Hi, I'm getting the following error in Rancher.

26-5-2016` 12:41:38level=info msg="Starting Let's Encrypt Certificate Manager v0.2.7 5dbb48c"
26-5-2016 12:41:48level=fatal msg="LetsEncrypt client: Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get \"https://acme-v01.api.letsencrypt.org/directory\": Get https://acme-v01.api.letsencrypt.org/directory: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"

After which the rancher stack restarts. I'm using CloudFlare DNS. No stale _acme-challenge records are set. The error is present in v0.2.9 and v0.2.5 as well. Any known solution for this problem?

If you try to add a new domain to an existing certificate it is not detected it so no new certificate is issued. It still finds the certificate in the store and on rancher, so the result is a nop rather than the error about not managing an existing certificate.

I tried to use your letsencrypt stack. but I ran into a problem : I don't use one of the supported DNS provider.

But sending the certificate to the provider is only useful if the DNS provider provide a reverse-proxy services (like Cloudflare), and thus should be optional, allowing the user to use the stack more easily.

Would it be possible?

The token that needs to be supplied while installing is the Domain Token. There are three different tokens you can get at dnsimple.com for your account and/or domain. Please update the field's description to reflect this.

I've been using jwilder/nginx-proxy for a couple of months now and had a great experience. However, it doesn't really work nicely with the Rancher load balancer service.

This is why I've switched to rancher-letsencrypt, which is amazing too. However, it's unusable for all the services we deploy at work. This is because I don't have access to the DNS records for the domains.

Luckily, there's multiple challenges available in the ACME standard, one of which is the simple HTTP challenge. This is how I've created certificates for our work domains using jwilder/nginx-proxy.

Now it would be great if rancher-letsencrypt had the option to use the HTTP-based challange instead of the DNS-based. Would that be possible?

hi, i'm using digitalocean dns provider, after offering newly-generated token from digitalocean.com, i got error logs from rancher:
Error presenting token: HTTP 403: forbidden: You do not have access for the attempted action

Is there any help? Thanks!

Just started having it fail to obtain certificates with CloudFlare DNS.

4/24/2016 1:54:14 PMlevel=info msg="Starting Let's Encrypt Certificate Manager v0.2.8 5d5d280"
4/24/2016 1:54:14 PMlevel=info msg="Using locally stored Let's Encrypt account for colton@*****"
4/24/2016 1:54:14 PMlevel=info msg="Trying to obtain SSL certificate for ..."
4/24/2016 1:57:22 PMlevel=error msg="[****] Error obtaining certificate: acme: Error 400 - urn:acme:error:malformed - Unable to update challenge :: Response does not complete challenge"

There was a recent change to crackcomm/cloudflare#4 that has broken compatibility with other Rancher Go-based components. This may be the cause of the issue I'm seeing.

Hello ,

I am using rancher v1.1.3 and docker v1.8 .
I tried to configure your producat to work with Namecheap and get the error:
level=info msg="Starting Let's Encrypt Certificate Manager v0.3.0 f8965f6"
level=info msg="Generating private key (2048) for [email protected]."
level=info msg="Creating Let's Encrypt account for [email protected]"
level=fatal msg="LetsEncrypt client: Could not set DNS provider: Unsupported DNS provider: Namecheap"

Best Regards

Are there plans for supporting PowerDNS? Lego seems to support it already.

Hi there, not sure if i can be done or if it's worth it, but do you have any plans to create multiple certificates instead of having one with multiple hostnames?
I think it could be useful for big projects where a company would like to not expose other services domains in the certificate.

I imagine having the same comma-separated list of domains but instead of having everything in a certificate, use the certificate field as a prefix for the new certificates it's going to create

Have no problems at storing certificates on data volume containers inside host, but I'm not able to make it work with rancher-nfs and digitalocean block volume.

I attach the volume to rancher server host and spin up the rancher driver on agent host giving the ip of my rancher server and /mnt/volume-name as mount point.

The volume becomes available, but I'm not able to tell letsencrypt to use it.

