Thoughts on a Let’s Encrypt docker workflow

Getting the cert

  • Assume there is a proxy in front of a number of different domains.
  • That proxy should either support Let’s Encrypt directly (there are some haproxy images on the Hub that do this),
  • or it can be configured to redirect Let’s Encrypt challenges to the Let’s Encrypt container (described in the Forum).

Basically: run Let’s Encrypt with ‘--standalone’. For validation, Let’s Encrypt will try to fetch a file from your domain under /.well-known/acme-challenge/. The proxy redirects that request to the container you just started (which might need a fixed address/IP, or the proxy needs to find it via whatever service discovery mechanism you are already using).

Installing a cert

  • Manually.
  • A custom installer plugin, for Tutum for example, could use the Tutum API to redeploy the app container with a new SSL_CERT environment variable.

Renew a certificate

  • Let’s Encrypt certs are only valid for 3 months, so renewing is an issue that has to be dealt with.
  • A cronjob could re-run the above process every x months.
  • A Let’s Encrypt service & web UI where all the domains can be managed.
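To make the two pieces above concrete (the proxy redirecting only the ACME challenge path to the standalone container, and a cronjob that re-runs the process when a cert is close to expiry), here is a small shell script. It is an added example, not code from the original post. Everything in it is an assumption: haproxy as the proxy, the quay.io/letsencrypt/letsencrypt image as the client, /etc/letsencrypt on the host as the client’s state directory, a fixed container name the proxy can reach, and GNU ‘date -d’ for parsing the certificate’s notAfter.

```shell
#!/bin/sh
# Added example, not code from the original post.  Glue for the workflow
# described above under these assumed (hypothetical) choices: haproxy is the
# proxy in front of the domains; the Let's Encrypt client runs from the
# quay.io/letsencrypt/letsencrypt image with its state kept in
# /etc/letsencrypt on the host; the standalone container is reachable from
# the proxy under a fixed name; `date -d` is GNU date.
set -eu

LE_IMAGE=${LE_IMAGE:-quay.io/letsencrypt/letsencrypt}
LE_STATE=${LE_STATE:-/etc/letsencrypt}
RENEW_WINDOW_DAYS=${RENEW_WINDOW_DAYS:-30}

# haproxy fragment: only requests under /.well-known/acme-challenge/ go to the
# standalone client; everything else keeps flowing to the application backends.
#   $1 = address of the Let's Encrypt container, $2 = port it listens on
haproxy_acme_fragment() {
    cat <<EOF
frontend http-in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if is_acme
    default_backend apps

backend letsencrypt
    server le $1:$2
EOF
}

# Decide whether a certificate needs renewing.  Pure arithmetic, so it can be
# checked without a real certificate.
#   $1 = notAfter as epoch seconds, $2 = "now" as epoch seconds,
#   $3 = renew when fewer than this many whole days remain
renewal_due() {
    remaining=$(( ($1 - $2) / 86400 ))
    [ "$remaining" -lt "$3" ]
}

# notAfter of a PEM certificate as epoch seconds (needs openssl and GNU date).
cert_not_after_epoch() {
    end=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2)
    date -d "$end" +%s
}

# Obtain (or re-obtain) a certificate with the standalone authenticator.  The
# container gets a fixed name so the proxy's backend can point at it; it must
# NOT publish port 80 on the host, because the proxy already owns that port.
#   $1 = contact e-mail, remaining args = domain names
issue_cert() {
    email=$1; shift
    domain_args=""
    for d in "$@"; do domain_args="$domain_args -d $d"; done
    # word-splitting of $domain_args below is intended
    # shellcheck disable=SC2086
    docker run --rm --name letsencrypt \
        -v "$LE_STATE:/etc/letsencrypt" \
        "$LE_IMAGE" certonly --standalone --non-interactive --agree-tos \
        --email "$email" $domain_args
}

# Cron entry point: renew only when inside the window, so the job can run
# often (weekly) without requesting a new certificate on every run.
#   $1 = contact e-mail, $2 = primary domain (also the live/ directory name),
#   remaining args = extra domains on the same certificate
renew_if_due() {
    email=$1; primary=$2; shift 2
    pem="$LE_STATE/live/$primary/cert.pem"
    if [ ! -f "$pem" ] || renewal_due "$(cert_not_after_epoch "$pem")" "$(date +%s)" "$RENEW_WINDOW_DAYS"; then
        issue_cert "$email" "$primary" "$@"
        # Installing is still a separate step (see above): reload the proxy or
        # redeploy the app container with the new certificate here.
    else
        echo "$primary: not due for renewal yet"
    fi
}

# Example crontab line (weekly, Monday 03:00):
#   0 3 * * 1  /usr/local/bin/le-docker.sh renew ops@example.com example.com www.example.com
case "${1:-}" in
    fragment) haproxy_acme_fragment "${2:-letsencrypt}" "${3:-80}" ;;
    issue)    shift; issue_cert "$@" ;;
    renew)    shift; renew_if_due "$@" ;;
esac
```

‘fragment’ prints the haproxy snippet to paste into the proxy config, ‘issue’ does the first run, and ‘renew’ is what the cronjob calls. The renewal window is a plain arithmetic check on the certificate’s notAfter, so the job can be scheduled more often than the lifetime of the cert without re-issuing every time.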
