At Tozny, we have been using a service written in-house to automate creating and maintaining TLS certificates in our Rancher environments.
The service runs as two containers: a basic nginx container that serves the webroot verification challenge, and the service container itself.
The service:
- Automatically obtains certificates
- Pushes certificates into the Rancher API (this way load balancers pick them up automatically)
- Polls the Rancher API for certificate expiration
- Automatically renews certificates
- Makes it easy to roll from Let’s Encrypt staging certificates for testing to production CA-verified certificates
- Checks local certificates against the certificates in the Rancher API
We have decided to open the tool up to the public in the hope that it is useful to others. The project started because we weren’t comfortable giving AWS credentials for our entire domain to every Rancher instance (why should dev have the same keys that prod uses for DNS verification?), so we created a service (written in Python) that does webroot verification instead.
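As an added example (not code from rancher-lets-encrypt itself), here is how the expiry poll and the local-versus-Rancher comparison described above can be expressed in Python. It assumes Rancher certificate records expose `name`, `expiresAt`, `certFingerprint` and `issuer` fields, with ISO 8601 timestamps and SHA-1 fingerprints of the DER encoding, and it uses a constructed PEM stand-in rather than a real certificate so it runs offline.

```python
import base64
import hashlib
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # renew once less than this remains

def fingerprint_pem(pem: str) -> str:
    # SHA-1 over the DER bytes, upper-case hex without colons
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()

def needs_renewal(expires_at: str, now: datetime, window: timedelta = RENEW_WINDOW) -> bool:
    """True when fewer than `window` remains; expiresAt is assumed to be ISO 8601."""
    expiry = datetime.fromisoformat(expires_at)
    if expiry.tzinfo is None:  # treat naive timestamps as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    return expiry - now < window

def plan_actions(remote: list, local: dict, now: datetime) -> dict:
    """Group names by action. remote: Rancher records with name/expiresAt/
    certFingerprint/issuer (assumed field names); local: name -> PEM on disk."""
    plan = {"renew": [], "push": [], "staging": []}
    for rec in remote:
        name = rec["name"]
        if needs_renewal(rec["expiresAt"], now):
            plan["renew"].append(name)
        if "Fake LE" in rec.get("issuer", ""):  # assumed marker of the staging CA
            plan["staging"].append(name)
        pem = local.get(name)
        remote_fp = rec["certFingerprint"].replace(":", "").upper()  # accept AB:CD:.. form
        # Local copy differs from what Rancher holds: push it through the API
        if pem is not None and fingerprint_pem(pem) != remote_fp:
            plan["push"].append(name)
    return plan

def _fake_pem(label: bytes) -> str:
    """Constructed PEM stand-in (not a real certificate) so the example runs offline."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = datetime(2017, 5, 15, tzinfo=timezone.utc)
SAMPLE_LOCAL = {"api.example.com": _fake_pem(b"constructed-api-cert-v2"),
                "www.example.com": _fake_pem(b"constructed-www-cert")}
SAMPLE_REMOTE = [  # constructed records in the assumed Rancher shape
    {"name": "api.example.com", "expiresAt": "2017-08-01T00:00:00+00:00",
     "certFingerprint": fingerprint_pem(_fake_pem(b"constructed-api-cert-v1")),
     "issuer": "CN=Let's Encrypt Authority X3"},
    {"name": "www.example.com", "expiresAt": "2017-06-01T00:00:00+00:00",
     "certFingerprint": fingerprint_pem(SAMPLE_LOCAL["www.example.com"]),
     "issuer": "CN=Fake LE Intermediate X1"},
]
```

With the sample data, `plan_actions(SAMPLE_REMOTE, SAMPLE_LOCAL, NOW)` flags www.example.com for renewal (17 days left) and as staging-issued, and api.example.com for a push because the local file no longer matches what Rancher holds.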
More details are on the project’s GitHub page: https://github.com/tozny/rancher-lets-encrypt
and its Docker Hub page: https://hub.docker.com/r/tozny/rancher-lets-encrypt/