going to use. And in order to use it, we're going to create an ingress.

So if you look at the ingress that we have right here, let me just make this bigger. It's a pretty straightforward ingress. Nothing really different here from what we already know, except for what we're just declaring here; well, not much different here. So let's just deploy this, and we're going to do the apply and then 01 ingress demo. So the expectation is that once this is done, we should be able to go here and see this store. Perfect, so that's what we have. That's the store right there. Of course, it's not secure.
We don't have any type of security in place. Even if I want to force that to happen, it's going to tell me, like, no, you cannot, but of course, Kubernetes by default is trying to put a self-signed certificate there, which is fake. I mean, of course, we are not going to do that. Just going to say no, thank you. We'll go back to the store in HTTP. So this is like us now doing the HTTP version that I was showing on the first slide. We are navigating in a not secure place. So if we add to cart and we start doing a checkout or whatever we want to do, I basically won't recommend that because then you're going to be basically navigating insecurely.

Okay, so what's the next step? Well, this service is broken because one of the pods is not running, but that doesn't matter right now for us. Right, so the next step, well, let's create the first issuer. So what is an issuer right here? An issuer, as we were looking into on the slide, is where we just describe what type of issuer we want. So it's good to mention that Let's Encrypt has two types of issuers, sorry, two versions of issuer, staging and production. So with the staging one, you will get basically everything like you're getting in production minus the validation, meaning that you create a staging certificate but it's not going to be trusted by the browser. Everything else it will give you, and the reason why they do that is for you to test. If you're working on your own environment and developing something like that and you want to ensure that the whole process works, well, use this one, staging, because production has some rate limits and stuff like that that you want to make sure that you don't cross, and that's what staging is for. So what we declare here is just the server, which is the API endpoint, the email, the name of the secret that we want to use for storing that specific information, and then the solver.
Here, I'm just saying, hey, for anything that is HTTP-01, use the ingress class nginx, and they just use that to relate the issuer with the Ingress, and that's why I was saying that we might not create a certificate. I'm going to show you a certificate, but we're not going to use the Certificate object because they make it even easier for us to just relate them using the solvers. So let's do that, let's apply that one, file 02, and then we do that. So we're creating the staging one. So let me show you how that works, how that looks. You go to kubectl and then we say describe and we say issuer and then of course we give a, if I put the name, second my, here you go.

Oh, all right, so first blooper, I knew it. We missed something, guys. We didn't install cert-manager. So how about we do that first? Okay, so let's go to the readme and we're just going to copy this. I do have Helm already installed, so I don't need to do the add of the repo and the update of the repo. You might have to do it, but in my case I don't have to. I'm just going to install it using Helm. While it's doing that, a couple of things here which I have to make sure that I have. Make sure that you have the install CRDs option when using Helm; by default it's not enabled. So when you install with Helm, everything installs and then, I mean, it starts breaking, and that is because it doesn't have the CRDs available. And I didn't notice that when I was doing it, so just keep in mind that when you're installing using the manifests, usually they do have two manifests. One for the CRDs, one for the installation. So just keep that in mind. I disabled Prometheus because I don't have Prometheus installed, so I didn't want that to cause any potential issues. It doesn't, but just in case, and I just set the webhook timeout seconds, which right now is not relevant. So everything is installed right now.
So if we go to kubectl get ns, we have cert-manager. If we want to make sure that everything in cert-manager is working, we just see what is there: all the pods running, so we should be good to go. So just out of curiosity, if you go to the pod logs and you inspect cert-manager, you will see that it's basically just going to start looking for certificates and see if it can do something about it. So let's just now apply the certificate that we had before. Okay, now it is created and we're about to see if we can get the issuer. Okay, there's an issuer right there. So let's describe it, issuer, and let's just copy the name and let's see what we see. Okay, cool. So it's a huge output right now because I'm going to screen, but it's not that much to be honest. It's basically just creating; everything looks good. That's the spec. What's important here is the status, right? So you can see it just created this claim, unique URI, sorry, this challenge, that's the challenge using the ACME protocol, and then everything basically went well because it just created my account and created my input and status type ready. So that tells me that this specific issuer is all good. We're good to go. Just keep in mind, which I forgot to mention, that you have to use your email, so make sure that it's okay because that's what they use to create the accounts, so that could create some unexpected troubleshooting.

But now, since we already have Let's Encrypt working in staging, can we start using it? Yes, let's use it now. So to use it, we're going to be looking into, let me just close these ones, and we're going to see version three. So in version three of the ingress, all we're going to do now is adding one annotation here, just this one right here, 97. And we need to declare that we want this to also respond over TLS. And when it responds over TLS, then I'm going to allow it to respond using the same host that I declared right here.
And also I want it to use the secret that is going to be created here. So before we do that, let's check if we have any secret. Let's get secret, all right? So we have some secrets, but not the one that we need. There are other secrets here that we really don't need, but the one that we want is store demo. Store demo is not there. So okay, let's move on then. And just to show you guys the certificate, there are no certificates, right? So we don't have any certificate. So how are we going to create the certificate now? It's going to be automatic. Let's do it now. kubectl apply -f, and then we're going to do version three. Let's see what's going on now. Perfect. So now we have an ingress. So if we're going to create and get ingress, I miss it, I miss it, I miss it right here. We got an ingress right there. Call demo, right? So with this, with this ingress call demo now, we can go ahead and check that the website now responds using TLS. Let's just, boom. So now the certificate that we're getting is a second. Using the film, let me just refresh and see what certificate I'm getting. All right, there you go. All right, so it was just some type of cache in there.

So okay, so yes, I'm still getting the connection not being recognized by the browser, like the browser does not recognize who this certificate authority is, neither my authority. But if you can see here, the staging one is now the one responding. So it's telling me that, yes, Let's Encrypt is giving me the certificate that I need. It just happens to be that that's not the one that you can see here, that they can see I trust it. And that's okay. I mean, we don't need to trust that one because it's just for testing, but it's working. So basically I'm getting a certificate. I'm getting my keys, my private key and my public key, to do all these issuances and renewals and revocations. So let's see how that looks then. If we know that we got the issuance, let's see if we can get a certificate.
So, voila, we get a certificate right there. So let's now describe what that certificate looks like. And it's called store demo. All right, awesome. So this is our certificate right now. And then what happened is that it created the whole certificate for me. I didn't have to do it, which is good. I basically saved one step. Now, what it's doing is, if you recall the slide where we were saying we need to assign what is going to be the DNS name and that kind of stuff. So it's right here. So it just already created the whole object for me, creating reference to the issuer and doing the whole process.

And if you notice, it did the process of creating a certificate. So notice that that's why it's not instant. It's not like, oh, I created a certificate and right away I got my security website. No, it does the process. You say, okay, let me issue the certificate because it doesn't exist. Second, let me create a store that new private key, get the temporary secret in place, then create the new certificate request, which is another object that definitely I recommend for the rate reading on the website. But I'm getting that done. All that for me. And at the end, I get the certificate being successfully issued. I got my new certificate, which that translate into a secret into this store demo allowed according to this.

So if I get that and say, well, let's inspect what we are getting here. Let's try the secret store, look at this. So now this secret that right here is basically storing some metadata that that's the one I definitely use to keep in sync with the certificate request. But I get my two certificates. This is it. So now I basically in this, that's the way that the ingress is relating now to the certificate and the key. Because if we recall on the ingress, he says that he's expecting this secret name, but I never created that secret. But it's in there because the whole chain process done by cert-manager is doing most of the work for me.
I mean, that doesn't mean that I cannot do it manually. I can't just wait for you to do it manually. You can do your own specifications or that they're not stopping you doing that. But this is more than enough. That's not what I need. Okay, so now we got the same working. We're good. It's time to go to production. Let's move on and get into production.

All right. So for that, all we have to do is just create a different issuer. We need to now create the issuer for production. If you notice the difference, it's just that the other one says staging, this one does not have a staging. So that's the only thing. So let's apply that real quick because I mean, we already talked about that. So, and let's do this here for, right. Perfect. So we got the Let's Encrypt prod created, this inspector real quick. So we know what we're talking and we're dealing here. And in the issuer, and let's just get the same as before. He's just doing the whole process and making sure that, you know, this is an ACME right here that if we just click here, you just open a different browser. Give me one second. It's supposed to be here. That's my ACME right there. So of course the method is not allowed because it's not doing, it's not supposed to be doing it like that. But that's the API responding. Okay. All right, so then we got here, the, it says it's being created account. It's been registered. This is good. It's ready. Let's do it.

All right. So with that, the next step was to update the ingress, the ingress for my website. So let me show you how that looks like. Same thing. So the ingress, it doesn't change much except for this. The only thing that we're changing is, okay, I want you to now use the Let's Encrypt production version, not the staging, but everything else is still the same. I'm not changing anything. I want the ingress to be the same. I want the same secret name. No problem. All right.
I mean, you could change the secret name if you want to, but I mean, in this case it doesn't really matter. So let's now apply the file. And let's just give it a second. Now, while we're doing that, I want to show you something real quick. cert-manager, and see if we can see its logs. And let me show you how the cert-manager actually works. So there's a lot there. I'm sorry. It's hard to see and I know, but if you notice, he is doing the challenges. It's HTTP-01. So it's saying, hey, found one existing HTTP-01 solver for the store demo, is related to the kind of service. And it's just getting all this information and relationship and then it's gonna be doing the self-check and that kind of stuff. So if we put it with the -f, you might be able to see it in live. So, and that's what it's doing. So I want to show you the actual challenge. Please apply your change in the long and say, the challenge in work, not only insist. So it's doing all that process of doing the challenge, which is great. So that's perfect.

So in the meantime, let's check the website real quick and see if we got already the good version. There you go. So, I mean, it was pretty fast that we couldn't catch the whole process, but if you can see here, everything starts here on the certificate request when he's starting getting and say, hey, I want a new certificate. And it's for this specific version of the API. It's creating all these challenges and doing the process right here. And then, you know, it was fulfilled. So it was done. But what's the result of this? Well, we now have a secure connection. If we're gonna look at the value certificate, it says that I'm using the ISRG Root X1. And then I can see here that my store demo is trusted by my browser. And voila, happy everyone. Now, our traffic between my browser and the server is entirely encrypted using the latest and greatest and the most advanced techniques that Let's Encrypt offers. And I basically had to do barely anything.
Everything was mostly done by the cert-manager and in this case, that talks to the Let's Encrypt. And I think that this is it. This is where I wanted to show you how to secure your website using the Let's Encrypt and cert-manager. So, happy to answer any questions. You can reach out to me on any social media as I was saying on the slide. Let me just go back to those slides. Share that. So, that's it. That's all I wanted to show you guys. And I guess I'm more than happy to answer any questions that you may have as any given point. Just reach out to me on any social media. You can, let me just put this back online one more time just in case. You can find me as adarformirrors. And well, thank you so much for the time. And enjoy.
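
The manifests are not visible in the transcript, so the following is an added sketch of the three objects the demo walks through (staging issuer, production issuer, and the ingress that requests the certificate). It is not the speaker's own files: the issuer names, account-key secret names, e-mail, host, ingress class and backend service are all placeholder assumptions, and `store-demo` is an assumed spelling of the secret the speaker calls "store demo".

```yaml
# Added example; every name, the e-mail and the host below are placeholders.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging directory: certificates chain to a test CA that browsers do not trust.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder; used to register the ACME account
    privateKeySecretRef:
      name: letsencrypt-staging-account   # ACME account key, not the site's TLS key
    solvers:
      - http01: {ingress: {class: nginx}} # assumption: NGINX ingress controller
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production directory: same spec, only the URL drops "staging".
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account      # keep separate from the staging account key
    solvers:
      - http01: {ingress: {class: nginx}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: store-demo
  annotations:
    # Switching staging -> production means changing only this value.
    cert-manager.io/issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts: [store.example.com]          # placeholder host; must match the rule below
      secretName: store-demo              # cert-manager creates and renews this Secret
  rules:
    - host: store.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: store-demo, port: {number: 80}}
```

An `Issuer` is namespaced, so it has to live in the same namespace as the ingress that references it.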