At Tozny, many of our web services are hosted in Docker containers running in several Rancher environments. We needed an efficient way to automate the issuance and management of the TLS certificates in those environments, so we wrote an in-house service to handle it.
The service runs as two containers:
- a minimal Nginx container that serves the Let's Encrypt HTTP-01 challenge files on port 80 (webroot verification)
- a service container that runs the issuance, renewal and synchronization logic
The service itself:
- automatically obtains new certificates
- pushes certificates into Rancher via its API, so load balancers pick them up without manual intervention
- polls the Rancher API for certificate expiration dates and renews certificates before they expire
- switches easily from Let's Encrypt staging certificates (useful for testing without consuming production rate limits, but not trusted by browsers) to production, publicly trusted certificates
- verifies that the locally stored certificates match the ones held in the Rancher API
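The two maintenance steps in that list, the expiry check against Rancher's certificate listing and the comparison of local certificates with the copies Rancher holds, are small enough to show in full. The code below is an added illustration, not Tozny's service and not Rancher's client library. It assumes the Rancher API returns certificate objects with `name`, `expiresAt` (an RFC 3339 timestamp) and `certFingerprint` fields, and that the fingerprint is a colon-separated SHA-256 hex string of the DER certificate; the field names and the fingerprint format are assumptions for this example. The API response and the PEM blobs are constructed test data, and the PEM bodies are arbitrary bytes rather than real certificates, so only fingerprint and date logic is exercised.

```python
"""Renewal-window and local-vs-Rancher consistency check (added example, not Tozny's code).

Assumptions (not confirmed by the original post):
  * Rancher certificate objects carry `name`, `expiresAt` (RFC 3339) and
    `certFingerprint` (colon-separated SHA-256 of the DER certificate).
  * Local certificates are PEM files kept one per hostname.
"""
import base64
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Let's Encrypt certificates are valid for 90 days; renewing 30 days
# before expiry leaves room for retries if the CA or network is down.
RENEW_WITHIN = timedelta(days=30)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM bundle."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def pem_wrap(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate (used only to build test fixtures)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_rancher_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime.

    fromisoformat() before Python 3.11 does not accept a trailing 'Z',
    so it is rewritten as an explicit offset first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("expected a timezone-aware timestamp: %r" % value)
    return dt.astimezone(timezone.utc)


def needs_renewal(cert: dict, now: datetime, window: timedelta = RENEW_WITHIN) -> bool:
    """True when the certificate expires within `window` of `now` (or already has)."""
    return parse_rancher_time(cert["expiresAt"]) - now <= window


def matches_local(cert: dict, local_pem: str) -> bool:
    """True when the local PEM is byte-for-byte the certificate Rancher holds."""
    return fingerprint(der_from_pem(local_pem)) == cert["certFingerprint"]


def plan(api_json: str, local_pems: dict, now: datetime) -> dict:
    """Map each Rancher certificate name to 'renew', 'mismatch' or 'ok'.

    Renewal is checked first: a fresh certificate replaces both the local
    file and the Rancher copy, so it also resolves any mismatch.
    """
    actions = {}
    for cert in json.loads(api_json)["data"]:
        name = cert["name"]
        if needs_renewal(cert, now):
            actions[name] = "renew"
        elif name not in local_pems or not matches_local(cert, local_pems[name]):
            actions[name] = "mismatch"
        else:
            actions[name] = "ok"
    return actions


# --- constructed fixtures: placeholder bytes, not real certificates ---------
FAKE_DER = bytes(range(256))
LOCAL_PEMS = {
    "api.example.com": pem_wrap(FAKE_DER),
    "www.example.com": pem_wrap(b"a different placeholder certificate"),
}
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
SAMPLE_API_RESPONSE = json.dumps({"data": [
    {"name": "api.example.com", "expiresAt": "2016-06-20T00:00:00Z",
     "certFingerprint": fingerprint(FAKE_DER)},            # 19 days left
    {"name": "www.example.com", "expiresAt": "2016-08-20T00:00:00Z",
     "certFingerprint": fingerprint(FAKE_DER)},            # local file differs
    {"name": "app.example.com", "expiresAt": "2016-08-20T00:00:00Z",
     "certFingerprint": fingerprint(FAKE_DER)},            # no local copy
]})

if __name__ == "__main__":
    for name, action in sorted(plan(SAMPLE_API_RESPONSE, LOCAL_PEMS, NOW).items()):
        print(name, action)
```

Comparing fingerprints rather than PEM text avoids false mismatches from line-wrapping or trailing-newline differences, and the explicit timezone handling matters because a naive `datetime.now()` compared against an RFC 3339 UTC value would shift the renewal point by the host's UTC offset.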
This tool has served us well in our own environments, so the team has decided to release it publicly in the hope that it is useful to others.