This repository was archived by the owner on Nov 26, 2024. It is now read-only.
This repository provides with a cron-based certbot agent that will attempt to acquire Let's Encrypt certificates you control
16
+
This repository provides with a cron-based certbot agent that will attempt to acquire Let's Encrypt certificates you
17
+
control
9
18
for a list of subdomains you provide, and provision Kong with them.
10
19
11
20
Ideal for integrating a Kong deployment in Kubernetes with Let's Encrypt.
12
21
13
-
There's an example [kubernetes cronjob](kubernetes/certbot-cronjob.yml) you can use as a guide to deploy wherever you need.
22
+
There's an example [kubernetes cronjob](kubernetes/certbot-cronjob.yml) you can use as a guide to deploy wherever you
23
+
need.
14
24
15
25
## Compatibility
16
26
17
-
* Kong Certbot Agent 3.x: compatible with Kong 0.14 and 1.x. Kubernetes examples compatible with Kubernetes >= 1.8
18
-
* Kong Certbot Agent 2.x: compatible with Kong 0.14 and 1.x. Kubernetes examples compatible with Kubernetes <= 1.8
19
-
* Kong Certbot Agent 1.x: compatible with Kong <= 0.13. Kubernetes examples compatible with Kubernetes <= 1.8
27
+
* Kong Certbot Agent 3.x: compatible with Kong 0.14 and 1.x. Kubernetes examples compatible with Kubernetes >= 1.8
28
+
* Kong Certbot Agent 2.x: compatible with Kong 0.14 and 1.x. Kubernetes examples compatible with Kubernetes <= 1.8
29
+
* Kong Certbot Agent 1.x: compatible with Kong <= 0.13. Kubernetes examples compatible with Kubernetes <= 1.8
20
30
21
31
## How to
22
32
23
33
### Run the container
24
-
- The container takes 3 environment variables to operate:
34
+
35
+
- The container takes 3 environment variables to operate:
25
36
- KONG_ENDPOINT: this will be the http endpoint your kong admin is at, without its path. ie `http://kong:8001`
26
37
- EMAIL: this is the email address linked to your let's encrypt certificates.
27
38
- DOMAINS: this is a comma-separated list of domains we'll be asking certificates for.
28
-
- Deploy container in your environment.
29
-
- It will automagically run the updater script every 24th of the month.
30
-
- Profit!
39
+
- Deploy container in your environment.
40
+
- It will automagically run the updater script every 24th of the month.
41
+
- Profit!
31
42
32
43
### Kong configuration
33
44
34
-
In order for the challenge to work correctly, you need to open up a service and a route in Kong pointing to the container at a very
45
+
In order for the challenge to work correctly, you need to open up a service and a route in Kong pointing to the
46
+
container at a very
35
47
specific URL path. It MUST respond on every domain you're requesting certs for.
36
48
37
49
When it comes the time to run certbot, it will open an HTTP server, put some stuff on a specific path, then ping
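Review bot: the reflow carries the original grammar slip at the top of the README into new lines 16-18 ("This repository provides with a cron-based certbot agent"); since these lines are being rewritten anyway, drop "with" ("provides a cron-based certbot agent"). While the "Run the container" list is being touched, the `KONG_ENDPOINT` bullet (`http://kong:8001`) is the only mention of the Kong Admin API and says nothing about exposure: the agent needs write access to that endpoint to install certificates, and anything else that can reach it has the same power, so one sentence saying it should stay reachable only from inside the cluster would be worth adding. Minor: the 120-column wraps leave single words ("control", "need.", "container at a very") on their own lines, which renders fine in Markdown but reads oddly in the source; breaking a few words earlier avoids it.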
@@ -41,17 +53,17 @@ This is a service definition example in Kong admin:
41
53
42
54
```json
43
55
{
44
-
"host": "kong-certbot-agent",
45
-
"created_at": 1543512083,
46
-
"connect_timeout": 60000,
47
-
"id": "service-id-foo",
48
-
"protocol": "http",
49
-
"name": "KongCertbot",
50
-
"read_timeout": 60000,
51
-
"port": 80,
52
-
"updated_at": 1543513810,
53
-
"retries": 5,
54
-
"write_timeout": 60000
56
+
"host":"kong-certbot-agent",
57
+
"created_at":1543512083,
58
+
"connect_timeout": 60000,
59
+
"id":"service-id-foo",
60
+
"protocol":"http",
61
+
"name":"KongCertbot",
62
+
"read_timeout":60000,
63
+
"port":80,
64
+
"updated_at":1543513810,
65
+
"retries":5,
66
+
"write_timeout":60000
55
67
}
56
68
```
57
69
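Review bot: the whitespace change in the service JSON (new lines 56-66) is inconsistent: `"connect_timeout": 60000` keeps the space after the colon while every other key loses it (`"host":"kong-certbot-agent"`, `"port":80`). Both forms parse, but mixed spacing in a copy-paste example looks like a typo, and the spaced `"key": value` form is the conventional pretty-printed layout, so the simplest fix is to revert this hunk to the original spacing.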
@@ -61,30 +73,30 @@ Then, associate this route to it:
61
73
62
74
```json
63
75
{
64
-
"created_at": 1543512115,
65
-
"strip_path": false,
66
-
"hosts": [
67
-
"your.list",
68
-
"of.domains",
69
-
"for.the",
70
-
"same.certificate"
71
-
],
72
-
"preserve_host": false,
73
-
"regex_priority": 0,
74
-
"updated_at": 1543513584,
75
-
"paths": [
76
-
"/.well-known/acme-challenge"
77
-
],
78
-
"service": {
79
-
"id": "service-id-foo"
80
-
},
81
-
"methods": [
82
-
"GET"
83
-
],
84
-
"protocols": [
85
-
"http"
86
-
],
87
-
"id": "route-id-foo"
76
+
"created_at":1543512115,
77
+
"strip_path":false,
78
+
"hosts": [
79
+
"your.list",
80
+
"of.domains",
81
+
"for.the",
82
+
"same.certificate"
83
+
],
84
+
"preserve_host":false,
85
+
"regex_priority": 0,
86
+
"updated_at":1543513584,
87
+
"paths": [
88
+
"/.well-known/acme-challenge"
89
+
],
90
+
"service": {
91
+
"id": "service-id-foo"
92
+
},
93
+
"methods": [
94
+
"GET"
95
+
],
96
+
"protocols": [
97
+
"http"
98
+
],
99
+
"id":"route-id-foo"
88
100
}
89
101
```
90
102
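Review bot: same mixed spacing as the service example, on new lines 76-99: `"regex_priority": 0`, `"hosts": [`, `"paths": [`, `"service": {`, `"methods": [` and `"protocols": [` keep the space after the colon while `"created_at":1543512115`, `"strip_path":false`, `"preserve_host":false` and `"id":"route-id-foo"` lose it; pick one form. The content itself is right for the HTTP challenge described above: `"protocols": ["http"]` and `"methods": ["GET"]` limit the route to plain-HTTP GET on `/.well-known/acme-challenge`, and `"strip_path": false` is what lets the agent container see the full challenge path rather than a stripped one, which is the requirement the surrounding text states.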
@@ -125,9 +137,12 @@ docker run -it --rm \
125
137
126
138
### How many domains can I get certs for?
127
139
128
-
You can give the agent a pretty big list of domains to acquire certificates for (100), but bear in mind it will be one certificate
129
-
shared among all of them. You might want to set up different cronjobs for different sets of certificates, grouped in a manner
130
-
that makes sense to you. Also, if one of the domains you're getting a certificate from fails the HTTP challenge, cert acquisition
140
+
You can give the agent a pretty big list of domains to acquire certificates for (100), but bear in mind it will be one
141
+
certificate
142
+
shared among all of them. You might want to set up different cronjobs for different sets of certificates, grouped in a
143
+
manner
144
+
that makes sense to you. Also, if one of the domains you're getting a certificate from fails the HTTP challenge, cert
145
+
acquisition
131
146
for the whole group fails.
132
147
133
148
### How about wildcard certs?
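Review bot: the new wraps on lines 140-145 leave "certificate", "manner" and "acquisition" alone on a line; choose earlier break points. More importantly, the "(100)" in this paragraph is a Let's Encrypt limit (names per certificate) given without a source, while the first-time-setup section later in this README links the Let's Encrypt rate-limits page; linking the same page here would make clear where the number comes from and that it is the CA's limit, not the agent's.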
@@ -137,17 +152,25 @@ Due to the way certbot agent works, this will never be supported by the agent.
137
152
138
153
### Any considerations on a first time set up?
139
154
140
-
Yes. Certbot has a limit of [50 certificate requests per domain per week](https://letsencrypt.org/docs/rate-limits/) - it is very easy to go over this limit during
155
+
Yes. Certbot has a limit of [50 certificate requests per domain per week](https://letsencrypt.org/docs/rate-limits/) -
156
+
it is very easy to go over this limit during
141
157
your initial set up while you manage to get all your stuff lined up together nicely:
142
158
143
-
* Use test certs initially, allowances are more generous. You can modify the command to `command: [ "/workdir/certbot-agent", "certs:update", "$(KONG_ENDPOINT)", "$(EMAIL)", "$(DOMAINS)", "--test-cert" ]` until you have everything right.
144
-
* Ensure your scheduling does not retry a failed command. It's very unlikely it will succeed a second time with the same parameters
145
-
and you'll go over the limit quicker than fast, especially in Kubernetes which by default will retry until your cluster goes down. The
159
+
* Use test certs initially, allowances are more generous. You can modify the command to
* Ensure your scheduling does not retry a failed command. It's very unlikely it will succeed a second time with the same
163
+
parameters
164
+
and you'll go over the limit quicker than fast, especially in Kubernetes which by default will retry until your
165
+
cluster goes down. The
146
166
[example kubernetes cronjob](kubernetes/certbot-cronjob.yml) specifically stops this from happening
147
167
148
168
### How often should I renew my certs?
149
169
150
-
By default, certbot has a limit of 50 certificate requests per domain per week as mentioned earlier, so bear this in mind. Also, certs are good for 3 months. Let's Encrypt themselves recommend once every 60 days. [The example kubernetes cronjob](kubernetes/certbot-cronjob.yml)
170
+
By default, certbot has a limit of 50 certificate requests per domain per week as mentioned earlier, so bear this in
171
+
mind. Also, certs are good for 3 months. Let's Encrypt themselves recommend once every 60
172
+
days. [The example kubernetes cronjob](kubernetes/certbot-cronjob.yml)
151
173
is setup like so.
152
174
153
-
You can certainly do it more often, but there's no point in spamming Let's Encrypt with extra requests - remember this is a shared resource, free as in freedom and beer, and someone surely pays for it. Be considerate.
175
+
You can certainly do it more often, but there's no point in spamming Let's Encrypt with extra requests - remember this
176
+
is a shared resource, free as in freedom and beer, and someone surely pays for it. Be considerate.
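Review bot: the test-cert bullet (new line 159) now ends mid-sentence at "You can modify the command to", and the lines that should carry the moved `command: [ ... "--test-cert" ]` (new lines 160-162) are not in this view; confirm the command survived the move and sits in a fenced block, since the old inline form with `$(KONG_ENDPOINT)`, `$(EMAIL)` and `$(DOMAINS)` was hard to read. Two wording points while these lines are touched: the rate limit is imposed by Let's Encrypt, not by certbot (the link points at letsencrypt.org/docs/rate-limits), so "Certbot has a limit of 50 certificate requests per domain per week" on new lines 155 and 170 should read "Let's Encrypt has a limit"; and "Kubernetes which by default will retry until your cluster goes down" would be more useful if it named what the example cronjob sets to stop the retries ("specifically stops this from happening" does not say how), so readers deploying outside Kubernetes can replicate it.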