A Rancher service that obtains free SSL/TLS certificates from the Let's Encrypt CA, adds them to Rancher's certificate store and manages renewal and propagation of updated certificates to load balancers.
-
Rancher Server >= v1.5.0
-
If using a DNS-based challenge, existing account with one of the supported DNS providers:
Aurora DNS
AWS Route 53
Azure DNS
CloudFlare
DigitalOcean
DNSimple
Dyn
Gandi
NS1
Ovh
Vultr
-
If using the HTTP challenge, a reverse proxy that routes
example.com/.well-known/acme-challenge
torancher-letsencrypt
.
This application is distributed via the Rancher Community Catalog.
Enable the Community Catalog under Admin
=> Settings
in the Rancher UI.
Then locate the Let's Encrypt
template in the Catalog section of the UI and follow the instructions.
By default the created SSL certificate is stored in Rancher's certificate store for usage in Rancher load balancers.
You can specify a volume name to store account data, certificate and private key in a (host scoped) named Docker volume. To share the certificates with other services you may specify a persistent storage driver (e.g. rancher-nfs).
See the README in the Rancher catalog for more information.
You can either set environment variables or use Rancher Secrets for provider configuration.
Possible options are:
Azure
- AZURE_CLIENT_ID - /run/secrets/azure_client_id
- AZURE_CLIENT_SECRET - /run/secrets/azure_client_secret
- AZURE_SUBSCRIPTION_ID - /run/secrets/azure_subscription_id
- AZURE_TENANT_ID - /run/secrets/azure_tenant_id
- AZURE_RESOURCE_GROUP - /run/secrets/azure_resource_group
Aurora
- AURORA_USER_ID - /run/secrets/aurora_user_id
- AURORA_KEY - /run/secrets/aurora_key
- AURORA_ENDPOINT - /run/secrets/aurora_endpoint
CloudFlare
- CLOUDFLARE_EMAIL - /run/secrets/cloudflare_email
- CLOUDFLARE_KEY - /run/secrets/cloudflare_key
DigitalOcean
- DO_ACCESS_TOKEN - /run/secrets/do_access_token
AWS
- AWS_ACCESS_KEY - /run/secrets/aws_access_key
- AWS_SECRET_KEY - /run/secrets/aws_secret_key
DNSSimple
- DNSIMPLE_EMAIL - /run/secrets/dnsimple_email
- DNSIMPLE_KEY - /run/secrets/dnsimple_key
DYN
- DYN_CUSTOMER_NAME - /run/secrets/dyn_customer_name
- DYN_USER_NAME - /run/secrets/dyn_user_name
- DYN_PASSWORD - /run/secrets/dyn_password
VULTR
- VULTR_API_KEY - /run/secrets/vultr_api_key
OVH
- OVH_APPLICATION_KEY - /run/secrets/ovh_application_key
- OVH_APPLICATION_SECRET - /run/secrets/ovh_application_secret
- OVH_CONSUMER_KEY - /run/secrets/ovh_consumer_key
GANDI
- GANDI_API_KEY - /run/secrets/gandi_api_key
NS1
- NS1_API_KEY - /run/secrets/ns1_api_key
Note: If you have both a private and public zone in Route53 for the domain, you need to run the service configured with public DNS resolvers (this is now the default).
The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
Replace <HOSTED_ZONE_ID>
with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
]
}
]
}
First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:
Account ID
: Your OVH account IDPassword
: Your passwordScript name
: letsencryptScript description
: Letsencrypt for RancherValidity
: UnlimitedRights
:- GET /domain/zone/*
- POST /domain/zone/*
- DELETE /domain/zone/*
Then deploy this service using the generated key, application secret and consumer key.
If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
Simply choose HTTP
from the list of providers.
Then make sure that HTTP requests to domain.com/.well-known/acme-challenge
are forwarded to port 80 of the rancher-letsencrypt
service, e.g. by configuring a Rancher load balancer accordingly. If you are using another reverse proxy (e.g. Nginx) you need to make sure it passed the original host
header through to the backend.
make build && make image
PR's welcome!