Get Let's Encrypt Certificates using Docker
With docker, you can get TLS certificates from Let's Encrypt with a single command.
💡 This post was written more than a year ago. For informational posts, be aware that the content may no longer be current.
Let's Encrypt is a certificate authority that provides TLS certificates for free. It was established to encrypt every web service, without any charges and without any complicated process.
The most common way to issue certificates is to use certbot. Certbot is the official Python client from the EFF, one of the major sponsors of Let's Encrypt.
Certbot provides an automated process to issue and deploy certificates with a single command. But it requires some troublesome management of native libraries and Python dependencies. Because library versions differ by OS, you will face unexpected issues when using this native client.
We already know a solution for this situation - Docker!
To issue a certificate, the authority must confirm that you own the domains to be certified. Certbot uses one of two ways to confirm this: a local webserver or DNS records.
- Local webserver: Certbot runs a webserver on your local server, and Let's Encrypt tries to access the server through the domain.
- DNS records: you register the verification code as a TXT record.
Certbot provides an official Docker image, certbot/certbot. With the Docker image, you don't have to install any native dependencies on your computer.
Let's start with this command:
docker run -it --rm --name certbot \
-v '/etc/letsencrypt:/etc/letsencrypt' \
-v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
certbot/certbot certonly -d 'yourdomain.com' -d '*.yourdomain.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Here are some explanations of the options of the certbot command.
-d 'yourdomain.com' -d '*.yourdomain.com'
: Domains to issue the certificate for. You can use a wildcard domain, as in the example. Change <yourdomain.com> to your own address.
--manual --preferred-challenges dns
: Use DNS records to prove domain ownership.
--server ~~~
: Address of the authority (ACME) server. The acme-v02 endpoint is the one that supports wildcard certificates.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
Enter your email address. A few days before the certificate's expiration date, a notification will be sent to the address you entered here.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
Type 'A' to agree.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Choose whether to share your email address with the EFF. There is no penalty if you decline.
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
The IP address of the machine will be publicly logged. If you don't agree with this, try again on another machine.
If you type 'Y', the verification code is issued.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Deploy this token as a TXT record.
It takes some time to propagate. Because there is a limit on failed attempts, check that the record has propagated with the nslookup or dig command before continuing.
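An added helper for the propagation check above (example code, not from the original post): `txt_contains_token` parses the values `dig +short TXT` prints and succeeds when the token certbot displayed is among them, and `wait_for_acme_txt` polls two public resolvers (1.1.1.1 and 8.8.8.8 are an assumption; any resolver you trust works) so that you press Enter only once the record is actually visible. Querying public resolvers rather than the local one avoids a cached NXDOMAIN or stale token from an earlier attempt. Note that when you request both yourdomain.com and *.yourdomain.com, certbot asks for two TXT records under the same _acme-challenge name; keep both deployed. The dig output in the test below is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads `dig +short TXT` output on stdin (one double-quoted string per line)
# and succeeds if any value equals the token certbot displayed.
txt_contains_token() {
  expected=$1
  while IFS= read -r line; do
    value=${line#\"}      # dig wraps each TXT string in double quotes
    value=${value%\"}
    if [ "$value" = "$expected" ]; then
      return 0
    fi
  done
  return 1
}

# Polls public resolvers until the record is visible or attempts run out.
# Usage: wait_for_acme_txt yourdomain.com 'AAAA...' [attempts] [delay_seconds]
wait_for_acme_txt() {
  domain=$1; expected=$2; attempts=${3:-20}; delay=${4:-15}
  name="_acme-challenge.$domain"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    for resolver in 1.1.1.1 8.8.8.8; do   # assumption: any public resolver works
      if dig +short TXT "$name" "@$resolver" | txt_contains_token "$expected"; then
        echo "$name is visible at $resolver; safe to press Enter in certbot"
        return 0
      fi
    done
    i=$((i + 1))
    echo "attempt $i/$attempts: $name not visible yet, sleeping ${delay}s" >&2
    sleep "$delay"
  done
  echo "$name did not propagate after $attempts attempts" >&2
  return 1
}
```

Run it in a second terminal while certbot waits at "Press Enter to Continue", for example `wait_for_acme_txt yourdomain.com 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'`; each failed validation counts against the Let's Encrypt rate limits, so waiting for a positive answer is cheaper than retrying.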
Finally, when you press enter:
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
Your cert will expire on 2019-04-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
That's it! Your certificate and chain have been saved at the volume you mounted.
The certificate will expire after 90 days. Yes, you may think this is too short, but there are some reasons:
So I recommend automating the renewal process with a tool like crontab.
Certificates issued by certbot can be renewed with certbot:
docker run -it --rm --name certbot \
-v '/etc/letsencrypt:/etc/letsencrypt' \
-v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
certbot/certbot renew --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem expires on 2019-04-12 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certbot says it is too early to renew. When the certificate is close to expiring, this same command will renew it.
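The cron job recommended above, as an added example that is not code from the original post. It wraps the post's renew container for non-interactive use: the `--manual` DNS flow cannot answer certbot's TXT-record prompt from cron, so the hook scripts under /opt/certbot-hooks/ (a placeholder path; you write them against your DNS provider's API, and certbot runs them inside the container with CERTBOT_DOMAIN and CERTBOT_VALIDATION set) create and remove the record, and a marker file on the mounted volume tells the host to reload nginx (an assumed deploy action). The date helpers are pure POSIX arithmetic so the script also runs on hosts without GNU `date -d`.

```shell
#!/bin/sh
# renew-certs.sh: a cron wrapper around the post's `certbot/certbot renew`
# container. Added example, not code from the original post. Assumptions:
#  - /opt/certbot-hooks/dns-auth.sh and dns-cleanup.sh are placeholders for
#    hook scripts you write against your DNS provider's API; certbot runs them
#    inside the container with CERTBOT_DOMAIN and CERTBOT_VALIDATION set.
#  - "nginx -s reload" is one plausible deploy action on the host.
set -eu

CERT_DIR=/etc/letsencrypt
HOOK_DIR=/opt/certbot-hooks
RENEWED_MARKER="$CERT_DIR/.renewed"   # written by the deploy hook inside the container

# days_from_civil Y M D -> days since 1970-01-01, in pure POSIX arithmetic
# (no `date -d`, so it also runs on BusyBox/Alpine cron hosts).
days_from_civil() {
  y=$1 m=${2#0} d=${3#0}                # strip a leading zero: "04" -> 4
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  printf '%s\n' $((era * 146097 + doe - 719468))
}

# iso_to_days YYYY-MM-DD -> days since epoch
iso_to_days() {
  oldifs=$IFS; IFS=-; set -- $1; IFS=$oldifs
  days_from_civil "$1" "$2" "$3"
}

# days_until YYYY-MM-DD [TODAY] -> signed number of days until that date
days_until() {
  today=${2:-$(date -u +%Y-%m-%d)}
  printf '%s\n' $(( $(iso_to_days "$1") - $(iso_to_days "$today") ))
}

# should_renew EXPIRY [TODAY]: certbot's default is to renew when fewer than
# 30 days remain; mirroring it here avoids starting a container needlessly.
should_renew() {
  [ "$(days_until "$1" "${2:-}")" -le 30 ]
}

# notafter_to_iso "notAfter=Apr 12 23:59:59 2019 GMT" -> 2019-04-12
# (the line `openssl x509 -noout -enddate` prints for a certificate)
notafter_to_iso() {
  set -- $(echo "${1#notAfter=}")
  case $1 in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  printf '%04d-%02d-%02d\n' "$4" "$m" "$2"
}

renew() {
  # No -it: cron has no TTY. --non-interactive makes certbot fail instead of
  # prompting, and the auth/cleanup hooks replace the manual TXT-record step.
  docker run --rm --name certbot \
    -v "$CERT_DIR:/etc/letsencrypt" \
    -v /var/lib/letsencrypt:/var/lib/letsencrypt \
    -v "$HOOK_DIR:/hooks:ro" \
    certbot/certbot renew --non-interactive \
      --manual --preferred-challenges dns \
      --manual-auth-hook /hooks/dns-auth.sh \
      --manual-cleanup-hook /hooks/dns-cleanup.sh \
      --server https://acme-v02.api.letsencrypt.org/directory \
      --deploy-hook 'touch /etc/letsencrypt/.renewed'
}

main() {
  domain=$1
  cert="$CERT_DIR/live/$domain/fullchain.pem"
  expiry=$(notafter_to_iso "$(openssl x509 -in "$cert" -noout -enddate)")
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $domain expires $expiry ($(days_until "$expiry") days left)"
  if ! should_renew "$expiry"; then
    echo "not due for renewal yet"
    return 0
  fi
  rm -f "$RENEWED_MARKER"
  renew
  # The deploy hook runs inside the container and cannot reload the host web
  # server itself, so it leaves a marker on the shared volume instead.
  if [ -f "$RENEWED_MARKER" ]; then
    nginx -s reload
    rm -f "$RENEWED_MARKER"
  fi
}

if [ -n "${1:-}" ]; then main "$1"; fi
```

Install it as /usr/local/bin/renew-certs.sh and add a crontab line such as `17 3 * * * /usr/local/bin/renew-certs.sh yourdomain.com >>/var/log/renew-certs.log 2>&1`. The deploy hook only fires when a certificate was actually renewed, so the reload never happens on the "not yet due" runs the post shows.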
.
.
.
This is all. You need just a few lines of command (... and some agreements) to issue certificates for your domains. So, if your sites are not yet encrypted, why not try this now?
Unless otherwise noted, the content of this site is available under the Creative Commons Attribution-ShareAlike 4.0 International License.
© 2011 - 2024 Hoerin Doh, All rights reserved.