[Request/Done] Let's Encrypt Container


rix


EDIT: The following container works flawlessly!

I just created a new container with Nginx and letsencrypt built-in. I have been testing it for the last few days and it seems to work pretty well.

 

It is fully ephemeral as rara1234 requested  ;)

 

At start-up and every 9 days (cron) it checks whether the certificates exist and are still valid. If they don't exist, or if they are to expire within 30 days, it creates/renews the certificates. Nginx config is already set up to utilize the most recent certificate (through a symlink)

 

All the config files, as well as the www folder are available in the config folder.

 

You can find it in the Community Applications listed as Nginx-Letsencrypt

 

Just browse the Community Apps as suggested above or visit: https://hub.docker.com/r/aptalca/nginx-letsencrypt/

 

Those of us lucky enough to have gotten an invite to Let's Encrypt's Closed Beta (and those soon joining the Open one) would surely be interested in a running container version of their tool.

 

What I am looking for:

 

-Simple way to give letsencrypt the information required of my server

-Access to my webroot dir (nginx) for authentication

-Access to my certificates folder (for letsencrypt to automatically renew them)

-Implementation of recurring cert renewal


any success on creating a template for this?

 

ideally it would store the certificate files to /mnt/cache/appdata/nginx/cert (a path accessible by nginx docker) and run on port 80/443

 

so one would just have to stop nginx to run Let's Encrypt once every three months. that would be ideal


I just used letsencrypt to create a certificate for my custom domain that points to my home server. I can connect to all my unRAID Docker GUIs with a legit SSL connection. It was very easy and straightforward once you figure out how it works.

 

You don't need a Docker container to do that. All you need is a (preferably Linux) machine that your URL of choice points to.

 

I used an Amazon AWS instance running Ubuntu to do that. But you can easily use the nginx container for unRAID.

 

Here's how you do it:

1) point your custom domain to your machine, or a dynamic dns domain that points to your machine (I have one from duckdns, updated by the duckdns docker container)

2) Forward the ports 80 and 443 on your router to your unraid server (to the ports nginx reports to the host)

3) docker exec into the nginx container

4) git clone https://github.com/letsencrypt/letsencrypt

5) go into its folder

6) sudo service nginx stop (letsencrypt needs to set up its own webserver to authenticate and it needs to use port 80)

7) ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

8) get the certificate/key from the "live" folder and place it wherever you like (preferably somewhere under /config so it persists through updates)

9) Modify nginx config and point to the certificate/key

10) Restart nginx

 

That's all

 

won't that entire configuration get lost when the container updates?


Doesn't matter. He is only doing this to generate the certificate to use. Once the certificate has been generated and put where needed you don't need the container changes anymore.

 

The certificates are only valid for a short period - 90 days I think. One of the principles of Let's Encrypt is that certificates are short-lived but renewed automatically.


 

Well, when you git clone, use a folder under /config so it persists. Instead of moving the certificates, leave them where they are and point the nginx config file to that location.

 

To automate it, you can add a crontab entry for letsencrypt-auto.

 

That way, if you update the container, you will only have to add the crontab entry again. Everything else should work . . . theoretically :-)
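The crontab approach suggested in this reply, combined with the check the Nginx-Letsencrypt announcement describes (certificate exists, is still valid, and is renewed when it is within 30 days of expiry), written out as an added example script. It is not the container's own script and not code posted in this thread; the clone location under /config, the live/ path, the domain example.com and the nginx stop/start commands are assumptions taken from the steps above. The decision logic is kept in its own function so it can be checked with plain numbers, and the openssl call uses -checkend so no date parsing is needed.

```shell
#!/bin/sh
# Added example: cron-friendly "does the cert exist and is it still good for
# 30 days?" check, in the spirit of the Nginx-Letsencrypt container and the
# crontab suggestion above. All paths and commands below are assumptions.
set -u

LE_DIR="${LE_DIR:-/config/letsencrypt}"                        # assumed git clone location
CERT="${CERT:-$LE_DIR/live/example.com/fullchain.pem}"         # assumed "live" folder layout
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"
DRY_RUN="${DRY_RUN:-1}"                                        # 0 = really run the renewal

# Pure decision logic, no openssl, so it is easy to test with numbers.
# Prints "renew" if the cert expires within the window (or already has), else "ok".
#   $1 = expiry (epoch seconds)   $2 = now (epoch seconds)   $3 = window in days
should_renew() {
  remaining=$(( $1 - $2 ))
  window=$(( $3 * 86400 ))
  if [ "$remaining" -le "$window" ]; then
    echo renew
  else
    echo ok
  fi
}

# Classify a certificate file as "missing", "renew" or "ok".
# `openssl x509 -checkend N` exits 0 only when the cert is still valid
# N seconds from now, which is exactly the "expires within 30 days" test.
#   $1 = path to PEM certificate   $2 = window in days
check_cert() {
  cert="$1"
  days="$2"
  if [ ! -s "$cert" ]; then
    echo missing
    return 0
  fi
  if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
    echo ok
  else
    echo renew
  fi
}

# Main path, mirroring the manual steps in the thread: stop nginx so the
# standalone authenticator can bind port 80, issue/renew, start nginx again.
run_check() {
  state=$(check_cert "$CERT" "$RENEW_WINDOW_DAYS")
  echo "certificate state: $state"
  case "$state" in
    ok)
      return 0
      ;;
    missing|renew)
      if [ "$DRY_RUN" = "1" ]; then
        echo "would run: $LE_DIR/letsencrypt-auto certonly --standalone -d example.com -d www.example.com"
        return 0
      fi
      service nginx stop
      "$LE_DIR/letsencrypt-auto" certonly --standalone -d example.com -d www.example.com
      rc=$?
      service nginx start
      return $rc
      ;;
  esac
}

# Run the check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  run_check
fi
```

A crontab line such as `0 3 */9 * * /config/le-check.sh --run` (assumed path) gives the every-9-days cadence mentioned in the announcement; because the script renews only when the certificate is inside the 30-day window, running it more often is harmless.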


Yes but it also violates a key "rule": https://docs.docker.com/engine/articles/dockerfile_best-practices/#containers-should-be-ephemeral

 

Which makes it harder for users to safely consume - a user might be hesitant to update if they think they have some config to do, and for something like a web server or ssl certificate that could be an important issue…

Violate is such a strong word

 

Remember I didn't create a docker container so I don't have to abide by those rules.

 

Plus the rules say "absolute minimum set up and configuration". Adding a single crontab entry is pretty minimal to me. You only have to do it if the nginx container is updated. How frequently is that, really?

 

If that really bothers you, the nginx container source is open, feel free to fork it and add the instructions I listed above and share with the world


I just stop my Apache instance, and run the following on my server:

 

docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt \
    -v "/mnt/cache/.custom/apache/config/letsencrypt/etc:/etc/letsencrypt" \
    -v "/mnt/cache/.custom/apache/config/letsencrypt/lib:/var/lib/letsencrypt" \
    quay.io/letsencrypt/letsencrypt:latest auth

prompts for domain name(s) and a contact email address, and then generates certs etc

 

it works, but I suppose one built into an existing Apache Docker container would be more ideal (preferred by letsencrypt too I believe). It could automatically renew as needed etc

 

Your one sounds ideal aptalca, but I've not used nginx before, and have Apache working pretty well at the mo. Maybe once I get a bit of time, I might try a changeover


No one tried it yet? Well, happy new year everyone

 

New Year's kept me busy  ::)

 

I have just replaced your nginx with this docker. It works perfectly well! Just had to move my previous www/ dir and my site.conf and THAT's IT! Thank you so very much. Never again am I paying a dime for a basic SSL certificate. No more hassle to get through startssl's procedure.

 

It works perfectly well (see attachment)!



Nice

 

Glad to hear it worked


How would I go about creating a certificate which is also valid for xxx.example.com and xyz.example.com?

Right now when I try to pass multiple domains in the setting nothing happens.

 

The log says:

Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 --email [email protected] --agree-tos -d example.com -d www.example.com -d xxx.example.com -d xyz.example.com

Jan 2 20:00:04 b5ad9d44859e syslog-ng[123]: syslog-ng starting up; version='3.5.3'

 

I tried both without and with the -d parameter.

 

Cheers :)
