It would be great to add support for the Let's Encrypt project https://letsencrypt.org/
as an option in the load balancer SSL settings, if possible.
The public beta will start soon.
Jup. Would be really nice. :+1:
As I remember, they moved it (the public beta) from 16.11 to 03.12.
It would be a very nice feature.
:+1: wow!! It would be awesome
+1 you read my mind!! :) i'm counting the days for it to become public beta... @kurkop
http://forums.rancher.com/t/letsencrypt-integration-to-rancher/923/2?u=vincent
This seems like something that would be best as a rancher-catalog template that interacts in a standalone codebase (probably in Go) with the Let's Encrypt + Rancher APIs, rather than baking support for a very specific niche into Rancher itself (actually Cattle, and in Java).
@vincent99 Let's Encrypt requires access to the web server root (or it can run a standalone web server) to verify your control over the domain.
I think it is possible only inside the load balancer, because it listens on the port.
If a rancher-catalog template can interact with an existing LB, it would be possible.
But if that's not the case, we need it to be part of Rancher (since ports 80 and 443 could already be in use on each machine), because the program needs to control the DNS endpoint before the validation of the generated certificate.
maybe this could work also in tandem with the Route53 service that's already in the catalog. You can use that integration to validate the control of the domain.
I'm not sure that a huge percentage of folks use Route53 (I'm not).
Let's Encrypt is made by a not-for-profit company, so integrating it tightly would only feel like a "soft vendor lock-in", if that is part of the concern anyway...
+1
It is possible to write a component that would run in the environment that would interact with both letsencrypt tool chain and the Rancher API to create and update the certificate. Rancher would then propagate the certificate to the LB. I would love to see this happen.
I've been playing with letsencrypt within rancher...
For now I haven't hooked into the Rancher API, but I was trying to figure out the best way to run the letsencrypt client.
What I did was:
- `.well-known`. The target for this entry in the load balancer is the letsencrypt service running the official letsencrypt docker image (port 80).
- `letsencrypt certonly` in standalone mode, using port 80 with the `--standalone-supported-challenges http-01` argument. This way the letsencrypt service is able to verify the ownership of the domain.
What I'm not sure how to do is the automation phase based on rancher events...
I will take a look at the external-dns catalog component.
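The two things the comments above keep circling (the CA needs to reach port 80 on the domain, and the load balancer can forward only the `/.well-known` prefix to a letsencrypt container) fit together in the HTTP-01 challenge itself. The following is an added example, not code from this thread, the letsencrypt client or Rancher: it computes the key authorization the CA expects to read (token plus the account key's RFC 7638 thumbprint, as RFC 8555 section 8.1 specifies), mirrors the LB path rule as a routing decision, and shows what the container behind that rule should and should not answer. The `TOY_JWK` account key, the sample token and the `ChallengeResponder` class are constructed for the example.

```python
import base64
import hashlib
import json
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# Challenge tokens are unpadded base64url (RFC 8555 section 8.3); anything else is refused.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 section 3.2: only the required public members enter the thumbprint,
# in lexicographic order, serialized without whitespace.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed toy account key (not a real curve point); only its serialization matters here.
TOY_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "toy-x-coordinate",
    "y": "toy-y-coordinate",
    "use": "sig",  # optional member: must NOT influence the thumbprint
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the responder must serve for a token: '<token>.<thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def route(path: str) -> str:
    """The load-balancer rule: challenge paths go to the ACME container, the rest to the app."""
    return "acme" if path.startswith(ACME_PREFIX) else "app"


class ChallengeResponder:
    """Stand-in for the container on port 80 that answers the CA's HTTP-01 probes."""

    def __init__(self, jwk: dict):
        self.jwk = jwk
        self.pending = set()  # tokens the CA handed out for in-flight authorizations

    def expect(self, token: str) -> None:
        self.pending.add(token)

    def handle(self, path: str):
        """Return (status, body). Unknown or malformed tokens get 404, never a guess."""
        if not path.startswith(ACME_PREFIX):
            return 404, ""
        token = path[len(ACME_PREFIX):]
        # The regex also stops traversal-style paths such as '../..' from being treated as tokens.
        if not TOKEN_RE.match(token) or token not in self.pending:
            return 404, ""
        return 200, key_authorization(token, self.jwk)


if __name__ == "__main__":
    sample_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample
    responder = ChallengeResponder(TOY_JWK)
    responder.expect(sample_token)
    for p in ("/", ACME_PREFIX + sample_token, ACME_PREFIX + "../../etc/passwd"):
        target = route(p)
        print(p, "->", target, responder.handle(p) if target == "acme" else "(app backend)")
```

The point of keeping a `pending` set is that the responder never serves a key authorization for a token it was not told about, so an attacker who can reach the container cannot use it as an oracle for your account key; the LB rule only narrows what reaches it, the container still has to validate.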
:+1:
Cross posting from the forum:
I'd like to implement a container that runs letsencrypt (https://letsencrypt.org/) to acquire certificates for my domains and renew them automatically.
I have found the rancher API calls to add a certificate and to set a network endpoint (domain / subdomain) but I can't find a way to list all my configured endpoints.
I'm going to implement a letsencrypt plugin for rancher.
Do you have any suggestions for me?
@blackjid great manual workflow
+1 @ibuildthecloud
+1
I would love a Let's Encrypt integration with ssl termination / offloading into the loadbalancer.
Certificates should be created via the Let's Encrypt API or inside a temporary Let's Encrypt client container, then moved to the load balancer and offered for download for production use. The Let's Encrypt client shouldn't stay in the production environment.
There is also a GitHub project offering a static website that creates Let's Encrypt certificates by making requests to the Let's Encrypt API.
It's an open source project:
https://github.com/diafygi/gethttpsforfree/blob/gh-pages/README.md
+1
+1
On Dec 15, 2015 2:02 PM, "Petr" [email protected] wrote:
> +1

Reply to this email directly or view it on GitHub:
https://github.com/rancher/rancher/issues/2734#issuecomment-164757055
Also found a nice 3MB web server with an integrated Let's Encrypt feature.
Could be used as a web server and also as a proxy / load balancer.
Haven't tested it yet...
+1
I guess this is an opportunity to earn some karma for capable ones.
@blackjid @zaubererty How is the status? Can you share some code? I'd love to have a look...
I think, as @ibuildthecloud envisioned, if it were integrated into the environment, something like the following (optional/convenience!) workflow would be possible:
SSL terminate a port on a LB by the simple click on a checkbox, next to entering a domain.
+1 :)
Almost there... :wink: :tada:
@janeczku that is so great!
@janeczku wow thank you so much!
+1
+1 for this
@janeczku https://github.com/rancher/community-catalog will be available as a first-class option in 0.57 or 0.58 if you want to put a PR in when you're done.
@vincent99 Certainly! In the process I realized that the permissions for the "environment" or "external-dns" agent roles are not sufficient to create certificates and upgrade load balancers. I wonder if there is something we can do so one doesn't have to manually create an API user and fill out even more credentials in the on-boarding form for the service?
I am talking about these labels:
io.rancher.container.create_agent: "true"
io.rancher.container.agent.role: "external-dns"
Great! :)
Is an integration with the Rancher load balancer planned / possible?
@janeczku that should be doable; @alena1108?
@janeczku Thank you for your effort!
:heart:
@janeczku AWESOME job!!
@janeczku I'm also creating a container, that's almost ready to be deployed to the Rancher Community Catalog. You can read about my WIP here: https://github.com/adamgoose/rancher-certificates
Using the following labels gives the container an API Key that has access to certificates:
io.rancher.container.create_agent: "true"
io.rancher.container.agent.role: "environment"
@adamgoose Nice, that even gives permissions for updating the load balancers. :yum: :v:
I've also found that the /v1/certificates endpoint is read-only, so you need to use /v1/projects/{projectId}/certificates
Waiting for this too ^^ .
@seb2411 It's just a matter of https://github.com/rancher/rancher/issues/3556 getting fixed.
:+1:
+1
:+1: so nice to see its on it way :)
+1 @janeczku
+1 @adamgoose
+1
@silviupanaite You now have reactions in right top corner of message ;-)
Thx ;)
Thanks @janeczku
thanks @janeczku
Hello,
Just a question: how do I add new domain names to the Common Name fields after launching the Let's Encrypt container?
Best Regards.
@omata-metamax Just do a stack upgrade and change the environment variables.
@rancherdev I'm glad a community member included this. IMHO, Let's Encrypt should be included in the HAProxy implementation of Rancher. I think it's very low overhead and a free service.
@willseward If I configure the instance to generate each cert in its own directory, will all directories be renewed when needed?
Best regards.
@omata-metamax I'm not sure what you mean by individual directories. Each named certificate/key pair is placed in an eponymous directory, one per instance, because one service can only generate one certificate with multiple SANs.
However, by updating the SANs on the cert by means of the environment variable, the instance will pick up the difference and update it near expiry.
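The behaviour just described (re-issue when the SAN list configured through the environment changes, otherwise renew near expiry) and the earlier note that certificates have to be written through `/v1/projects/{projectId}/certificates` rather than the read-only `/v1/certificates` are the two pieces any such component needs. The code below is an added example, not code from the catalog entry, rancher-certificates or Rancher itself. The `FakeRancherApi` transport is constructed for the example so it runs offline; the resource paths and the field names `cert`, `key`, `certChain` and `defaultCertificateId` are my assumptions about the Rancher 1.x schema and should be checked against `/v1/schemas` on a real server.

```python
from datetime import datetime, timedelta, timezone

RENEW_WINDOW_DAYS = 30  # Let's Encrypt issues 90-day certs; renewing with 30 days left is the usual rule


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware midnight UTC, so date arithmetic never mixes naive and aware values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def needs_renewal(current_sans, requested_sans, not_after, now=None, window_days=RENEW_WINDOW_DAYS):
    """Decide whether to run the client again, and why.

    current_sans   : names in the certificate currently on disk / in the LB
    requested_sans : names configured through the service's environment variable
    not_after      : expiry of the current certificate (timezone-aware datetime)
    """
    now = now or datetime.now(timezone.utc)
    if set(requested_sans) != set(current_sans):
        return True, "san-change"   # operator edited the env var: re-issue immediately
    if not_after - now <= timedelta(days=window_days):
        return True, "expiring"     # inside the renewal window
    return False, "current"


class ReadOnlyEndpoint(Exception):
    """Raised for writes to /v1/certificates, which only lists certificates."""


class FakeRancherApi:
    """Constructed stand-in for an HTTP client against the Rancher v1 API; records every call."""

    def __init__(self):
        self.calls = []
        self.resources = {}
        self._next = 1

    def post(self, path, body):
        if path == "/v1/certificates":
            raise ReadOnlyEndpoint(path)
        self.calls.append(("POST", path, body))
        res_id = f"1c{self._next}"
        self._next += 1
        self.resources[f"{path}/{res_id}"] = dict(body, id=res_id)
        return self.resources[f"{path}/{res_id}"]

    def put(self, path, body):
        self.calls.append(("PUT", path, body))
        self.resources.setdefault(path, {}).update(body)
        return self.resources[path]


def rotate_certificate(api, project_id, lb_service_id, name, cert_pem, key_pem, chain_pem):
    """Upload a fresh cert/key pair under a new name and switch the LB to it.

    Assumption: field names and paths follow the Rancher 1.x schema as remembered here.
    Uploading under a new name (instead of overwriting) means the LB only ever references
    a complete certificate, and the previous one can be deleted after the switch.
    """
    created = api.post(
        f"/v1/projects/{project_id}/certificates",
        {"name": name, "cert": cert_pem, "key": key_pem, "certChain": chain_pem},
    )
    api.put(
        f"/v1/projects/{project_id}/loadbalancerservices/{lb_service_id}",
        {"defaultCertificateId": created["id"]},
    )
    return created["id"]


if __name__ == "__main__":
    now = utc(2016, 1, 1)
    print(needs_renewal(["example.com"], ["example.com"], utc(2016, 3, 21), now))
    print(needs_renewal(["example.com"], ["example.com", "www.example.com"], utc(2016, 3, 21), now))
    api = FakeRancherApi()
    new_id = rotate_certificate(api, "1a5", "1s9", "example.com-2016-01-01",
                                "-----BEGIN CERTIFICATE-----...", "-----BEGIN PRIVATE KEY-----...", "")
    print("LB now points at", new_id, api.calls)
```

Note what the decision function deliberately does not do: it never lets a SAN change wait for the expiry window, because a certificate that lacks a name the operator just added is already wrong for that name, and it compares sets so ordering changes in the environment variable do not trigger a pointless re-issue against the CA's rate limits.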
@willseward When configuring the instance there is an environment variable called CERT_NAME that creates another directory (inside the container or exposed volume) for that cert. Then I want to know if the cert inside its named directory will be upgraded when it is near expiry.
Or
Do I have to clone the Let's Encrypt container to configure one and only one naked domain and its subdomains there?
@omata-metamax Yes. The service can only update one certificate/key pair at a time. I'd clone the stack for each certificate that you need.
Thank you very much @willseward
@omata-metamax No problem. I'm glad this service exists.
And I agree with @keyscores . It would be nice to have this integrated by default.
Let's Encrypt support with webroot verification instead of an external DNS service would be great!
Has anyone configured LetsEncrypt with Rancher Kubernetes?
Hi! Is there any way to use this in Kubernetes? It seems that there's no access to community catalog in k8s environments :(
Let's Encrypt is now available in Rancher's community catalog! Have a nice weekend guys!
Almost forgot: You need to be running Rancher v0.63.0.