Using Certbot Docker Image
Prerequisites
This tutorial assumes you have installed Docker.
Table Of Contents
- Single Domain - Web Challenge
- Wildcard Certificate - DigitalOcean DNS Challenge
- Multi-Domain Certificate - Cloudflare DNS Challenge
- Multi-Domain Certificate - AWS Route53 DNS Challenge
- Extra Info - RSA vs ECDSA Keys
Single Domain - Web Challenge
This will show you how to use the Certbot Docker image to generate Lets Encrypt SSL certificates through a web based challenge whereby this serves up a webpage with a token LetsEncrypt will look for on your domain. If it is able to find the token, it proves that you have control of the domain and thus can be provided with SSL certificates for that domain.
Thus, this method requires that this action be taken on the server that the domain points to, and also requires ports 80 and 443 whilst it runs, so your website will likely be unavailable whilst this runs.
Run the command below on your server (after changing the DOMAIN variable)
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
LETSENCRYPT_VOLUME_DIR=$DIR/letsencrypt
DOMAIN="www.mydomain.com"
EMAIL="my-email@gmail.com"
sudo docker run \
--rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v "$LETSENCRYPT_VOLUME_DIR:/etc/letsencrypt" \
certbot/certbot \
certonly \
-d $DOMAIN \
--standalone \
--email=$EMAIL \
--agree-tos \
--no-eff-email
# Copy the certificate files to local folder and set permissions
sudo cp --recursive --dereference $DIR/letsencrypt/live/$DOMAIN .
sudo chown $USER:$USER --recursive $DOMAIN
$LETSENCRYPT_VOLUME_DIR/archive with a symlink to the latest ones in $LETSENCRYPT_VOLUME_DIR/live,
so that's why we can copy them using --dereference.
Wildcard Certificate - DigitalOcean DNS Challenge
If one uses a DNS provider, that has a supported Certbot DNS plugin, then you can easily generate wildcard certificates for your domain using the relevant plugin image. You can find the list of Certbot DNS Plugins on the Certbot Dockerhub page.
In this case, I am using DigitalOcean to manage my DNS records, and thus will be using the certbot/dns-digitalocean image.
If you are using a different provider, swap out the image name, and update the credentials as required.
The following script will create a wildcard certificate for your domain, and place it in a folder named after your domain, on the same level of the script's location.
#!/bin/bash
# Specify your domain here (make sure there is no subdomain/wildcard)
DOMAIN="mydomain.com"
# Specify your email address for Lets encrypt to send you expiry reminders on
EMAIL="me@mydomain.com"
# Put your DigitalOcean token here.
DO_TOKEN="58xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9"
# Get the path to the directory ths script is in.
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
# Specify where to store the Lets Encrypt volume, where all of Certbot's state will be kept.
LETSENCRYPT_VOLUME_DIR=$DIR/letsencrypt
# Create our DigitalOcean credentials file for Certbot to use.
echo "dns_digitalocean_token = ${DO_TOKEN}" > $DIR/certbot-creds.ini
chmod 600 $DIR/certbot-creds.ini
sudo docker run \
--rm \
--name certbot \
-v "$DIR/certbot-creds.ini:/certbot-creds.ini:ro" \
-v "$LETSENCRYPT_VOLUME_DIR:/etc/letsencrypt" \
certbot/dns-digitalocean \
certonly \
--dns-digitalocean \
--email=$EMAIL \
--agree-tos \
--no-eff-email \
--keep-until-expiring \
--dns-digitalocean-credentials /certbot-creds.ini \
-d "*.${DOMAIN}"
sudo cp --recursive --dereference $DIR/letsencrypt/live/$DOMAIN .
sudo chown $USER:$USER --recursive $DOMAIN
# cleanup
rm $DIR/certbot-creds.ini
---dns-digitaloceantells certbot we want a DNS based challenge using DigitalOcean--agree-tos- tells certbot that we agree to the terms of service.--no-eff-email- tells certbot we do not want to be used for statistics.--keep-until-expiring- tells certbot to do nothing if we were to run again before the certificate is even close to expiring.--dns-digitalocean-credentialsspecifies the path to our credentials file (which needs to line up with the volume declaration).