When i upgrade the rancher-letsencrypt node and the certificate already exists, I get the following behavior:

31.1.2017 09:42:17level=info msg="Starting Let's Encrypt Certificate Manager v0.4.0 3c41d73"
31.1.2017 09:42:17level=info msg="Generating private key (P384) for user@domain."
31.1.2017 09:42:18level=info msg="Creating Let's Encrypt account for user@domain"
31.1.2017 09:42:18level=info msg="Using Let's Encrypt Production API"
31.1.2017 09:42:18level=info msg="Found locally stored certificate 'domain'"
31.1.2017 09:42:18level=info msg="Found existing certificate 'domain' in Rancher"
31.1.2017 09:42:18level=info msg="Managing renewal of certificate 'domain'"
31.1.2017 09:42:18level=info msg="Certificate renewal scheduled for 2017/03/19 21:00 UTC"

This looks fine, however my certificate is actually expiring on 2017/03/10. Is this a bug or wanted behavior? I definitely do not think it's a great UX...

Hello janeczku,

Thank you for your great work. Do you have an estimate when there will be an update for the community catalog? It is now at 0.2.7

After setting up Let's encrypt with the options to save to a folder, the certificate is generated and seems to work with NGINX. However the files that are generated and placed in the certs folder are:

• fullchain.pem
• metadata.json
• privkey.pem

I expected that there would be a domain.crt file as well that contains the actual domain certificate. Am I missing something? I would like to use the certificates for a server that is outside of rancher.

How would you update the certificates retrieved, e.g. adding a subdomain? Would you create a new services for that, or remove the old stack and redo it with the addition domain?

This issue is a request for support for NSOne as a DNS provider. Lego already seems to contain support so hopefully this should be relatively easy.

Thanks for this epic service!

When there are multiple Hosted Zones, rancher-letsencrypt does not use the right enclosing zone in Route53. Instead it seems to pick the first one in the list or maybe there is a bug in the algorithm that tries to find the enclosing Hosted Zone. This results in a failure like below (I've changed the actual domain names).

7/19/2016 3:36:27 PMlevel=info msg="Starting Let's Encrypt Certificate Manager v0.3.0 f8965f6"
7/19/2016 3:36:30 PMlevel=info msg="Using locally stored Let's Encrypt account for ****@gmail.com"
7/19/2016 3:36:30 PMlevel=info msg="Trying to obtain SSL certificate (foo.bar.foo.com) from Let's Encrypt CA"
7/19/2016 3:36:31 PMlevel=error msg="[foo.bar.foo.com] Error obtaining certificate: Error presenting token: Failed to change Route 53 record set: InvalidChangeBatch: RRSet with DNS name _acme-challenge.foo.bar.foo.com. is not permitted in zone notfoo.notfoo.com.\n\tstatus code: 400, request id: cd6a6547-4db5-11e6-a875-bf12718e75ac"

What would be involved in adding support for an additional DNS provider? Specifically, I would like to see support added the DYN Managed DNS platform.

API Reference: https://help.dyn.com/dns-api-knowledge-base/

I am beginning to see these error messages

April 4, 2016 8:31:41 AM GMT+7level=info msg="Starting Let's Encrypt Certificate Manager v0.2.5 a31b992"
April 4, 2016 8:31:51 AM GMT+7level=fatal msg="Rancher client: Get https://my.rancher.api.host/v1: net/http: request canceled (Client.Timeout exceeded while awaiting headers)"

Before that rancher-letsencrypt has been working normally for me. What could be the reason for the error?

Looks like work has already begun? I can help out on this but I would need some time because I'm new to Rancher.

After upgraded to v0.4.0 and tryed to use rancher-ebs storage, i got this error message :

Upgrading (Failed to allocate instance [container:1i8153]: Bad instance [container:1i8153] in state [error]: Error response from daemon: create letsencrypt_lets-encrypt_2bf09: VolumeDriver.Create: size is required)

Is there a way to pass a volumedriver option, or maybe target a already existing volume?

