Rancher Auto Certs
This is a Docker image made for Rancher users.
It generates certificates with Let's Encrypt to match what's in its configuration file, and imports them to Rancher using the API.
This is mainly a Python 3 script that uses ACME Tiny.
Get your Let's Encrypt Account Key
If you already used Let's Encrypt with the
certbot client, you can copy your account key
.json file (found in
/etc/letsencrypt) and convert it to the format used by this script using the
Otherwise, you can generate a new key with :
openssl genrsa 4096 > account.key
Create the Rancher service
This image declares two volumes:
/usr/src/app/configfor the configuration file
config.ymland can be used to store the Let's Encrypt account keys.
/media/acme-challengeis where the challenge files will be put.
This image doesn't take care of making the ACME Challenge files available from the web. If you don't already have a web server to do that, you can create a
nginx service and mount the volume with the challenge files to be available at the
/.well-known/acme-challenge path. You need to configure your frontend or loadbalancher to make all requests to the path
/.well-known/acme-challenge - on all the domains you want certificates for - go to the right service.
The script needs tokens to access the Rancher API. You just need to add the following labels to the service and Rancher will automatically create environment vars for the API access :
Here is an example Rancher config:
auto-certs: labels: io.rancher.container.create_agent: 'true' io.rancher.container.agent.role: environment image: jremy/rancher-auto-certs:X.Y.Z volumes: - auto-certs-config:/usr/src/app/config - auto-certs-acme-challenge:/media/acme-challenge httpd-acme-challenge: image: nginx:1.10 volumes: - auto-certs-acme-challenge:/usr/share/nginx/html/.well-known/acme-challenge:ro
Pimp the config
The script config file is a YAML file.
Each certificate is defined with a
name and a list of
domains. The name is only used for Rancher. Usually the name is one of the certificate domains, but this is not a restriction.
By default the config points to the Let's Encrypt staging environment, which generates invalid certificates. To use the production environment, change the
ca value to
The script will run once a day, and renew certificates if needed.
When you update the config, just restart the container in Rancher for the script to re-run.