Automatic job renewal via scheduled pipelines

[mishak87]

To automatically renew certificates you could use Scheduled CI pipelines

• Add master branch to protected branches if it is not there already
• Add protected secret variable PRIVATE_TOKEN
• Add renew job to .gitlab-ci.yml

stages:
  # ...
  - renew_ssl

renew_ssl:
  stage: renew_ssl
  script:
    - |
      if [ -z "${RENEW_SSL:-}" ]; then
        exit
      fi
      # TODO renew command
  only:
    - master

• Create pipeline schedule
  interval pattern: 1 month
  target branch: master
  variables:
  RENEW_SSL = 1

I don't know if you can commit from CI job. If not using deployment key with allowed write access will be necessary.

[gabrielperales]

@mishak87 This info would be very appreciated if it were on the readme

[nathansmonk]

+1 for this. I tried to implement it, but because a scheduled pipeline needs to complete before the challenge pipeline it can't work at the moment.

[axilleas]

I did it in my project https://gitlab.com/axil/axil.gitlab.io/blob/master/.gitlab-ci.yml.

Example:

letsencrypt:
  image: node:8-alpine
  stage: post-deploy
  variables:
    DOMAIN: "axilleas.me"
  before_script:
    - apk add git python --update-cache
    - npm install -g gitlab-letsencrypt --unsafe-perm
  script: |
    gitlab-le \
    --production \
    --domain $DOMAIN www.$DOMAIN \
    --email $LE_EMAIL \
    --token $LE_TOKEN \
    --repository $CI_PROJECT_URL \
    --path content/.well-known/acme-challenge
  only:
    - schedules

[mishak87]

@axilleas I have just tested it too. Thanks for examples. I will write blog post about bit more secure setup soon (tm).
I do not like the "root" token available for all jobs and merge requests. It could be avoided setting up letsencrypt protected environment (only for project Maintainers) and setting CI variables to be available only for that environment.