Getting the cert
- Assume there is a proxy that handles a bunch of different domains.
- That proxy should either support Let’s Encrypt directly (there are some haproxy images on the Hub),
- or be configured to redirect Let’s Encrypt challenges to the Let’s Encrypt container (described in the Forum).
Basically: run Let’s Encrypt with ‘--standalone’. For validation, Let’s Encrypt will try to fetch a file from your domain (under /.well-known/acme-challenge). The proxy redirects that request to the container you just started (which might need to have a fixed address/IP, or the proxy needs to find it via the regular service discovery mechanism you are using).
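The routing decision the proxy has to make, as an added sketch that is not part of the original notes and not taken from any proxy image. The backend addresses and the host table are assumptions; the token check follows the base64url alphabet that RFC 8555 requires for http-01 tokens, so only well-formed challenge requests reach the Let’s Encrypt container.

```python
import re

# Assumed names for this sketch; use whatever your service discovery provides.
ACME_BACKEND = "letsencrypt:80"  # container running the client with --standalone
APP_BACKENDS = {                 # constructed sample: Host header -> app container
    "example.com": "web-a:8080",
    "shop.example.com": "web-b:8080",
}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME http-01 tokens use only the base64url alphabet (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def pick_backend(host, target):
    """Return the backend for a request, or None if the proxy should answer 404."""
    # Normalise the Host header: drop the port, case and a trailing dot.
    host = host.split(":", 1)[0].lower().rstrip(".")
    if host not in APP_BACKENDS:
        return None  # never forward challenges for domains we do not serve
    path = target.split("?", 1)[0]  # ignore the query string when matching
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        # Exactly one path segment made of token characters: "../",
        # percent-encoding and nested paths are refused, not passed on.
        if TOKEN_RE.fullmatch(token):
            return ACME_BACKEND
        return None
    # Everything else, including look-alike paths, stays with the app.
    return APP_BACKENDS[host]


if __name__ == "__main__":
    # Constructed sample requests.
    for host, target in [
        ("example.com", "/.well-known/acme-challenge/abc_-123"),
        ("example.com", "/.well-known/acme-challenge/../admin"),
        ("shop.example.com", "/index.html"),
    ]:
        print(host, target, "->", pick_backend(host, target))
```
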
Installing a cert
- Manually.
- A custom installer plugin, for Tutum for example, could use the Tutum API to redeploy the app container with a new SSL_CERT environment variable.
Renew a certificate
- Let’s Encrypt certs are only valid for 3 months, so renewing is an issue.
- A cronjob could re-run the above process every x months.
- A Let’s Encrypt service & web UI where all the domains can be managed.