Let’s Encrypt has proven to be a fantastic solution for obtaining and maintaining SSL certificates. It’s completely free and, once it’s set up, you never need to worry about certificate renewal again. The only drawback is that it requires automation. Let’s Encrypt certificates are only valid for 90 days, and you’re expected to renew them programmatically. This makes using them with a NetScaler somewhat difficult. As I’ve mentioned before, Ryan Butler has bailed us out with an awesome Python script to do this automation. So naturally, I’ve decided to overcomplicate it.
When I first started using that script, I had a dedicated Linux web server to run it on. I’ve since converted all of my web-based apps to containers in a Docker Swarm. It got to the point that the script was the last thing running on the server. So I have built and published a Docker container to run it. It’s a very niche use case, but I figured it might help someone else…so here it is.
This is a very basic container that does the following:
- Sets up an Alpine Linux base
- Adds the packages required by the script
- Downloads the latest version of the script from Ryan’s GitHub
- Sets up a Cron job to run the script
To run the container you just need a Linux host with Docker installed and a location to store the persistent volumes.
Starting the Container
Even if you’re going to run the container as a Swarm service, you’ll need to run it with a normal docker run command first. This is because you’ll need to use docker exec to open an interactive shell to complete the configuration. This can’t be done with a service. Once it’s configured, you can stop the container and redeploy it as a Swarm service if you want.
To start the container, use the following command. Replace <path to data> with your persistent data location.
docker run --name ns-letsencrypt \
  --mount type=bind,source=<path to data>,target=/root \
  --mount type=bind,source=/etc/localtime,destination=/etc/localtime,readonly \
  xawen/ns-letsencrypt
Once the container is running, get the container ID
$ docker ps
Then, open a shell into it:
$ docker exec -it <container ID> bash
Now, follow the directions on Ryan’s page. However, skip the following steps. The Docker image already includes these.
- Configure Linux Server: apt-get install python git python-pip curl
- Configure Linux Server: pip install requests
- Configure Linux Server: git clone --recursive https://github.com/ryancbutler/ns-letsencrypt
- Automate Renewal: All steps
That’s it. The Docker image creates a cron job that will run once per week (3am on Saturday). The ns_letsencrypt script will update the LE certificate once it’s within 30 days of expiration.
At this point, if you want to run this on a Swarm, you can stop and delete the container then redeploy it as a Service.
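The Swarm redeploy step, as an added example that is not from the original post or the ns-letsencrypt project: it reuses the same two bind mounts as the docker run command above, and it assumes you pass the persistent data directory and the hostname of the Swarm node that holds it, because a bind mount only exists on that one node and the service must be pinned there.

```shell
#!/bin/sh
# Added example: redeploy the already-configured ns-letsencrypt container as a
# Docker Swarm service. Not part of the original post or the project.
# Assumptions: the data directory was populated by the interactive configuration
# step above, and NODE is the hostname of the Swarm node where it lives.

IMAGE="xawen/ns-letsencrypt"

# deploy_service DATA_DIR NODE
# Builds the "docker service create" equivalent of the docker run command above.
# Returns 1 if DATA_DIR does not exist (nothing has been configured yet, so the
# service would start with an empty /root and no NetScaler settings).
# With DRY_RUN=1 it only prints the command instead of running docker.
deploy_service() {
  data_dir="$1"
  node="$2"
  [ -d "$data_dir" ] || { echo "data dir '$data_dir' not found" >&2; return 1; }

  # Same mounts as the interactive run: config/state in /root, host time read-only.
  # The constraint pins the task to the node that actually has the bind-mount path.
  set -- --name ns-letsencrypt --replicas 1 \
         --constraint "node.hostname==$node" \
         --mount "type=bind,source=$data_dir,target=/root" \
         --mount "type=bind,source=/etc/localtime,target=/etc/localtime,readonly" \
         "$IMAGE"

  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "docker service create $*"
  else
    docker service create "$@"
  fi
}

# Usage: DRY_RUN=1 sh deploy.sh /srv/ns-letsencrypt swarm-node1
if [ "$#" -eq 2 ]; then
  deploy_service "$1" "$2"
fi
```

Run it first with DRY_RUN=1 to review the command, then without it once the interactive container has been stopped and removed so the service name is free.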