by Devin Yang
(This article was automatically translated.)

Published - 1 year ago ( Updated - 1 year ago )

To set the scene: imagine you have web hosting that only provides an FTP connection, and you want to apply for a certificate manually.
In this article, I share how I use Docker to install curlftpfs, mount the FTP folder of the remote host,
and then run certbot in the container to apply for an SSL certificate.

Aside from the certificate application, when I first discovered the curlftpfs command I found it very interesting, especially if you are a macOS user
without a satisfactory FTP client at hand. If you love working at the command line as much as I do, maybe you will love this command too. 🤭

First of all, let's start by creating a Dockerfile.
The Dockerfile is as follows; I am used to a terminal in a Chinese-language environment.

FROM ubuntu:latest
# DEBIAN_FRONTEND=noninteractive keeps package configuration (e.g. tzdata) from prompting during the build
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    locales curlftpfs python3 certbot vim

# Chinese environment: Asia/Taipei time zone and zh_TW.UTF-8 locale
RUN echo "Asia/Taipei" > /etc/timezone && \
    dpkg-reconfigure -f noninteractive tzdata && \
    sed -i -e 's/# zh_TW.UTF-8 UTF-8/zh_TW.UTF-8 UTF-8/' /etc/locale.gen && \
    echo 'LANG="zh_TW.UTF-8"' > /etc/default/locale && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=zh_TW.UTF-8

ENV LANG=zh_TW.UTF-8
ENV LANGUAGE=zh_TW.UTF-8
ENV LC_ALL=zh_TW.UTF-8

Let's use this Dockerfile to build an ftpbot image. The command is as follows.
Please put the Dockerfile in an empty directory before building, to avoid unnecessary caching problems.

docker build -t ftpbot .

With the image built, I create a letsencrypt folder in my working directory, so I can use the command below to create a container and enter it.
To use curlftpfs in the container, --privileged is required when the container starts.

docker run --rm --privileged -v $(pwd)/letsencrypt:/etc/letsencrypt -ti ftpbot bash

Next, inside the container, mount the folder of the remote host on the container's /mnt directory:

curlftpfs FTP_ACCOUNT:FTP_PASSWORD@FTP_HOST /mnt

Execute the certbot command and follow the instructions:

certbot certonly --manual --email APPLICATION_EMAIL --agree-tos \
    -d domain.com \
    -d www.domain.com

At the screen shown below, certbot stops and waits for Enter; it wants us to go to the website and create the verification file LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4.
At this point, there are two ways to proceed:
1. Press Ctrl+Z to suspend the program temporarily, switch to the website's FTP directory mounted on /mnt to create the ACME verification file, and then type fg to return to the foreground.
2. Open another terminal and enter the running container to do the work there. This is the method I habitually use.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4._ZtWqdsZpgLv_TS7hHMCm0zcL8HXhJrGePNrNSSi23Y

And make it available on your web server at this URL:

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

For example, inside the container, type hostname; it is easiest to copy the result.

root@07291c69af42:~# hostname
07291c69af42
root@07291c69af42:~#

Then, on your own host, you can issue the following command to enter the same running container:

docker exec -ti 07291c69af42 bash
root@07291c69af42:/#

For example, if the root directory of the remote website is /www, we can create the .well-known/acme-challenge directory with the following commands.
On an FTP mount, it is recommended to touch the file first and then echo into it. The operation is as follows:

root@07291c69af42:~# cd /mnt/
root@07291c69af42:/mnt# mkdir -p www/.well-known/acme-challenge
root@07291c69af42:/mnt# cd www/.well-known/acme-challenge
root@07291c69af42:/mnt/www/.well-known/acme-challenge# touch LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
# Note the > redirection after the echo content
root@07291c69af42:/mnt/www/.well-known/acme-challenge# echo LW_70m1q1QWIAtnR8rU--short---GePNrNSSi23Y > LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
root@07291c69af42:/mnt/www/.well-known/acme-challenge#

When that is done, confirm that the file can be opened at the URL, and then press Enter to complete the ACME verification.

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

After all is done, you can umount and leave the container; the certificate will be in the mounted letsencrypt directory:

cd letsencrypt/live/domain.com

The above is a manual method, but it is also possible to apply for certificates and renew them automatically. Space is limited, however, so I will cover that when I have the opportunity.
Is it okay to let certbot save the certificate files directly to the /mnt directory? The answer is "no". In this setup, certbot cannot write directly to the mounted remote host folder.

As a hint, we can let certbot generate the verification file in a local folder in the container, and then use a Python watchdog program that monitors file changes: when it finds that a file has been added, it copies
the file to the verification directory on /mnt. In my experience this works, and I completed the certificate applications for six websites in one go.
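
The watcher idea described above, sketched as an added example (not the author's program): it uses a standard-library polling loop in place of the watchdog package, and the function names and the local webroot path are assumptions. Only files whose names look like ACME tokens are published, so nothing else in the local folder ends up on the website.

```python
import os
import re
import time

# Assumption: ACME http-01 token names use only the base64url alphabet.
# Anything else (dotfiles, editor backups, odd names) is ignored, so
# nothing unexpected is ever published to the website.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def sync_challenges(local_dir, remote_dir, seen):
    """Copy new challenge files from local_dir to remote_dir; return names copied."""
    copied = []
    os.makedirs(remote_dir, exist_ok=True)
    for name in sorted(os.listdir(local_dir)):
        src = os.path.join(local_dir, name)
        if name in seen or not TOKEN_RE.fullmatch(name):
            continue
        if os.path.islink(src) or not os.path.isfile(src):
            continue  # only regular files; never follow symlinks
        with open(src, "rb") as fin:
            data = fin.read()
        dst = os.path.join(remote_dir, name)
        # On the curlftpfs mount, create the file first and write afterwards,
        # the same "touch, then echo" order the article recommends.
        open(dst, "ab").close()
        with open(dst, "wb") as fout:
            fout.write(data)
        seen.add(name)
        copied.append(name)
    return copied


def watch(local_dir, remote_dir, interval=1.0, passes=None):
    """Poll local_dir every `interval` seconds; passes=None runs until killed."""
    seen = set()
    done = 0
    while passes is None or done < passes:
        for name in sync_challenges(local_dir, remote_dir, seen):
            print("published", name)
        done += 1
        time.sleep(interval)
    return seen


if __name__ == "__main__":
    # Hypothetical paths: a local webroot certbot writes to, and the article's
    # /mnt/www site root on the FTP mount.
    watch("/var/www/acme/.well-known/acme-challenge",
          "/mnt/www/.well-known/acme-challenge")
```
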

As for renewal, we have the letsencrypt folder on the host side, so it should be fine to set up a crontab schedule that runs it every day.

So by this point you should have figured out why my image is called ftpbot: in the end I want it to run by itself
rather than be run manually, so I really did not get the image name wrong, whee.

Tags: certbot docker ftp
