Get a certificate with CertBot and Let’s Encrypt
I decided to try CertBot because this solution looks fully automated and doesn’t require any maintenance. On the other hand, I was not sure that this way is the best.
So, I decided to run the bot in a Docker container rather than install it on my home server.
Please follow this article if you need to install Docker and Docker Compose on your host.
1. Prepare working directories:
host:# mkdir /opt/certbot
host:# cd /opt/certbot
2. Prepare docker-compose.yml:
host:# touch /opt/certbot/docker-compose.yml
Please open your preferred text editor and configure your certbot container.
Please be aware that this is an example and you have to replace the following values with your real info:
- line 6 (image:): choose the docker image appropriate to your platform
- line 12 (TZ): YourTimeZone
- line 16 (--email): mail@gmail.com
- line 16 (-d): example.com and www.example.com
version: '3.8'
services:
  certbot:
    image: certbot/certbot:arm64v8-latest
    container_name: certbot
    hostname: certbot
    ports:
      - '80:80'
    environment:
      - TZ=YourTimeZone
    volumes:
      - /opt/certbot:/etc/letsencrypt
    command: certonly --renew-by-default --standalone --email mail@gmail.com --agree-tos --no-eff-email -d example.com -d www.example.com
    networks:
      - certbot
networks:
  certbot:
    driver: bridge
3. Run certbot and create a certificate:
Save your file and try to run the container.
I’d like to draw your attention to the “standalone” mode of certbot!
It means that certbot runs as a web server itself. So, your real web server must be stopped at that moment. Otherwise port 80 will be occupied and certbot can’t be launched.
The second significant aspect is that your certbot must be reachable from the Internet. So, you should configure port forwarding on your router and point your domain at your public IP address in the DNS settings of your domain provider (GoDaddy, for example).
host:# docker-compose up
Running 1/1
Container certbot Created 1.0s
Attaching to certbot
certbot | Account registered.
certbot | Requesting a certificate for example.com and www.example.com
certbot |
certbot | Successfully received certificate.
certbot | Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
certbot | Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
certbot | This certificate expires on 2022-01-01.
certbot | These files will be updated when the certificate renews.
certbot | NEXT STEPS:
certbot | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot |
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | If you like Certbot, please consider supporting our work by:
certbot | * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
certbot | * Donating to EFF: https://eff.org/donate-le
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot exited with code 0
This is the output of a successful certificate creation.
Please pay attention to the paths:
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
They are valid inside your container. But, you will have other paths on your host’s file system according to the following setting in your compose file:
volumes:
  - /opt/certbot:/etc/letsencrypt
So, the real paths will be:
/opt/certbot/etc/letsencrypt/live/example.com/fullchain.pem
/opt/certbot/etc/letsencrypt/live/example.com/privkey.pem
4. Further steps:
As a result you have got certificates for the HTTPS configuration of your web server.
Please don’t forget to disable port forwarding on your router until you complete your setup and site.
Also, you will need a script to renew your certificates every 90 days.
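As an added example that is not part of the original post, here is a renewal helper for the standalone setup above. It stops the real web server only when a renewal is actually due, because standalone certbot needs port 80 and `certbot renew` does nothing while more than 30 days remain. The web server project path `/opt/web`, its service name `web`, and the `renew_cert` name are assumptions; `/opt/certbot/docker-compose.yml` is the file from step 2.

```python
import re
import subprocess
from datetime import date, datetime

RENEW_BEFORE_DAYS = 30  # Let's Encrypt certs last 90 days; certbot renews inside 30
CERTBOT_COMPOSE = "/opt/certbot/docker-compose.yml"  # compose file from step 2
WEB_COMPOSE = "/opt/web/docker-compose.yml"          # assumption: your web server's project
WEB_SERVICE = "web"                                   # assumption: its service name

EXPIRY_RE = re.compile(r"expires on (\d{4}-\d{2}-\d{2})")


def expiry_from_output(certbot_output):
    """Parse the date from certbot's own message, e.g.
    'This certificate expires on 2022-01-01.' (format shown in step 3)."""
    match = EXPIRY_RE.search(certbot_output)
    if not match:
        raise ValueError("no expiry date found in certbot output")
    return datetime.strptime(match.group(1), "%Y-%m-%d").date()


def days_left(expires_on, today=None):
    return (expires_on - (today or date.today())).days


def should_renew(expires_on, today=None):
    """Only take the web server down when certbot would actually renew."""
    return days_left(expires_on, today) < RENEW_BEFORE_DAYS


def renewal_commands():
    """Standalone mode binds port 80 itself, so the real web server is stopped
    first and started again afterwards. --service-ports is needed because
    `docker-compose run` does not publish the ports: mapping by default."""
    return [
        ["docker-compose", "-f", WEB_COMPOSE, "stop", WEB_SERVICE],
        ["docker-compose", "-f", CERTBOT_COMPOSE, "run", "--rm",
         "--service-ports", "certbot", "renew"],
        ["docker-compose", "-f", WEB_COMPOSE, "start", WEB_SERVICE],
    ]


def renew_cert(expires_on, today=None, runner=subprocess.run):
    """Run the stop/renew/start sequence if due; returns True when it ran."""
    if not should_renew(expires_on, today):
        return False
    stop, certbot, start = renewal_commands()
    runner(stop, check=True)
    try:
        runner(certbot, check=True)
    finally:
        runner(start, check=True)  # never leave the site down if certbot fails
    return True
```

Run it from cron once a day with the expiry date taken from `certbot certificates` or the stored fullchain.pem; the `runner` argument exists so the sequence can be tested without Docker.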