Public | Automated Build

Last pushed: 10 months ago
Short Description
Extended Timeout for Digitalocean
Full Description

Let's Encrypt Certificate Manager for Rancher




A Rancher service that obtains free SSL/TLS certificates from the Let's Encrypt CA, adds them to Rancher's certificate store and manages renewal and propagation of updated certificates to load balancers.

Requirements

  • Rancher Server >= v0.63.0
  • Existing account with one of the supported DNS providers:
    • AWS Route 53
    • CloudFlare
    • DigitalOcean
    • DNSimple
    • Dyn
    • Vultr
    • Ovh

How to use

This application is distributed via the Rancher Community Catalog.

Enable the Community Catalog under Admin => Settings in the Rancher UI.
Then locate the Let's Encrypt template in the Catalog section of the UI and follow the instructions.

Accessing certificates and private keys from other services

The created SSL certificate is stored in Rancher for usage in load balancers.
If you want to use it from other services (e.g. a Nginx container) you can opt to save the certificate and private key to a host path,
named volume or Convoy storage volume. You can then mount the volume or host path to other containers and access the files as follows:
<path_on_host or volume name>/<certificate name>/fullchain.pem
<path_on_host or volume name>/<certificate name>/privkey.pem
where <certificate name> is the name you specified in the UI forced to this set of characters: [a-zA-Z0-9-_.].

Provider specific usage

AWS Route 53

The following IAM policy describes the minimum permissions required to run rancher-letsencrypt using AWS Route 53 for domain authorization.
Replace <HOSTED_ZONE_ID> with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
            ]
        }
    ]
}

OVH

You need to create your credential on the following URL: https://eu.api.ovh.com/createToken/
Then submit the form as following:

  • Account ID: Your OVH account ID
  • Password: Your password
  • Script name: letsencrypt
  • Script description: Letsencrypt for Rancher
  • Validity: Unlimited
  • Rights:
    • GET /domain/zone/*
    • POST /domain/zone/*
    • DELETE /domain/zone/*

Then get your key and store them.

To finish, when you start this container add the following environment variable:

  • PROVIDER: Ovh
  • OVH_APPLICATION_KEY: your key generated in previous step
  • OVH_APPLICATION_SECRET: your secret generated in previous step
  • OVH_CONSUMER_KEY: your consumer key generated in previous step

Building the image

make build && make image

Contributions

PR's welcome!

Docker Pull Command
Owner
joschi36
Source Repository

Comments (0)