It says in the Rancher UI (and also got an email from Let's encrypt about it 10 days ago) that my certifcate will expire in 12 days, so my question is: how often are the certs renewed? Do I have to manually do something or will the renewal only run in like the last 3 days or something?

Hello,

I have multiple directories with multiple certs in my config, each folder is a domain, I want to keep all domains separated, so I ask if this container will update every directory with a cert and metadata or I must have a singe directory with a unique file with all certs.

Best regards,

Currently only the LB is able to use the LE generated certificates, however one might want to use the generated certificates in other contexts (such as nginx SSL termination).

According to a previously answered question it's currently possible to mount the volume holding the certificates however this is, according to the answer, not going to be possible in the future.

I'd very much appreciate if I could use one LE container for all my certificates and would therefore like to be able to get the certificates directly from this one container.

Trying to obtain a cert with the latest catalog version I'm unable to obtain a cert.

See some issues floating around as late as the last couple weeks that letsencrypt may have an issue (a note in 3rd week Jan, tought they had it fixed, note from last week suggests other users (of letsencrypt clients) are having this issue.

If you have a minute could you look into this? I'd really like to deploy a production service using rancher-letsencrypt (have one ready to go, production mode has it stopped)

Thanks!!!

Hi,

Will you update the Rancher Template to give access to the lastest change ?

Please see the thread here: https://community.letsencrypt.org/t/error-429-too-many-pending-authorizations/27273

I'm using the Route53 DNS method for challenge proof.

I'm not sure which side is broken here, but I'll leave my service stopped for a day and try to get some more preliminary logs.

Hi,
first thanks a lot for this module.

Sorry for the noob question but what's the purpose of using DNS providers ?
let's encrypt as itself doesn't use it if I don't get wrong ?

I want to know the way it works because my dns provider is ovh but my dns zone is managed by a private server.

Many thanks !

Hi there

I've just se tup a new rancher deployment, and Am currently trying to ge this letsencrypt stack working.

I simply added from the catalog, filled in the details (I'm using DNSimple) and launched. The service keeps restarting, and by using the docker logs command, I see the following lines, repeated over and over:

level=info msg="Starting Let's Encrypt Certificate Manager v0.2.7 5dbb48c"
level=info msg="Using locally stored Let's Encrypt account for [email protected]"
level=info msg="Trying to obtain SSL certificate for myhost.mydomain.uk"
level=error msg="[myhost.mydomain.uk] Error obtaining certificate: Error presenting token dns: domain must be fully qualified"

I was using a real domain which is already set up in DNSimple, but have obviously swapped it out for a placeholder there.

Any suggestions would be appreciated, thanks!

If I spawn a LE stack, it gets a certificate and stores it in the certificate store. If I then remove the stack and recreate it with the same settings, it will 'Found existing certificate 'cake' in Rancher' but still go out and grab a fresh one from LetsEncrypt.

For production usage, this isn't safe. I never want to pull a new certificate unnecessarily unless the previous one is about to expire (or maybe if I enable that functionality and in sandbox mode). If it's a worry about populating the local volume/directory with the certificate, we should pull the present one from the Certificate Store and save it.

Not entirely clear what permissions are required by this.

Hi,

Just a question on what happens when the certs are renewed and propagated to the load balancers. Will the load balancers restart or will all new connections just use the updated certs without any interruption? Im mainly using long running websocket connections.

Thank you :)

Regards,
Riaan

Hi,

When we install this container from rancher catalog, it's not possible to set env vars or setup needed config from GUI. Is it missing or i have missed something ?

Thx in advance.

References:

https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

https://www.huque.com/bin/gen_tlsa

Using the new 1.2.0 release, I've been doing some testing with this service and I've found the following:

1. Interaction with the Certificate Store still works perfectly.
2. Looking for Load Balancers does not work and doesn't have to anymore. The new LB automatically sees something changes and updates (see below).

Log from replacing a self-signed I loaded up with one day remaining.

