Let’s Encrypt Container Detail
Getting Started with VNS3 Plugin System
The Let’s Encrypt container is deployed to VNS3 as a plugin using the container system.
Please be familiar with the VNS3 Plug-In Configuration Guide.
Let’s Encrypt Container - What does it do?
Following initial setup, the container will run once per week to perform the following actions:
- Initiate certificate generation/renewal by Let’s Encrypt
- Perform Let’s Encrypt http challenge verification
- Upload and install certificates to VNS3 via the VNS3 API
You do not need a Let’s Encrypt account to use this container.
Let’s Encrypt Container - What does it need?
The setup script inside the container requires and prompts for the following information:
- A DNS address for which certificates will be generated. This address must resolve to your VNS3 controller’s public IP address.
- An email address to be associated with the certificate, usually your webmaster address.
- Your VNS3 controller’s container network IP address. This will be the first address in your overlay subnet; for example, if your container network is 198.51.100.0/28, VNS3’s address is
- Your VNS3 controller’s API password.
Deploying the Let’s Encrypt Container
Getting the Let’s Encrypt Container
The Linux-based (Ubuntu 14.04) Let’s Encrypt Container Image is accessible at the following URL:
This is a read-only Amazon S3 storage location. Only Cohesive Networks can update or modify files stored in this location.
This URL can be used directly in a VNS3 Controller via the Web UI or API to import the container image for use in that controller. General screenshot walkthrough and help available in the Plug-In Configuration Document.
Uploading the Container Image to VNS3
From the Container —> Images page, choose Upload Image.
Provide a name for the image and a short description if you wish.
Select Image File URL and enter the Let’s Encrypt Container Image file URL:
Allocating a Container from the Image
When the Image has imported successfully, its state will be Ready in the Status Column.
To launch a container from the image, choose Allocate from the Image’s Action menu.
Launching the Let’s Encrypt Container
After selecting Allocate from the Actions menu, name your container, provide a description (optional), and enter /usr/bin/supervisord as the Command to start the container.
You can allow VNS3 to auto-assign a container network IP, but it is recommended that you choose one explicitly. Take note of this address for the following steps.
Let’s Encrypt Container Firewall Rules
The Let’s Encrypt Container requires the following firewall rules be added to the VNS3 controller:
# Container internet access
FORWARD_CUST -o eth0 -s <container_ip> -j ACCEPT
FORWARD_CUST -o plugin0 -d <container_ip> -j ACCEPT
POSTROUTING_CUST -s <container_ip> -o eth0 -j MASQUERADE
# Container SSH access
PREROUTING_CUST -p tcp --dport 44 -j DNAT --to <container_ip>:22
# Container LetsEncrypt verification
PREROUTING_CUST -i eth0 -p tcp --dport 80 -j DNAT --to <container_ip>:80
# LetsEncrypt container API access
INPUT_CUST -i plugin0 -s <container_ip> -p tcp --dport 8000 -j ACCEPT
OUTPUT_CUST -o plugin0 -d <container_ip> -p tcp --sport 8000 -j ACCEPT
Anywhere it appears, replace <container_ip> with the container IP you noted in the previous step.
Configuring the Let’s Encrypt Container
After allocating the container and applying the necessary firewall rules to VNS3, you can ssh into the container on port 44.
The username is container_admin, and the default password is
We recommend that you change this password immediately, using the following command:
sudo passwd container_admin
Configuration of the Let’s Encrypt container is simple; start by SSHing into the container. Next, run
You will be prompted to enter the following information:
- The controller’s DNS address
- An email address to be associated with the generated certificates
- Your VNS3 controller’s Container Network IP address
- Your VNS3 controller’s API password
The script will then generate and install a Let’s Encrypt HTTPS certificate, and it will renew that certificate every week for as long as the container runs.
Once the initial certificate generation process has completed (indicated by the message finished_ok), you may log out of the container.
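As an added check that is not part of this guide or of the Cohesive Networks container, the following Python script inspects the certificate the controller now serves on its DNS name and fails if it was not issued by Let's Encrypt, does not cover that name, or is close enough to expiry that the weekly renewal must have stalled. The hostname vns3.example.com, the 14-day threshold and the embedded sample certificate are assumptions.

```python
# Added example, not Cohesive Networks' code: check the served certificate and flag a stalled renewal.
import socket
import ssl
import sys
import time

RENEWAL_WARN_DAYS = 14  # assumed: two missed weekly renewals warrant an alert

# Constructed sample in the shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "vns3.example.com"),),
    "notAfter": "Mar 10 12:00:00 2030 GMT",
}

def fetch_cert(hostname, port=443, timeout=10):
    """Fetch the live certificate dict from hostname:port (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """organizationName from the nested issuer RDN tuples, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def expiry_seconds(cert):
    return ssl.cert_time_to_seconds(cert["notAfter"])

def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (expiry_seconds(cert) - now) / 86400

def check_cert(cert, hostname, now=None):
    """Named checks; all True means the container's weekly job is working."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "issued_by_lets_encrypt": issuer_org(cert) == "Let's Encrypt",
        "covers_hostname": hostname in sans,
        "renewal_current": days_until_expiry(cert, now) >= RENEWAL_WARN_DAYS,
    }

if __name__ == "__main__":  # pass the controller's DNS name to check it live
    host = sys.argv[1] if len(sys.argv) > 1 else "vns3.example.com"
    cert = fetch_cert(host) if len(sys.argv) > 1 else SAMPLE_CERT
    sys.exit(0 if all(check_cert(cert, host).values()) else 1)
```

Run it from cron on a schedule longer than the container's weekly cycle so a missed renewal is caught well before the certificate lapses.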
Export a Container Image
In the event that your VNS3 controller needs to be replaced or upgraded, you will need a copy of your configured Let’s Encrypt Container. We recommend creating and downloading an image of your container as a final step of the deployment process:
From the Containers page in the VNS3 web UI, select Action > Save as Image for your new Let’s Encrypt Container. Once that process is complete, you’ll be brought to the Images page. Select Action > Export on the new image, and provide a name.
Once Exporting is complete, you will have the option to download the image locally.