Container para emitir Certificados Let's Encrypt, com o Dehydrated

will Farrell 6cca2b1e18 bug fix: $1 could be `sh` preventing prod from ever being used		8 years ago
.gitignore	init commit	8 years ago
.travis.yml	fix travis build path	8 years ago
Dockerfile	add healthcheck	8 years ago
LICENSE	License update	8 years ago
README.md	docs update	8 years ago
config	init commit	8 years ago
docker-entrypoint.sh	bug fix: $1 could be `sh` preventing prod from ever being used	8 years ago
letsencrypt.env.sample	init commit	8 years ago

README.md

docker-letsencrypt

container to generate letsencrypt certs using dehydrated + lexicon

Supported tags and Dockerfile links

latest (Dockerfile)

Docs

Dockerfile

Use to set your own defaults or overwrite in the command

FROM willfarrell/letsencrypt:latest

COPY config /etc/dehydrated/config

ENV

# defaults to `staging`, use `production` when ready.
LE_ENV=staging
# Only required if you plan to use dns-01 challenges (use for private services)
# CloudFlare example
PROVIDER=cloudflare
LEXICON_CLOUDFLARE_USERNAME=
LEXICON_CLOUDFLARE_TOKEN=

# Route 53 example
PROVIDER=route53
LEXICON_ROUTE53_ACCESS_KEY=
LEXICON_ROUTE53_ACCESS_SECRET=

Testing

docker build -t letsencrypt .

# private
docker run \
    --env-file letsencrypt.env \
    letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --hook dehydrated-dns \
        --challenge dns-01 \
        --force

# public
docker run -d \
    --env-file letsencrypt.env \
    letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --challenge http-01 \
        --force

# reload nginx to see changes

Deploy

Note the use of --hook dehydrated-dns, dehydrated-dns is a script wrapper to call lexicon from dehydrated.

# private
docker run \
    --volumes-from docker_nginx_1 \
    --env-file letsencrypt.env \
    willfarrell/letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --out /etc/ssl \
        --hook dehydrated-dns \
        --challenge dns-01

# public
docker run -d \
    --volumes-from docker_nginx_1 \
    --env-file letsencrypt.env \
    willfarrell/letsencrypt \
    dehydrated \
        --cron --domain letsencrypt.willfarrell.ca \
        --out /etc/ssl \
        --challenge http-01

Also worth reading is Let's Encrypts document on certificate rate limits https://letsencrypt.org/docs/rate-limits/. In short you can generate 5 duplicate certificates per 7 days.

Route53 Access Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"
            ]
        }
    ]
}

Staging Certificate

Staging certificates are not natively trusted. If you'd like to prevent the security messages in the browser;

Mac

Download Fake LE Intermediate X1.
Open Applications -> Utilities -> Keychain Access.
Click on Certificates.
Drag fakeleintermediatex1.pem into the window to add it.
Double click Fake LE Intermediate X1.
Window will pop open. Under the Trust section, set When using this certificate to Always Trust.
Close window. Confirm window will pop open. Enter password and click Update Settings.

There should now be a blue and white plus icon associated with the certificate. You may need to restart your browser before the change takes effect.

iOS

Go to https://letsencrypt.org/docs/staging-environment click on Fake LE Intermediate X1.
You will be redirected to an Install Profile page. Click Install.
Enter device password.
Click Install, and Install again.
Click Done.

To view the certificate got to Settings -> General -> Profile.