Multi-Domain Certificate - Cloudflare DNS Challenge
The following example will show you how you can use certbot to provision an SSL certificate that covers www.mydomain.com and mydomain.com, which is a common case.
#!/bin/bash
#specify your domain (e.g. without the www subdomain)
DOMAIN="mydomain.org"
# Specify your email address for Lets encrypt to send you expiry reminders on
EMAIL="my.email@gmail.com"
# Put your cloudflare token here (needs zone edit permissions to the relevant domain)
CLOUDFLARE_TOKEN="putYourCloudflareTokenHere"
# Get the path to the directory ths script is in.
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
# Specify where to store the Lets Encrypt volume, where all of Certbot's state will be kept.
LETSENCRYPT_VOLUME_DIR=$DIR/letsencrypt
# Create our DigitalOcean credentials file for Certbot to use.
echo "dns_cloudflare_api_token = ${CLOUDFLARE_TOKEN}" > $DIR/certbot-creds.ini
chmod 600 $DIR/certbot-creds.ini
sudo docker run \
--rm \
--name certbot \
-v "$DIR/certbot-creds.ini:/certbot-creds.ini:ro" \
-v "$LETSENCRYPT_VOLUME_DIR:/etc/letsencrypt" \
certbot/dns-cloudflare \
certonly \
--dns-cloudflare \
--email=$EMAIL \
--agree-tos \
--no-eff-email \
--keep-until-expiring \
--dns-cloudflare-propagation-seconds 30 \
--dns-cloudflare-credentials /certbot-creds.ini \
-d "${DOMAIN},www.${DOMAIN}"
sudo cp --recursive --dereference $DIR/letsencrypt/live/$DOMAIN .
sudo chown $USER:$USER --recursive $DOMAIN
# cleanup
rm $DIR/certbot-creds.ini
--dns-cloudflare-propagation-seconds 30 but I find that I quite often do.
Multi-Domain Certificate - AWS Route53 DNS Challenge
The following example will show you how you can use certbot to provision an SSL certificate that covers
www.mydomain.com and mydomain.com, using AWS Route53 which is a common case.
#!/bin/bash
#specify your domain (e.g. without the www subdomain)
DOMAIN="mydomain.org"
# Specify your email address for Lets encrypt to send you expiry reminders on
EMAIL="my.email@gmail.com"
# Put your cloudflare token here (needs zone edit permissions to the relevant domain)
AWS_ACCESS_KEY_ID="AKIAIXXXXXXXXXXXXXXXX"
AWS_SECRET_ACCESS_KEY="putYourSecretHere"
# Get the path to the directory ths script is in.
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
# Specify where to store the Lets Encrypt volume, where all of Certbot's state will be kept.
LETSENCRYPT_VOLUME_DIR=$DIR/letsencrypt
# Create our Route53 credentials file for Certbot to use.
echo "AWS_ACCESS_KEY_ID=${IAM_KEY_ID}" > $DIR/certbot-creds.ini
echo "AWS_SECRET_ACCESS_KEY=${IAM_KEY_SECRET}" >> $DIR/certbot-creds.ini
chmod 600 $DIR/certbot-creds.ini
sudo docker run \
--rm \
--name certbot \
--env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
-v "$LETSENCRYPT_VOLUME_DIR:/etc/letsencrypt" \
certbot/dns-route53 \
certonly \
--dns-route53 \
--email=$EMAIL \
--agree-tos \
--no-eff-email \
--keep-until-expiring \
-d "${DOMAIN},www.${DOMAIN}"
sudo cp --recursive --dereference $DIR/letsencrypt/live/$DOMAIN .
sudo chown $USER:$USER --recursive $DOMAIN
Extra Info - RSA vs ECDSA Keys
Certbot 2.0 has switched to using ECDSA private keys by default, rather than the traditional RSA keys. This means that the contents of the private key file is much shorter (and still secure). However, if this causes issues for you for whatever reason, you can tell certbot to use RSA instead by adding the following parameter to the examples above:
--key-type rsa
References
- Certbot.eff.org Docs - Running With Docker
- Certbot command-line options
- DigitalOcean - How To Create Let's Encrypt Wildcard Certificates with Certbot
- Certbot DNS Cloudflare Docs
- https://eff-certbot.readthedocs.io/en/latest/install.html#running-with-docker
First published: 12th March 2021
