A helping hand for your LetsEncrypt needs, with a focus on Kubernetes and automation.

Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0).

LetsEncryptIT

A tool for managing LetsEncrypt certificates, focusing on Kubernetes and the Google Cloud platform.

Axioms - Assumptions

  • That you are using CloudFlare as your DNS provider, as DNS is the assumed certificate authentication mechanism
  • That you use the Google Cloud platform
    • And the use of the built-in Google Cloud Load-balancer to "front" your Kubernetes cluster

What you can do with LetsEncryptIT

As of 20190411

Using it

On the command-line

  1. Ensure that you have followed the pre-requisites document
  2. Refer to the documentation links on this in the section above

In a Kubernetes cron job

Pre-requisites

  1. Ensure that you have followed the pre-requisites document
  2. Update the placeholders to contain real values in the cronjob.yml file
    • The claimName property needs to be updated with the name of the persistent disk claim you made on GCP

Setting up the cron job

Execute: kubectl apply -f ./kubernetes/deploys/cronjob.yml

Specific files and structure explained

Dockerfiles

Their location: /LetsEncryptIT/docker/*

certbot-python3

This Dockerfile was created because of this issue - in short, the official Certbot Docker image does not support Python v3+. This project uses code that is only compatible with Python v3+.

The image is basically a ripoff of the official Dockerfile found here

Changes to the file

Basically only the top-level line changes: from FROM python:2-alpine3.9 to FROM python:3-alpine3.9

Kubernetes deployment files

cronjob.yml

Consider this file a template which can be used for setting up a Kubernetes cronjob.

letsencryptit-pod.yml

A Pod deployment that acts as a CLI for interacting with the LetsEncryptIT tool, e.g. for expanding a certificate, renewing it and so forth.

Things to note

  • Remember to delete the letsencryptit-cli Pod after use, unless you want it running so that you can quickly use it and are okay with the resources it will be using (not many, though)

Troubleshooting, help and documentation

On LetsEncryptIT

On the components that LetsEncryptIT uses

  • On LetsEncrypt
  • On the Google Cloud load-balancer API
  • Gathering the name of your GCP proxy. This can be a bit confusing, so I created a small how-to on this.
    • The name is used for the TARGET_HTTPS_PROXY constant variable in the constants.py file, which gets its value from the gcp_project_proxy environment variable.