
Using ACME v2 and possibility of generating wildcard certificates #114

Open
wants to merge 2 commits into
base: master

Conversation

asdek

@asdek asdek commented Jun 11, 2018

Hello,

  • Major changes for this version are using ACME v2 and the possibility of generating wildcard certificates
  • Bump version of lego to 1.0.1
  • Also, I took the liberty to change the version of the package to v1.0.0, similarly to lego
  • Updated square/go-jose to v2
  • Updated aws/aws-sdk-go, Sirupsen/logrus, Azure/azure-sdk-for-go, Azure/go-autorest packages

@marcbachmann

Awesome, thanks for the update. 👏
I already found one small issue which either could use a fix or just some additional documentation.

The configuration DOMAIN=*.subdomain.example.com,*.example.com fails with the following error:

urn:ietf:params:acme:error:malformed - Error creating new order :: DNS name had a malformed wildcard label

Changing the order to DOMAIN=*.example.com,*.subdomain.example.com works.
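The comment above reports that the order of the names in DOMAIN decides whether Let's Encrypt accepts the wildcard order. The Go program below is an added example, not code from this pull request or from lego: it parses a DOMAIN setting in the project's comma-separated form, keeps the order the operator gave, and rejects wildcard names that RFC 8555 section 7.1.3 would never accept (a `*` anywhere but the leftmost label, or a `*` glued to other characters) before any order is created. The function names ParseDomains and validateName are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ParseDomains splits a DOMAIN setting such as "*.example.com,*.subdomain.example.com"
// into a cleaned list and rejects malformed wildcard names before any ACME order
// is created. The rule applied is the one from RFC 8555 section 7.1.3: a wildcard
// is a single "*" and may only be the leftmost label. Input order is preserved,
// since the thread reports that the order of the names matters.
func ParseDomains(setting string) ([]string, error) {
	var domains []string
	seen := make(map[string]bool)
	for _, raw := range strings.Split(setting, ",") {
		name := strings.ToLower(strings.TrimSpace(raw))
		if name == "" {
			continue // tolerate stray commas
		}
		if err := validateName(name); err != nil {
			return nil, fmt.Errorf("DOMAIN entry %q: %w", name, err)
		}
		if seen[name] {
			continue // drop duplicates, keeping the first position
		}
		seen[name] = true
		domains = append(domains, name)
	}
	if len(domains) == 0 {
		return nil, errors.New("DOMAIN contains no names")
	}
	return domains, nil
}

// validateName checks label structure only; it does not resolve anything.
func validateName(name string) error {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(labels) < 2 {
		return errors.New("need at least two labels")
	}
	for i, label := range labels {
		switch {
		case label == "":
			return errors.New("empty label")
		case label == "*" && i != 0:
			return errors.New("wildcard must be the leftmost label")
		case label != "*" && strings.Contains(label, "*"):
			return errors.New("wildcard must be a whole label, e.g. *.example.com")
		}
	}
	return nil
}

func main() {
	// Constructed settings: the two orderings from the thread plus one malformed name.
	for _, setting := range []string{
		"*.example.com,*.subdomain.example.com",
		"*.subdomain.example.com,*.example.com",
		"foo.*.example.com",
	} {
		domains, err := ParseDomains(setting)
		fmt.Printf("%-45s -> %v %v\n", setting, domains, err)
	}
}
```

Both orderings from the comment pass this check, which is the point: the reordering fix reported above is not a syntax problem a local validator could catch, so the validator only guards against names the CA is guaranteed to reject, and the ordering stays in the operator's hands.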

@graemer957

Nice work @asdek 👍🏻

I tried to use it this morning, but ran into a problem:

03/07/2018 11:43:59 time="2018-07-03T10:43:59Z" level=info msg="Starting Let's Encrypt Certificate Manager v1.0.0 eb89fad"
03/07/2018 11:44:01 time="2018-07-03T10:44:01Z" level=info msg="Generating private key (2048) for [email protected]."
03/07/2018 11:44:02 time="2018-07-03T10:44:02Z" level=fatal msg="LetsEncrypt client: Could not create client: directory missing new registration URL"

Looks like this is fixed in go-acme/lego#562, but I believe you are already using v1.0.1 of lego?

@graemer957

This only looks to be a problem if you set API_VERSION to Sandbox, which we do first to test the settings. After a quick look around I couldn't find whether this is supported or not for wildcard certificates.


@graemer957 graemer957 left a comment


Tracked the problem down to the v01 endpoint being used for Staging/Sandbox.

)

const (
StorageDir = "/etc/letsencrypt"
ProductionApiUri = "https://acme-v01.api.letsencrypt.org/directory"
ProductionApiUri = "https://acme-v02.api.letsencrypt.org/directory"
StagingApiUri = "https://acme-staging.api.letsencrypt.org/directory"
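Review bot: StagingApiUri in this same const block still points at the v01 directory (https://acme-staging.api.letsencrypt.org/directory) while ProductionApiUri is moved to v02, so the two API_VERSION settings now speak different ACME versions, and the Sandbox path is what produces the "directory missing new registration URL" failure quoted above. Suggest changing it in the same commit to `StagingApiUri = "https://acme-staging-v02.api.letsencrypt.org/directory"` so both endpoints match the lego 1.x client.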


This also needs to be updated to the v02 endpoint https://acme-staging-v02.api.letsencrypt.org/directory, otherwise we get the error:

03/07/2018 13:50:27 time="2018-07-03T12:50:27Z" level=fatal msg="LetsEncrypt client: Could not create client: directory missing new registration URL"

@asdek (Author)


Thanks. Fixed
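The review above and the API_VERSION=Sandbox report earlier in the thread are the same defect: an ACME v2 client handed a v01 directory finds no newAccount entry and stops with "directory missing new registration URL". The Go program below is an added example, not code from this pull request or from lego. It maps API_VERSION to the v02 directory for both environments, keeps the old v01 URLs only as named constants to show the setting that breaks, and checks a fetched directory document offline using two constructed sample documents shaped like the v01 and v02 staging directories. The API_VERSION values "Production" and "Sandbox", and the names DirectoryURL and CheckDirectory, are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Directory URLs keyed by API_VERSION. The v01 constants are kept only to show
// the setting that breaks an ACME v2 client; DirectoryURL never returns them.
// The "Production"/"Sandbox" value names are an assumption for this example.
const (
	ProductionApiUriV01 = "https://acme-v01.api.letsencrypt.org/directory"
	StagingApiUriV01    = "https://acme-staging.api.letsencrypt.org/directory"
	ProductionApiUri    = "https://acme-v02.api.letsencrypt.org/directory"
	StagingApiUri       = "https://acme-staging-v02.api.letsencrypt.org/directory"
)

// DirectoryURL maps the API_VERSION setting to a v02 directory endpoint.
func DirectoryURL(apiVersion string) (string, error) {
	switch apiVersion {
	case "Production":
		return ProductionApiUri, nil
	case "Sandbox":
		return StagingApiUri, nil
	}
	return "", fmt.Errorf("unsupported API_VERSION %q", apiVersion)
}

// acmeV2Directory lists the entries an ACME v2 client needs from GET /directory.
// An ACME v1 (Boulder) directory uses "new-reg", "new-authz" and "new-cert"
// instead, so decoding it leaves every field empty.
type acmeV2Directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
}

// CheckDirectory decodes a directory document and reports whether it can serve
// an ACME v2 client; the first error text mirrors the failure seen in the thread.
func CheckDirectory(body []byte) (acmeV2Directory, error) {
	var dir acmeV2Directory
	if err := json.Unmarshal(body, &dir); err != nil {
		return dir, fmt.Errorf("directory is not valid JSON: %w", err)
	}
	if dir.NewAccount == "" {
		return dir, errors.New("directory missing new registration URL (ACME v1 endpoint?)")
	}
	if dir.NewNonce == "" || dir.NewOrder == "" {
		return dir, errors.New("directory missing newNonce/newOrder URL")
	}
	return dir, nil
}

// Constructed sample documents, trimmed to the keys that matter and shaped
// like the staging v01 and v02 directories respectively.
var (
	SampleV01Directory = []byte(`{"new-authz":"https://acme-staging.api.letsencrypt.org/acme/new-authz",
	  "new-cert":"https://acme-staging.api.letsencrypt.org/acme/new-cert",
	  "new-reg":"https://acme-staging.api.letsencrypt.org/acme/new-reg"}`)
	SampleV02Directory = []byte(`{"newNonce":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
	  "newAccount":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
	  "newOrder":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order"}`)
)

func main() {
	for name, body := range map[string][]byte{"v01": SampleV01Directory, "v02": SampleV02Directory} {
		_, err := CheckDirectory(body)
		fmt.Printf("%s directory: error=%v\n", name, err)
	}
}
```

Running CheckDirectory on the response body right after the directory fetch turns the late, opaque client-creation failure into a clear message naming the endpoint mismatch, which is the check a deployment that toggles between Sandbox and Production would want before the first order is attempted.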

@livehybrid

👍 on this one

@guatedude2

bump

@emilnygaard

Bump 👍

@radeno

radeno commented Oct 12, 2018

@asdek thanks for the great work. Hope @janeczku will merge it and release a new version soon.
What about also storing chain.pem and cert.pem as separate files?
Fullchain is nice, but it is too large for OCSP stapling (#105) to improve the handshake and lower the time to first byte.

@radeno

radeno commented Nov 6, 2018

@asdek it is likely that @janeczku has abandoned this project. There is a way to make your work public:
ask the https://github.com/rancher/community-catalog maintainers to use your fork, or ask them to add a new catalog. I don't know which is easier, but we should do that. I think there are hundreds if not thousands of users of this software.

But there is a second question. Do you want to maintain it (new PRs, new features, bug fixes, etc.)?

@annerajb

annerajb commented May 9, 2019

I doubt this will ever be merged, considering Rancher has now moved to 2.0 and they don't seem to want to do any sort of development for 1.6 environments.
Best bet is to fork it and use a community catalog.

@hajnalmt

It is quite sad that this project is abandoned.

@fridgerator

@asdek Is it possible to use this in Rancher 1.6 without the Rancher Catalog?

I noticed there is a vxcontrol/rancher-letsencrypt repo on docker hub. Can I just use this directly?

@fridgerator

I guess I answered my own question, this seems to work 👍

@fridgerator

I've created instructions for creating new services with the forked version of this repo manually: https://gist.github.com/fridgerator/db607d268f1f99329c8f9449e89abb4f
