lego

LEGO

  • Canonical Telco
Channel       Revision  Published     Runs on
4/stable      34        14 Feb 2025   Ubuntu 22.04
4/candidate   34        14 Feb 2025   Ubuntu 22.04
4/beta        34        23 Jan 2025   Ubuntu 22.04
4/edge        59        07 Apr 2025   Ubuntu 22.04
4/edge        58        07 Apr 2025   Ubuntu 22.04
juju deploy lego --channel 4/stable

Platform: Ubuntu 22.04

Getting Started

In this tutorial, we will get certificates signed by Let's Encrypt for the tls-certificates-requirer charm using the lego charm (lego-operator).

Pre-requisites

  • Ubuntu 22.04
  • A Juju controller. The steps below rely on user secrets (juju add-secret, juju grant-secret), which need Juju 3.3 or later.
  • A valid domain name hosted at one of the DNS providers supported by LEGO's DNS challenge (see the list of supported providers in the LEGO documentation).
  • The authentication data required by the DNS provider plugin, as specified in the LEGO documentation for that provider.
  • A requirer charm using the tls-certificates-interface

1. Add the Juju model

juju add-model lego 

2. Deploy and Configure the Requirer Charm

In this tutorial we are going to use the tls-certificates-requirer charm, and we will configure it to use our valid domain name.

juju deploy tls-certificates-requirer --config common_name="techtutorial.org" --config sans_dns="techtutorial.org"

3. Deploy and Configure lego

juju deploy lego --channel 4/stable

Configure the Let's Encrypt server. In this tutorial we will use the staging server of Let's Encrypt. Staging has far higher rate limits than production, which makes it the right place to debug DNS challenges, but its certificates are issued by a staging CA that browsers and operating systems do not trust. Once the setup works, switch to the production directory, https://acme-v02.api.letsencrypt.org/directory.

juju config lego server="https://acme-staging-v02.api.letsencrypt.org/directory"

Configure the email address used to register the ACME account with Let's Encrypt

juju config lego email=<your email address>

Configure the DNS provider plugin. In this tutorial we will use the hetzner plugin, but you can use any DNS provider plugin supported by LEGO; the value is the provider code LEGO itself uses (hetzner here).

juju config lego plugin="hetzner"

Next, add a secret holding the configuration the plugin needs: its keys are the plugin's configuration options and its values are their values. For hetzner only the API key is required, but this varies per plugin, so check the documentation of the plugin you use (the hetzner page of the LEGO docs, in this case). If you would rather not type the key on the command line, `juju add-secret` also accepts `hetzner-api-key#file=/path/to/keyfile` and reads the value from that file, which keeps the token out of your shell history.

juju add-secret lego-credentials hetzner-api-key=<key>

Grant the secret to the charm

juju grant-secret lego-credentials lego

Configure the charm with the ID of the secret we just created. `juju add-secret` prints the URI of the new secret (it starts with `secret:`); that URI is the value to use here, and `juju secrets` lists it again if you missed it.

juju config lego plugin-config-secret-id=<secret id>

Now lego should be in active status and ready to be integrated with requirer charms. If it is blocked instead, the application message in `juju status` states what is missing.

4. Integrate the charms

juju integrate lego tls-certificates-requirer
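Steps 1 to 4 collected into one reproducible script, as an added example that is not part of this tutorial or of the lego charm. The charm names, channel, config options and the secret name lego-credentials are the ones used above; the function name deploy_lego, the JUJU override and the credential file are this script's own choices. It reads the API key from a file through the `key#file=` form of `juju add-secret`, captures the secret URI that `juju add-secret` prints, and feeds it into plugin-config-secret-id instead of having you paste it by hand.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the lego charm. The charm names,
# config options and channel are the ones used in the steps above; everything
# else (function name, JUJU override, credential file) is this script's own.
set -eu

# Override to point at another juju binary (e.g. a stub for a dry run).
JUJU=${JUJU:-juju}

# deploy_lego MODEL DOMAIN EMAIL PLUGIN SECRET_KEY KEY_FILE [ACME_SERVER]
# Runs steps 1-4: model, requirer charm, lego, the DNS credential as a user
# secret, then the integration. Sets LEGO_SECRET_ID to the created secret's URI.
# ACME_SERVER defaults to the Let's Encrypt staging directory used above.
deploy_lego() {
    model=$1; domain=$2; email=$3; plugin=$4; secret_key=$5; key_file=$6
    server=${7:-https://acme-staging-v02.api.letsencrypt.org/directory}

    # Fail early rather than creating an empty secret and a blocked charm.
    if [ ! -s "$key_file" ]; then
        echo "credential file '$key_file' is missing or empty" >&2
        return 1
    fi

    "$JUJU" add-model "$model"

    "$JUJU" deploy tls-certificates-requirer \
        --config common_name="$domain" --config sans_dns="$domain"

    "$JUJU" deploy lego --channel 4/stable
    "$JUJU" config lego server="$server" email="$email" plugin="$plugin"

    # key#file=PATH makes juju read the value from PATH, so the API key is
    # neither typed on the command line nor kept in shell history.
    # juju add-secret prints the new secret's URI (secret:...), which is the
    # value the charm expects in plugin-config-secret-id.
    LEGO_SECRET_ID=$("$JUJU" add-secret lego-credentials "${secret_key}#file=${key_file}")
    "$JUJU" grant-secret lego-credentials lego
    "$JUJU" config lego plugin-config-secret-id="$LEGO_SECRET_ID"

    "$JUJU" integrate lego tls-certificates-requirer
}
```

Source the file and call, for example, `deploy_lego lego techtutorial.org you@example.com hetzner hetzner-api-key ~/hetzner.key`, then watch `juju status` until both applications are active as in step 5. Pass the production directory as the seventh argument once you want real certificates.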

5. Validate Certificate

Wait until the charms go into the following states:

Model  Controller  Cloud/Region        Version  SLA          Timestamp
lego   k8s         microk8s/localhost  3.6.4    unsupported  13:04:55Z

App                        Version  Status  Scale  Charm                      Channel        Rev  Address         Exposed  Message
lego                                active      1  lego                       4/stable        34  10.152.183.222  no       1/1 certificate requests are fulfilled
tls-certificates-requirer           active      1  tls-certificates-requirer  latest/stable  143  10.152.183.168  no       1/1 certificate requests are fulfilled

Unit                          Workload  Agent  Address       Ports  Message
lego/0*                       active    idle   10.1.250.243         1/1 certificate requests are fulfilled
tls-certificates-requirer/0*  active    idle   10.1.250.212         1/1 certificate requests are fulfilled

We can validate that the certificate was actually signed by Let's Encrypt by reading the first certificate returned by the requirer's get-certificate action:

juju run tls-certificates-requirer/leader get-certificate \
  | yq -r '.certificates | fromjson | .[0].certificate' \
  | openssl x509 -text -noout

The output shows a certificate for techtutorial.org issued by Let's Encrypt. Note the issuer, CN = R11, and the lencr.org OCSP and CRL URLs: these belong to Let's Encrypt's production CA, so this particular output was captured against the production directory. Certificates obtained from the staging directory configured above are issued by the staging CA instead, whose issuer names contain "(STAGING)", and they do not chain to a publicly trusted root.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:e0:c0:af:ed:73:58:25:bd:c4:76:a0:22:f7:a6:3f:27:16
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R11
        Validity
            Not Before: Apr  8 12:05:16 2025 GMT
            Not After : Jul  7 12:05:15 2025 GMT
        Subject: CN = techtutorial.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f9:15:c4:61:e0:10:06:c8:f5:33:40:19:e1:b2:
                    09:21:9e:b5:d0:37:9a:80:01:c9:93:e1:ef:f3:6f:
                    26:de:4d:0d:5a:5a:94:67:48:d6:be:e1:76:65:62:
                    7c:b7:e8:ab:31:6c:9d:37:d5:00:a7:e5:74:c4:62:
                    fb:19:c0:41:68:b8:7d:f6:d6:21:a0:5e:3f:5f:fd:
                    a8:d9:38:50:3a:21:cb:bd:9f:46:78:02:13:21:95:
                    88:79:80:d5:87:0d:1b:96:ac:bc:17:1b:46:f9:ba:
                    a2:90:9a:22:9f:c5:3a:3e:ab:79:b1:0a:0e:c8:f5:
                    ac:8e:a9:35:b8:a7:60:2b:a5:5c:64:df:7e:48:20:
                    cc:95:d5:b5:89:c0:ad:20:4f:f7:d4:8f:3b:49:17:
                    33:35:f2:7e:a8:a5:9a:de:30:dd:36:a9:24:47:97:
                    a1:fb:cf:67:b6:a2:90:7a:87:cf:8a:6c:64:71:89:
                    60:bb:f3:35:13:36:1f:e3:16:1c:03:ba:f6:81:d3:
                    3b:0d:a3:d6:a1:2b:96:4b:30:e4:ad:84:6e:14:c6:
                    57:09:24:9a:1a:1f:74:dd:4d:89:20:bb:51:f0:fe:
                    22:f0:8c:76:3e:21:8e:07:a9:66:d6:ee:df:d2:52:
                    25:ab:ba:7f:00:14:86:b2:d3:19:11:1f:3e:0e:f4:
                    ce:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                0B:92:5F:73:51:AF:A3:BE:D4:8E:CC:31:8C:E4:63:78:AF:6C:99:5D
            X509v3 Authority Key Identifier:
                C5:CF:46:A4:EA:F4:C3:C0:7A:6C:95:C4:2D:B0:5E:92:2F:26:E3:B9
            Authority Information Access:
                OCSP - URI:http://r11.o.lencr.org
                CA Issuers - URI:http://r11.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:techtutorial.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://r11.c.lencr.org/23.crl
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : CC:FB:0F:6A:85:71:09:65:FE:95:9B:53:CE:E9:B2:7C:
                                22:E9:85:5C:0D:97:8D:B6:A9:7E:54:C0:FE:4C:0D:B0
                    Timestamp : Apr  8 13:03:46.809 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:8C:9C:E8:1D:F5:E1:78:B8:75:8C:60:
                                92:CD:EE:2C:70:C4:0C:7D:E3:E0:EC:EF:07:5F:72:F6:
                                C1:A7:F8:5E:80:02:20:3E:4E:92:C1:25:FF:06:88:22:
                                DD:29:17:B5:90:EF:3E:35:CE:24:D5:EF:3E:B2:0F:8B:
                                F8:6D:DF:DB:B4:6C:7D
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:DC:CA:34:95:D7:E1:16:05:E7:95:32:FA:C7:9F:F8:
                                3D:1C:50:DF:DB:00:3A:14:12:76:0A:2C:AC:BB:C8:2A
                    Timestamp : Apr  8 13:03:46.857 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:2A:45:92:1D:C5:C1:0A:04:68:2D:87:FA:
                                4E:88:98:2A:A9:A2:A3:8D:5D:3C:5A:9B:23:AC:BA:5B:
                                A8:DF:4E:A6:02:21:00:8D:AC:52:A5:E1:F9:F1:29:8C:
                                A4:25:4F:E2:9E:86:B3:BB:32:07:6F:D1:4C:39:CC:5E:
                                16:72:37:33:3B:BD:6A
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        60:f7:c4:0a:20:a9:c5:b3:7e:43:16:d1:d1:0c:b4:c1:b9:67:
        ea:8c:07:6c:25:56:75:d2:22:1f:0f:d5:48:97:7b:c0:5f:ae:
        5c:a5:21:7f:4a:a5:52:5f:af:ce:9c:f8:46:bc:40:ce:45:9a:
        b4:62:f4:cf:d3:29:1e:29:0f:53:7d:70:d9:44:7a:2d:2a:27:
        60:8d:9b:d4:49:ac:f4:33:db:f7:3a:89:72:07:58:6a:67:11:
        57:a6:80:a5:dd:17:5b:9f:fb:9c:6d:85:0c:cb:68:26:58:fa:
        d2:2c:ad:b9:69:2e:66:99:21:71:b0:10:30:74:9a:37:30:65:
        fd:4b:40:8a:3b:0b:0b:1a:48:aa:c6:8d:d5:2d:08:5e:e8:2b:
        60:bc:69:0b:c3:96:18:cd:ac:4e:80:05:51:86:5d:87:98:26:
        b8:21:59:73:91:8e:53:93:f6:2c:6e:eb:c8:77:b8:2c:89:e4:
        ef:74:9e:7e:7c:34:08:82:61:e1:b0:1d:15:8b:2d:b2:9e:b6:
        18:ac:96:b2:ec:de:6f:f6:54:96:ca:f6:2b:32:85:e7:82:61:
        3d:0a:c5:b6:4d:1f:03:46:80:92:d2:a0:99:50:e5:7c:ab:de:
        1b:6a:aa:8e:8a:ba:bd:67:95:de:68:45:30:1f:ff:91:08:85:
        c8:cd:20:a6
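A scripted version of the check above, as an added example that is not part of the tutorial or the lego charm: instead of reading `openssl x509 -text` by eye, it verifies that the requested domain is in the Subject Alternative Names, that the issuer matches what you expect, and that the certificate is not about to expire, and it warns when the issuer is the staging CA. The function name check_cert, the expected-issuer argument and the seven-day default are this script's own.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the lego charm.
# check_cert CERT_FILE DOMAIN EXPECTED_ISSUER [MIN_SECONDS_LEFT]
#   CERT_FILE        PEM certificate, or "-" to read it from stdin
#   DOMAIN           DNS name that must appear in the SAN extension
#   EXPECTED_ISSUER  substring of the issuer DN in RFC 2253 form,
#                    e.g. "O=Let's Encrypt"
#   MIN_SECONDS_LEFT fail if the certificate expires sooner (default 7 days)
# Returns 0 when all checks pass, 1 otherwise; a staging-CA issuer is
# reported as a warning but does not fail the check on its own.
check_cert() {
    cert_file=$1; domain=$2; expected_issuer=$3; min_left=${4:-604800}
    pem=$(cat "$cert_file") || return 1
    rc=0

    # RFC 2253 output gives a stable "CN=R11,O=Let's Encrypt,C=US" form
    # regardless of the OpenSSL version's default name formatting.
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer -nameopt RFC2253)
    issuer=${issuer#issuer=}
    case "$issuer" in
        *"$expected_issuer"*) echo "ok: issuer is $issuer" ;;
        *) echo "FAIL: issuer '$issuer' does not contain '$expected_issuer'" >&2; rc=1 ;;
    esac
    case "$issuer" in
        *STAGING*) echo "warning: issued by a staging CA, not publicly trusted" >&2 ;;
    esac

    # SANs are printed comma-separated on one line; split them into one entry
    # per line and require an exact match, so DNS:techtutorial.org does not
    # accept DNS:techtutorial.org.example or a substring.
    if printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$domain"; then
        echo "ok: SAN contains DNS:$domain"
    else
        echo "FAIL: DNS:$domain is not in the Subject Alternative Names" >&2; rc=1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$min_left" >/dev/null; then
        echo "ok: valid for at least $min_left more seconds"
    else
        echo "FAIL: certificate expires within $min_left seconds" >&2; rc=1
    fi
    return $rc
}
```

Used against the tutorial's deployment: `juju run tls-certificates-requirer/leader get-certificate | yq -r '.certificates | fromjson | .[0].certificate' | check_cert - techtutorial.org "O=Let's Encrypt"`. With the staging directory configured, expect the issuer check to fail for that string and the staging warning to appear; match on "(STAGING)" there, or on the production organisation once you have switched to the production directory.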