SSL Termination with LoadBalancer

Hey guys. I am pretty new to Rancher, but I have put all my time over the last 3 days into it.

Let’s get to the point:

I want to make use of the LoadBalancer.
Before (or: until now) I used an NGINX Reverse Proxy to deliver the containers to the public web.
I also used a letsencrypt system to cert my domains.
But that is not a LoadBalancer so I want to switch to Rancher delivering the containers to the web.

The Issue:

When I use the Rancher LoadBalancer it allows me to select a certificate from the list of uploaded certificates. But that makes things really complicated when you are using LetsEncrypt.

Example: You have the domain foobar.foo. Now you want to add a certificate with LetsEncrypt. First you’d need to run a letsencrypt container on that domain manually, retrieve the certificates, download them, then upload them and then set up the foobar.foo site with the LoadBalancer with SSL.

That seems awkwardly wrong. Am I doing something wrong or is my mind stuck?

Best
David

Have you looked at the service in the catalog “Let’s Encrypt Certificate Manager?” You can navigate to it by using a url like https://your-rancher-server-domain/env/yourenvid/catalog/community:letsencrypt. This is doing something similar to what you describe but all in that container and using Rancher’s APIs to update the certificate in its store. Using the Rancher API to do so should ensure the certificate is available to the load balancer. Now, if you renew the certificate, and you already have a loadbalancer set up that references the certificate, it should have its certificate updated automatically. I might be wrong about that last part, but I could swear I’ve had it work that way before.

Hope this helps!

Thank you for the response Brandon.

I did take a look at that Manager, yes. But there is no documentation on this other than what is given on GitHub.
E.g. why do I need to provide an account for any of the given providers? Using certbot, just my e-mail address is required.

It might be that the given tool actually solves my problem but I want to know how this tool works and why the fields in the given form that appears are required.

Thanks in advance!

You can take a look at the source if you really want to dive deep into what the code is doing at https://github.com/janeczku/rancher-letsencrypt , but I can cover why you need the provider account:

The reason for a provider login/api keys/whatever is for verifying domain ownership. LetsEncrypt may want a record to be created in your DNS with specific information as a check. Providing the service access to your DNS provider allows it to handle that step for you.

But domain ownership through Certbot is normally verified by curl’ing http://domain/something.

I see that everything you are saying is correct but that would force me to switch the manager of my DNS to one of the listed ones.

There are 2 ways to validate control of the domain: a TXT record in DNS, or a file at a specific path on the web server.

DNS validation requires use of a supported DNS provider and API keys to automate, but then works regardless of what you’re using the cert for (e.g. an SMTP server).

An HTTP-accessible file would require you to be hosting your website through Rancher to automate for an existing domain with a website.

If you were so inclined, you could fork the repository, add your provider (https://github.com/janeczku/rancher-letsencrypt/blob/master/letsencrypt/providers.go), update other related scripts in it to allow for setting that provider, and add your repo to your Rancher server’s catalog sources. Doing a pull request wouldn’t be bad, either. This is all assuming you’re in the mood to dive into some Go or even engineer your own automated solution.

If you’d like to just use a script approach, you could take all the steps that you’ve written here and write a script that will use rancher-compose and the rancher cli/api to handle this whole process.

So to answer your original question: yes, it takes a few steps to handle the LetsEncrypt process.
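The two validation paths described in this thread (the DNS TXT record that needs provider API access, and the file served at a fixed path that needs the web host under your control) are easier to reason about once you see what the CA actually checks. The following is an added Python example, not code from this thread or from rancher-letsencrypt. It implements the ACME (RFC 8555) challenge values for HTTP-01 and DNS-01 from an account key thumbprint (RFC 7638) and simulates both checks against an in-memory web root and DNS zone. The account key, token and the `fetch`/`resolve_txt` callbacks are constructed so it runs offline; `foobar.foo` is the domain from the original post.

```python
import base64
import hashlib
import json
from typing import Callable, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' base64url(thumbprint(account key)): ties the published value
    to the ACME account that requested the challenge, so a stray token alone
    cannot be replayed by a different account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """HTTP-01: the web host for the domain must serve the key authorization here."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_expected(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """DNS-01: a TXT record with the SHA-256 digest of the key authorization."""
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def validate_http01(domain: str, token: str, account_jwk: dict,
                    fetch: Callable[[str], Optional[str]]) -> bool:
    """What the CA does for HTTP-01: GET the URL and compare the body."""
    url, expected = http01_expected(domain, token, account_jwk)
    body = fetch(url)
    return body is not None and body.strip() == expected


def validate_dns01(domain: str, token: str, account_jwk: dict,
                   resolve_txt: Callable[[str], List[str]]) -> bool:
    """What the CA does for DNS-01: look up TXT records and look for the digest."""
    name, expected = dns01_expected(domain, token, account_jwk)
    return expected in resolve_txt(name)


# Constructed sample account key (not a real key) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "Xj9qAbCdEf0123456789-_constructed"
SAMPLE_DOMAIN = "foobar.foo"  # the domain from the thread


def demo() -> dict:
    """Simulate both validation paths against an in-memory web root and DNS zone."""
    url, body = http01_expected(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    name, txt = dns01_expected(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    webroot = {url: body}   # what the web host behind the load balancer must serve
    zone = {name: [txt]}    # what the DNS provider API must publish
    return {
        "http01_ok": validate_http01(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK, webroot.get),
        "dns01_ok": validate_dns01(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK,
                                   lambda n: zone.get(n, [])),
        # No web host serving the path (e.g. the cert is for SMTP): HTTP-01 cannot pass,
        # which is why DNS-01 is the route that works "regardless of what you use the cert for".
        "http01_without_webhost": validate_http01(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK,
                                                  lambda u: None),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `fetch` and `resolve_txt` callbacks stand in for the CA's HTTP client and resolver; in a real flow the challenge token comes from the CA, and whichever side you automate (web root or DNS API) is the credential the tool needs, which is the reason the catalog manager asks for a DNS provider account.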

Hi,

I am in the same boat as you. I found, but did not test, the following repository:

which uses the webroot ownership approach.


This seems to be appropriate. I’ll test this.

Hey Maximilian,

I tested this. This works really well. When you want to add new domains you can upgrade/edit the existing letsencrypt container.

The only thing left now is:
As you configure all this with Rancher, the Rancher UI itself cannot set up SSL for itself - obviously.
But that is another topic. The given issue is solved :)
