Let’s Encrypt

Setting up a stand-alone, CA-signed SSL certificate for use on personal systems, using the Let’s Encrypt Docker container with DNS-01 validation.

This is for personal use only, and doesn’t account for nation-state attackers, who could MITM the connection or compromise Let’s Encrypt’s servers or the ACME protocol. Don’t consider this secure. It is better than having people accept self-signed certificates, and it enables use of verified SSL for things like mail and web services.

See the Let’s Encrypt Docker image and its documentation, and the source documentation.

Ports (Let’s Encrypt)

None. The container will automatically add an _acme-challenge TXT record to your DNS server, proving you control the domain, and then download the signed certificates. No exposed ports are required.
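What that TXT record actually contains, as an added example (not code from this page or from dnsrobocert): the ACME DNS-01 computation from RFC 8555 §8.4 and the RFC 7638 key thumbprint it depends on, so you can recognise the value the container publishes when you inspect the zone during a failed renewal. The JWK and token below are constructed placeholders, not real key material; the thumbprint routine covers both RSA and EC account keys, which is more than the page itself discusses.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, go into the thumbprint hash.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME and JWK use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members as compact, sorted JSON."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record contents the ACME server looks for (RFC 8555 8.4):
    base64url(SHA-256(token "." thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(domain: str) -> str:
    """Owner name of the TXT record. A wildcard is validated at its base name,
    so '*.example.com' and 'example.com' each get a record at the same name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


# Constructed sample input: a fake RSA public JWK (not a real key) and a fake token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus", "kid": "demo"}
SAMPLE_TOKEN = "constructed-token-XyZ123"

if __name__ == "__main__":
    for d in ("*.example.com", "example.com", "mail.example2.com"):
        print(challenge_record_name(d), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The published value is a hash, so seeing it in the zone reveals nothing about the account key; what matters for auditing is who holds the DNS credentials that can write it.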

Files

Docker Creation

This container will automatically request new certificates if none are found in the mapped /etc/letsencrypt directory. Renewal checks happen automatically every 12 hours. Be sure to restart the container after changing the configuration.

Docker Compose
letsencrypt:
  image: adferrand/dnsrobocert:latest
  restart: unless-stopped
  environment:
    - TZ=America/Los_Angeles
  volumes:
    - /data/services/dnsrobocert:/etc/dnsrobocert
    - /data/services/letsencrypt:/etc/letsencrypt
    - /etc/localtime:/etc/localtime:ro

• The Let’s Encrypt local mount should point to the Let’s Encrypt install location, typically /etc/letsencrypt.

Initial Setup

Set up the configuration file before starting the container. See the Configuration Reference.

0400 root root /etc/dnsrobocert/config.yml
acme:
  api_version: 2
  certs_permissions:
    group: root
    user: root
    dirs_mode: '0750'
    files_mode: '0640'
  email_account: {EMAIL}
  staging: false
certificates:
- domains:
  - '*.example.com'
  - example.com
  name: example.com
  profile: googleclouddns
- domains:
  - mail.example2.com
  name: mail.example2.com
  profile: googleclouddns
profiles:
- name: googleclouddns
  provider: googleclouddns
  provider_options:
    auth_service_account_info: >-
      base64::asdfJDFDx99dsafd ...
  sleep_time: 150

Danger

Secure this file, as it gives full control over your DNS domain. Changing or removing domains in this file will result in a request for new certificates, or deletion of existing ones, on the next renewal check.

Important

Lexicon is used to modify your DNS records, but each provider requires its own authentication options.

See Lexicon Providers for specific options for each supported DNS provider.

Note

sleep_time is the delay in seconds before DNS validation is attempted after the challenge record has been added to the domain. Set to 150, as Google Cloud DNS guarantees updates within 120 seconds.

staging will run requests against the staging server, allowing you to test the setup.

Check Status

Watch the container logs for renewal status and messages.
docker logs -f letsencrypt

Checking Certificates

List the certificates currently managed by the container.
docker exec -it letsencrypt sh
certbot certificates