Get Let's Encrypt Certificates using Docker

With Docker, you can get TLS certificates from Let's Encrypt with a single command.

2020. 05. 17. #docker #security

This post is also available in Korean.

Let's Encrypt is a certificate authority that provides TLS certificates for free. It was established to encrypt every web service, without any charges and without a complicated process.

Logo of Let's Encrypt

The most common way to issue certificates is to use certbot. Certbot is the official Python client from the EFF, one of the major sponsors of Let's Encrypt.

Certbot automates issuing and deploying certificates with a single command. But it requires some troublesome management of native libraries and Python dependencies. Because library versions differ between operating systems, you may run into unexpected issues when using the native client.

We already know a solution for this situation - Docker!

How certbot verifies your domain ownership

To issue a certificate, the authority must confirm that you own the domains to be certified. Certbot uses one of two ways to confirm this: a local webserver or DNS records.

Using local webserver

Certbot runs a webserver on your local machine, and Let's Encrypt tries to reach that server through the domain name.

  • Pros
    • Easy and simple. You need just one command.
  • Cons
    • If you want to issue a certificate for a running service, you have to stop its webserver, because certbot needs ports 80/443 for its verification server.
    • Let's Encrypt's servers will connect to your server directly. In some cases you have to change firewall rules to accept the connection.
    • If you use a load balancer, there is no guarantee that the connection from Let's Encrypt reaches the server on which you are running certbot.

Using DNS records

You publish the verification code as a TXT record.

  • Pros
    • You don't have to change any server settings.
  • Cons
    • If you don't have permission to edit DNS records (especially in companies), registering the record can be cumbersome.
    • You have to wait until the DNS record propagates.

Getting Started

Certbot provides an official Docker image, certbot/certbot. With the image, you don't have to install any native dependencies on your machine.

Let's start with this command:

docker run -it --rm --name certbot \
  -v '/etc/letsencrypt:/etc/letsencrypt' \
  -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
  certbot/certbot certonly -d 'yourdomain.com' -d '*.yourdomain.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Here are some explanations of the options of the certbot command.

  • -d 'yourdomain.com' -d '*.yourdomain.com': Domains to issue a certificate for. You can use a wildcard domain, as in the example. Change yourdomain.com to your own address.
  • --manual --preferred-challenges dns: Use DNS records to prove domain ownership.
  • --server ~~~: Address of the ACME authority server.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): 

Enter your email address. A few days before the certificate expires, a notification will be sent to the address you enter here.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

Type 'A' to agree.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Agree or decline to share your email address with the EFF. There is no penalty for declining.

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for yourdomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

The IP address of the machine will be publicly logged. If you don't agree with this, try again from another machine.

If you type 'Y', the verification code is issued.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Deploy this token as a TXT record under the name shown.

It takes some time to propagate. There is a limit on the number of attempts, so you must confirm that the record has propagated with the nslookup or dig command before continuing.
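As an added example (not part of the original post), here is a small POSIX shell script that performs that check: it polls the _acme-challenge TXT record on several public resolvers with dig until the token certbot printed is visible on all of them, so you know it is safe to press Enter. It assumes dig is installed; the script name, function names and the resolver IPs are my own choices, and the domain and token are the values certbot displayed to you.

```shell
#!/bin/sh
# Added example, not from the original post: wait until the ACME TXT record
# certbot asked for is visible on several public resolvers before pressing Enter.
# Assumes `dig` (dnsutils / bind-utils) is installed. Resolver IPs are well-known
# public resolvers used here as examples; domain and token come from certbot.

# Return 0 when the `dig +short` output in $1 contains exactly the token $2.
# dig prints each TXT record as one quoted string per line, e.g. "abc...".
txt_has_token() {
    dig_output=$1
    token=$2
    # Strip the surrounding quotes and compare whole lines; `--` protects
    # tokens that start with '-' (the base64url alphabet includes '-' and '_').
    printf '%s\n' "$dig_output" | sed 's/^"\(.*\)"$/\1/' | grep -qxF -- "$token"
}

# Query one resolver ($1) for _acme-challenge.<domain> ($2) and check token ($3).
check_resolver() {
    out=$(dig +short +time=3 +tries=1 "@$1" TXT "_acme-challenge.$2" 2>/dev/null)
    txt_has_token "$out" "$3"
}

# Poll every resolver until all return the token or the deadline (seconds) passes.
# $1 domain, $2 token, $3 max wait, remaining args: resolver IPs.
wait_for_propagation() {
    domain=$1; token=$2; max_wait=$3; shift 3
    elapsed=0
    while [ "$elapsed" -le "$max_wait" ]; do
        pending=""
        for r in "$@"; do
            check_resolver "$r" "$domain" "$token" || pending="$pending $r"
        done
        if [ -z "$pending" ]; then
            echo "token visible on all resolvers after ${elapsed}s; safe to continue"
            return 0
        fi
        echo "still waiting on:$pending (${elapsed}s elapsed)"
        sleep 10
        elapsed=$((elapsed + 10))
    done
    echo "record not propagated after ${max_wait}s; do not press Enter yet" >&2
    return 1
}

# Usage: sh check-acme-txt.sh yourdomain.com <token certbot printed>
if [ -n "$1" ] && [ -n "$2" ]; then
    wait_for_propagation "$1" "$2" 300 1.1.1.1 8.8.8.8 9.9.9.9
fi
```

Run it in a second terminal while certbot waits at "Press Enter to Continue"; a stale TXT value from an earlier attempt is reported as not matching, which is the usual reason a challenge fails.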

Finally, when you press enter:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2019-04-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That's it! Your certificate and chain have been saved in the volume you mounted.

Renew certificates

The certificate expires after 90 days. You may think this is too short, but there are reasons:

  • To encourage automation
  • Limit damage from key compromise and mis-issuance

So I recommend automating the renewal process with tools like crontab.

Certificates issued by certbot can be renewed with certbot.

docker run -it --rm --name certbot \
  -v '/etc/letsencrypt:/etc/letsencrypt' \
  -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
  certbot/certbot renew --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/yourdomain.com/fullchain.pem expires on 2019-04-12 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot says it is too early to renew. When the certificate is close to expiry, this command will renew it.


That's all. You need just a few commands (... and a few agreements) to issue certificates for your domains. So, if your sites are not yet encrypted, why not try this now?

Creative Commons License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

© 2011 - 2020 Do Hoerin, LYnLab