The status.ovirt.org certificates expire in April; we have some time but it would be nice to replace DigiCert with Let's Encrypt. I see that the cert-manager operator can do that but I have no experience with such integration. It seems like the way to go though (or with another implementation).
I would like to point out that we would need support for HTTP01. DNS01 would be nice but unless we convert the ovirt.org domain fully into a dynamic zone, which I do not recommend, there is an option to use CNAMEs to a dynamic sub-zone; it works fine but it is not yet merged upstream (see https://github.com/certbot/certbot/pull/7244).
status.ovirt.org is running inside OpenShift and we’ve got openshift-acme working there to issue Let’s Encrypt certs to routes that need them.
The metadata required to activate the controller on a certain route is listed here:
I’ve performed the steps so now the certificate is provided by Let’s Encrypt and managed by the controller.