gitlab-letsencrypt
Automatic job renewal via scheduled pipelines
To automatically renew certificates you could use Scheduled CI pipelines
- [ ] Add master branch to protected branches if it is not there already
- [ ] Add protected secret variable PRIVATE_TOKEN
- [ ] Add renew job to .gitlab-ci.yml

```yaml
stages:
  # ...
  - renew_ssl

renew_ssl:
  stage: renew_ssl
  script:
    - |
      if [ -z "${RENEW_SSL:-}" ]; then
        exit
      fi
      # TODO renew command
  only:
    - master
```

- [ ] Create pipeline schedule
  - interval pattern: 1 month
  - target branch: master
  - variables: RENEW_SSL=1
I don't know if you can commit from a CI job. If not, using a deployment key with write access allowed will be necessary.
@mishak87 This info would be very appreciated if it were on the readme
+1 for this. I tried to implement it, but because a scheduled pipeline needs to complete before the challenge pipeline, it can't work at the moment.
I did it in my project https://gitlab.com/axil/axil.gitlab.io/blob/master/.gitlab-ci.yml.
Example:
```yaml
letsencrypt:
  image: node:8-alpine
  stage: post-deploy
  variables:
    DOMAIN: "axilleas.me"
  before_script:
    - apk add git python --update-cache
    - npm install -g gitlab-letsencrypt --unsafe-perm
  script: |
    gitlab-le \
      --production \
      --domain $DOMAIN www.$DOMAIN \
      --email $LE_EMAIL \
      --token $LE_TOKEN \
      --repository $CI_PROJECT_URL \
      --path content/.well-known/acme-challenge
  only:
    - schedules
```
@axilleas I have just tested it too. Thanks for the examples. I will write a blog post about a bit more secure setup soon (tm).
I do not like the "root" token being available to all jobs and merge requests. It could be avoided by setting up a letsencrypt
protected environment (only for project Maintainers) and setting the CI variables to be available only for that environment.
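The layout that comment describes, written out as an added example (not code from this thread or from the gitlab-letsencrypt project): the renewal job is tied to a dedicated `letsencrypt` environment so that LE_TOKEN and LE_EMAIL can be given that environment scope in the project's CI/CD variable settings, and the job refuses to run anywhere except a scheduled pipeline on a protected branch. It assumes a GitLab version that supports `rules:` and `CI_COMMIT_REF_PROTECTED` (newer than the `only:` syntax used above), and the stage names are assumed; the domain, image and paths are the ones from the thread.

```yaml
stages:
  - deploy        # assumed stage name
  - post-deploy

letsencrypt:
  image: node:8-alpine
  stage: post-deploy
  # Dedicated environment: mark it as protected under Settings > CI/CD >
  # Protected environments so only Maintainers can deploy to it, and give
  # LE_TOKEN / LE_EMAIL the environment scope "letsencrypt" (plus the
  # Protected and Masked flags). Other jobs and merge-request pipelines
  # then never receive the repository-write token at all.
  environment:
    name: letsencrypt
  variables:
    DOMAIN: "axilleas.me"   # domain from the thread; replace with your own
  before_script:
    - apk add git python --update-cache
    - npm install -g gitlab-letsencrypt --unsafe-perm
  script:
    - |
      # The rules below already restrict where this job runs; this check
      # additionally fails loudly if the environment-scoped variables were
      # not injected, instead of running gitlab-le with an empty token.
      : "${LE_TOKEN:?LE_TOKEN not injected: job is not running in the letsencrypt environment}"
      : "${LE_EMAIL:?LE_EMAIL not set}"
      gitlab-le \
        --production \
        --domain "$DOMAIN" "www.$DOMAIN" \
        --email "$LE_EMAIL" \
        --token "$LE_TOKEN" \
        --repository "$CI_PROJECT_URL" \
        --path content/.well-known/acme-challenge
  # Run only for scheduled pipelines (the monthly renewal schedule) whose
  # target branch is protected, so pipelines from forks or feature branches
  # never reach this job.
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_REF_PROTECTED == "true"'
```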