rancher-letsencrypt

Published: Jan 28, 2017 License: Apache-2.0 Imports: 8 Imported by: 0

README

Let's Encrypt Certificate Manager for Rancher


A Rancher service that obtains free SSL/TLS certificates from the Let's Encrypt CA, adds them to Rancher's certificate store and manages renewal and propagation of updated certificates to load balancers.

Requirements
  • Rancher Server >= v1.2.0
  • If using a DNS-based challenge, existing account with one of the supported DNS providers:
    • AWS Route 53
    • CloudFlare
    • DigitalOcean
    • DNSimple
    • Dyn
    • Vultr
    • Ovh
    • Gandi
  • If using the HTTP challenge, a proxy that routes example.com/.well-known/acme-challenge to rancher-letsencrypt.
How to use

This application is distributed via the Rancher Community Catalog.

Enable the Community Catalog under Admin => Settings in the Rancher UI. Then locate the Let's Encrypt template in the Catalog section of the UI and follow the instructions.

Accessing certificates and private keys from other services

The created SSL certificate is stored in Rancher for usage in load balancers.
If you want to use it from other services (e.g. an Nginx container) you can opt to save the certificate and private key to a host path or volume. You can then access the certificate and key from other services as follows:
<path_on_host or volume name>/<certificate name>/fullchain.pem
<path_on_host or volume name>/<certificate name>/privkey.pem
where <certificate name> is the name you specified in the UI sanitized to consist of only the following characters: [a-zA-Z0-9-_.].
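The layout above is easy to consume incorrectly: a service that reads the two files must use the sanitized directory name, and after a renewal it is worth confirming that privkey.pem still matches the leaf in fullchain.pem before reloading. The following Go program is an added example, not code from rancher-letsencrypt. It applies the README's character rule (the replacement character "_" is an assumption; the page does not state what the service substitutes), builds the two paths, and validates the pair the way a TLS server would. To run offline it writes a constructed, self-signed pair into a temporary directory standing in for the host path or volume.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"regexp"
	"time"
)

// unsafeChars matches everything outside the README's allowed set [a-zA-Z0-9-_.].
var unsafeChars = regexp.MustCompile(`[^a-zA-Z0-9\-_.]`)

// sanitizeCertName applies the README's character rule to the name typed in the UI.
// Assumption: characters outside the set become "_"; the page does not say which
// replacement rancher-letsencrypt uses, so compare with the real directory name.
func sanitizeCertName(name string) string {
	return unsafeChars.ReplaceAllString(name, "_")
}

// certPaths builds the two paths from the README under the host path or volume.
func certPaths(base, certName string) (chainPath, keyPath string) {
	dir := filepath.Join(base, sanitizeCertName(certName))
	return filepath.Join(dir, "fullchain.pem"), filepath.Join(dir, "privkey.pem")
}

// checkCertPair loads the pair exactly as a TLS server would. tls.LoadX509KeyPair
// fails when privkey.pem does not match the leaf in fullchain.pem, which is what
// you see when only one of the two files was refreshed after a renewal. It returns
// the leaf's expiry so a consumer can alert before the 90-day validity ends.
func checkCertPair(chainPath, keyPath string) (time.Time, error) {
	pair, err := tls.LoadX509KeyPair(chainPath, keyPath)
	if err != nil {
		return time.Time{}, fmt.Errorf("cert/key pair rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return time.Time{}, err
	}
	return leaf.NotAfter, nil
}

// writeSelfSignedPair writes a constructed, self-signed pair in the README's layout so
// the example runs offline; a real deployment reads the files rancher-letsencrypt wrote.
func writeSelfSignedPair(base, certName string, validFor time.Duration) (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: certName},
		DNSNames:     []string{certName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	chainPath, keyPath := certPaths(base, certName)
	if err := os.MkdirAll(filepath.Dir(chainPath), 0o700); err != nil {
		return "", "", err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(chainPath, certPEM, 0o644); err != nil {
		return "", "", err
	}
	// The private key is the sensitive half: keep it owner-readable only.
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return "", "", err
	}
	return chainPath, keyPath, nil
}

func main() {
	base, err := os.MkdirTemp("", "rancher-certs") // stands in for the host path or volume
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	chain, key, err := writeSelfSignedPair(base, "www.example.com", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	notAfter, err := checkCertPair(chain, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s valid until %s (%.0f days left)\n", chain, notAfter.Format(time.RFC3339), time.Until(notAfter).Hours()/24)
}
```

In a consumer container, call checkCertPair on the real paths before signalling the server to reload; a non-nil error means the two files are out of step and the old pair should stay in service until the next propagation.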

Provider specific usage
AWS Route 53

The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
Replace <HOSTED_ZONE_ID> with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
            ]
        }
    ]
}
OVH

First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:

  • Account ID: Your OVH account ID
  • Password: Your password
  • Script name: letsencrypt
  • Script description: Letsencrypt for Rancher
  • Validity: Unlimited
  • Rights:
    • GET /domain/zone/*
    • POST /domain/zone/*
    • DELETE /domain/zone/*

Then deploy this service using the generated key, application secret and consumer key.

HTTP

If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge. Simply choose HTTP from the list of providers. Then make sure that HTTP requests to domain.com/.well-known/acme-challenge are forwarded to the rancher-letsencrypt service, e.g. by configuring a Rancher load balancer accordingly.

[Screenshot: Rancher Load Balancer Let's Encrypt Targets]
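The requirement in this section is a path split: only /.well-known/acme-challenge reaches rancher-letsencrypt, everything else reaches the application. The Go program below is an added example of that split as a small reverse proxy, not code from the project, and it is what a Rancher load balancer rule achieves without code. The upstream addresses are assumptions. Beyond plain forwarding it accepts only GET requests whose path carries exactly one token in the base64url alphabet that RFC 8555 prescribes for HTTP-01 tokens, so nothing else under that prefix is handed to the certificate service.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// acmeTokenPath matches well-formed HTTP-01 challenge paths: the prefix from the
// README followed by a single base64url token. Anything else under the prefix is
// answered 404 instead of being proxied.
var acmeTokenPath = regexp.MustCompile(`^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$`)

// newChallengeRouter forwards valid challenge requests to the rancher-letsencrypt
// service (acmeUpstream) and every other request to the application (appUpstream).
func newChallengeRouter(acmeUpstream, appUpstream *url.URL) http.Handler {
	acmeProxy := httputil.NewSingleHostReverseProxy(acmeUpstream)
	appProxy := httputil.NewSingleHostReverseProxy(appUpstream)
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/acme-challenge/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet || !acmeTokenPath.MatchString(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		acmeProxy.ServeHTTP(w, r)
	})
	mux.Handle("/", appProxy)
	return mux
}

func main() {
	// Assumed upstream addresses: the rancher-letsencrypt service and the application
	// as reachable from this proxy. The page does not state the port the service
	// listens on, so set it to whatever your deployment configures.
	acmeUpstream, err := url.Parse("http://rancher-letsencrypt:80")
	if err != nil {
		log.Fatal(err)
	}
	appUpstream, err := url.Parse("http://app:8080")
	if err != nil {
		log.Fatal(err)
	}
	// Port 80 is where the CA sends the HTTP-01 request.
	log.Fatal(http.ListenAndServe(":80", newChallengeRouter(acmeUpstream, appUpstream)))
}
```

Terminate TLS in front of this router if the application is also served over HTTPS; the challenge itself always arrives over plain HTTP on port 80.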

Building the image

make build && make image

Contributions

PRs welcome!
