Need to upgrade versions for certbot and acme.

Steps to reproduce:

1. Add cert from other Certificate Authority (Godaddy, Verisign)
2. Name cert in Rancher UI the same as domain used in Rancher-lets-encrypt (test.example.com)
3. Start Rancher-lets-encrypt service
4. RLE looks for certificate in Rancher API that matches hostname (test.example.com)
5. RLE finds cert, but it is not signed by LetsEncrypt CA, so it deletes the existing (test.example.com) certificate
6. RLE then provisions a Lets-encrypt certificate matching (test.example.com) and uploads it through the Rancher API.

Outcome:
Old certificate from CA other than Lets-Encrypt is overwritten.

Desired:
Any certificate that is named the same as hostname, but not signed by either "Staging" or "Production" Lets-encrypt CA should be ignored.

We should come up with a standard format for logging, so if someone wants to parse it, or just read it, it is easier to understand. Right now there are lots of print statements that dont have a particular format.

8/28/2017 12:16:21 PM Skipped user interaction because Certbot doesn't appear to be running in a terminal. You should probably include --non-interactive or --force-interactive on the command line.

This is just a warning generated from certbot. It should be fixed to force certbot to know it is not expecting user input due to the automated nature of the service.

Hello,

Is it suppose to automatically create a new certificate when a new path is add in the load balancer ?
(Almost the same way JrCs/docker-letsencrypt-nginx-proxy-companion do ? )
Or Am I wrong ? and domain must be add to environment variable in letsencrypt-nginx and restarted ? )

Regards,

The actual image certbot version is 0.13.0 and the current certbot version is 0.15.0. The certificates are not being issued because of this difference in versions, since acme protocol was changed from one version to the other.

Hi,

the service sounds great, but I can't get ist work easily with rancher web ui because of the env file. Would be great to see rancher-lets-encrypt at catalog or compatible for rancher ui usage.

Maybe it's worth to add support to Kubernetes, becouse Rancher 2 is on the horizont?

I've been using this in rancher for many years now without issue so I don't check it too often 😄 but I recently added a new domain to let's encrypt and noticed an odd error in my logs that could have been going on for a while now.

"Error creating new order :: too many certificates already issued for exact set of domains". Looks like I've indeed hit my limit of 5 duplicate certificates for each domain, strange?

Taking a quick peek at the logs in /var/log/letsencrypt I noticed that the following block must be getting triggered based on the output which seems to create certs without checking their expiry.

      elif "X3" not in server_cert_issuer and not STAGING:
          # we have a self-signed certificate we should replace with a prod certificate.
          # this should only happen once on initial rancher install.
          print("INFO: Replacing self-signed certificate: {0}, "
                "{1} with production LE cert".format(server, server_cert_issuer))
          self.create_cert(server)
          self.post_cert(server)

Looking at the output

Replacing self-signed certificate: *******.com, CN=R3,O=Let's Encrypt,C=US 

Looking at https://letsencrypt.org/certificates/ that seems to make sense as X3 is retired and the default is now R3.

I'm guessing hardcoding the issuer here is a bad idea anyways? R4 / E2 are backups and this is subject to change anyways.

Currently workflow for testing is:

1. Build image on internal CI system
2. Push image to private registry
3. Pull image on testing rancher instance
4. Manually poking and prodding
5. Once good, submit PR and merge to master
6. Docker hub build triggers
7. Image available publicly

This is mostly a placeholder issue while I come up with better testing system. This does not include actual code testing, but more for integration between rancher-lets-encrypt and the Rancher API.

Is rancher-lets-encrypt compatible to rancher 2.0 beta yet?

I'm not sure if I should test this out. Propably, I will kill my productive environment...

It would be nice to have a v1.0 and v1.1 builds available rather than always having to use latest for Docker image builds.

Hi,
I looked through the code, but it seems like it will create a single certificate for every domain specified in DOMAINS in the letsencrypt.env file. Since lets-encrypt supports to use multiple domains within a single certificate, it would be awesome, if this could be added to rancher-lets-encrypt.

The use-case would be to have a single certificate for example.com and www.example.com, or example.com and login.example.com.

A possible solution would be to split at ; per certificate and at , per domain:

DOMAINS=example.com,www.example.com;example-service.com,api.example-service.com

This would create two certificates:

1. example.com with www.example.com as subject alternative name
2. example-service.com with api.example-service.com as subject alternative name

When the repository supports rancher catalogs (I'll create a PR later today) The split could possibly be achieved by using a multiline question with one certificate per line and each line can list multiple certificates split by a ,

Edit: Here is the PR I mentioned above: #11

Hi there,

When I try to start the Docker containers, I get the following error:

[root@srv rancher-lets-encrypt]# docker-compose up
WARNING: The Docker Engine you're using is running in swarm mode.

Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.

To deploy your application across the swarm, use the bundle feature of the Docker experimental build.

More info:
https://docs.docker.com/compose/bundles

Recreating rancherletsencrypt_rancher-lets-encrypt_1
Starting rancherletsencrypt_letsencrypt-nginx_1
Attaching to rancherletsencrypt_letsencrypt-nginx_1, rancherletsencrypt_rancher-lets-encrypt_1
rancher-lets-encrypt_1  | t find an Environment variable set.
rancher-lets-encrypt_1  | 'CATTLE_URL'
rancher-lets-encrypt_1  | Traceback (most recent call last):
rancher-lets-encrypt_1  |   File "/python/rancher.py", line 393, in <module>
rancher-lets-encrypt_1  |     service.check_hostnames_and_ports()
rancher-lets-encrypt_1  |   File "/python/rancher.py", line 362, in check_hostnames_and_ports
rancher-lets-encrypt_1  |     print "Sleeping during host lookups for {0} seconds".format(HOST_CHECK_LOOP_TIME)
rancher-lets-encrypt_1  | NameError: global name 'HOST_CHECK_LOOP_TIME' is not defined

My letsencrypt.env:

[root@srv rancher-lets-encrypt]# cat letsencrypt.env 
DOMAINS=srv.example.com
CERTBOT_WEBROOT=/var/www
[email protected]
RENEW_BEFORE_DAYS=14
LOOP_TIME=300
# Staging = True will get you a cert with the CA Fake, while Staging = False will use production Let's Encrypt to get the Let's Encrypt V3 CA.
STAGING=False
HOST_CHECK_PORT=80
HOST_CHECK_LOOP_TIME=10

As you can see, the HOST_CHECK_LOOP_TIME variable is set. Do you have any ideas why this error happens?

Thanks!

Ragards,
Philip

Found the info via closed ticket here: #5
and trail/error :)

I guess documentation will come soon for better understanding.

Thx

Is ist possible to generate the list of domains (via rancher API, from connected loadbalancer)?

If the rancher server port 8080 falls over/stops, then the Rancher Lets encrypt service fails. Rather than trying to reconnect if we fail, we should wait a configured time and try to connect later.

3/16/2017 9:22:14 AMSleeping: 300 seconds...
3/16/2017 9:27:14 AMTraceback (most recent call last):
3/16/2017 9:27:14 AM  File "/python/rancher.py", line 409, in <module>
3/16/2017 9:27:14 AM    service.loop()
3/16/2017 9:27:14 AM  File "/python/rancher.py", line 152, in loop
3/16/2017 9:27:14 AM    self.cert_manager()
3/16/2017 9:27:14 AM  File "/python/rancher.py", line 166, in cert_manager
3/16/2017 9:27:14 AM    rancher_cert_servers = self.get_rancher_certificate_servers()
3/16/2017 9:27:14 AM  File "/python/rancher.py", line 353, in get_rancher_certificate_servers
3/16/2017 9:27:14 AM    returned_json = self.get_certificate()
3/16/2017 9:27:14 AM  File "/python/rancher.py", line 47, in get_certificate
3/16/2017 9:27:14 AM    r = requests.get(url=url, auth=self.auth())
3/16/2017 9:27:14 AM  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 55, in get
3/16/2017 9:27:14 AM    return request('get', url, **kwargs)
3/16/2017 9:27:14 AM  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 44, in request
3/16/2017 9:27:14 AM    return session.request(method=method, url=url, **kwargs)
3/16/2017 9:27:14 AM  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
3/16/2017 9:27:14 AM    resp = self.send(prep, **send_kwargs)
3/16/2017 9:27:14 AM  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
3/16/2017 9:27:14 AM    r = adapter.send(request, **kwargs)
3/16/2017 9:27:14 AM  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 378, in send
3/16/2017 9:27:14 AM    raise ConnectionError(e)
3/16/2017 9:27:14 AMrequests.exceptions.ConnectionError: HTTPConnectionPool(host='10.1.4.20', port=8080): Max retries exceeded with url: /v1/certificate (Caused by <class 'socket.error'>: [Errno 111] Connection refused)

There were a few upgrades on certbot and acme modules, that need to be updated in order to have the service working again.

I've updated the requirements and certbot version, since it was failing the certificates renew.

Please take note that I've also updated the rancher.py script to Python 3.7 and did the proper modifications to the Dockerfile.

As I don't have plans on moving my environment to kubernets so soon, I'm still using this. 😃

The certChain must not contain the local certificate. See #12

Currently there is a lot of /etc/letsencrypt hard-coded into the application. We should parameterize this.

In the docker-compose.yml, if tty:true and stdin_open:true are not both set, the service will hang before proceeding.