Container para emitir Certificados Let's Encrypt, com o Dehydrated
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

4.4 KiB

docker-letsencrypt

container to generate letsencrypt certs using dehydrated + lexicon

Docs

Dockerfile

Use to set your own defaults or overwrite in the command

FROM willfarrell/letsencrypt:latest

COPY config /etc/dehydrated/config

ENV

# defaults to `staging`, use `production` when ready.
LE_ENV=staging
# Only required if you plan to use dns-01 challenges (use for private services)
# CloudFlare example
PROVIDER=cloudflare
LEXICON_CLOUDFLARE_USERNAME=
LEXICON_CLOUDFLARE_TOKEN=

# Route 53 example
PROVIDER=route53
LEXICON_ROUTE53_ACCESS_KEY=
LEXICON_ROUTE53_ACCESS_SECRET=

Testing

docker build -t letsencrypt .

# private
docker run \
    --env-file letsencrypt.env \
    letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --hook dehydrated-dns \
        --challenge dns-01 \
        --force

# public
docker run -d \
    --env-file letsencrypt.env \
    letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --challenge http-01 \
        --force

# reload nginx to see changes                                                                         

Deploy

Note the use of --hook dehydrated-dns, dehydrated-dns is a script wrapper to call lexicon from dehydrated.

# private
docker run \
    --volumes-from docker_nginx_1 \
    --env-file letsencrypt.env \
    willfarrell/letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --out /etc/ssl \
        --hook dehydrated-dns \
        --challenge dns-01

# public
docker run -d \
    --volumes-from docker_nginx_1 \
    --env-file letsencrypt.env \
    willfarrell/letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --out /etc/ssl \
        --challenge http-01

Also worth reading is Let's Encrypts document on certificate rate limits https://letsencrypt.org/docs/rate-limits/. In short you can generate 5 duplicate certificates per 7 days.

Route53 Access Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"
            ]
        }
    ]
}

Staging Certificate

Staging certificates are not natively trusted. If you'd like to prevent the security messages in the browser;

Mac

  1. Download Fake LE Intermediate X1.
  2. Open Applications -> Utilities -> Keychain Access.
  3. Click on Certificates.
  4. Drag fakeleintermediatex1.pem into the window to add it.
  5. Double click Fake LE Intermediate X1.
  6. Window will pop open. Under the Trust section, set When using this certificate to Always Trust.
  7. Close window. Confirm window will pop open. Enter password and click Update Settings.

There should now be a blue and white plus icon associated with the certificate. You may need to restart your browser before the change takes effect.

iOS

  1. Go to https://letsencrypt.org/docs/staging-environment click on Fake LE Intermediate X1.
  2. You will be redirected to an Install Profile page. Click Install.
  3. Enter device password.
  4. Click Install, and Install again.
  5. Click Done.

To view the certificate got to Settings -> General -> Profile.

Android