Tool that helps you automatically renew LetsEncrypt certificates and serve them in consul K/V storage.
Note: It is tightly integrated with proxy-server (nginx in this case) and consul-template
tool. Please read below for full understanding of certificate issuing and installation process.
At first create following K/V structure in Consul:
letsconsul
|_
| \_renew_interval = 168h
|_
| \_reload_interval = 10s
|_
| \_service = letsconsul
|_
| \_domains_enabled = ["example.com", "qlean.ru"]
|_
\_domains
|_
| \_example.com
| |_
| | \_domain_list = ["www.example.com", "example.com"]
| |_
| | \_email = [email protected]
| |_
| \_timestamp = 0
|_
\_qlean.ru
|_
| \_domain_list = ["qlean.ru", "www.qlean.ru", "assets.qlean.ru"]
|_
| \email = [email protected]
|_
\_timestamp = 0
Consul configuration keys:
renew_interval
- domain certificate expiration timereload_interval
- time after letsconsul reloading domains information from consulservice
- consul service namedomains_enabled
- domains fromletsconsul/domains
that can be validated and renewed with certs/keys
When letsconsul starting it reading particular command line arguments:
-b
- host:port variable that validation web-server will listen (by default 0.0.0.0:8080)-c
- consul address (by default 127.0.0.1:8500)
Also, you can specifly consul ACL token with CONSUL_TOKEN environment variable.
Example of usage:
$ wget https://github.com/hypersleep/letsconsul/releases/download/0.0.2/letsconsul-linux-64.zip
$ unzip letsconsul-linux-64.zip
$ ./letsconsul -b 0.0.0.0:8080 -c 127.0.0.1:8500
After app starts, it fetching domains information from consul by given consul_service
key, checking certificate expiration time and if more than renew_interval
then starts certificate renew process.
Updating and receiving certificates is based on LetsEncrypt HTTP validation.
After validation request has sent to LetsEncrypt, letsconsul starts a validation web-server on address -b
that should receive a LetsEncrypt validation request.
Ensure that validation web-server available from internet! You can simply do this with combination of nginx proxy and consul-template:
server {
listen 80;
server_name www.example.com example.com;
{{range service "letsconsul"}}
location /.well-known/acme-challenge {
proxy_set_header Host $host;
proxy_pass http://{{.Address}}:{{.Port}};
}
{{end}}
}
If validation will be made successfully, letsconsul writes received certificates and keys to fullchain
and private_key
consul keys.
After that you can use values of fullchain
and private_key
as cert/key files for nginx using consul-template:
/etc/ssl/example.com.crt.ctmpl:
{{key "letsconsul/domains/example.com/fullchain"}}
rendering to: /etc/ssl/example.com.crt
/etc/ssl/example.com.key.ctmpl:
{{key "letsconsul/domains/example.com/private_key"}}
rendering to: /etc/ssl/example.com.key
Finally, you're got fully automated and distributed by many servers/proxies HTTPS certificates!
You can see full workflow on following chart: