Public | Automated Build

Last pushed: a year ago
Short Description
ASoS Gaming Community Let's Encrypt Docker Image
Full Description

Let's Encrypt Certificate Manager for Rancher




A Rancher service that obtains free SSL/TLS certificates from the Let's Encrypt CA, adds them to Rancher's certificate store and manages renewal and propagation of updated certificates to load balancers.

Requirements

  • Rancher Server >= v1.2.0
  • If using a DNS-based challenge, existing account with one of the supported DNS providers:

    • Aurora DNS
    • AWS Route 53
    • Azure DNS
    • CloudFlare
    • DigitalOcean
    • DNSimple
    • Dyn
    • Gandi
    • NS1
    • Ovh
    • Vultr
  • If using the HTTP challenge, a proxy that routes example.com/.well-known/acme-challenge to rancher-letsencrypt.

How to use

This application is distributed via the ASoS Gaming Community Catalog.

Enable the Community Catalog under Admin => Settings in the Rancher UI.
Then locate the Let's Encrypt template in the Catalog section of the UI and follow the instructions.

Storing certificate in shared storage volume

By default the created SSL certificate is stored in Rancher for usage in load balancers.

If you specify an existing volume storage driver (e.g. rancher-nfs) then the account data, certificate and private key will be stored in a stack scoped volume named lets-encrypt, allowing you to access them from other services in the same stack. See the Storage Service documentation.

Example

When mounting the lets-encrypt storage volume to /etc/letsencrypt in another container, then production certificates and keys are located at:

  • /etc/letsencrypt/production/certs/<certificate name>/fullchain.pem
  • /etc/letsencrypt/production/certs/<certificate name>/privkey.pem

where <certificate name> is the name of the certificate sanitized to consist of only the following characters: [a-zA-Z0-9-_.].

Provider specific usage

AWS Route 53

The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
Replace <HOSTED_ZONE_ID> with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.

{
    "Version": "2017-04-11",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
            ]
        }
    ]
}

OVH

First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:

  • Account ID: Your OVH account ID
  • Password: Your password
  • Script name: letsencrypt
  • Script description: Letsencrypt for Rancher
  • Validity: Unlimited
  • Rights:
    • GET /domain/zone/*
    • POST /domain/zone/*
    • DELETE /domain/zone/*

Then deploy this service using the generated key, application secret and consumer key.

HTTP

If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
Simply choose HTTP from the list of providers.
Then make sure that HTTP requests to domain.com/.well-known/acme-challenge are forwarded to the rancher-letsencrypt service, e.g. by configuring a Rancher load balancer accordingly.

Building the image

make build && make image

Contributions

PR's welcome!

Docker Pull Command
Owner
asos
Source Repository