by Devin Yang
(This article was automatically translated.)

Published - 6 years ago ( Updated - 5 years ago )

foreword

This article mainly shares how I use Docker to apply for a Let's Encrypt certificate.
Let's Encrypt has quite a variety of ACME Clients,
I will use the official push Certbot (ACME Client) for illustration.
And use docker to execute ACME Client.
This has two advantages for me:

1. I don't need to use the highest authority (root) on the host (host) to run the certbot program, and I don't need to install the Python environment for executing the Client.

2. Paste the command, automatically download the Client and execute it, and then obtain the certificate. After you understand the docker command and certbot parameters, this will be a very simple thing.

Dockerfile

Before we start, let's take a look at the Dockerfile settings provided by Certbot.
Understanding the settings of the Dockerfile will help us understand the purpose of the instructions to be executed later, so let's take a look.
For the location of Dockerhub, please see here: https://hub.docker.com/r/certbot/certbot
FROM python:2-alpine3.7

ENTRYPOINT [ "certbot" ]
EXPOSE 80 443
VOLUME /etc/letsencrypt /var/lib/letsencrypt
WORKDIR /opt/certbot

COPY CHANGELOG.md README.rst setup.py src/
COPY acme src/acme
COPY certbot src/certbot

RUN apk add --no-cache --virtual .certbot-deps \
libffi\
libssl1.0 \
openssl \
ca-certificates \
binutils
RUN apk add --no-cache --virtual .build-deps \
gcc \
linux-headers\
openssl-dev \
musl-dev\
libffi-dev \
&& pip install --no-cache-dir \
--editable /opt/certbot/src/acme \
--editable /opt/certbot/src\
&& apk del .build-deps
It can be seen that the ENTRYPOINT above is the certbot command, and we can substitute the host into the parameter side to execute the command in the container.

How to get a certificate with certbot

I divide him into four application scenarios, not four steps.
Scenario 2, a voucher can be generated with just one line of command.
Please pay attention to the parameters substituted after certbot/certbot in the docker command,
Different situations use different parameters.

Scenario 1, manual manual setting
It means that when the web server is a remote host, we want to generate a certificate for the host on our own computer.
Because the directory needs to be mounted into the container, so that the generated credentials can be written to our host.
Please create a folder first.
mkdir -p /etc/letsencrypt
Then use the command below to generate a certificate ( please replace it with your own email )
docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -ti certbot/certbot certonly --manual --email devin@ccc.tc --agree-tos
During the process, we will be asked which domain name to use, and we will be asked to put the challenge information on the remote web server.
Here is my approach, directly ssh to the host, copy the relevant information requested by certbot, use echo standard output, and re-import it into a file through greater than.
 
ssh root@我的主機
cd /var/www/html/.well-known/acme-challenge/
echo LW_70m1q1QWIAxktnR8rU3QK4znLP9iyvp1Uf3mBsU4._ZtWqdsZpgLv_TS7hHMCm0zcL8HXhJrGePNrNSSi23Y> LW_70m1q1QWIAxktnR8rU3QK4znLP9iyvp1Uf3mBsU4
After finishing, press Enter again, if he can connect to the file through the website and pass the verification, the certificate will be issued and placed in the relevant directory under /etc/letsencrypt.


Scenario 2, certonly only generates certificates
It means that the certificate is generated through the running web server. Simply put, the place where we want to execute the command,
There is already a live web server running.

Before executing the command, please confirm that these two directories exist on the host side.
mkdir -p /etc/letsencrypt
mkdir -p /var/www/html/.well-known/acme-challenge
(Here it is assumed that the root directory of the website of your operating host is under /var/www/html. In addition, please replace it with the domain name that generates the certificate yourself. It is impossible to use www.ccc.tc )
If your directory is not /var/www/html, please adjust the mounting location by yourself.
docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -v /var/www/html:/html -ti certbot/certbot certonly --email devin@ccc.tc --agree-tos --webroot -w /html -d www.ccc.tc
In the above command, the -v parameter is used to mount the two folders on the host side respectively.
/etc/letsencrypt (credentials and let's encrypt settings)
/var/www/html (the root directory of the website)
In addition, there is an extra --webroot -w /html What does this mean?
Here I define the root directory of the website as /html (inside the container). But we passed the -v /var/www/html:/html parameter of docker,
Mount the real directory /var/www/html on the host side into the /html of the container.

