Thoughts on a Let’s Encrypt docker workflow

Getting the cert

  • Assuming that there is a proxy that handles a bunch of different domains.
  • That proxy should support Let’s Encrypt either directly (there are some haproxy images on the Hub).
  • Or it can be configured to redirect Let’s Encrypt challenges to the Let’s Encrypt container (described in the Forum).

Basically: Run Let’s Encrypt with ‘–standalone’. For validation, Let’s Encrypt will try to find a file on your domain (/.well-known/acme-challenge). The proxy redirects that to the container you just started (which might need to have a fixed address/ip, or the proxy needs to find it via the regular service discovery mechanism you are using).

Installing a cert

  • Manually.
  • A custom installer plugin, for Tutum for example, could use the Tutum API to redeploy the app container with a new SSL_CERT environment variable.

Renew a certificate

  • Let’s Encrypt certs are only valid for 3 months, so renewing is an issue.
  • A cronjob could re-run the above process every x months.
  • A Let’s Encrypt service & web ui where all the domains can be managed.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s