Let’s Encrypt

Setting up a stand-alone signed SSL certificate for use on personal systems, using a Let’s Encrypt Docker container (dnsrobocert) with DNS-01 verification.

This is for personal use only, and doesn’t account for specific nation-state attacks, which could include MITM or a compromise of Let’s Encrypt servers or the ACME protocol. Don’t consider this secure. It is better than having people accept self-signed certificates, and it enables use of verified SSL for things like mail and web services.

See Let’s Encrypt Docker and Documentation. Source Documentation.

Ports (Let’s Encrypt)

None. The container adds an _acme-challenge TXT record to your DNS zone through the provider’s API, proving you control the domain, and then downloads the signed certificates. No inbound ports need to be exposed.


Docker Creation

This container will automatically pull new certificates if none are found in the mapped /etc/letsencrypt directory. Renewal requests automatically happen every 12 hours. Be sure to restart the container if changes are made.

Docker Compose
letsencrypt:
  image: adferrand/dnsrobocert:latest
  container_name: letsencrypt  # matches the docker logs / docker exec commands below
  restart: unless-stopped
  environment:
    - TZ=America/Los_Angeles
  volumes:
    - /data/services/dnsrobocert:/etc/dnsrobocert
    - /data/services/letsencrypt:/etc/letsencrypt
    - /etc/localtime:/etc/localtime:ro
  • The Let’s Encrypt local mount should just point to the directory where Let’s Encrypt certificates are stored, typically /etc/letsencrypt.

Initial Setup

Set configuration file before starting container. See Configuration Reference.

0400 root root /etc/dnsrobocert/config.yml
acme:
  api_version: 2
  certs_permissions:
    group: root
    user: root
    dirs_mode: '0750'
    files_mode: '0640'
  email_account: {EMAIL}
  staging: false
certificates:
- domains:
  - '*.example.com'
  - example.com
  name: example.com
  profile: googleclouddns
- domains:
  - mail.example2.com
  name: mail.example2.com
  profile: googleclouddns
profiles:
- name: googleclouddns
  provider: googleclouddns
  provider_options:
    auth_service_account_info: >-
      base64::asdfJDFDx99dsafd ...
  sleep_time: 150


Secure this file, as the provider credentials in it give full control over your DNS domain. Adding or removing domains in this file will result, respectively, in a request for new certificates or deletion of existing ones on the next renewal check.


Lexicon is used to add and remove the challenge records in your DNS zone, but each provider requires its own authentication options.

See Lexicon Providers for specific options for each supported DNS provider.


sleep_time is the number of seconds to wait after publishing the auth challenge record before asking Let’s Encrypt to validate it, so that the DNS change has propagated. Set to 150 as Google Cloud DNS guarantees updates within 120 seconds.

staging: true will run requests against the Let’s Encrypt staging server, so the setup can be tested first; certificates from the staging server are not trusted by clients.

Check Status

Watch the container logs for renewal status and messages.
docker logs -f letsencrypt

Checking Certificates

See the current certificates that are being managed by the container.
docker exec -it letsencrypt sh
certbot certificates
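The certbot certificates output above can be audited rather than read by eye. This added example (not part of this page, dnsrobocert or certbot) parses a constructed sample of that output and flags certificates that are missing, issued by the staging CA, expired or close to expiry, which is what a failed renewal or a forgotten staging: true looks like.

```python
import re
from datetime import datetime

# Constructed sample of `certbot certificates` output in the format certbot prints
# (not captured from a real host): one good cert and one issued by the staging CA.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Key Type: ECDSA
    Domains: example.com *.example.com
    Expiry Date: 2030-03-15 10:00:00+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: mail.example2.com
    Key Type: RSA
    Domains: mail.example2.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/mail.example2.com/fullchain.pem
"""
# Fixed "now" so the constructed sample audits the same way on every run.
SAMPLE_NOW = datetime.fromisoformat("2030-01-01 00:00:00+00:00")

BLOCK = re.compile(
    r"Certificate Name: (?P<name>\S+)\n(?:.*\n)*?"
    r"\s*Domains: (?P<domains>.*)\n"
    r"\s*Expiry Date: (?P<expiry>\S+ \S+) \((?P<status>[^)]*)\)"
)


def parse_certificates(output):
    """Map certificate name -> domains, aware expiry datetime and certbot's status text."""
    return {m["name"]: {"domains": m["domains"].split(),
                        "expiry": datetime.fromisoformat(m["expiry"]),
                        "status": m["status"]} for m in BLOCK.finditer(output)}


def audit_certs(output, expected_names, now, warn_days=30):
    """Return sorted (name, problem) findings: missing, staging-issued, expired or expiring certs."""
    certs = parse_certificates(output)
    findings = [(n, "no certificate found; check config.yml and the container logs")
                for n in expected_names if n not in certs]
    for name, cert in certs.items():
        if cert["status"] == "INVALID: TEST_CERT":
            findings.append((name, "issued by the staging CA (staging: true); clients will not trust it"))
        days_left = (cert["expiry"] - now).days
        if days_left < 0:
            findings.append((name, "expired"))
        elif days_left < warn_days:
            findings.append((name, f"expires in {days_left} days; the 12-hour renewal may be failing"))
    return sorted(findings)
```

Feed it the real output with docker exec letsencrypt certbot certificates and the names from config.yml; an empty list means every configured certificate is present, production-issued and not near expiry.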