* 証明書の更新を自動的に処理 ✨
* Caddy
    * 証明書の更新を自動的に処理 ✨
* Nginx
    * 証明書更新のために Certbot のような外部コンポーネントを使用
* HAProxy
    * 証明書更新のために Certbot のような外部コンポーネントを使用
* Nginx のような Ingress Controller を持つ Kubernetes
    * 証明書の更新に cert-manager のような外部コンポーネントを使用
* クラウド・プロバイダーがサービスの一部として内部的に処理（下記を参照👇）

もう1つの選択肢は、HTTPSのセットアップを含んだより多くの作業を行う**クラウド・サービス**を利用することです。 このサービスには制限があったり、料金が高くなったりする可能性があります。しかしその場合、TLS Termination Proxyを自分でセットアップする必要はないです。

HSPLokhttp3/internal/tls/OkHostnameVerifier;->getSubjectAltNames(Ljava/security/cert/X509Certificate;I)Ljava/util/List;
HSPLokhttp3/internal/tls/OkHostnameVerifier;->isAscii(Ljava/lang/String;)Z
HSPLokhttp3/internal/tls/OkHostnameVerifier;->verify(Ljava/lang/String;Ljava/security/cert/X509Certificate;)Z
HSPLokhttp3/internal/tls/OkHostnameVerifier;->verify(Ljava/lang/String;Ljavax/net/ssl/SSLSession;)Z

import java.net.SocketTimeoutException
import java.net.URI
import java.net.URLConnection
import java.net.UnknownHostException
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import java.time.Duration
import java.util.Arrays
import java.util.EnumSet
import java.util.Locale
import java.util.concurrent.TimeUnit

// Setting up the test suite.
// Starting the Test server with temporary backend.
func (s *TestSuiteCommon) SetUpSuite(c *check) {
	if s.secure {
		cert, key, err := generateTLSCertKey("127.0.0.1")
		c.Assert(err, nil)

		s.testServer = StartTestTLSServer(c, s.serverType, cert, key)
	} else {
		s.testServer = StartTestServer(c, s.serverType)
	}

	s.client = s.testServer.Server.Client()

- kube-controller-manager currently needs a writable `--cert-dir` (default is `/var/run/kubernetes`) for generating self-signed certificates, when no `--tls-cert-file` or `--tls-private-key-file` are provided.

- The kube-controller-manager managed signers can now have distinct signing certificates and keys.  See the help about `--cluster-signing-[signer-name]-{cert,key}-file`.  `--cluster-signing-{cert,key}-file` is still the default. ([#90822](https://github.com/kubernetes/kubernetes/pull/90822), [@deads2k](https://github.com/deads2k)) [SIG API Machinery, Apps and Auth]

 
## Changes by Kind

### Deprecation

- 'kubeadm: marked the sub-phase of ''init kubelet-finilize'' called ''experimental-cert-rotation''
  as deprecated and print a warning if it is used directly; it will be removed in
  a future release. Add a replacement sub-phase ''enable-client-cert-rotation''.' ([#124419](https://github.com/kubernetes/kubernetes/pull/124419), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]

- kubeadm still generates RSA keys when deploying a node, but also accepts ECDSA
keys if they already exist in the directory specified in the `--cert-dir` option. ([#76390](https://github.com/kubernetes/kubernetes/pull/76390), [@rojkov](https://github.com/rojkov))

- The `kubelet` now reports distinguishes log messages about certificate rotation for its client cert and server cert separately to make debugging problems with one or the other easier. ([#101252](https://github.com/kubernetes/kubernetes/pull/101252), [@smarterclayton](https://github.com/smarterclayton))

    )
    response2.body.close()
  }

  @Test
  fun unmatchingPinnedCertificate() {
    enableTls()
    server.enqueue(MockResponse())

    // Pin publicobject.com's cert.
    client =
      client
        .newBuilder()
        .certificatePinner(
          CertificatePinner
            .Builder()
            .add(server.hostName, "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=")