You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+9-13Lines changed: 9 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@
14
14
A [Rancher](http://rancher.com/rancher/) service that obtains free SSL/TLS certificates from the [Let's Encrypt CA](https://letsencrypt.org/), adds them to Rancher's certificate store and manages renewal and propagation of updated certificates to load balancers.
15
15
16
16
#### Requirements
17
-
* Rancher Server >= v1.2.0
17
+
* Rancher Server >= v1.5.0
18
18
* If using a DNS-based challenge, existing account with one of the supported DNS providers:
19
19
*`Aurora DNS`
20
20
*`AWS Route 53`
@@ -28,7 +28,7 @@ A [Rancher](http://rancher.com/rancher/) service that obtains free SSL/TLS certi
28
28
*`Ovh`
29
29
*`Vultr`
30
30
31
-
* If using the HTTP challenge, a proxy that routes `example.com/.well-known/acme-challenge` to `rancher-letsencrypt`.
31
+
* If using the HTTP challenge, a reverse proxy that routes `example.com/.well-known/acme-challenge` to `rancher-letsencrypt`.
32
32
33
33
### How to use
34
34
@@ -39,23 +39,19 @@ Then locate the `Let's Encrypt` template in the Catalog section of the UI and fo
39
39
40
40
### Storing certificate in shared storage volume
41
41
42
-
By default the created SSL certificate is stored in Rancherfor usage in load balancers.
42
+
By default the created SSL certificate is stored in Rancher's certificate store for usage in Rancher load balancers.
43
43
44
-
If you specify an existing volume storage driver (e.g. rancher-nfs) then the account data, certificate and private key will be stored in a stack scoped volume named `lets-encrypt`, allowing you to access them from other services in the same stack. See the [Storage Service documentation](https://docs.rancher.com/rancher/v1.3/en/rancher-services/storage-service/).
44
+
You can specify a volume name to store account data, certificate and private key in a (host scoped) named Docker volume.
45
+
To share the certificates with other services you may specify a persistent storage driver (e.g. rancher-nfs).
45
46
46
-
#### Example
47
-
48
-
When mounting the `lets-encrypt` storage volume to `/etc/letsencrypt` in another container, then production certificates and keys are located at:
where `<certificate name>` is the name of the certificate sanitized to consist of only the following characters: `[a-zA-Z0-9-_.]`.
47
+
See the README in the Rancher catalog for more information.
54
48
55
49
### Provider specific usage
56
50
57
51
#### AWS Route 53
58
52
53
+
Note: If you have both a private and public zone in Route53 for the domain, you need to run the service configured with public DNS resolvers (this is now the default).
54
+
59
55
The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
60
56
Replace `<HOSTED_ZONE_ID>` with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
61
57
@@ -106,7 +102,7 @@ Then deploy this service using the generated key, application secret and consume
106
102
107
103
If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
108
104
Simply choose `HTTP` from the list of providers.
109
-
Then make sure that HTTP requests to `domain.com/.well-known/acme-challenge` are forwarded to the `rancher-letsencrypt` service, e.g. by configuring a Rancher load balancer accordingly.
105
+
Then make sure that HTTP requests to `domain.com/.well-known/acme-challenge` are forwarded to port 80 of the `rancher-letsencrypt` service, e.g. by configuring a Rancher load balancer accordingly. If you are using another reverse proxy (e.g. Nginx) you need to make sure it passed the original `host` header through to the backend.
0 commit comments