Get certificates for domains with wildcards based on Let’s Encrypt with Rancher 1.x


#1

Hi,
I am facing an issue with generating certificates using the Let’s Encrypt community services stack based on the image janeczku/rancher-letsencrypt. I have to generate certificates for multiple domains with the same ending.
Example:
test.example.domain.xyz
test1.example.domain.xyz
test2.example.domain.xyz

So the obvious answer is to use a wildcard in the certificate generating process, like this:
*.example.domain.xyz

I already know that the image janeczku/rancher-letsencrypt was last updated a year ago and is deprecated, so I was searching for something else. I found vxcontrol/rancher-letsencrypt, which was updated a month ago, but it is not working with wildcards in the domain either. I also found out that Certbot ver. 0.22+ supports this process, but I don’t understand how to implement this with Let’s Encrypt in a custom docker image.

Is there a way to create certificates for a domain with a wildcard using the Let’s Encrypt community service stack?
Does anyone know of maybe another community stack available here on Rancher for such a matter?
Is there any other solution for implementing self-renewing certificates for my services here on Rancher?

Here is what I got when I switched images from janeczku/rancher-letsencrypt to vxcontrol/rancher-letsencrypt and typed *.example.domain.xyz in the DOMAINS variable before upgrading.

7/19/2018 " level=info msg="Trying to obtain SSL certificate (*.example.domain.xyz) from Let's Encrypt Production CA"
7/19/2018 " level=info msg="[INFO][*.example.domain.xyz] acme: Obtaining bundled SAN certificate"
7/19/2018 " level=info msg="[INFO][*.example.domain.xyz] AuthURL: auth_url"
7/19/2018 " level=info msg="[INFO][example.domain.xyz] acme: Could not find solver for: dns-01"
7/19/2018 " level=error msg="[acme: Error -> One or more domains had a problem:\n[example.domain.xyz] [example.domain.xyz] acme: Could not determine solvers\n] Error obtaining certificate: acme: Error -> One or more domains had a problem:\n[example.domain.xyz] [example.domain.xyz] acme: Could not determine solvers\n"
7/19/2018 " level=info msg="Starting Let's Encrypt Certificate Manager v1.0.0 eb89fad"
7/19/2018 " level=info msg="Using locally stored Let's Encrypt account for my.email@dom.com"
7/19/2018 " level=info msg="Using Let's Encrypt Production API"
7/19/2018 " level=info msg="Using HTTP challenge: Sleeping for 120 seconds before requesting certificate"
7/19/2018 " level=info msg="Make sure that HTTP requests for '/.well-known/acme-challenge' for all certificate domains are forwarded to port 80 of the container running this application"
7/19/2018 " level=info msg="Trying to obtain SSL certificate (*.example.domain.xyz) from Let's Encrypt Production CA"
7/19/2018 " level=info msg="[INFO][*.example.domain.xyz] acme: Obtaining bundled SAN certificate"
7/19/2018 " level=info msg="[INFO][*.example.domain.xyz] AuthURL: auth_url"
7/19/2018 " level=info msg="[INFO][example.domain.xyz] acme: Could not find solver for: dns-01"
7/19/2018 " level=error msg="[acme: Error -> One or more domains had a problem:\n[example.domain.xyz] [example.domain.xyz] acme: Could not determine solvers\n] Error obtaining certificate: acme: Error -> One or more domains had a problem:\n[example.domain.xyz] [example.domain.xyz] acme: Could not determine solvers\n"

For obvious reasons I changed my real wildcarded domain to *.example.domain.xyz here in the post.
TIA for every response :smiley:


#2

Hi @TomBer,

By Let’s Encrypt policy, wildcard certificates require the use of the DNS-01 challenge (which involves creating DNS TXT records requested by the CA, not just posting a file on your web site). It seems here that your ACME client was not configured to do this. The client here isn’t Certbot; I think it’s some version of lego.

Maybe you could ask the developers of the image that you used about how to support the DNS-01 challenge with this software stack?
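To make the DNS-01 requirement in the reply above concrete, here is an added example (not code from this thread, from lego, or from either rancher-letsencrypt image) that derives the TXT value a DNS-01 validation expects, per RFC 8555 and RFC 7638, and checks whether a zone already publishes it before the CA is asked to validate. The token, the JWK and the zone contents are constructed sample data, not real keys or records.

```python
import base64
import hashlib
import json

# Constructed sample data: the token shape matches what an ACME server issues,
# but the JWK coordinates are placeholders, not a real account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-not-a-real-key",
              "y": "constructed-y-coordinate-not-a-real-key"}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with sorted keys and no whitespace. Extra members such as
    'alg' or 'use' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content for DNS-01: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())

def challenge_name(domain: str) -> str:
    """Record name to publish. A wildcard is validated at the base name, which is
    why the log in the question reports example.domain.xyz, not *.example.domain.xyz."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"

def txt_record_present(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """Pre-flight check before telling the CA to validate: is the expected value
    among the TXT records at the challenge name? A list is used because the
    wildcard and the base domain share one name and need one record each."""
    return dns01_txt_value(token, jwk) in zone.get(challenge_name(domain), [])

# Constructed zone contents: one record for this challenge plus an unrelated one.
SAMPLE_ZONE = {"_acme-challenge.example.domain.xyz":
               [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK), "unrelated-txt-record"]}

if __name__ == "__main__":
    print(challenge_name("*.example.domain.xyz"), dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("published:", txt_record_present(SAMPLE_ZONE, "*.example.domain.xyz", SAMPLE_TOKEN, SAMPLE_JWK))
```

In a real run the zone lookup would be a TXT query against an authoritative resolver; the value to compare against is the same.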


#3

Hi @schoen,

I really appreciate your response. Thanks a lot for clarifying this matter. I found a potential solution to my problem here: https://www.bennadel.com/blog/3420-obtaining-a-wildcard-ssl-certificate-from-letsencrypt-using-the-dns-challenge.htm. Maybe it will help somebody else who is struggling with the same issue.
Here is also a link to the issue started by the blog owner: Does the DNS challenge need to be executed for renewal?

Your explanation and the information contained in the blog fully answered my question.
Thanks a lot once more :smile:
