• info@bizmate.biz

Author Archive

LetsEncrypt ACMEv2 SSL certificate provisioning in Rancher 1.6 – legacy

Preface

Rancher 1.6 allows the use of the old/legacy Cattle engine and if you are still using this old version of Rancher you should probably consider upgrading or using another orchestrator if you do not want to use Kubernetes as Rancher does not support Cattle or Docker Swarm alike simpler solutions.

LetsEncrypt on Rancher 1.6 using ACME v2

Provisioning SSL certs on Rancher 1.6 and previous was possible by deploying a service with image janeczku/rancher-letsencrypt:v0.5.0 and provide the correct configuration.

This solution was using the LetsEncrypt ACME v1 API and as this API is not deprecated you will see errors such as

31/07/2021 16:28:42time="2021-07-31T15:28:42Z" level=info msg="Starting Let's Encrypt Certificate Manager v0.5.0 0913231"
31/07/2021 16:28:42time="2021-07-31T15:28:42Z" level=fatal msg="LetsEncrypt client: Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory': acme: Error 403 - urn:acme:error:serverInternal - ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27 for more information."

.

There is an alternative to this solution by just using a different image that is implementing the ACMEv2 integration with LetEncrypt.

To deploy the new solution use these steps or follow the description below:

  1. Create a new service (not from the catalogue), give it a name such as MyDomainLetsEncrypt. and use the image vxcontrol/rancher-letsencrypt:v1.0.0
  2. Add these volumes making sure the volumes used for the certificate is the one used to indeed to load the certificates in Rancher
    1. /var/lib/rancher:/var/lib/rancher
    2. MyCertificatesNamedVolume:/etc/letsencrypt Рnotice that the name of the volume depends on your current setup.
  3. In the “Command” tab, set the “Console” option to none
  4. In the “Labels” tab, create the following 2 labels:
    io.rancher.container.agent.role=environment
    io.rancher.container.create_agent=true
  5. Copy the environment variables template below, add your domain and email values. Then click to add an Environment Variable, and paste the whole block into the first “Variable” input field. All the environment variables will be added
    API_VERSION=Production
    AURORA_ENDPOINT=
    AURORA_KEY=
    AURORA_USER_ID=
    AWS_ACCESS_KEY=
    AWS_SECRET_KEY=
    AZURE_CLIENT_ID=
    AZURE_CLIENT_SECRET=
    AZURE_RESOURCE_GROUP=
    AZURE_SUBSCRIPTION_ID=
    AZURE_TENANT_ID=
    CERT_NAME=**ENTER DOMAIN NAME**
    CLOUDFLARE_EMAIL=
    CLOUDFLARE_KEY=
    DNSIMPLE_EMAIL=
    DNSIMPLE_KEY=
    DNS_RESOLVERS=8.8.8.8:53,8.8.4.4:53
    DOMAINS=**ENTER DOMAIN NAME**
    DO_ACCESS_TOKEN=
    DYN_CUSTOMER_NAME=
    DYN_PASSWORD=
    DYN_USER_NAME=
    EMAIL=**ENTER YOUR EMAIL**
    EULA=Yes
    GANDI_API_KEY=
    NS1_API_KEY=
    OVH_APPLICATION_KEY=
    OVH_APPLICATION_SECRET=
    OVH_CONSUMER_KEY=
    PROVIDER=HTTP
    PUBLIC_KEY_TYPE=RSA-2048
    RENEWAL_PERIOD_DAYS=20
    RENEWAL_TIME=12
    RUN_ONCE=false
    VULTR_API_KEY=
  6. Create the service, once the service is created and running correctly you will see it is producing logs such as
    31/07/2021 17:31:08time="2021-07-31T16:31:08Z" level=info msg="Starting Let's Encrypt Certificate Manager v1.0.0 eb89fad"
    31/07/2021 17:31:08time="2021-07-31T16:31:08Z" level=info msg="Generating private key (2048) for myemail@mydomain.com."
    31/07/2021 17:31:09time="2021-07-31T16:31:09Z" level=info msg="Creating Let's Encrypt account for myemail@mydomain.com"
    31/07/2021 17:31:10time="2021-07-31T16:31:10Z" level=info msg="Using Let's Encrypt Production API"
  7. You can now map the load balancer to redirect calls to port 80 , yourdomain.com and PATH /.well-known/acme-challenge to the service you created above so that it can indeed handle the SSL certificate generation.
  8. Once the certificate is generated do map it on port 443 of your domain load balancer service for the same domain.

I hope the above is helpful but do feel free to contact us if you have any feedback or questions.

 

 

bizmatewp_bw5mow