container to generate letsencrypt certs using dehydrated + lexicon
- https://github.com/lukas2511/dehydrated
- https://github.com/AnalogJ/lexicon
- https://github.com/willfarrell/docker-nginx
Use to set your own defaults or overwrite in the command
FROM willfarrell/letsencrypt:latest
COPY config /etc/dehydrated/config
# Optional. Used to enable logging to file `/var/log/letsencrypt/runtime.log`.
LOG=TRUE
# defaults to `staging`, use `production` when ready.
LE_ENV=staging
# CSV list of domains
LE_DOMAIN=
# Only required if you plan to use dns-01 challenges (use for private services)
# CloudFlare example
PROVIDER=cloudflare
LEXICON_CLOUDFLARE_USERNAME=
LEXICON_CLOUDFLARE_TOKEN=
# Route 53 example
PROVIDER=route53
LEXICON_ROUTE53_ACCESS_KEY=
LEXICON_ROUTE53_ACCESS_SECRET=
docker build -t letsencrypt .
# private
docker run \
--env-file letsencrypt.env \
letsencrypt \
dehydrated \
--cron --accept-terms \
--domain letsencrypt.willfarrell.ca \
--hook dehydrated-dns \
--challenge dns-01 \
--force
# public
docker run -d \
--env-file letsencrypt.env \
letsencrypt \
dehydrated \
--cron --accept-terms \
--domain letsencrypt.willfarrell.ca \
--challenge http-01 \
--force
# reload nginx to see changes
Note the use of --hook dehydrated-dns
, dehydrated-dns is a script wrapper to call lexicon from dehydrated.
# private
docker run \
--volumes-from docker_nginx_1 \
--env-file letsencrypt.env \
willfarrell/letsencrypt \
dehydrated \
--cron --domain letsencrypt.willfarrell.ca \
--out /etc/ssl \
--hook dehydrated-dns \
--challenge dns-01
# public
docker run -d \
--volumes-from docker_nginx_1 \
--env-file letsencrypt.env \
willfarrell/letsencrypt \
dehydrated \
--cron --domain letsencrypt.willfarrell.ca \
--out /etc/ssl \
--challenge http-01
Also worth reading is Let's Encrypts document on certificate rate limits https://letsencrypt.org/docs/rate-limits/. In short you can generate 5 duplicate certificates per 7 days.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"
]
}
]
}
Staging certificates are not natively trusted. If you'd like to prevent the security messages in the browser;
- Download
Fake LE Intermediate X1
. - Open
Applications
->Utilities
->Keychain Access
. - Click on
Certificates
. - Drag
fakeleintermediatex1.pem
into the window to add it. - Double click
Fake LE Intermediate X1
. - Window will pop open. Under the
Trust
section, setWhen using this certificate
toAlways Trust
. - Close window. Confirm window will pop open. Enter password and click
Update Settings
.
There should now be a blue and white plus icon associated with the certificate. You may need to restart your browser before the change takes effect.
- Go to https://letsencrypt.org/docs/staging-environment click on
Fake LE Intermediate X1
. - You will be redirected to an
Install Profile
page. ClickInstall
. - Enter device password.
- Click
Install
, andInstall
again. - Click
Done
.
To view the certificate got to Settings
-> General
-> Profile
.