This article is published under a Creative Commons Attribution 4.0 International (CC BY 4.0) license.

Author: Su Yang

Word count: 2655 words. Reading time: 6 minutes. Original link: soulteary.com/2018/08/30/…


Obtain the SSL certificate using Docker CertBot

Let’s Encrypt has offered free certificates for a long time. However, as its APIs have been upgraded and extended, obtaining certificates with the acme.sh script has become more and more troublesome. In addition, with the growing number of configuration options, it is hard to skim the documentation and quickly work out the current best practice.

Original plan

After updating the server’s operating system, acme.sh, which I had been using, had a problem: it could not read the DNS account name I configured, regardless of whether I wrote the account directly into the execution script. Considering that the certificate client will be upgraded again in the future, continuing to patch it is obviously not a sensible choice.

Use an official recommended client

Traefik, which I use, supports automatic certificate application, but for one thing I would like more configuration options, such as choosing the encryption scheme and saving certificates separately for reuse.

Secondly, after checking the official documentation, I found that Let’s Encrypt officially recommends a client named Certbot, and that a Docker image is provided along with the official documentation.

After browsing the documentation, I found that the client is very simple to use: only two commands and a few confirmation prompts are needed. It looks good, so let’s give it a try.

Obtaining a certificate in DNS mode

To keep things decoupled, I use the non-intrusive DNS mode, but placing the verification files in the site’s web root works just the same.

Certbot officially provides images for more than a dozen mainstream DNS service providers, and also provides a sample for packaging your own.

Here I choose Cloudflare, so the corresponding image is certbot/dns-cloudflare. You can change it at your discretion.

In DNS mode, you need to provide a DNS credentials file (containing the account email address and API key), so first create that file:

mkdir -p /data/letsencrypt/
touch /data/letsencrypt/cloudflare.ini

Then write your data into cloudflare.ini, for example:

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = e89af204ab0e06def9c0846c202d1dec40e80

Then use Docker’s one-time execution mode to start a client container:

docker run -it --rm --name certbot \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    -v "/data/letsencrypt:/.secrets" \
    certbot/dns-cloudflare certonly \
    --dns-cloudflare-credentials /.secrets/cloudflare.ini \
    --dns-cloudflare-propagation-seconds 60 \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -d soulteary.com -d '*.soulteary.com'

If you don’t need to issue a wildcard certificate, you can drop the --server https://acme-v02.api.letsencrypt.org/directory parameter. In addition, if your domain’s DNS records take a long time to propagate, consider increasing the wait time in --dns-cloudflare-propagation-seconds 60 (in seconds) accordingly.

After the command runs, it asks you a few simple questions in turn: which verification method to use for the certificate (DNS records, a temporary web server for validation, or static files in the web root), whether you accept the user agreement, your email address, and whether to share it with the foundation. If you did not declare the website domain names with the -d parameter, it will also ask what your website’s domain name is.

If all goes well, your certificates, public keys, private keys and other files will be placed neatly in the mapped directory:

/etc/letsencrypt/live

By listing the directory, you can see that this is where the symbolic links to the latest certificate are stored:

lrwxrwxrwx 1 root root 37 Aug 30 12:49 cert.pem -> ../../archive/soulteary.com/cert1.pem
lrwxrwxrwx 1 root root 38 Aug 30 12:49 chain.pem -> ../../archive/soulteary.com/chain1.pem
lrwxrwxrwx 1 root root 42 Aug 30 12:49 fullchain.pem -> ../../archive/soulteary.com/fullchain1.pem
lrwxrwxrwx 1 root root 40 Aug 30 12:49 privkey.pem -> ../../archive/soulteary.com/privkey1.pem

So you don’t need to worry that a failed certificate renewal would leave you with no way to roll back.

As for how to renew the certificate, the answer is also very simple: rerun the docker run command above, and after entering the domain name, select [renew].

Of course, the client also provides a one-shot approach: if the parameter after the image name in docker run is changed from certonly to renew, all certificates are renewed at once.
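As an added example (not the post’s own code), the steps above collected into a POSIX shell script: it writes cloudflare.ini with owner-only permissions, since the file carries the account API key, builds the same docker run line for certonly and renew, and resolves the live/ symlinks into archive/ so a bad renewal can be rolled back by hand. SECRETS_DIR, LE_DIR, the function names and the example.com values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the steps above in functions.
# Assumed: SECRETS_DIR/LE_DIR are the host directories mapped into the container,
# and docker plus the certbot/dns-cloudflare image exist when the command is run.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/data/letsencrypt}"
LE_DIR="${LE_DIR:-/etc/letsencrypt}"
ACME_V2="https://acme-v02.api.letsencrypt.org/directory"

# Write cloudflare.ini with owner-only permissions: it holds the account API key,
# and certbot warns if the credentials file is readable by other users.
write_cloudflare_ini() {  # $1 = email, $2 = API key
    mkdir -p "$SECRETS_DIR"
    ( umask 077
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' "$1" "$2" \
          > "$SECRETS_DIR/cloudflare.ini" )
    chmod 600 "$SECRETS_DIR/cloudflare.ini"
}

# Build the docker run line from the post. $1 = certonly|renew, $2 = base domain,
# $3 = 1 for a wildcard certificate, $4 = DNS propagation wait in seconds.
certbot_cmd() {
    cmd="docker run -it --rm --name certbot"
    cmd="$cmd -v $LE_DIR:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt"
    cmd="$cmd -v $SECRETS_DIR:/.secrets certbot/dns-cloudflare $1"
    if [ "$1" = certonly ]; then
        cmd="$cmd --dns-cloudflare-credentials /.secrets/cloudflare.ini"
        cmd="$cmd --dns-cloudflare-propagation-seconds $4"
        if [ "$3" = 1 ]; then
            # a wildcard name must be issued through the ACME v2 endpoint
            cmd="$cmd --server $ACME_V2 -d $2 -d '*.$2'"
        else
            cmd="$cmd -d $2"
        fi
    fi
    printf '%s\n' "$cmd"
}

# live/<domain>/<file> is a symlink into archive/; report where it points so a
# bad renewal can be rolled back by re-pointing the link to the previous version.
live_target() {  # $1 = domain, $2 = file, e.g. fullchain.pem
    readlink -f "$LE_DIR/live/$1/$2"
}

# Example run (constructed values): obtain a wildcard certificate, then renew.
# write_cloudflare_ini "admin@example.com" "PLACEHOLDER_API_KEY"
# eval "$(certbot_cmd certonly example.com 1 60)"
# eval "$(certbot_cmd renew example.com 0 60)"
```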

Other notes

There’s really no need to tweak the encryption algorithm; unless you are deliberately trying to support older devices, just use the default settings.

Traefik, or rather Go, already supports CHACHA20_POLY1305 (see the documentation), so the certificates obtained here can be mounted directly into Traefik and support all current mainstream devices.

See the certificate test report below:

  • SSL Labs certificate analysis

–EOF


I now have a small tinkering group, which has gathered some fellow tinkerers.

With no advertising, we talk about software, HomeLab and some programming problems together, and from time to time share technical salon information in the group.

Fellow tinkerers are welcome to scan the code to add me as a friend. (Please state your source and purpose, otherwise the request will not be approved.)

More about joining the group