by Devin Yang
(This article was automatically translated.)

Published - 2 years ago ( Updated - 2 years ago )

Situation sharing: imagine you have web hosting that only provides FTP access, and you want to apply for a certificate manually.
In this article I share how I use Docker to install curlftpfs, mount the FTP folder of the remote host,
and then run certbot inside the container to apply for an SSL certificate.

Certificate application aside, when I first discovered the curlftpfs command I found it very interesting, especially for macOS users
who do not have a satisfactory FTP client at hand. If you love working from the command line as much as I do, you will probably love this command too. 🤭

First of all, let's start by creating a Dockerfile.
The Dockerfile is as follows; I am used to a terminal in the Chinese locale.

FROM ubuntu:latest
# DEBIAN_FRONTEND=noninteractive keeps package configuration from prompting during the build
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    locales curlftpfs python3 certbot vim

# Chinese locale and Taipei time zone
RUN echo "Asia/Taipei" > /etc/timezone && \
    ln -sf /usr/share/zoneinfo/Asia/Taipei /etc/localtime && \
    dpkg-reconfigure -f noninteractive tzdata && \
    sed -i -e 's/# zh_TW.UTF-8 UTF-8/zh_TW.UTF-8 UTF-8/' /etc/locale.gen && \
    echo 'LANG="zh_TW.UTF-8"' > /etc/default/locale && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=zh_TW.UTF-8

ENV LANG=zh_TW.UTF-8
ENV LANGUAGE=zh_TW.UTF-8
ENV LC_ALL=zh_TW.UTF-8

Let's use this Dockerfile to build an image named ftpbot; the command is as follows.
Please put the Dockerfile in an empty directory before building, to avoid sending unnecessary files into the build context and causing caching problems.

docker build -t ftpbot .

With the image built, I create a letsencrypt directory in my current folder, so I can use the command below to create a container and enter it.
To use curlftpfs inside the container, --privileged is required when the container starts (a narrower alternative that usually suffices for FUSE is --device /dev/fuse --cap-add SYS_ADMIN).

docker run --rm --privileged -v $(pwd)/letsencrypt:/etc/letsencrypt -ti ftpbot bash

Next, mount the folder of the remote host onto the /mnt directory of the container (FTP_ACCOUNT, FTP_PASSWORD and FTP_HOST are placeholders for your own values):

curlftpfs 'FTP_ACCOUNT:FTP_PASSWORD@FTP_HOST/' /mnt

Note that credentials passed this way end up in the shell history and are visible in the container's process list, and plain FTP sends them unencrypted, so treat the container as disposable (it is started with --rm above).

Run the certbot command and follow the instructions (replace the email address and domains with your own):

certbot certonly --manual --email your@email.example --agree-tos \
  -d domain.com \
  -d www.domain.com

At this point the screen stops and waits for Enter: certbot asks us to create a verification file named LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4 on the website.
There are two ways to handle this:
1. Press Ctrl+Z to put certbot in the background temporarily, switch to the web root mounted under /mnt to create the ACME verification file, then run fg to bring certbot back to the foreground.
2. Open another terminal and enter the running container to do the work. This is the method I use out of habit.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4._ZtWqdsZpgLv_TS7hHMCm0zcL8HXhJrGePNrNSSi23Y

And make it available on your web server at this URL:

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

For example, inside the container, type hostname to get the container ID; it is easiest to copy it from there.

root@07291c69af42:~# hostname
07291c69af42
root@07291c69af42:~#

Then on your own host, you can enter the same running container with:

docker exec -ti 07291c69af42 bash
root@07291c69af42:/#

For example, if the document root of the remote website is /www, we can create the .well-known/acme-challenge directory with the following commands.
On an FTP mount it is recommended to touch the file first and then echo into it. The operation is as follows:

root@07291c69af42:~# cd /mnt/
root@07291c69af42:/mnt# mkdir -p www/.well-known/acme-challenge
root@07291c69af42:/mnt# cd www/.well-known/acme-challenge
root@07291c69af42:/mnt/www/.well-known/acme-challenge# touch LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
# The echo content is the full key authorization string certbot printed, followed by a > redirection into the token file
root@07291c69af42:/mnt/www/.well-known/acme-challenge# echo LW_70m1q1QWIAtnR8rU--short---GePNrNSSi23Y > LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
root@07291c69af42:/mnt/www/.well-known/acme-challenge#

After that, confirm that the URL below serves the file, then press Enter to complete the ACME verification.

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
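As an added example (not from the original post), the challenge-file step above as a small POSIX shell script: it writes the token file under a web root with the touch-then-write ordering the post recommends for FTP mounts, and checks the content locally before you press Enter. The function names, the web root path and the token values are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): write and verify an ACME
# HTTP-01 challenge file under a web root. Function names are assumptions.

# write_acme_challenge WEBROOT TOKEN KEY_AUTHORIZATION
# Creates WEBROOT/.well-known/acme-challenge/TOKEN containing KEY_AUTHORIZATION,
# i.e. the "Create a file containing just this data" step certbot prints.
# On a curlftpfs mount the file is created first (touch) and written second,
# which is the ordering the post recommends.
write_acme_challenge() {
    webroot="$1"; token="$2"; keyauth="$3"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    touch "$dir/$token" || return 1
    # printf instead of echo: the token is never interpreted as an echo option
    # and no trailing newline is added to the key authorization.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
}

# verify_acme_challenge WEBROOT TOKEN KEY_AUTHORIZATION
# Succeeds only if the file exists and holds exactly KEY_AUTHORIZATION.
verify_acme_challenge() {
    webroot="$1"; token="$2"; keyauth="$3"
    file="$webroot/.well-known/acme-challenge/$token"
    [ -f "$file" ] || return 1
    [ "$(cat "$file")" = "$keyauth" ]
}

# Stand-alone usage: sh acme_challenge.sh WEBROOT TOKEN KEY_AUTHORIZATION
# e.g. sh acme_challenge.sh /mnt/www TOKEN TOKEN.THUMBPRINT (placeholders)
if [ "$#" -eq 3 ]; then
    write_acme_challenge "$1" "$2" "$3" \
        && verify_acme_challenge "$1" "$2" "$3" \
        && echo "ready: $1/.well-known/acme-challenge/$2"
fi
```

The local read only proves that the file landed on the mount; before pressing Enter, also fetch the http://domain.com/.well-known/acme-challenge/TOKEN URL from outside the host, because that is what the ACME server will see.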

When everything is done, you can umount /mnt and exit the container; the certificate will then be in the mounted letsencrypt directory on the host (shown below):

cd letsencrypt/live/domain.com

The above is the manual method, but it is also possible to apply for certificates and renew them automatically. That is beyond the scope of this article, so I will cover it when I have the chance.
Can we let certbot save the certificate files directly to the /mnt directory? The answer is no: certbot cannot write directly into the mounted remote host folder.

Hint: we can let certbot generate the verification file in a local folder inside the container, then use a Python watchdog-based file-change program that copies every newly added file into the verification directory under /mnt.
I have verified this from experience, completing the certificate application for six websites in one go.
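The copy-on-new-file idea above as an added example (not from the original post), written in POSIX shell rather than Python so that it runs in the ftpbot container without extra packages: a one-shot sync function that publishes challenge files from a local directory onto the FTP mount, plus a polling loop around it. Directory paths, function names and the poll interval are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): publish challenge files that
# certbot wrote locally onto the FTP mount. This is a polling alternative to
# the Python watchdog program the post mentions. Directory paths, function
# names and the poll interval are assumptions.

# sync_acme_challenges LOCAL_DIR REMOTE_DIR
# Copies each regular file in LOCAL_DIR that is absent from REMOTE_DIR, or
# whose content differs, into REMOTE_DIR. Prints the name of every file it
# copied, one per line, so a caller can see what was published.
sync_acme_challenges() {
    local_dir="$1"; remote_dir="$2"
    mkdir -p "$remote_dir" || return 1
    for src in "$local_dir"/*; do
        [ -f "$src" ] || continue            # empty directory: the glob matches nothing
        name=${src##*/}
        dst="$remote_dir/$name"
        if [ -f "$dst" ] && [ "$(cat "$src")" = "$(cat "$dst")" ]; then
            continue                          # already published with identical content
        fi
        # touch-then-write, the ordering the post recommends on curlftpfs
        touch "$dst" && cat "$src" > "$dst" && printf '%s\n' "$name"
    done
    return 0
}

# watch_acme_challenges LOCAL_DIR REMOTE_DIR [INTERVAL_SECONDS]
# Runs sync_acme_challenges every INTERVAL_SECONDS (default 2) until killed;
# start it in a second terminal before running certbot.
watch_acme_challenges() {
    local_dir="$1"; remote_dir="$2"; interval="${3:-2}"
    while :; do
        sync_acme_challenges "$local_dir" "$remote_dir"
        sleep "$interval"
    done
}

# Stand-alone usage: sh sync_challenges.sh LOCAL_DIR REMOTE_DIR [INTERVAL]
if [ "$#" -ge 2 ]; then
    watch_acme_challenges "$@"
fi
```

In the setup described in the post, LOCAL_DIR would be the .well-known/acme-challenge directory under a local web root that certbot writes to when run with its webroot authenticator (certbot certonly --webroot -w /var/www/local ...), and REMOTE_DIR the same directory under /mnt/www. The sync never deletes anything on the remote side, so once certbot has cleaned up its local files, remove the published copies from the mount yourself if you do not want them to remain on the hosting.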

As for renewal, since the letsencrypt folder is on the host side, it should be fine to set up a crontab schedule to run it every day.

So by now you can see why my image is called ftpbot: in the end I want it to run by itself,
not be executed manually, so I really did not pick the wrong image name, whee.

Tags: certbot docker ftp

Devin Yang

Feel free to ask me, if you don't get it.:)

