I opened a Gitter room
Bugs go to issues please.
A service to automatically create and renew letsencrypt certificates.
Example
var CertService = require("letsencrypt-cert-service");
var certService = new CertService(config);
certService.start(callback);Kind: inner class of letsencrypt-cert-service
| Param | Type | Description |
|---|---|---|
| config | ||
| config.domains | Array.<string> |
The hostnames which the certificate is to be created for |
| config.email | string |
Letsencrypt notification email |
| [config.private] | boolean |
Set to true when you want private service to be running |
| [config.password] | string |
Strong password to protect private parts - required when private true |
| [config.username] | string |
Username of choice - required when private true |
Available on docker hub.
This service can be run on a webserver to obtain letsencrypt certificates. It can be run on the server that the A record of the domain points to, but the major benefit of this service is, that it can be run in a professional setup with loadbalancers and in this scenario be deployed on any node behind the loadbalancer without interrupting the live deployment.
This service has been tested in a deployment orchestrated with Tutum and their haproxy image but should work fine in other setups too.
As this is a docker container, all configuration is done by setting appropriate environment variables. These are as follows:
|Variable|Explanation|Example value|
| --- | --- | --- | --- |
|CERT_DOMAINS|Domains the certificate should be issued for, comma separated | example.com,app.example.com|
|CERT_EMAIL|Email for notifications (like imminent certificate expiry)|admin@example.com|
|CERT_SERVICE_PRIVATE|Flag to run private part of app (certificate hosting)|true|
|CERT_SERVICE_PASSWORD|Pass to authenticate against private certificate service|SomeGoodPassword|
|CERT_SERVICE_USERNAME|Username to authenticate against private certificate service|michael|
|Variable|Explanation|Example value|
| --- | --- | --- | --- |
|VIRTUAL_HOST|Routing all acme queries to the service|http://*/.well-known/*
|VIRTUAL_HOST_WEIGHT|Taking over domain.com/.well-known/acme... queries. You need to set a value that is higher than the one of the "catch all" service|1
|EXCLUDE_PORTS|Don't route traffic to port 443|443
Usually you would want the newly generated certificates to be stored in the hosts file system
so make sure to link the container dir /etc/letsencrypt to the host.
The problem with the default letsencrypt tool is that it expects to be run on port 80 on the root domain.
Or at least the server where all http traffic to the domain example.com ends up. This
means that you can either "inject" it into your one instance apache or nginx server. If you have another setup
which involves for example some node http servers and path based http routing + loadbalancing you need to take down
your live deployment, start a new webserver, get the certificates on port 80 and then start your deployment
again. It goes without saying that this cannot be a "workflow".
To provide a solution to the above problem, we suggest this service.
- It can be run additionally as an additional service in any load balanced setup.
- It can run forever and permanently runs a http server on port 80 (important for load balancers that check whether the service is "alive" before routing traffic to it).
- One can connect to the service at any time and create or renew certificates with a simple command.
We describe the usage for a domain domain.com.
- Deploy with appropriate environment variables (see above)
- Recommended: Open ports 80 and 443 of the container on the host, get a subdomain like "certs.domain.com" and point to the host (or tutums load balancer). Don't forget to add "certs.domain.com" to the list of domains for the certifcate.
- Link to the cert service from load balancer(s), you can get one cert for up to 100 subdomains which of course could be ending up in different stacks with different load balancers. You can link to this cert service from each of them.
- Route all traffic for
http://*/.well-known/*to service at port 80 - Check for all domains whether
http://domain.com/.well-known/checkshows the correct success message ("Letsencrypt cert service reporting in! Load balancing seems to work.") - Check whether
http://certs.domain.com/statusshows success message - Go to
http://certs.domain.com/makecert(wait, connection might time out, if everything is set up correctly it will still work, check server logs) - On success (and if private service enabled) go to
https://certs.domain.com/statusand authenticate (Please check that it is encrypted traffic!) - Get your certificate from
https://certs.domain.com/certs/domain.com/cert.pem - Get your private key from
https://certs.domain.com/certs/domain.com/privkey.pem - Get you Tutum Haproxy certificate string from
https://certs.domain.com/certs/domain.com/bundle.pem?haproxy=true(:D)
Maintenance:
- With private service enabled and certificates in place you can hit
https://certs.domain.com/makecertto renew certs. On success you can retrieve the new extended certificate as above.
Important:
- There are no checks on rate limit and so on. Please do not hit
/makecerttoo often.
After deploying the service make sure you get an answer from this service when you go to http://[subdomain.]domain.com/.well-known/check ("Letsencrypt cert service reporting in! Load balancing seems to work.")
Before you open a pull request, please acknowledge the Unlicense. You have to sign a CLA before I can merge any PRs. For further details see the contribution guidelines.
Released under the Unlicense. See the Unlicense