curlftpfs introduction and manual certificate application

by Devin Yang
(This article was automatically translated.)

Published - 1 year ago ( Updated - 1 year ago )

Situation sharing, imagine that you have WebHosting, which only provides FTP connection, and then you want to apply for a certificate manually.
In this article, I share how I use Docker to install curlftpfs, and mount the FTP folder of the remote host,
Then execute certbot in the container to apply for an SSL certificate.

Aside from the certificate application, when I first discovered the curlftpfs command, I found it very interesting, especially if you are a MacOS user,
When you don't have a satisfactory FTP software at hand. You love scrolling through the command line as much as I do, so maybe you should love this command too. 🤭

First of all, let's start by creating a Dockerfile.
The Yaml file is as follows, I am used to the terminal in the Chinese environment. 

From ubuntu:latest
RUN apt-get update && apt-get install -y \
locales curlftpfs python3 certbot vim

#Chinese environment
RUN echo "Asia/Taipei" > /etc/timezone && \
    dpkg-reconfigure -f noninteractive tzdata && \
    sed -i -e 's/# zh_TW.UTF-8 UTF-8/zh_TW.UTF-8 UTF-8/' /etc/locale.gen && \
    echo 'LANG="zh_TW.UTF-8"'>/etc/default/locale && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=zh_TW.UTF-8

ENV LANG zh_TW.UTF-8
ENV LANGUAGE zh_TW.UTF-8
ENV LC_ALL zh_TW.UTF-8

Let’s use this Dockerfile to build an ftpbot image, the command is as follows:
Please put the Dockerfile in an empty directory before building, it must Avoid unnecessary caching problems. 

docker build -t ftpbot .

Completed the creation of the image, I will build another letsencrypt in my folder directory, so I can use the command below to create a container and enter the container
etc. To use curlftpfs in the container, --privileged is required when the container starts. 

docker run --rm --privileged -v $(pwd)/letsencrypt:/etc/letsencrypt -ti ftpbot bash

Next, mount the folder of the remote host in the container to the /mnt directory of the container

curlftpfs FTP account: FTP password@FTP host/ mnt

Execute the certbot command and follow the instructions

certbot certonly --manual --email Application email --agree -tos \
-d domain.com \
-d www.domain name.com

In the above screen, the screen will stop and wait for Enter, he wants us to go to the website to create a verification file LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
At this time, we can have two kinds of processing Method
1. Ctrl+z puts the program in the background temporarily, then switches to the FTP directory of the webpage mounted on /mnt to generate the acme verification file, and then press fg to return to the foreground.
2. Open another terminal to enter the running container to operate. I use this method as my habit. 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4._ZtWqdsZpgLv_TS7hHMCm0zcL8HXhJrGePNrNSSi23Y

And make it available on your web server at this URL:

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

For example, we are in the container, type hostname, it is better to copy

root@07291c69af42:~ # hostname
07291c69af42
root@07291c69af42:~#

Then on your own Host side, you can issue commands to enter the same executing container

docker exec -ti 07291c69af42 bash
root@07291c69af42:/#

For example, the root directory of the remote website is /www, so we can create the .well-knon/acme-challenge directory with the following command.
In the case of FTP mounting, it is recommended to touch first and then echo. The operation is as follows

root@07291c69af42:~# cd /mnt/
root@07291c69af42:/mnt# mkdir -p www/.well-knon/acme-challenge
root@07291c69af42:/mnt# cd www/.well-knon/acme-challenge
root@07291c69af42:/mnt/www/.well-knon/acme-challenge# touch LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
#Here, after the echo content, there is a > redirection
root@07291c69af42:/mnt/www/.well-knon/acme-challenge# echo LW_70m1q1QWIAtnR8rU--short---GePNrNSSi23Y > LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
root@07291c69af42:/mnt/www/.well-knon/acme-challenge#

After completion, confirm that the URL is open to this file, and then press Enter to complete the verification of ACME . 

http://domain name.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

After all is done, You can umount and leave, and then the certificate will be in the hanging directory (the diagram below)

cd letsencrypt/live/domain name.com< /pre>
The above is a manual method, but it is also possible to automatically apply for vouchers and RENEW. However, the space is limited, so I will introduce it again when I have the opportunity. 
Is it okay to directly let certbot save the certificate file to the /mnt directory? The answer is "no". In this case, certbot cannot directly write to the mounted remote host folder. 

Reminder, we can let certbot generate the verification file in the local folder in the container, and then use a Python watchdog file to change the program, and if the file is found to be added, copy it
Move the file Go to the verification directory on /mnt, my experience is verified, and the certificate application for six websites is done at one time. 

As for the renew part, we have the letsencrypt folder on the host side, and it should be OK to set up a crontab schedule for him to run every day. 

So at this point you should find out why my image name is called ftpbot, because in the end I want him to execute it by itself,
It is not executed manually, so I really did not make a mistake in the image name ,whee.
Tags: certbot docker ftp

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
docker

D-Laravel on .env and docker-compsoe small classroom

This article introduces why the docker-compose ps official command cannot list all the services in use when we use D-Laravel's .env to load multiple yml files. But the ./console ps on D-Laravel can indeed display normally, so how can the official docker-compose command be used to have the same effect?

城堡
docker

The use of iptabels is required in the Docker Swarm environment

First of all, in the Linux environment, Docker uses iptables rules to provide network isolation. However, in the environment of Docker swarm mode, we cannot identify the connection port under 127.0.0.1 of the host. At this time, we can customize the rules through the DOCKER-USER chain in iptables.

城堡
d-laravel, docker, docker-compose, laravel

D-Laravel released v0.9.1 version

In order to keep D-Laravel in an operational version and a stable version. Start tagging this version Pass those tests.. This version has passed the ubuntu real and macos real machine tests, and the Container can be successfully established and executed..