flywithu/community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

letsencrypt v0.4.0 (#410)

Browse Source 
* Update letsencrypt template to v0.4.0 (1)

* Update letsencrypt template to v0.4.0 (2)
This commit is contained in:
Jan B 2017-02-02 21:57:36 +01:00 committed by Hussein Galal
parent d4f83acad5
commit 78e773aa46
4 changed files with 286 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
templates/letsencrypt/3/README.md Normal file
View File

@ -0,0 +1,86 @@
# Let's Encrypt Certificate Manager
### About
The Let's Encrypt Certificate Manager obtains a free (SAN) SSL Certificate from the [Let's Encrypt CA](https://letsencrypt.org/) and adds it to Rancher's certificate store. Once the certificate is created it is scheduled for automatic renewal 20-days before expiration. Rancher load balancer services are automatically updated to use the renewed certificate.
### Usage
1. Accept the terms of service.
2. Select the API version to use. The Sandbox API should be used for testing purposes.
3. Fill in your email address.
4. Enter the name used for storing the certificate in Rancher and volumes. Any existing certificate by that name will be updated.
5. Enter one or more domain names. The first domain will be used as the Common Name property of the certificate.
6. Fill in the required credentials for the chosen provider. Note provider specific usage notes below.
If you want the certificate to be automatically renewed, leave the service running. Otherwise you may remove the service once the certificate has appeared in Rancher's certificate store.
### Using persistent storage volume
If you specify an existing volume storage driver (e.g. rancher-nfs) then the account data, certificate and private key will be stored in a stack scoped volume named `lets-encrypt`, allowing you to access them from other services in the same stack. See the [Storage Service documentation](https://docs.rancher.com/rancher/v1.3/en/rancher-services/storage-service/).
#### Example
When mounting the `lets-encrypt` storage volume to `/etc/letsencrypt` in another container, then production certificates and keys are located at:
- `/etc/letsencrypt/production/certs/<certificate name>/fullchain.pem`
- `/etc/letsencrypt/production/certs/<certificate name>/privkey.pem`
where `<certificate name>` is the name of the certificate sanitized to consist of only the following characters: `[a-zA-Z0-9-_.]`.
### Provider specific usage
#### AWS Route 53
The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
Replace `<HOSTED_ZONE_ID>` with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
]
}
]
}
```
#### OVH
First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:
- `Account ID`: Your OVH account ID
- `Password`: Your password
- `Script name`: letsencrypt
- `Script description`: Letsencrypt for Rancher
- `Validity`: Unlimited
- `Rights`:
- GET /domain/zone/*
- POST /domain/zone/*
- DELETE /domain/zone/*
Then deploy this service using the generated key, application secret and consumer key.
#### HTTP
If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
Simply choose `HTTP` from the list of providers.
Then make sure that HTTP requests to `domain.com/.well-known/acme-challenge` are forwarded to the `rancher-letsencrypt` service, e.g. by configuring a Rancher load balancer accordingly.
### Suggestions & bug reports
Please submit suggestions or any issues you find to the [rancher-letsencrypt](https://github.com/janeczku/rancher-letsencrypt) GitHub repo.

36
templates/letsencrypt/3/docker-compose.yml Normal file
View File

@ -0,0 +1,36 @@
version: '2'
services:
letsencrypt:
image: janeczku/rancher-letsencrypt:v0.4.0
environment:
EULA: ${EULA}
API_VERSION: ${API_VERSION}
CERT_NAME: ${CERT_NAME}
EMAIL: ${EMAIL}
DOMAINS: ${DOMAINS}
PUBLIC_KEY_TYPE: ${PUBLIC_KEY_TYPE}
RENEWAL_TIME: ${RENEWAL_TIME}
PROVIDER: ${PROVIDER}
CLOUDFLARE_EMAIL: ${CLOUDFLARE_EMAIL}
CLOUDFLARE_KEY: ${CLOUDFLARE_KEY}
DO_ACCESS_TOKEN: ${DO_ACCESS_TOKEN}
AWS_ACCESS_KEY: ${AWS_ACCESS_KEY}
AWS_SECRET_KEY: ${AWS_SECRET_KEY}
DNSIMPLE_EMAIL: ${DNSIMPLE_EMAIL}
DNSIMPLE_KEY: ${DNSIMPLE_KEY}
DYN_CUSTOMER_NAME: ${DYN_CUSTOMER_NAME}
DYN_USER_NAME: ${DYN_USER_NAME}
DYN_PASSWORD: ${DYN_PASSWORD}
VULTR_API_KEY: ${VULTR_API_KEY}
OVH_APPLICATION_KEY: ${OVH_APPLICATION_KEY}
OVH_APPLICATION_SECRET: ${OVH_APPLICATION_SECRET}
OVH_CONSUMER_KEY: ${OVH_CONSUMER_KEY}
GANDI_API_KEY: ${GANDI_API_KEY}
volumes:
- lets-encrypt:/etc/letsencrypt
labels:
io.rancher.container.create_agent: 'true'
io.rancher.container.agent.role: 'environment'
volumes:
lets-encrypt:
driver: ${STORAGE_DRIVER}

163
