csmith / docker-letsencrypt-lexicon Goto Github PK

View Code? Open in Web Editor NEW

10.0 2.0 3.0 18 KB

Docker container to automatically obtain letsencrypt certificates using the lexicon DNS library

License: MIT License

Shell 86.96% Dockerfile 13.04%

docker docker-automatic-proxy letsencrypt lexicon

docker-letsencrypt-lexicon's Introduction

Let's Encrypt Lexicon Service

This container uses the awesome Lexicon library with dehydrated to automatically obtain SSL certs from Let's Encrypt.

Multiple domains, as well as SANs, are supported. Certificates will be renewed automatically, and obtained automatically as soon as new domains are added.

Usage

Accepting Let's Encrypt's terms

In order to issue certificates with Let's Encrypt, you must agree to the Let's Encrypt terms of service. You can do this by running the command /dehydrated --register --accept-terms from within the container.

For ease of automation, you can define the ACCEPT_CA_TERMS env var (with any non-empty value) to automatically accept the terms. Be warned that doing so will automatically accept any future changes to the terms of service.

Defining domains

The container defines one volume at /letsencrypt, and expects there to be a list of domains in /letsencrypt/domains.txt. Certificates are output to /letsencrypt/certs/{domain}.

domains.txt should contain one line per certificate. If you want alternate names on the cert, these should be listed after the primary domain. e.g.

example.com www.example.com
admin.example.com

This will request two certificates: one for example.com with a SAN of www.example.com, and a separate one for admin.example.com.

To obtain a wildcard certificate you must alias the domain:

*.example.com > star_example_com

This will request the wildcard certificate and store it under star_example_com. For more information see Dehydrated's docs.

The container uses inotify to monitor the domains.txt file for changes, so you can update it while the container is running and changes will be automatically applied.

DNS providers

To verify that you own the domain, a TXT record needs to be automatically created for it. The Lexicon library handles this, and comes with support for a variety of providers including CloudFlare, EasyDNS, DigitalOcean and Vultr.

Lexicon takes its configuration from environment variables. For full instructions, see its README.

To configure Lexicon to update DNS hosted by CloudFlare, for example, you would pass in:

docker run ... \
  -e "PROVIDER=cloudflare" \
  -e "[email protected]" \
  -e "LEXICON_CLOUDFLARE_TOKEN=api-key-here"

Other configuration

For testing purposes, you can set the STAGING environment variable to a non-empty value. This will use the Let's Encrypt staging server, which has much more relaxed limits.

You should pass in a contact e-mail address by setting the EMAIL env var. This is passed on to Let's Encrypt, and may be used for important service announcements.

Running

Here's a full worked example:

# The directory we'll use to store the domain list and certificates.
# You could use a docker volume instead.
mkdir /tmp/letsencrypt
echo "domain.com www.domain.com" > /tmp/letsencrypt/domains.txt

docker run -d --restart=always \
  -e "[email protected]" \
  -e "STAGING=true" \
  -e "PROVIDER=cloudflare" \
  -e "[email protected]" \
  -e "LEXICON_CLOUDFLARE_TOKEN=api-key-here" \
  -v /tmp/letsencrypt:/letsencrypt \
  csmith/letsencrypt-lexicon:latest

docker-letsencrypt-lexicon's People

Contributors

Stargazers

Watchers

Forkers

mlaihk tvollstaedt tjaena

docker-letsencrypt-lexicon's Issues

Certificate doesn't seems full

Hello,

I'm trying to get my certificates using your docker image.

I put my lexicon account, and my domains.txt seems to be taken.

When starting the container, some directory are created.
( archive, certs, accounts )
So it looks like my parameters are well passed to the container.

But inside certs, I found a directory name with my domain.
And inside that some files a generated :

-rw------- 1 root root  538 Oct 11 10:24 cert-1539246254.csr
-rw------- 1 root root    0 Oct 11 10:24 cert-1539246254.pem
-rw------- 1 root root  359 Oct 11 10:24 privkey-1539246254.pem

But the cert-*.pem is empty.

When i'm using certbot with the manual generation of my certificate, here's what I obtain:

-rw-r--r-- 1 root root 2179 Oct 10 17:19 cert1.pem
-rw-r--r-- 1 root root 1647 Oct 10 17:19 chain1.pem
-rw-r--r-- 1 root root 3826 Oct 10 17:19 fullchain1.pem
-rw-r--r-- 1 root root 1708 Oct 10 17:19 privkey1.pem

So with certbot the files are much bigger (and I have 4 of them), wherease with your docker, I get 3 files, and one of them is empty.

So I suppose that the certs generation as failed, but how can I get sure of that ?
Is there any log of action somewhere ?

Fake LE Intermediate X1 - Cert Regeneration

Hi,

During testing I set the environment variables to:

    environment:
      - [email protected]
      - STAGING=true # any value equals true. Leave blank for false
      - ACCEPT_CA_TERMS=true # any value equals true. Leave blank for false
      - PROVIDER=cloudflare
      - [email protected]
      - LEXICON_CLOUDFLARE_TOKEN=supersecrettoken

The test cert was issued and I tested the website with it. It works but it's signed by Fake LE Intermediate X1

I thought that I just had to amend the environment variable of stanging to be empty and re-compose but the certs don't regenerate against a non-stages LE CA.

    environment:
      - [email protected]
      - STAGING= # any value equals true. Leave blank for false
      - ACCEPT_CA_TERMS=true # any value equals true. Leave blank for false
      - PROVIDER=cloudflare
      - [email protected]
      - LEXICON_CLOUDFLARE_TOKEN=supersecrettoken

any help greatly appreciated.

Thanks,

Tom

ERROR: An error occurred while sending get-request to http://cert.int-x3.letsencrypt.org/ (Status 301)

I'm getting this error and all the certificates are now invalid.
Hope it's a simple fix.
Thanks


+ Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
  + ERROR: An error occurred while sending get-request to http://cert.int-x3.letsencrypt.org/ (Status 301)

Details:
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

*

Docker doesn't work in new installations

When I use this container, it throws an error...

ERROR: Problem connecting to server (get for https://acme-v01.api.letsencrypt.org/directory; curl returned with 6)

At a guess, I would say the scripts are out of date and need to switch to use dehydate?
Thanks

Add support for wildcard certs

At the moment trying to request a wildcard cert results in the following error:

+ ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: Wildcard names not supported",
  "status": 400
}

I think we probably need to update our dependencies to support ACMEv2

RSA keys instead of EC Keys

Thanks for your Docker and it is a great idea and implementation!

But the docker currently generates EC Keys for the certs. Is there anyway to have regular RSA keys instead?

It makes it much easier for importing the certs and keys to other apps......

Lexicon Update

Would you mind updating to a later version of lexicon?

Apparently, the container doesn’t support mythicbeasts yet:

Although it does look to be supported according to lexicon.