The Let's Encrypt Certificate Manager obtains a free (SAN) SSL Certificate from the Let's Encrypt CA and adds it to Rancher's certificate store. Once the certificate is created it is scheduled for automatic renewal 20-days before expiration. Rancher load balancer services are automatically updated to use the renewed certificate.
- Added support for Aurora DNS, Azure DNS and NS1
- Added support for stopping container after creating/renewing certificate
- Added configuration option to specify DNS resolvers to use (fixes an issue with private zones on AWS)
- Added configuration option to specify renewal grace period
- Added support for Rancher servers using self-signed certs
- Logs now contain ACME library messages
- Accept the terms of service.
- Select the API version to use. The Sandbox API should be used for testing purposes.
- Fill in your email address.
- Enter the name used for storing the certificate in Rancher and volumes. Any existing certificate by that name will be updated.
- Enter one or more domain names. The first domain will be used as the Common Name property of the certificate.
- Fill in the required credentials for the chosen provider. Note provider specific usage notes below.
If you want the certificate to be automatically renewed, leave the service running. Otherwise you may remove the service once the certificate has appeared in Rancher's certificate store.
If you specify a name under "Volume Name" then account data, certificate and private key are stored in a (host scoped) Docker volume with the specified name. To store the data in a stack scoped volume that can be shared with services running on other hosts, you should provide the name of an already active persistent storage service under "Persistent Storage Driver". See the Storage Service documentation.
- Configure the service with a volume named "letsencrypt".
- Mount the volume to
/etc/letsencrypt
in another service.
This service can then access the certificate and key in the following locations:
/etc/letsencrypt/production/certs/<certificate name>/fullchain.pem
/etc/letsencrypt/production/certs/<certificate name>/privkey.pem
where <certificate name>
is the name of the certificate sanitized to consist of only the following characters: [a-zA-Z0-9-_.]
.
Note: If you have both a private and public zone for the domain, make sure you configure the service to use public DNS resolvers (the default ones are fine).
The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
Replace <HOSTED_ZONE_ID>
with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
]
}
]
}
First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:
Account ID
: Your OVH account IDPassword
: Your passwordScript name
: letsencryptScript description
: Letsencrypt for RancherValidity
: UnlimitedRights
:- GET /domain/zone/*
- POST /domain/zone/*
- DELETE /domain/zone/*
Then deploy this service using the generated key, application secret and consumer key.
If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
Simply choose HTTP
from the list of providers.
Then make sure that HTTP requests to domain.com/.well-known/acme-challenge
are forwarded to port 80 of the rancher-letsencrypt
service, e.g. by configuring a Rancher load balancer accordingly. Make sure the reverse proxy passes the original host
header to the backend.
Please submit suggestions or any issues you find to the rancher-letsencrypt GitHub repo.