목차
Get Let's Encrypt Certificates using Docker
With docker, you can get TLS certificates from Let's Encrypt with a single command.
💡 이 글은 작성된지 1년 이상 지났습니다. 정보글의 경우 최신 내용이 아닐 수 있음에 유의해주세요.
Let's Encrypt is a certificate authority that provides TLS encryption certificates with free. They established to encrypt every web service, without any charges and any complicated process.
The most general way to issue certificates is using certbot. Certbot is an official python client from EFF, one of the major sponsors of Let's Encrypt.
Certbot provides automated processes to issue and deploy certificates with a single command. But it requires some troublesome management of native libraries and python dependencies. Because the version of libraries is different by OS, you will face unexpected issues when using this native client.
We already know a solution for this situation - Docker!
How certbot trust your domain ownership
To issue certificates, the authority must confirm that you own domains to certify. Certbot uses one of two ways to confirm this: using a local webserver or using DNS records.
Using local webserver
Certbot runs a webserver on your local server, and Let's Encrypt try to access the server by the domain.
- Pros
- Easy and simple. You need just one line of command.
- Cons
- If you want to issue a certificate for running service, you have to stop the webserver. This is because certbot requires 80/443 ports to run its verification server.
- Let's Encrypt's server would access your server directly. In some cases, you have to change firewall rules to accept the connection.
- If you use a load balancer, it is not guaranteed that the connection from Let's Encrypt's goes into the server that you trying.
Using DNS records
You register the verification code as the TXT record.
- Pros
- You don't have to change any settings of servers.
- Cons
- If you don't have permission to access DNS records (especially in companies), the process of registering records could be cumbersome.
- You have to wait until the DNS record propagates.
Getting Started
Certbot provides an official docker image certbot/certbot. With the docker image, you don't have to install any native dependencies on your computer.
Let's start with this command:
docker run -it --rm --name certbot \
-v '/etc/letsencrypt:/etc/letsencrypt' \
-v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
certbot/certbot certonly -d 'yourdomain.com' -d '*.yourdomain.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Here are some explanations of the options of the certbot command.
-d 'yourdomain.com' -d '*.yourdomain.com': Domains to issue a certificate. You can use the wildcard domain as you can see at the example. Change <yourdomain.com> into your address.--manual --preferred-challenges dns: Use DNS records to prove domain ownership.--server ~~~: Address of authority server.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
Enter your email address. In a few days before the certificate's expiration date, a notification will be sent to the email address you entered here.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
Type 'A' to agree.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Agree/disagree to share your email address with the EFF. There is no penalty if you disagree with this.
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
The IP address of the machine will be publicly logged. If you don't agree with this, try again on another machine.
If you type 'Y', the verification code has issued.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Deploy this token with a TXT record.
It takes some time to propagate. There is a limit on attempts, you must check if the record propagated using nslookup or dig command before to continue.
Finally, when you press enter:
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
Your cert will expire on 2019-04-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
That's it! Your certificate and chain have been saved at the volume you mounted.
Renew certificates
The certificate will expire after 90 days. Yes, you may think this is too short, but there are some reasons:
- To encourage automation
- Limit damage from key compromise and miss-issuance
So I recommend you to automate renewing processes using tools like crontab.
Certificates issued by certbot can be renew using certbot.
>>> docker run -it --rm --name certbot \
-v '/etc/letsencrypt:/etc/letsencrypt' \
-v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
certbot/certbot renew --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem expires on 2019-04-12 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
They say it is too early to renew. When certificates expire soon, this command will work well.
.
.
.
This is all. You need just a few lines of command (... and some agreement) to issue certificates for your domains. So, if your sites yet not encrypted, why not try this now?
관련된 글
Rails와 GitHub Actions에 커버리지 레포트를 달아보자
이 블로그의 CMS이기도 한 Shiori를 대폭 리팩토링하면서 테스트가 얼마나 잘 작성되어있는지 궁금해졌습니다.
Rails Global ID로 전역 객체 식별하기
Global ID는 Rails의 모든 객체를 식별할 수 있는 URI(Uniform Resource Identifier)입니다.
Ruby on WebAssembly: 살짝 맛보기
Ruby 3.2에 추가된 WebAssembly 지원을 간단하게 테스트해봅시다.
작성한 댓글은 giscus를 통해 GitHub Discussion에 저장됩니다.