
Images to use certbot in Rancher environment without elevated privileges.

OpenChemistry/certbot-rancher


This repository can be used to build two images that generate and install certificates using certbot in a Rancher environment. Note that if you have the required admin permissions, you should look at a cert-manager based solution instead.

This repository builds two containers:

  • Dockerfile.nginx (openchemistry/certbot-nginx) - An nginx container that exposes .well-known/acme-challenge for a given host. The NGINX_HOST environment variable is used to set server_name.
  • Dockerfile.rancher (openchemistry/certbot-rancher) - A certbot/certbot based container with added hooks to copy the issued certificate into a Rancher certificate.

Usage

Several workloads need to be created from the two images.

NGINX workload

This workload needs to be created from the openchemistry/certbot-nginx image. It exposes the .well-known/acme-challenge path that certbot populates. A volume should be mounted at /usr/share/nginx/html; this same volume will also be mounted into the certbot workloads.

Configuration

The following environment variables must be configured on the workload:

  • NGINX_HOST - This should be the domain that a certificate is being requested for.

The appropriate ingress should be set up so that port 80 for the domain is routed to this workload.

Certbot workloads

You will need two workloads here. The first does the initial setup (with an entrypoint of /scripts/setup.sh) and is only run once, so it can be run as a Job. The second should run on a cron schedule to renew the certificate (with an entrypoint of /scripts/renew.sh).

Both workloads need to be created from the openchemistry/certbot-rancher image; they are used to execute the certbot commands. The volume attached to the NGINX workload should be mounted at /data/letsencrypt, which is where certbot writes the challenge. A second volume should be mounted at /etc/letsencrypt, which is where certbot writes the certificates.

Configuration

The following environment variables must be configured on these workloads:

  • DOMAIN - The domain that the SSL cert is to be generated for.
  • CERT_NAME - The name to give the SSL cert in Rancher.
  • NAMESPACE - The Rancher namespace to create the certificate in.
  • ENDPOINT_URL - The URL to use to log in to Rancher (for example: https://rancher2.spin.nersc.gov/v3).
  • CONTEXT - The rancher project id.
  • EMAIL - The email for certbot to use for notifications.

The following secret should be mounted into the workload:

  • /secrets/bearer-token - This should contain the bearer token to be used for rancher login.

Script

The image provides two scripts that can be used as entrypoints:

  • /scripts/setup.sh - Run to create the initial certificate.
  • /scripts/renew.sh - Run periodically to renew the certificate if necessary.

Once the initial setup job has executed, a Rancher certificate will have been created and can be used by the appropriate ingress.
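The setup workload described above, written out as a Kubernetes Job manifest. This is an added example and not part of this repository; it assumes that a Rancher 2 workload is an ordinary Kubernetes object, so the mounts and variables from the sections above carry over directly. The namespace, claim names, secret name, domain, Rancher URL and project id are placeholders.

```yaml
# Added example (not part of the repository): Kubernetes Job for the one-off
# setup workload. Namespace, claim names, secret name and values are placeholders.
apiVersion: batch/v1
kind: Job
metadata:
  name: certbot-setup
  namespace: example-namespace            # placeholder
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: certbot
          image: openchemistry/certbot-rancher
          command: ["/scripts/setup.sh"]  # entrypoint listed in the README
          env:
            - name: DOMAIN
              value: example.org          # placeholder domain
            - name: CERT_NAME
              value: example-org-cert     # name the certificate gets in Rancher
            - name: NAMESPACE
              value: example-namespace    # Rancher namespace receiving the certificate
            - name: ENDPOINT_URL
              value: https://rancher.example.org/v3   # placeholder Rancher API URL
            - name: CONTEXT
              value: c-xxxxx:p-xxxxx      # placeholder Rancher project id
            - name: EMAIL
              value: admin@example.org    # placeholder certbot contact address
          volumeMounts:
            - name: webroot               # same volume nginx mounts at /usr/share/nginx/html
              mountPath: /data/letsencrypt
            - name: letsencrypt-state     # keeps certbot account and certificates across runs
              mountPath: /etc/letsencrypt
            - name: rancher-token         # secret key appears as the file /secrets/bearer-token
              mountPath: /secrets
              readOnly: true
      volumes:
        - name: webroot
          persistentVolumeClaim:
            claimName: certbot-webroot    # placeholder PVC name
        - name: letsencrypt-state
          persistentVolumeClaim:
            claimName: certbot-letsencrypt   # placeholder PVC name
        - name: rancher-token
          secret:
            secretName: rancher-bearer-token  # placeholder secret name
            items:
              - key: bearer-token         # key name becomes the file name under /secrets
                path: bearer-token
            defaultMode: 0400             # token file readable only by its owner
```

The renew workload uses the same pod spec wrapped in a CronJob with `command: ["/scripts/renew.sh"]`. Mounting the token read-only with mode 0400 limits who inside the container can read it, which matters because that token grants API access to the Rancher project.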
