@brianredbeard
Created October 29, 2019 01:13
Generate Let's Encrypt (ACME) Certs for OpenShift 4
#!/bin/sh
# Issue a Let's Encrypt certificate for an OpenShift 4 cluster with lego
# (ACME DNS-01 challenge via Route53) and load it into the default ingress
# controller.
EMAIL="${1}"
if [ "${#}" -ne 1 ]; then
  echo "USAGE: os4-acme-certs.sh email@example.com"
  echo "QUITTING"
  exit 1
fi

# lego's route53 provider reads its credentials from AWS_* environment variables.
OUT="$(env | grep -c '^AWS')"
if [ "${OUT}" -lt 1 ]; then
  echo "Please set the correct AWS environment variables to proceed"
  echo "QUITTING"
  exit 1
fi

if ! command -v lego >/dev/null 2>&1; then
  echo "You must download lego from https://github.com/go-acme/lego/releases to proceed"
  echo "QUITTING"
  exit 1
fi

if ! oc whoami >/dev/null 2>&1; then
  echo 'Cannot access Kubernetes API server. Do you have "oc" installed and access to'
  echo "a working KUBECONFIG?"
  echo "QUITTING"
  exit 1
fi

# Turn "https://api.<cluster-domain>:6443" into the bare API hostname.
API_SERVER="$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')"
# The ingress domain, e.g. apps.<cluster-domain>.
WILDCARD="$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')"

if [ -f ".lego/certificates/${API_SERVER}.crt" ] && [ -f ".lego/certificates/${API_SERVER}.key" ]; then
  echo "Found previously issued lego certs, attempting to apply them"
else
  echo "No issued lego certs found. Requesting them now"
  # One certificate covering the API hostname, the apps domain itself and the
  # wildcard below it (a wildcard SAN does not cover its own base name).
  lego --dns route53 -a -m "${EMAIL}" -d "${API_SERVER}" -d "${WILDCARD}" -d "*.${WILDCARD}" run || exit 1
fi

oc project openshift-ingress
#oc delete secret router-certs-default
oc create secret tls letsencrypt-certs \
  --cert=".lego/certificates/${API_SERVER}.crt" \
  --key=".lego/certificates/${API_SERVER}.key"
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \
  --patch='{"spec": { "defaultCertificate": { "name": "letsencrypt-certs" }}}'
#oc delete pods -l ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
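A pre-apply check, added here as an example and not part of the gist: before the issued certificate is loaded into the ingress secret, confirm its SAN list actually covers the API hostname, the apps domain and names under the wildcard. This is why the script requests both `-d ${WILDCARD}` and `-d *.${WILDCARD}`: a wildcard SAN matches exactly one label, so it covers neither its own base name nor deeper subdomains. The `cert_sans` helper assumes `openssl` is installed; the hostnames in the comments are constructed.

```sh
#!/bin/sh
# Wildcard matching follows RFC 6125: "*.apps.cluster.example.com" covers
# "console.apps.cluster.example.com" but not "apps.cluster.example.com"
# and not "a.b.apps.cluster.example.com".

# san_matches SAN HOST -> 0 if the single SAN entry covers HOST
san_matches() {
  san="$1"; host="$2"
  case "$san" in
    '*.'*)
      suffix="${san#\*.}"
      case "$host" in
        *".${suffix}") prefix="${host%.${suffix}}" ;;
        *) return 1 ;;
      esac
      # the part before ".suffix" must be exactly one non-empty label
      [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
      ;;
    *) [ "$san" = "$host" ] ;;
  esac
}

# covers "SAN SAN ..." HOST -> 0 if any SAN in the space-separated list covers HOST
covers() {
  sans="$1"; host="$2"
  for san in $sans; do
    if san_matches "$san" "$host"; then return 0; fi
  done
  return 1
}

# check_cert_names "SAN SAN ..." HOST... -> prints uncovered hosts, returns 1 if any
check_cert_names() {
  sans="$1"; shift
  rc=0
  for h in "$@"; do
    if ! covers "$sans" "$h"; then
      echo "NOT COVERED: $h"
      rc=1
    fi
  done
  return $rc
}

# cert_sans FILE -> space-separated DNS SANs of a PEM certificate (needs openssl)
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/DNS://g; s/,//g'
}

# Typical use after lego has run (constructed names):
# check_cert_names "$(cert_sans .lego/certificates/api.cluster.example.com.crt)" \
#   api.cluster.example.com apps.cluster.example.com console.apps.cluster.example.com
```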
soukron commented Apr 9, 2020

Nice script. Refer to https://github.com/redhat-cop/openshift-lab-origin/blob/master/OpenShift4/Lets_Encrypt_Certificates_for_OCP4.adoc for instructions about also replacing the API certificate so your cluster will be even better.
