diff --git a/templates/letsencrypt/3/README.md b/templates/letsencrypt/3/README.md
new file mode 100644
index 0000000..8188f43
--- /dev/null
+++ b/templates/letsencrypt/3/README.md
@@ -0,0 +1,86 @@
+# Let's Encrypt Certificate Manager
+
+### About
+The Let's Encrypt Certificate Manager obtains a free (SAN) SSL Certificate from the [Let's Encrypt CA](https://letsencrypt.org/) and adds it to Rancher's certificate store. Once the certificate is created it is scheduled for automatic renewal 20-days before expiration. Rancher load balancer services are automatically updated to use the renewed certificate.
+
+### Usage
+ 1. Accept the terms of service.
+ 2. Select the API version to use. The Sandbox API should be used for testing purposes.
+ 3. Fill in your email address.
+ 4. Enter the name used for storing the certificate in Rancher and volumes. Any existing certificate by that name will be updated.
+ 5. Enter one or more domain names. The first domain will be used as the Common Name property of the certificate.
+ 6. Fill in the required credentials for the chosen provider. Note provider specific usage notes below.
+
+If you want the certificate to be automatically renewed, leave the service running. Otherwise you may remove the service once the certificate has appeared in Rancher's certificate store.
+
+### Using persistent storage volume
+
+If you specify an existing volume storage driver (e.g. rancher-nfs) then the account data, certificate and private key will be stored in a stack scoped volume named `lets-encrypt`, allowing you to access them from other services in the same stack. See the [Storage Service documentation](https://docs.rancher.com/rancher/v1.3/en/rancher-services/storage-service/).
+
+#### Example
+
+When mounting the `lets-encrypt` storage volume to `/etc/letsencrypt` in another container, then production certificates and keys are located at:
+
+- `/etc/letsencrypt/production/certs//fullchain.pem`
+- `/etc/letsencrypt/production/certs//privkey.pem`
+
+where `` is the name of the certificate sanitized to consist of only the following characters: `[a-zA-Z0-9-_.]`.
+
+### Provider specific usage
+
+#### AWS Route 53
+
+The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
+Replace `` with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:GetChange",
+ "route53:ListHostedZonesByName"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/"
+ ]
+ }
+ ]
+}
+```
+
+#### OVH
+
+First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:
+
+- `Account ID`: Your OVH account ID
+- `Password`: Your password
+- `Script name`: letsencrypt
+- `Script description`: Letsencrypt for Rancher
+- `Validity`: Unlimited
+- `Rights`:
+ - GET /domain/zone/*
+ - POST /domain/zone/*
+ - DELETE /domain/zone/*
+
+Then deploy this service using the generated key, application secret and consumer key.
+
+#### HTTP
+
+If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
+Simply choose `HTTP` from the list of providers.
+Then make sure that HTTP requests to `domain.com/.well-known/acme-challenge` are forwarded to the `rancher-letsencrypt` service, e.g. by configuring a Rancher load balancer accordingly.
+
+### Suggestions & bug reports
+Please submit suggestions or any issues you find to the [rancher-letsencrypt](https://github.com/janeczku/rancher-letsencrypt) GitHub repo.
\ No newline at end of file
diff --git a/templates/letsencrypt/3/docker-compose.yml b/templates/letsencrypt/3/docker-compose.yml
new file mode 100644
index 0000000..6381aff
--- /dev/null
+++ b/templates/letsencrypt/3/docker-compose.yml
@@ -0,0 +1,36 @@
+version: '2'
+services:
+ letsencrypt:
+ image: janeczku/rancher-letsencrypt:v0.4.0
+ environment:
+ EULA: ${EULA}
+ API_VERSION: ${API_VERSION}
+ CERT_NAME: ${CERT_NAME}
+ EMAIL: ${EMAIL}
+ DOMAINS: ${DOMAINS}
+ PUBLIC_KEY_TYPE: ${PUBLIC_KEY_TYPE}
+ RENEWAL_TIME: ${RENEWAL_TIME}
+ PROVIDER: ${PROVIDER}
+ CLOUDFLARE_EMAIL: ${CLOUDFLARE_EMAIL}
+ CLOUDFLARE_KEY: ${CLOUDFLARE_KEY}
+ DO_ACCESS_TOKEN: ${DO_ACCESS_TOKEN}
+ AWS_ACCESS_KEY: ${AWS_ACCESS_KEY}
+ AWS_SECRET_KEY: ${AWS_SECRET_KEY}
+ DNSIMPLE_EMAIL: ${DNSIMPLE_EMAIL}
+ DNSIMPLE_KEY: ${DNSIMPLE_KEY}
+ DYN_CUSTOMER_NAME: ${DYN_CUSTOMER_NAME}
+ DYN_USER_NAME: ${DYN_USER_NAME}
+ DYN_PASSWORD: ${DYN_PASSWORD}
+ VULTR_API_KEY: ${VULTR_API_KEY}
+ OVH_APPLICATION_KEY: ${OVH_APPLICATION_KEY}
+ OVH_APPLICATION_SECRET: ${OVH_APPLICATION_SECRET}
+ OVH_CONSUMER_KEY: ${OVH_CONSUMER_KEY}
+ GANDI_API_KEY: ${GANDI_API_KEY}
+ volumes:
+ - lets-encrypt:/etc/letsencrypt
+ labels:
+ io.rancher.container.create_agent: 'true'
+ io.rancher.container.agent.role: 'environment'
+volumes:
+ lets-encrypt:
+ driver: ${STORAGE_DRIVER}
diff --git a/templates/letsencrypt/3/rancher-compose.yml b/templates/letsencrypt/3/rancher-compose.yml
new file mode 100644
index 0000000..6df1e15
--- /dev/null
+++ b/templates/letsencrypt/3/rancher-compose.yml
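Review bot: The `io.rancher.container.create_agent: 'true'` / `io.rancher.container.agent.role: 'environment'` labels give the container environment-scoped Rancher API credentials, and nothing in the file says why it needs them; a comment such as `# environment-scoped API access: the service writes certificates to the Rancher certificate store and updates load balancers` would make the privilege visible to whoever audits the stack. Likewise the provider secrets (`AWS_SECRET_KEY`, `DYN_PASSWORD`, `OVH_APPLICATION_SECRET`, `CLOUDFLARE_KEY`, …) are passed as plain environment variables, so they are readable through container inspection and the Rancher API by anyone with access to the environment; the README's Route 53 section already asks for a minimal IAM policy, and a sentence there about where the other credentials end up would complement it. If the `${VAR}` substitution is applied to the file text rather than to the parsed values, an unquoted `EULA: ${EULA}` would also turn the `Yes`/`No` answers into YAML booleans, so quoting the templated scalars (`EULA: "${EULA}"`) is the safer form in either case.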
@@ -0,0 +1,163 @@
+.catalog:
+ name: Let's Encrypt
+ version: 0.4.0
+ description: Trusted SSL certificates at zero cost
+ minimum_rancher_version: v1.2.0-pre4-rc1
+ questions:
+ - variable: EULA
+ label: I Agree to the Let's Encrypt TOS
+ description: |
+ Read https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
+ required: true
+ type: enum
+ options:
+ - "Yes"
+ - "No"
+ - variable: API_VERSION
+ label: Let's Encrypt API Version
+ description: |
+ Select the API version used for issuing the certificate.
+ Use `Sandbox` for testing only.
+ required: true
+ type: enum
+ default: Production
+ options:
+ - Production
+ - Sandbox
+ - variable: EMAIL
+ label: Your Email Address
+ description: |
+ Enter the email address to use for creating the Let's Encrypt account.
+ required: true
+ type: string
+ - variable: CERT_NAME
+ label: Certificate Name
+ description: |
+ Name for storing the certificate in the Rancher API and in volumes.
+ Any existing certificate by that name will be updated.
+ required: true
+ type: string
+ - variable: DOMAINS
+ label: Domain Names
+ description: |
+ Comma delimited list of the certificate domains starting with the Common Name.
+ E.g: `example.com, dev.example.com`.
+ required: true
+ type: string
+ - variable: PUBLIC_KEY_TYPE
+ label: Public Key Algorithm
+ description: |
+ Select one of the available key types.
+ required: true
+ type: enum
+ default: RSA-2048
+ options:
+ - RSA-2048
+ - RSA-4096
+ - RSA-8192
+ - ECDSA-256
+ - ECDSA-384
+ - variable: RENEWAL_TIME
+ label: Renewal Time of Day (00-23)
+ description: |
+ Set the time of day (UTC in hours) at which certificate renewals should be run.
+ default: 12
+ required: true
+ type: int
+ - variable: STORAGE_DRIVER
+ label: Volume Storage Driver (Optional)
+ description: |
+ If you enter the name of an existing storage driver (see `Infrastructure -> Storage`) then a stack scoped storage volume named `lets-encrypt`
+ will be created or used to store account data, certificates and private keys.
+ required: false
+ type: string
+ - variable: PROVIDER
+ label: Domain Validation Method
+ description: Select a DNS provider to use for domain validation. Use 'HTTP' if DNS for the domain is not hosted with any of the providers.
+ required: true
+ type: enum
+ options:
+ - CloudFlare
+ - DigitalOcean
+ - DNSimple
+ - Dyn
+ - Gandi
+ - HTTP
+ - Ovh
+ - Route53
+ - Vultr
+ - variable: AWS_ACCESS_KEY
+ label: AWS Route53 Access Key Id
+ description: Enter the Access Key Id for your AWS account.
+ type: string
+ required: false
+ - variable: AWS_SECRET_KEY
+ label: AWS Route53 Secret Access Key
+ description: Enter the Secret Access Key for your AWS account.
+ type: string
+ required: false
+ - variable: CLOUDFLARE_EMAIL
+ label: CloudFlare Email Address
+ description: Enter the email address associated with your CloudFlare account.
+ type: string
+ required: false
+ - variable: CLOUDFLARE_KEY
+ label: CloudFlare API Key
+ description: Enter the Global API Key for your CloudFlare account.
+ type: string
+ required: false
+ - variable: DO_ACCESS_TOKEN
+ label: DigitalOcean API Access Token
+ description: Enter the Personal Access Token for your DigitalOcean account.
+ type: string
+ required: false
+ - variable: DNSIMPLE_EMAIL
+ label: DNSimple Email Address
+ description: Enter the email address associated with your DNSimple account.
+ type: string
+ required: false
+ - variable: DNSIMPLE_KEY
+ label: DNSimple API Key
+ description: Enter your DNSimple API key.
+ type: string
+ required: false
+ - variable: DYN_CUSTOMER_NAME
+ label: Dyn Customer Name
+ description: Enter your Dyn customer name.
+ type: string
+ required: false
+ - variable: DYN_USER_NAME
+ label: Dyn User Name
+ description: Enter your Dyn user name.
+ type: string
+ required: false
+ - variable: DYN_PASSWORD
+ label: Dyn Password
+ description: Enter your Dyn password.
+ type: string
+ required: false
+ - variable: GANDI_API_KEY
+ label: Gandi API Key
+ description: Enter the API key for your Gandi account.
+ type: string
+ required: false
+ - variable: OVH_APPLICATION_KEY
+ label: OVH Application Key
+ description: Enter your OVH application key.
+ type: string
+ required: false
+ - variable: OVH_APPLICATION_SECRET
+ label: OVH Application Secret
+ description: Enter your OVH application secret.
+ type: string
+ required: false
+ - variable: OVH_CONSUMER_KEY
+ label: OVH Consumer Key
+ description: Enter your OVH consumer key.
+ type: string
+ required: false
+ - variable: VULTR_API_KEY
+ label: Vultr API Key
+ description: Enter the API key for your Vultr account.
+ type: string
+ required: false
diff --git a/templates/letsencrypt/config.yml b/templates/letsencrypt/config.yml
index baea8fb..a763cd4 100644
--- a/templates/letsencrypt/config.yml
+++ b/templates/letsencrypt/config.yml
@@ -1,7 +1,7 @@
 name: Let's Encrypt
 description: |
 Trusted SSL certificates at zero cost
-version: 0.3.0
+version: 0.4.0
 category: Security
 maintainer: Jan Bruder
 license: The MIT License
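Review bot: Every credential question in this file — `AWS_SECRET_KEY`, `CLOUDFLARE_KEY`, `DO_ACCESS_TOKEN`, `DNSIMPLE_KEY`, `DYN_PASSWORD`, `GANDI_API_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` and `VULTR_API_KEY` — is declared `type: string`, so the catalog form shows the secret in clear text while it is typed and whenever the stack's answers are reviewed later. Rancher's question schema has a `password` type for this; changing those nine entries to `type: password` is a one-line edit each and should not change how the value reaches the container. `RENEWAL_TIME` is labelled `(00-23)` but is an unconstrained `type: int`, so the form accepts values outside that range and leaves validation to the service; if the question schema in the targeted Rancher version supports `min: 0` and `max: 23`, they belong on this question. The `EULA` enum's `"Yes"`/`"No"` options are correctly quoted — unquoted they would be read as YAML booleans — and having no default forces an explicit acceptance, which is the right shape for this question.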