12/13/2016 5:20:00 PMlevel=info msg="Starting Let's Encrypt Certificate Manager v0.3.0 f8965f6"
12/13/2016 5:20:00 PMlevel=info msg="Using locally stored Let's Encrypt account for [email protected]"
12/13/2016 5:20:00 PMlevel=info msg="Found locally stored certificate 'cake'"
12/13/2016 5:20:00 PMlevel=info msg="Found existing certificate 'cake' in Rancher"
12/13/2016 5:20:00 PMlevel=info msg="Serial number mismatch between Rancher and local certificate 'pypi'"
12/13/2016 5:20:01 PMlevel=info msg="Updated Rancher certificate 'cake'"
12/13/2016 5:20:01 PMlevel=info msg="Certificate is not being used by any load balancer"
12/13/2016 5:20:01 PMlevel=info msg="Certificate renewal scheduled for 2017/02/19 12:00 UTC"

From Vincent in IRC:

yes the new balancer reads metadata and sees something changes, so the letsencrypt template doesn't need to try and do that anymore

Additonally, I'd appreciate a bit more information in the log lines around things like using the sandbox server etc.. i.e.

Trying to obtain SSL certificate (domain.com) from Let's Encrypt CA Sandbox server

Add support for Linode DNS.

(AFAIK) Linode is one of the main competitors of DigitalOcean, they both have great and similar services and prices. It would be great to be able to use rancher-letsencrypt in Linode too.

Here's their API: https://www.linode.com/api/dns

Would be awesome if someone could implement namecheap support!

https://www.namecheap.com/support/api/intro.aspx

I create letsencrypt and add load balancer with https, but Cloudflare not redirect from http to https

Is there any plan to add Gandi as a DNS Provider ?

https://github.com/Gandi/letsencrypt-gandi
https://github.com/xenolf/lego/tree/master/providers/dns/gandi

Thanks !

The certificate generated expires in 90 days. I have the number 12 in the renewal_time options.

The current renewal time is 14 days, but letsencrypt sends out renewal notifications 19 days before expiration. I propose to change the renewal time to 20 days, so a user will receive these notifications only if something went wrong.

Hi,

I have an issue when creating a new certificate with dnsimple. It looks like the connection to dnsimple was successful. The TXT record was created.
But after that the connection to or from rancher is not working.
Do I have to publish the 53 DNS port of rancher. Or can you give me a hint whats wrong in my setup?

Here is my log output:

10/5/2016 1:36:26 PMlevel=info msg="Starting Let's Encrypt Certificate Manager v0.3.0 f8965f6"
10/5/2016 1:36:26 PMlevel=info msg="Using locally stored Let's Encrypt account for **@**"
10/5/2016 1:36:26 PMlevel=info msg="Trying to obtain SSL certificate (my.domain.com) from Let's Encrypt CA"
10/5/2016 1:37:31 PMlevel=error msg="[my.domain.com] Error obtaining certificate: Time limit exceeded. Last error: read udp 172.17.0.3:39687->83.222.134.149:53: read: connection refused"

The ip 83.222.134.149 has only a rancher-agent running not the server.
And there is no public 53 port on 83.222.134.149.

Rancher Server 1.1.4
Let's Encrypt 3.0.0

Maybe someone has a hint for me.
Thank you.

I just created a a new letsencrypt using the catalog, this is the configuration :

letsencrypt:
environment:
API_VERSION: Production
AWS_ACCESS_KEY: ''
AWS_SECRET_KEY: ''
CERT_NAME: *******************
CLOUDFLARE_EMAIL: ***************************
CLOUDFLARE_KEY: ****************************************
DNSIMPLE_EMAIL: ''
DNSIMPLE_KEY: ''
DOMAINS: *****************************
DO_ACCESS_TOKEN: ''
DYN_CUSTOMER_NAME: ''
DYN_PASSWORD: ''
DYN_USER_NAME: ''
EMAIL: *****************
EULA: 'Yes'
PROVIDER: CloudFlare
PUBLIC_KEY_TYPE: RSA-4096
RENEWAL_TIME: '12'
labels:
io.rancher.container.create_agent: 'true'
io.rancher.container.agent.role: environment
image: janeczku/rancher-letsencrypt:v0.3.0
volumes:

• /srv/docker/letsencrypt/production/certs:/etc/letsencrypt/production/certs

The problem is if I go in /srv/docker/letsencrypt/production/certs it's empty.

