
Comments (5)

alexcouper commented on August 17, 2024

Hi @lgomez - thanks for the feedback.

This is a good point - right now the container is very static and fed by environment variables.

Are you using kubernetes?

If so, I think the best way would be to change fetch_certs to read from a file on disk which could be populated by an env variable (to be backwards compatible) or by a ConfigMap.

This would mean that you would only need to update the config map.

If you want to get it to work as is, you could dynamically update your deployment container template for this container to change the DOMAINS env variable - it will then ensure that a container is running for that domain.

But yes, a change is needed in fetch_certs.sh, assuming you want each domain to have its own certificate (currently a single certificate is fetched which is valid for all the domains in DOMAINS).

The change needed should just be a case of moving the certonly call to inside the for loop.

As for running non-interactive, it should be already? What questions are you getting? Are you using the image at https://hub.docker.com/r/ployst/letsencrypt/ or self-building? If the image, what version?

from docker-letsencrypt.

lgomez commented on August 17, 2024

Thank you.

I am using Kubernetes. ConfigMap is a great idea. I'll use that to pass values in. Thanks.

The prompts I get are the ones coming from openssl req through letsencrypt certonly when I run kubectl exec -it ${pod name} /bin/bash -- -c '[email protected] DOMAINS=example.com ./fetch_certs.sh'.

Based on this https://certbot.eff.org/docs/using.html#command-line-options, I think I could generate a "Certificate Signing Request (CSR)" file and pass it to letsencrypt certonly using the --csr option.

I could generate the CSR using openssl req with the -subj option like so:

# Set the values...
C="US" # C: 2 letter ISO country code
ST="California" # ST: State
L="San Francisco" # L: Locality (city)
ORG="Example Org" # O: Organization
OU="IT Department" # OU: Organizational Unit, Department
CN="example.com" # CN: Common Name (FQDN)

# Generate the private key and the CSR...
openssl req \
  -nodes \
  -newkey rsa:2048 \
  -keyout "$CN.key" \
  -out "$CN.csr" \
  -subj "/C=$C/ST=$ST/L=$L/O=$ORG/OU=$OU/CN=$CN" # < this is the important bit here.

which is what I would then pass to --csr.

Does this make sense or am I trying to do something that can already be done and I just don't know how?

Thanks again!


alexcouper commented on August 17, 2024

> Does this make sense or am I trying to do something that can already be done and I just don't know how?

I'm still not clear what the error is you're getting. Could you show the whole output?

Is there a reason you're not relying on the cron to fetch the certs? Was that also failing with the prompt you get?

Could you try using ployst/letsencrypt:0.0.7 and see if you still get this issue?

lgomez commented on August 17, 2024

Oh man... My bad. I just realized the issue comes not from here but from a step deep in a script that runs before this.

Basically, there was a script running to generate the self-signed INITIAL certs. These are inserted into the initial kube secret and then this repo comes into action. The prompts I was getting were not coming from here but from that initial openssl gen call.

Sorry I've wasted your time. I made the changes and I don't get the prompts now.

Thank you

alexcouper commented on August 17, 2024

@lgomez no worries - glad it's useful!