So certbot can write the challenge file to our website directory.
/var/www/html/.well-known/acme-challenge
That is to say, he will link to the files and content randomly generated by certbot on our host.
http://www.ccc.tc/.well-know/acme-challenge/0wCvy2q6URD-AwFTJQGUkz5sug6d3ptGp6QQGzqe1Eg

After passing, certbot will store the certificate and settings in /etc/letsencrypt on the host side ( -v /etc/letsencrypt:/etc/letsencrypt ).
Therefore, in the same docker mounting method, after changing the entrypoint of certbot to renew, it can be automatically updated when the certificate is about to arrive.
0 0 * * * docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -v /var/www/html:/html -ti certbot/certbot renew
Try executing renew, you can see that the certificate has not expired:
root@ccc:~# docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -v /var/www/html:/html -ti certbot/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.cc.tc.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.ccc.tc/fullchain.pem expires on 2019-04-12 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Scenario 3, standalone independent server
When certbot has more --standalone parameters, it means that he will build a challenge http server, so you should make sure that your firewall has port 80 enabled.
In the example below, the DNS solution of the domain name substituted after -d needs to be able to resolve the external network IP used by your computer.
docker run --rm  -v /etc/letsencrypt:/etc/letsencrypt  -p 80:80 -ti certbot/certbot certonly --standalone --email devin@ccc.tc --agree-tos --preferred-challenges http -d test1.ccc.tc
In this example, certbot helps us build a web server to receive the challenge and generate certificates.
Obviously, you can see that port 80 will be opened on the host side through -p and mapped to port 80 in the container.
In addition, of course, /etc/letsencrypt in the container must be mounted to retain the generated credentials.
Because I added --rm to the docker parameter, it will be automatically removed when the container is executed.
So we need to mount /etc/letsencrypt via -v to preserve the settings and obtain the certificate.

Therefore, there is no need for a web server. When docker is running, certbot will independently generate a web server, and the host will be stopped after the job is completed.
Then, on our /etc/letsencrypt, there is the certificate.

The /etc/letsencrypt directory on the left of -v can be customized.
If I created a letsencrypt folder in my home directory, I can mount it as follows -v ${HOME}/letsencrypt:/etc/letsencrypt.
${HOME} refers to our home directory, you can use echo ${HOME} on MacOS or Linux system to see.
I hope that everyone can think about and understand the meaning behind the parameters, and then adjust the parameters according to their own environmental needs, instead of just adjusting the domain name and email and just posting it.

Scenario 4: wildcard certificate application
If we want to generate any subdomain certificate (*.ccc.tc), we can use the following command.
docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -ti certbot/certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "*.ccc.tc"
The certificate of wildcard needs to be challenged by dns, so you must be able to adjust the DNS Server and add the txt record required by it for verification.
 

At last

If you can successfully use docker to generate credentials. In fact, the parameters are the same,
In an environment without docker, you can also directly install the certbot file and use the certbot command to generate certificates.
Put the entire docker command below
docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -v /var/www/html:/html -ti certbot/certbot
Think of it as executing the certbot command
/usr/bin/certbot


The certificate setting of the web server is beyond the scope of this article, but here is a little reminder for everyone. In the second certonly setting,
Because the host that generates the certificate is on the same machine as the web host, we can directly write the certificate settings to the settings of the web server. Take Apache as an example:
SSLCertificateFile    /etc/letsencrypt/live/www.ccc.tc/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.ccc.tc/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.ccc.tc/chain.pem
Add a schedule to check certbot renew every day and the following command to restart the host.
service httpd graceful
In this way, the certificate can be automatically updated without anyone noticing it.
If your host is nginx, you can use
nginx -s reload
If it is a host in a container (container), I believe this trick should kill, you may try :)
https://www.ccc.tc/notes/50

After reading this article, do you find that voucher application is so simple that it explodes, and automation is not difficult, isn't it?



 

Tags: ssl certbot

Devin Yang

Feel free to ask me, if you don't get it.:)

No Comment

Post your comment

Login is required to leave comments

Similar Stories


openssl

How to remove PEM password

You can remove the cipher using the openssl rsa command. We pass in the SSL .key and get a .key file as output.

config,ssl,certbot

Apache and Nginx's ACME authentication pass kill

Some people may be curious about what to do with this. Let me briefly explain my situation. The super old host cannot install HAProxy or certbo without Docker, only apache and nginx. But I need to automatically apply for and update the certificate on the host, so I let the host mount the folder on another host that can run the certbot program through NFS, so that the verification file generated by him can be directly generated on the old host /home In the /nginx/acme-challenge/.well-known/acme-challenge/ directory, the web page can be successfully verified and the certificate can be obtained. When there are a bunch of vhosts, you can all eat the same folder, instead of creating a directory for each vhost website.

certbot,letencrypt

Manually update the full record of Whildcard certificate, tips on how to automatically update unbelievable

I wrote this record of manual update first, because I think about the future and then write an automatic update. That's how you have a control group. If we have used Let's encrypt to apply for a whildcard certificate, we will definitely find this passage after the successful application.