Let's Encrypt Certificate Manager for Rancher
A Rancher service that obtains free SSL/TLS certificates from the Let's Encrypt CA, adds them to Rancher's certificate store and manages renewal and propagation of updated certificates to load balancers.
Requirements
- Rancher Server >= v0.63.0
- If using a DNS-based challenge, existing account with one of the supported DNS providers:
AWS Route 53CloudFlareDigitalOceanDNSimpleDynVultrOvhGandi
- If using the HTTP challenge, a proxy that routes
example.com/.well-known/acme-challengetorancher-letsencrypt.
How to use
This application is distributed via the Rancher Community Catalog.
Enable the Community Catalog under Admin => Settings in the Rancher UI.
Then locate the Let's Encrypt template in the Catalog section of the UI and follow the instructions.
Accessing certificates and private keys from other services
The created SSL certificate is stored in Rancher for usage in load balancers.
If you want to use it from other services (e.g. a Nginx container) you can opt to save the certificate and private key to a host path,
named volume or Convoy storage volume. You can then mount the volume or host path to other containers and access the files as follows:
<path_on_host or volume name>/<certificate name>/fullchain.pem
<path_on_host or volume name>/<certificate name>/privkey.pem
where <certificate name> is the name you specified in the UI forced to this set of characters: [a-zA-Z0-9-_.].
Provider specific usage
AWS Route 53
The following IAM policy describes the minimum permissions required to run rancher-letsencrypt using AWS Route 53 for domain authorization.
Replace <HOSTED_ZONE_ID> with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
]
}
]
}
OVH
You need to create your credential on the following URL: https://eu.api.ovh.com/createToken/ Then submit the form as following:
Account ID: Your OVH account IDPassword: Your passwordScript name: letsencryptScript description: Letsencrypt for RancherValidity: UnlimitedRights:- GET /domain/zone/*
- POST /domain/zone/*
- DELETE /domain/zone/*
Then get your key and store them.
To finish, when you start this container add the following environment variable:
PROVIDER: OvhOVH_APPLICATION_KEY: your key generated in previous stepOVH_APPLICATION_SECRET: your secret generated in previous stepOVH_CONSUMER_KEY: your consumer key generated in previous step
HTTP
If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
Simply set the following option:
PROVIDER: HTTP
With this you'll have to make sure that HTTP
requests to example.com/.well-known/acme-challenge get redirected
to your rancher-letsencrypt instance. You can use a reverse proxy, like
the Rancher Load Balancer for that:
Building the image
make build && make image
Contributions
PR's welcome!

