Hashicorp Nomad to Renew your TLS Certificates

Shen Zhen, China

All my web applications are configured to use a containerized NGINX ingress for TLS termination. Before, I was using simple cron jobs to keep my certificates updated. Now that I have moved all my apps into Nomad/Consul clusters, I wanted to see whether I could use a periodic Nomad job to trigger a certbot renewal with the raw_exec driver.

Prepare the Host

First, download the Let’s Encrypt client, certbot:

apt update
apt install certbot

Run the following commands to generate the certificates and then list them:

certbot -d example.com -d www.example.com
certbot certificates

Additionally, I will have to enable the raw_exec plugin in my Nomad client configuration:

/etc/nomad.d/client.hcl

plugin "raw_exec" {
  config {
    enabled = true
  }
}

Nomad Job File

I currently do not know how to test whether the certificate was actually renewed, so I cannot add a second task to the job below that restarts the Docker service when that is the case. But since all my apps are monitored using Zabbix, I will be alerted once a certificate in use reaches the end of its lifespan, so I can manually restart Docker to start using the updated certificate:

job "myapp_ingress_cert" {

  periodic {
    # run every day @5:55am
    cron = "55 5 * * *"
  }
  type = "batch"
  reschedule {
    attempts  = 0
    unlimited = false
  }
  datacenters = ["mydatacenter"]

  group "myapp-ingress-cert" {

    task "cert-renewal" {
      driver = "raw_exec"

      config {
        command = "/usr/bin/certbot"
        args    = ["renew", "--quiet", "--no-self-upgrade"]
      }
    }
  }
}

UPDATE:

Solution for non-interactive certonly renewal:

job "myapp_ingress_cert" {

  periodic {
    # run every day @5:55am
    cron = "55 5 * * *"
  }
  type = "batch"
  reschedule {
    attempts  = 0
    unlimited = false
  }
  datacenters = ["mydatacenter"]

  group "myapp-ingress-cert" {

    task "cert-renewal" {
      driver = "raw_exec"

      config {
        command = "/usr/bin/certbot"
        args    = ["certonly", "--quiet", "--noninteractive", "--standalone", "--cert-name", "my.domain.com"]
      }
    }
  }
}
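The open question above, how to tell whether certbot actually wrote a new certificate so that the ingress is only reloaded when it did, can be answered with a small wrapper that the raw_exec task calls instead of certbot directly. The script below is an added example and not part of the original post: it takes a digest of the live fullchain.pem before and after the renewal and reloads the containerized NGINX only when the digest changed. The certificate path, the renewal command and the reload command are my assumptions (overridable through CERT_DIR, RENEW_CMD and RELOAD_CMD); the container name "nginx-ingress" is a placeholder. Because raw_exec runs the task without isolation and as the user the Nomad agent runs as, the script should be root-owned and not writable by anyone else.

```shell
#!/bin/sh
# Added example, not part of the original post: a wrapper that the raw_exec
# task can call instead of certbot directly. It records a digest of the live
# certificate, runs the renewal, and reloads the NGINX ingress only when the
# certificate file actually changed.
#
# Assumptions (mine, not the post's): the certificate lives at
# $CERT_DIR/fullchain.pem, the renewal and reload commands can be overridden
# through RENEW_CMD and RELOAD_CMD, and "docker exec <container> nginx -s reload"
# is how the containerized ingress picks up new files.
set -eu

# Digest of a file, or "missing" when it does not exist yet (first issuance).
file_digest() {
  if [ ! -f "$1" ]; then
    echo "missing"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# "reload" when the digests before and after differ, "noop" otherwise.
post_renew_action() {
  if [ "$1" != "$2" ]; then echo "reload"; else echo "noop"; fi
}

# Run the renewal and act on the result. Prints the action taken and returns 0
# in both cases, so the Nomad batch job does not count an unchanged
# certificate as a failed allocation.
renew_and_reload() {
  cert="${CERT_DIR:-/etc/letsencrypt/live/my.domain.com}/fullchain.pem"
  before=$(file_digest "$cert")
  sh -c "${RENEW_CMD:-certbot renew --quiet --no-self-upgrade}"
  after=$(file_digest "$cert")
  action=$(post_renew_action "$before" "$after")
  if [ "$action" = "reload" ]; then
    sh -c "${RELOAD_CMD:-docker exec nginx-ingress nginx -s reload}"
  fi
  echo "$action"
}

# Only perform the renewal when invoked as "renew-cert.sh run", so the
# functions above can be sourced and checked without touching certbot.
case "${1:-}" in
  run) renew_and_reload ;;
esac
```

In the Nomad task this replaces `command = "/usr/bin/certbot"` with the path of the script and `args = ["run"]`. certbot's own `--deploy-hook` option runs a command only after a successful renewal and can replace the digest comparison once you are confident in it; the comparison has the advantage of being independent of how the certificate was obtained (renew or certonly).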

Run the Job

nomad plan myapp_ingress_cert.tf

+ Job: "myapp_ingress_cert"
+ Task Group: "myapp-ingress-cert" (1 create)
  + Task: "cert-renewal" (forces create)

Scheduler dry-run:
- All tasks successfully allocated.
- If submitted now, next periodic launch would be at 2022-11-14T05:55:00Z (22h52m3s from now).

nomad job run -check-index 0 myapp_ingress_cert.tf

Job registration successful
Approximate next launch time: 2022-11-14T05:55:00Z (22h51m52s from now)