by Devin Yang
(This article was automatically translated.)

Published - 2 years ago ( Updated - 2 years ago )

Situation: imagine you have web hosting that offers only an FTP connection, and you want to obtain a certificate manually.
In this article I share how I use Docker to install curlftpfs, mount the remote host's FTP directory,
and then run certbot inside the container to apply for an SSL certificate.

Aside from the certificate application, when I first discovered the curlftpfs command I found it very interesting, especially for macOS users
who do not have a satisfactory FTP client at hand. If you love the command line as much as I do, you may love this command too. 🤭

First, let's create a Dockerfile.
The Dockerfile is as follows; I am used to a Chinese-language terminal, so it also sets the Asia/Taipei time zone and the zh_TW.UTF-8 locale.

FROM ubuntu:latest

# Install the FUSE FTP client, certbot and an editor.
# DEBIAN_FRONTEND=noninteractive stops tzdata from prompting and hanging the build.
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    locales curlftpfs python3 certbot vim \
    && rm -rf /var/lib/apt/lists/*

# Chinese environment: Asia/Taipei time zone and zh_TW.UTF-8 locale.
# Recent Ubuntu releases read /etc/localtime rather than /etc/timezone, so set both.
RUN echo "Asia/Taipei" > /etc/timezone && \
    ln -sf /usr/share/zoneinfo/Asia/Taipei /etc/localtime && \
    dpkg-reconfigure -f noninteractive tzdata && \
    sed -i -e 's/# zh_TW.UTF-8 UTF-8/zh_TW.UTF-8 UTF-8/' /etc/locale.gen && \
    echo 'LANG="zh_TW.UTF-8"' > /etc/default/locale && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=zh_TW.UTF-8

ENV LANG=zh_TW.UTF-8
ENV LANGUAGE=zh_TW.UTF-8
ENV LC_ALL=zh_TW.UTF-8

Let's use this Dockerfile to build an image called ftpbot with the command below.
Put the Dockerfile in an otherwise empty directory before building: everything in that directory is sent to the Docker daemon as the build context, so a cluttered directory makes the build slow and bloated for no reason.

docker build -t ftpbot .

Once the image is built, I create a letsencrypt directory in my working folder and use the command below to start a container and get a shell inside it.
The directory is bind-mounted as /etc/letsencrypt, so the certificates certbot issues land on the host and survive the container (which --rm deletes on exit). curlftpfs is a FUSE filesystem, so the container needs access to /dev/fuse; the original command grants this with --privileged:

docker run --rm --privileged -v $(pwd)/letsencrypt:/etc/letsencrypt -ti ftpbot bash

Keep in mind that --privileged hands the container every capability and every host device. FUSE itself only needs --cap-add SYS_ADMIN --device /dev/fuse (on hosts with AppArmor you may also need --security-opt apparmor=unconfined), which is the less privileged choice for a container that is about to hold a private key.

Next, inside the container, mount the remote host's FTP directory onto the container's /mnt directory (replace the three placeholders with your FTP account, password and host):

curlftpfs FTP_ACCOUNT:FTP_PASSWORD@FTP_HOST/ /mnt

The credentials can also be passed as -o user=FTP_ACCOUNT:FTP_PASSWORD instead of in the URL. Either way they are visible in the container's process list and bash history, which is one more reason to do this in a throwaway container rather than on the host. Plain FTP sends the password, and later the verification file, in cleartext; if the host supports FTPS, add -o ssl so curlftpfs uses TLS for the connection.

Run the certbot command and follow the instructions (--preferred-challenges http makes certbot use the HTTP-01 challenge, which is the one a file on the web server can satisfy):

certbot certonly --manual --preferred-challenges http --email APPLICANT_EMAIL --agree-tos \
-d domain.com \
-d www.domain.com

certbot then pauses and waits for Enter: it asks us to create a verification file on the website (in the run shown below, the token is LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4).
There are two ways to handle this:
1. Press Ctrl+Z to suspend certbot, switch to the site's FTP directory mounted on /mnt and create the ACME verification file there, then run fg to bring certbot back to the foreground.
2. Open another terminal and exec into the running container to do it there. This is the method I habitually use.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4._ZtWqdsZpgLv_TS7hHMCm0zcL8HXhJrGePNrNSSi23Y

And make it available on your web server at this URL:

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

For example, inside the container, type hostname: the output is the container ID (the same ID appears in the prompt), which is easiest to copy from here.

root@07291c69af42:~# hostname
07291c69af42
root@07291c69af42:~#

Then, from a second terminal on the host, you can exec into that same running container:

docker exec -ti 07291c69af42 bash
root@07291c69af42:/#

Suppose the document root of the remote site is /www, so it appears as /mnt/www in the container. Create the .well-known/acme-challenge directory and the token file with the commands below (the directory must be spelled .well-known, exactly as in the URL certbot printed).
On an FTP mount I recommend running touch first and then writing the content with echo. The file name is the token alone; the content is the whole key authorization string certbot printed, i.e. token.thumbprint:

root@07291c69af42:~# cd /mnt/
root@07291c69af42:/mnt# mkdir -p www/.well-known/acme-challenge
root@07291c69af42:/mnt# cd www/.well-known/acme-challenge
root@07291c69af42:/mnt/www/.well-known/acme-challenge# touch LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
# the string from certbot's "Create a file containing just this data" line, then a > redirection into the token file
root@07291c69af42:/mnt/www/.well-known/acme-challenge# echo LW_70m1q1QWIAtnR8rU--short---GePNrNSSi23Y > LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4
root@07291c69af42:/mnt/www/.well-known/acme-challenge#

When that is done, confirm from outside the container (for example with curl on the host, not through the FTP mount) that the URL below returns HTTP 200 with exactly the content you wrote, and only then press Enter so certbot can complete the ACME validation. If the web server refuses to serve files from the dot-directory or appends a redirect to HTTPS, fix that first; the validator follows redirects but must end up at the plain token file.

http://domain.com/.well-known/acme-challenge/LW_70m1q1QWIAtnR8rU3QK4znLP9iyvp1Uf3mBsU4

After everything is done, unmount the FTP directory (umount /mnt, or fusermount -u /mnt) and exit the container. The certificate is then in the bind-mounted directory on the host:

cd letsencrypt/live/domain.com

That directory holds cert.pem, chain.pem, fullchain.pem and privkey.pem. Two things to keep in mind: the entries in live/ are symlinks into ../../archive/, so copy the whole letsencrypt directory (or use cp -L) rather than live/ alone; and privkey.pem is the private key, so keep the host directory's permissions tight and never upload it to the FTP web root.

The above is the manual method; certificates can also be requested and renewed automatically, but space is limited, so I will cover that another time.
Can certbot be told to write the certificate files directly into the /mnt directory? The answer is no: certbot cannot write its output directly to the mounted remote folder. Its live/ directory consists of symlinks into archive/, which an FTP mount cannot create, and in any case the private key has no business on a web host that is reachable over plain FTP.

Tip: you can instead let certbot write the verification file into a local folder inside the container and run a Python watchdog script that, whenever a new file appears there, copies it
to the verification directory on /mnt. I have verified this from experience; it let me apply for the certificates of six websites in one go.
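An alternative to the watchdog copier, and to the manual touch/echo/curl sequence above, is certbot's own hook mechanism: with --manual-auth-hook and --manual-cleanup-hook, certbot runs a script with the domain, token and key authorization in the environment variables CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION, so the whole exchange needs no human at the keyboard and can later be repeated by certbot renew. The script below is an added example written for this article, not the author's watchdog script; it assumes the site root is mounted at /mnt/www (override with the WEBROOT variable), that the script is saved as /opt/ftp-hook.sh, and that curl is installed in the container (it is not in the Dockerfile above; add it to the apt-get line).

```shell
#!/usr/bin/env bash
# ftp-hook.sh: certbot manual auth/cleanup hook for an FTP-mounted web root (added example).
# Usage: ftp-hook.sh auth | ftp-hook.sh cleanup   (certbot supplies the CERTBOT_* variables)
set -eu

WEBROOT="${WEBROOT:-/mnt/www}"                       # assumption: document root on the curlftpfs mount
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# ACME tokens are base64url; reject anything else so a bad token can never turn into "../" in a path.
valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Write the key authorization (token.thumbprint) to the file the HTTP-01 validator will fetch.
# The file name is the token alone; the content is the full validation string, no trailing newline.
write_challenge() {   # $1 = token, $2 = key authorization
    valid_token "$1" || { echo "refusing unsafe token: $1" >&2; return 1; }
    mkdir -p "$CHALLENGE_DIR"
    touch "$CHALLENGE_DIR/$1"                        # create first, then write (the author's advice for FTP mounts)
    printf '%s' "$2" > "$CHALLENGE_DIR/$1"
    # Read it back through the mount so a silently failed write is caught before certbot proceeds.
    [ "$(cat "$CHALLENGE_DIR/$1")" = "$2" ]
}

remove_challenge() {  # $1 = token
    valid_token "$1" && rm -f "$CHALLENGE_DIR/$1"
}

# Poll the public URL until it serves exactly the key authorization (needs network; not exercised offline).
wait_public() {       # $1 = domain, $2 = token, $3 = key authorization
    url="http://$1/.well-known/acme-challenge/$2"
    for i in $(seq 1 30); do
        body="$(curl -fsS --max-time 10 "$url" 2>/dev/null || true)"
        [ "$body" = "$3" ] && return 0
        sleep 2
    done
    echo "challenge not reachable at $url" >&2
    return 1
}

case "${1:-}" in
    auth)
        write_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
        wait_public "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        remove_challenge "$CERTBOT_TOKEN"
        ;;
esac

# Issue with the hooks, then renew non-interactively (both inside the ftpbot container):
#   certbot certonly --manual --preferred-challenges http --agree-tos --email APPLICANT_EMAIL \
#       --manual-auth-hook "/opt/ftp-hook.sh auth" --manual-cleanup-hook "/opt/ftp-hook.sh cleanup" \
#       -d domain.com -d www.domain.com
#   certbot renew      # reuses the hooks recorded in /etc/letsencrypt/renewal/domain.com.conf
```

The auth hook returns non-zero if the read-back through the mount or the public fetch does not match, so certbot aborts before asking the CA to validate, instead of burning a failed-validation attempt. The token check matters because the token is chosen by the ACME server and is used as a file name.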

As for renewal: the letsencrypt folder lives on the host, so a daily cron job that starts the container and runs certbot renew is the natural way to do it. One caveat: a certificate obtained with --manual and no hook cannot be renewed non-interactively, because certbot has nobody to prompt, so for cron to work the certificate must have been issued with --manual-auth-hook (the hook is saved in the certificate's renewal configuration and reused by certbot renew).

So now you can see why my image is called ftpbot: in the end I want it to run by itself
rather than be driven by hand, so the image name really was no mistake. Whee.

Tags: certbot docker ftp


Feel free to ask me, if you don't get it.:)