templates/letsencrypt/3/rancher-compose.yml Normal file
View File

@ -0,0 +1,163 @@
.catalog:
name: Let's Encrypt
version: 0.4.0
description: Trusted SSL certificates at zero cost
minimum_rancher_version: v1.2.0-pre4-rc1
questions:
- variable: EULA
label: I Agree to the Let's Encrypt TOS
description: |
Read https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
required: true
type: enum
options:
- "Yes"
- "No"
- variable: API_VERSION
label: Let's Encrypt API Version
description: |
Select the API version used for issuing the certificate.
Use `Sandbox` for testing only.
required: true
type: enum
default: Production
options:
- Production
- Sandbox
- variable: EMAIL
label: Your Email Address
description: |
Enter the email address to use for creating the Let's Encrypt account.
required: true
type: string
- variable: CERT_NAME
label: Certificate Name
description: |
Name for storing the certificate in the Rancher API and in volumes.
Any existing certificate by that name will be updated.
required: true
type: string
- variable: DOMAINS
label: Domain Names
description: |
Comma delimited list of the certificate domains starting with the Common Name.
E.g: `example.com, dev.example.com`.
required: true
type: string
- variable: PUBLIC_KEY_TYPE
label: Public Key Algorithm
description: |
Select one of the available key types.
required: true
type: enum
default: RSA-2048
options:
- RSA-2048
- RSA-4096
- RSA-8192
- ECDSA-256
- ECDSA-384
- variable: RENEWAL_TIME
label: Renewal Time of Day (00-23)
description: |
Set the time of day (UTC in hours) at which certificate renewals should be run.
default: 12
required: true
type: int
- variable: STORAGE_DRIVER
label: Volume Storage Driver (Optional)
description: |
If you enter the name of an existing storage driver (see `Infrastructure -> Storage`) then a stack scoped storage volume named `lets-encrypt`
will be created or used to store account data, certificates and private keys.
required: false
type: string
- variable: PROVIDER
label: Domain Validation Method
description: Select a DNS provider to use for domain validation. Use 'HTTP' if DNS for the domain is not hosted with any of the providers.
required: true
type: enum
options:
- CloudFlare
- DigitalOcean
- DNSimple
- Dyn
- Gandi
- HTTP
- Ovh
- Route53
- Vultr
- variable: AWS_ACCESS_KEY
label: AWS Route53 Access Key Id
description: Enter the Access Key Id for your AWS account.
type: string
required: false
- variable: AWS_SECRET_KEY
label: AWS Route53 Secret Access Key
description: Enter the Secret Access Key for your AWS account.
type: string
required: false
- variable: CLOUDFLARE_EMAIL
label: CloudFlare Email Address
description: Enter the email address associated with your CloudFlare account.
type: string
required: false
- variable: CLOUDFLARE_KEY
label: CloudFlare API Key
description: Enter the Global API Key for your CloudFlare account.
type: string
required: false
- variable: DO_ACCESS_TOKEN
label: DigitalOcean API Access Token
description: Enter the Personal Access Token for your DigitalOcean account.
type: string
required: false
- variable: DNSIMPLE_EMAIL
label: DNSimple Email Address
description: Enter the email address associated with your DNSimple account.
type: string
required: false
- variable: DNSIMPLE_KEY
label: DNSimple API Key
description: Enter your DNSimple API key.
type: string
required: false
- variable: DYN_CUSTOMER_NAME
label: Dyn Customer Name
description: Enter your Dyn customer name.
type: string
required: false
- variable: DYN_USER_NAME
label: Dyn User Name
description: Enter your Dyn user name.
type: string
required: false
- variable: DYN_PASSWORD
label: Dyn Password
description: Enter your Dyn password.
type: string
required: false
- variable: GANDI_API_KEY
label: Gandi API Key
description: Enter the API key for your Gandi account.
type: string
required: false
- variable: OVH_APPLICATION_KEY
label: OVH Application Key
description: Enter your OVH application key.
type: string
required: false
- variable: OVH_APPLICATION_SECRET
label: OVH Application Secret
description: Enter your OVH application secret.
type: string
required: false
- variable: OVH_CONSUMER_KEY
label: OVH Consumer Key
description: Enter your OVH consumer key.
type: string
required: false
- variable: VULTR_API_KEY
label: Vultr API Key
description: Enter the API key for your Vultr account.
type: string
required: false

2
templates/letsencrypt/config.yml
View File

@ -1,7 +1,7 @@
name: Let's Encrypt
description: |
Trusted SSL certificates at zero cost
version: 0.3.0
version: 0.4.0
category: Security
maintainer: Jan Bruder <jan@rancher.com>
license: The MIT License