
[Request/Done] Let's Encrypt Container


rix


Posted

EDIT: The following container works flawlessly!

I just created a new container with Nginx and letsencrypt built-in. I have been testing it for the last few days and it seems to work pretty well.

 

It is fully ephemeral as rara1234 requested ;)

 

At start-up and every 9 days (cron) it checks whether the certificates exist and are still valid. If they don't exist, or if they are to expire within 30 days, it creates/renews the certificates. Nginx config is already set up to utilize the most recent certificate (through a symlink)

 

All the config files, as well as the www folder are available in the config folder.

 

You can find it in the Community Applications listed as Nginx-Letsencrypt

 

Just browse the Community Apps as suggested above or visit: https://hub.docker.com/r/aptalca/nginx-letsencrypt/

 

Those of us lucky enough to have gotten an invite to Let's Encrypt's Closed Beta (and those soon joining the Open one) would surely be interested in a running container version of their tool.

 

What I am looking for:

 

-Simple way to give letsencrypt the information required of my server

-Access to my webroot dir (nginx) for authentication

-Access to my certificates folder (for letsencrypt to automatically renew them)

-Implementation of recurring cert renewal

Posted

From another thread I was pointed to their Docker Container:

 

As people are thinking about containers for these things I would like to suggest you think about adding support for Let's Encrypt https://letsencrypt.org/

 

Let's Encrypt already has an official docker here and instructions on how to use it here

Posted

any success on creating a template for this?

 

ideally it would store the certificate files to /mnt/cache/appdata/nginx/cert (a path accessible by nginx docker) and run on port 80/443

 

so one would just have to stop nginx to run Let's Encrypt once every three months. That would be ideal

Posted

This sounds super cool! Care to share a working template? The git page links to 5 different docker images that vary from recently updated to months old with only one referencing lets encrypt at all...

Posted

I just used letsencrypt to create a certificate for my custom domain that points to my home server. I can connect to all my unraid docker GUIs with a legit SSL connection. It was very easy and straightforward once you figure out how it works.

 

You don't need a docker to do that. All you need is a (preferably linux) machine that your url of choice points to.

 

I used an Amazon AWS instance running Ubuntu to do that. But you can easily use the nginx container for unraid.

 

Here's how you do it:

1) point your custom domain to your machine, or a dynamic dns domain that points to your machine (I have one from duckdns, updated by the duckdns docker container)

2) Forward the ports 80 and 443 on your router to your unraid server (to the ports nginx reports to the host)

3) docker exec into the nginx container

4) git clone https://github.com/letsencrypt/letsencrypt

5) go into its folder

6) sudo service nginx stop (letsencrypt needs to set up its own webserver to authenticate and it needs to use port 80)

7) ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

8) get the certificate/key from the "live" folder and place it wherever you like (preferably somewhere under /config so it persists through updates)

9) Modify nginx config and point to the certificate/key

10) Restart nginx

 

That's all

 
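The ten manual steps above and the start-up/cron check described in the first post (the edited OP: check on start-up and every 9 days, renew when the certificate is missing or within 30 days of expiry, have nginx follow a symlink) are the same three operations: decide whether a renewal is due, run the standalone client with nginx out of the way of port 80, and repoint nginx at the new files. The script below is an added example that is not the container's code or any poster's; it assumes a certbot-style client whose `certonly --standalone` flags match the ones used in the thread, certificates under `$LE_ROOT/live/<domain>/`, a symlink `$NGINX_CERT_LINK` that the nginx config references, and `service nginx` for stop/start/reload as in step 6. One caveat for anyone following a later post's log line, which shows `--standalone-supported-challenges tls-sni-01`: Let's Encrypt retired the TLS-SNI-01 challenge in 2019, so a current standalone run answers the challenge over plain HTTP on port 80, which is the only port this script needs free.

```shell
#!/bin/sh
# Added example (not the container's or a poster's code): the check-then-renew
# job the OP's container runs at start-up and from cron, plus the symlink
# switch nginx needs afterwards. Assumed layout (labelled assumptions):
#   $LE_ROOT/live/<domain>/{fullchain.pem,privkey.pem}   written by the client
#   $NGINX_CERT_LINK -> $LE_ROOT/live/<domain>            the path nginx.conf uses
set -u

: "${LE_ROOT:=/config/letsencrypt}"
: "${LE_CLIENT:=certbot}"          # the thread used ./letsencrypt-auto
: "${RENEW_DAYS:=30}"
: "${NGINX_CERT_LINK:=/config/nginx/cert}"
: "${EMAIL:=}"

# needs_renewal CERT DAYS: succeed if CERT is missing or expires within DAYS days.
needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    # `openssl x509 -checkend N` exits non-zero when the cert expires within N seconds.
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_domain DOMAIN [ALT...]: obtain or renew one certificate covering every name.
# The standalone authenticator binds port 80 itself, so nginx is stopped for the
# duration of the challenge (the reason step 6 above stops it) and started again
# whether or not the client succeeded.
renew_domain() {
    [ -n "$EMAIL" ] || { echo "EMAIL is not set" >&2; return 1; }
    names=""
    for d in "$@"; do names="$names -d $d"; done
    service nginx stop
    # shellcheck disable=SC2086
    "$LE_CLIENT" certonly --standalone --non-interactive --agree-tos \
        --email "$EMAIL" --keep-until-expiring $names
    rc=$?
    service nginx start
    return "$rc"
}

# point_nginx_at LIVE_DIR LINK: repoint the symlink nginx reads, refusing to switch
# to a directory that does not hold both halves of the key pair. ln -sfn replaces
# the link itself instead of following an existing link into the old directory.
point_nginx_at() {
    live="$1"; link="$2"
    [ -f "$live/fullchain.pem" ] && [ -f "$live/privkey.pem" ] || return 1
    ln -sfn "$live" "$link"
}

# check_and_renew DOMAIN [ALT...]: the job to run at start-up and from cron.
check_and_renew() {
    domain="$1"
    if needs_renewal "$LE_ROOT/live/$domain/fullchain.pem" "$RENEW_DAYS"; then
        renew_domain "$@" || return 1
        point_nginx_at "$LE_ROOT/live/$domain" "$NGINX_CERT_LINK" || return 1
        # nginx reads certificates only at start/reload, even through a symlink.
        service nginx reload
    else
        echo "$domain: more than $RENEW_DAYS days left, nothing to do"
    fi
}

# Run only when domains are given, e.g. from a cron line roughly every nine days:
#   0 3 */9 * * /config/letsencrypt/check_and_renew.sh example.com www.example.com
[ "$#" -eq 0 ] || check_and_renew "$@"
```

The 30-day window mirrors the container's rule and leaves three renewal attempts before a 90-day certificate lapses; `--keep-until-expiring` makes the client a no-op if it is run earlier by hand, and keeping the client state under `/config` is what lets the job survive a container update.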

Posted


won't that entire configuration get lost when the container updates?

Posted


Doesn't matter. He is only doing this to generate the certificate to use. Once the certificate has been generated and put where needed you don't need the container changes anymore.
Posted


The certificates are only valid for a short period - 90 days I think. One of the principles of lets encrypt is that certificates are short lived but renewed automatically.

Posted


Well, when you git clone, use a folder under /config so it persists. Instead of moving the certificates, leave them where they are and point the nginx config file to that location.

 

To automate it, you can add a crontab entry for letsencrypt-auto.

 

That way, if you update the container, you will only have to add the crontab entry again. Everything else should work . . . theoretically :-)

Posted

Yes but it also violates a key "rule": https://docs.docker.com/engine/articles/dockerfile_best-practices/#containers-should-be-ephemeral

 

Which makes it harder for users to safely consume - a user might be hesitant to update if they think they have some config to do, and for something like a web server or ssl certificate that could be an important issue…

Violate is such a strong word [emoji14]

 

Remember I didn't create a docker container so I don't have to abide by those rules. [emoji6]

 

Plus the rules say "absolute minimum set up and configuration". Adding a single crontab entry is pretty minimal to me. You only have to do it if the nginx container is updated. How frequently is that, really?

 

If that really bothers you, the nginx container source is open, feel free to fork it and add the instructions I listed above and share with the world [emoji6]

Posted

I was planning to but new year got in the way :D

I do however plan to try it out in the next couple of days!

Happy new year to you as well :D

Posted

I just stop my apache instance, and run the following on my server:

 

docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt \
            -v "/mnt/cache/.custom/apache/config/letsencrypt/etc:/etc/letsencrypt" \
            -v "/mnt/cache/.custom/apache/config/letsencrypt/lib:/var/lib/letsencrypt" \
            quay.io/letsencrypt/letsencrypt:latest auth

prompts for domain name(s) and a contact email address, and then generates certs etc

 

it works, but I suppose one built into an existing apache docker would be more ideal (preferred by letsencrypt too I believe). It could automatically renew as needed etc

 

Your one sounds ideal aptalca, but I've not used nginx before, and have apache working pretty well at the mo. Maybe once I get a bit of time, I might try a changeover

Posted

No one tried it yet? [emoji17] Well, happy new year everyone

 

New Year's kept me busy ::)

 

I have just replaced your nginx with this docker. It works perfectly well! Just had to move my previous www/ dir and my site.conf and THAT's IT! Thank you so very much. Never again am I paying a dime for a basic SSL certificate. No more hassle to get through startssl's procedure.

 

It works perfectly well (see attachment)!

[attachment: LE.JPG]

Posted

Nice [emoji3]

 

Glad to hear it worked

Posted

How would I go about creating a certificate which is also valid for xxx.example.com and xyz.example.com?

Right now when I try to pass multiple domains in the setting nothing happens.

 

The log says:

Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 --email [email protected] --agree-tos -d example.com -d www.example.com -d xxx.example.com -d xyz.example.com

Jan 2 20:00:04 b5ad9d44859e syslog-ng[123]: syslog-ng starting up; version='3.5.3'

 

I tried both without and with the -d parameter.

 

Cheers :)