Note: I can still use the one for the rancher LB

I installed the letsenrypt service from the rancher catalog and did all the nessecary configuration. On startup, I get the following errormessage in the service:

Error obtaining certificate: Error presenting token: invalid character '<' looking for beginning of value"

I´ve entered my domain, that is registered and active in cloudflare and additionaly a subdomain and I get the errormessage for both domain names.

Hello!

My letsencrypt stopped working and I got the following error message:

Error saving certificate 'Production': Failed to read certificate expiry date: Pem decode did not yield a valid block. Is the certificate in the right format?

What is causing the issue and how can I fix it? I didn't change anything since the last renewal and back then, it worked perfectly.

Thank you very much.

This is the output of rancher-letsencrypt with -debug=1:

7/25/2016 11:04:21 PM[INFO][foo.com, bar.foo.com, biz.foo.com, baz.foo.com, boz.foo.com, qux.foo.com, qix.foo.com] acme: Obtaining bundled SAN certificate
7/25/2016 11:04:22 PM[INFO][foo.com] acme: Could not find solver for: http-01
7/25/2016 11:04:22 PM[INFO][foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:04:22 PM[INFO][foo.com] acme: Trying to solve DNS-01
7/25/2016 11:04:27 PM[INFO][foo.com] Checking DNS record propagation...
7/25/2016 11:04:33 PM[INFO][foo.com] The server validated our request
7/25/2016 11:04:37 PM[INFO][bar.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:04:40 PM[INFO][bar.foo.com] Checking DNS record propagation...
7/25/2016 11:04:47 PM[INFO][bar.foo.com] The server validated our request
7/25/2016 11:04:51 PM[INFO][biz.foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:04:51 PM[INFO][biz.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:04:54 PM[INFO][biz.foo.com] Checking DNS record propagation...
7/25/2016 11:06:59 PM[INFO][baz.foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:06:59 PM[INFO][baz.foo.com] acme: Could not find solver for: http-01
7/25/2016 11:06:59 PM[INFO][baz.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:07:02 PM[INFO][baz.foo.com] Checking DNS record propagation...
7/25/2016 11:09:07 PM[INFO][boz.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:09:09 PM[INFO][boz.foo.com] Checking DNS record propagation...
7/25/2016 11:11:12 PM[INFO][qux.foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:11:12 PM[INFO][qux.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:11:13 PM[INFO][qux.foo.com] Checking DNS record propagation...
7/25/2016 11:13:15 PM[INFO][qix.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:13:17 PM[INFO][qix.foo.com] Checking DNS record propagation...
7/25/2016 11:14:46 PM[INFO][qix.foo.com] The server validated our request
7/25/2016 11:14:48 PMlevel=error msg="[biz.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"
7/25/2016 11:14:48 PMlevel=error msg="[baz.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"
7/25/2016 11:14:48 PMlevel=error msg="[boz.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"
7/25/2016 11:14:48 PMlevel=error msg="[qux.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"

Any ideas on what's going on here?

How do i setup letsencrypt to accept my self signed cert to connect to Rancher API?

12/11/2016 18.08.22level=info msg="Starting Let's Encrypt Certificate Manager v0.3.0 f8965f6"
12/11/2016 18.08.37level=fatal msg="Could not connect to Rancher API: Get https://xxxxxxx: x509: certificate signed by unknown authority"

Support for OVH has recently been integrated in lego (go-acme/lego#233). I'd be happy to test it.

I'm wondering it there might already be a way to prevent this container from running after issuing a cert and instead call it as a "run once" container. Due to memory consumption when running a lot of these containers I'd prefer to call them using a cron like https://hub.docker.com/r/socialengine/rancher-cron/

In combination of a fixed issue #50 this would be a perfect solution.

Can we get support for azure dns?

https://azure.microsoft.com/en-us/services/dns/