Custom SSL Certs for unRAID and Dockers using IPv6, LetsEncrypt and Cloudflare DDNS



The following are ramblings of my journey to get a custom SSL cert for any number of hosts which I run in Docker containers or unRAID itself. This was done in unRAID 6.4 which is required due to features provided in unRAID. 

 

In my environment, I am leveraging IPv6 addresses for unRAID and Docker containers to provide a publicly routable address for all instances allowing for direct communication from clients without a need for proxying or NATing. To generate the SSL certs, I am using the acme.sh script which runs on unRAID without issue, and I am leveraging the LetsEncrypt DNS api to provide a cert so that communication with the server from LetsEncrypt is not needed. 

 

I created a share specifically for certs, and restricted it to local access only. In my use, I am hosting my DNS at Cloudflare and leveraging their API to create the necessary challenge records; all of which is built into the acme.sh project. There are many DNS providers which are supported, and you can also use direct access as needed.

 

So far, I have created a custom cert for unRAID and for Plex. The acme.sh script will create an individual cert directory for each cert. This allows you to restrict the container access to the cert which is applicable. 

 

I will be working on a script specific to LetsEncrypt and Cloudflare which will monitor IP address changes for hosts, and perform cert issuance and renewals. The following is the gist of what I used to get things running manually. It is performed from the cli of the unRAID server. You will need to replace ${variables} with the actual names or export them before running the command. 

 

# Show the IPv6 address of the unRAID server
ifconfig

# Show the IPv6 address of the Docker container
docker inspect --format='{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' ${dockerContainerName}

# Create the share in the unRAID panel
# Create the directory structure for the acme.sh
mkdir -p /mnt/user/${shareName}/acme/dnsapi

# Obtain the acme.sh script and perform the install
curl -s https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh > /mnt/user/${shareName}/acme.sh
chmod +x /mnt/user/${shareName}/acme.sh
/mnt/user/${shareName}/acme.sh --install --accountemail "${LetsEncryptEmail}" --home /mnt/user/${shareName}/acme

# Download the Cloudflare DNS api script and make executable
curl -s https://raw.githubusercontent.com/Neilpang/acme.sh/master/dnsapi/dns_cf.sh > /mnt/user/${shareName}/acme/dnsapi/dns_cf.sh
chmod +x /mnt/user/${shareName}/acme/dnsapi/dns_cf.sh

# Per usage instruction for Cloudflare api in the acme.sh: set the CF API key and email variables
export CF_Key="${yourKey}"
export CF_Email="${CloudflareEmail}"

At this point you're ready to begin issuing certs. I'll provide an example for the unRAID server and Plex container. Prior to this, you will want to create AAAA records in the Cloudflare DNS panel.

 

# Issue a cert for unRAID
/mnt/user/${shareName}/acme/acme.sh --home /mnt/user/${shareName}/acme --issue --dns dns_cf --ecc -d ${yourFQDN} --keylength ec-256

# Backup existing cert
mv /boot/config/ssl/certs/${certName}.pem /boot/config/ssl/certs/${certName}.bak

# Create new cert using same name
cat /mnt/user/${shareName}/acme/${yourFQDN}_ecc/fullchain.cer /mnt/user/${shareName}/acme/${yourFQDN}_ecc/${yourFQDN}.key > /boot/config/ssl/certs/${certName}.pem

# Reload nginx
/etc/rc.d/rc.nginx reload

 

# Issue a cert for Plex - Plex didn't seem to support ecc certs in my testing.
/mnt/user/${shareName}/acme/acme.sh --home /mnt/user/${shareName}/acme --issue --dns dns_cf -d ${yourFQDN} --keylength 2048

# Convert the cert to PKCS
/mnt/user/${shareName}/acme/acme.sh --home /mnt/user/${shareName}/acme --toPkcs -d ${yourFQDN} --password ${certEncPass}

# Configure your Docker container to add a path for the certs.
# Configure the SSL cert settings in the Plex Network Settings

# Restart the container
docker restart ${dockerContainerName}
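Added example, not part of the original post or of acme.sh: before the combined fullchain+key .pem from the "cat ... > ${certName}.pem" step is dropped into /boot/config/ssl/certs and nginx is reloaded, it is worth checking that the private key actually belongs to the leaf certificate, that the cert lists the intended FQDN, and that it is not about to expire (the same threshold a renewal cron job would test). The script assumes openssl is on the PATH; the host names (tower.example.com, plex.example.com) and the temp directory are constructed for the demo, and the self-signed bundle it builds only mimics the acme.sh output layout.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a combined
# fullchain+key .pem before it replaces /boot/config/ssl/certs/${certName}.pem.
# Assumes openssl is available; host names and paths are demo values.
set -eu

# Print only the private-key PEM block from a combined bundle.
bundle_key_block() {
    sed -n '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/p' "$1"
}

# "match" if the bundled key belongs to the leaf certificate (the first
# CERTIFICATE block in the file), otherwise "mismatch".
bundle_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(bundle_key_block "$1" | openssl pkey -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# "fresh" if the leaf certificate is still valid DAYS days from now,
# "expiring" otherwise (renewal threshold logic for a cron job).
bundle_freshness() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo fresh
    else
        echo expiring
    fi
}

# "covered" if the leaf certificate carries FQDN as a DNS subjectAltName.
bundle_covers_name() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$pat(,|[[:space:]]|$)"; then
        echo covered
    else
        echo uncovered
    fi
}

# check_bundle FILE FQDN DAYS -> "ok", or the name of the first failed check.
check_bundle() {
    [ "$(bundle_key_matches "$1")" = match ] || { echo mismatch; return 0; }
    [ "$(bundle_covers_name "$1" "$2")" = covered ] || { echo uncovered; return 0; }
    [ "$(bundle_freshness "$1" "$3")" = fresh ] || { echo expiring; return 0; }
    echo ok
}

# Constructed test data: a self-signed EC cert laid out like acme.sh's
# ${FQDN}_ecc directory (fullchain.cer + FQDN.key), then the cat step.
# Prints the bundle path.
make_test_bundle() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/$fqdn.key" -out "$dir/fullchain.cer" -days 90 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
    cat "$dir/fullchain.cer" "$dir/$fqdn.key" > "$dir/bundle.pem"
    echo "$dir/bundle.pem"
}

# Demo run: ./check_bundle.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    good=$(make_test_bundle "$tmp/good" tower.example.com)
    echo "good bundle, 30-day threshold: $(check_bundle "$good" tower.example.com 30)"
    echo "good bundle, wrong name:        $(check_bundle "$good" plex.example.com 30)"
    rm -rf "$tmp"
fi
```

On a real system replace the constructed bundle with /boot/config/ssl/certs/${certName}.pem and ${yourFQDN}; only reload nginx when check_bundle prints "ok", and let the "expiring" result drive the acme.sh renewal rather than a fixed calendar date.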

 
