Get Let’s Encrypt Wildcard Certificates with Certbot and the Cloudflare DNS Plugin

Introduction

Creating an SSL certificate used to be costly and painful to maintain. Since Let’s Encrypt started issuing free certificates for any domain, the only thing left to spend is your time, and even that can be reduced by automating the issuance steps. Wildcard certificates in particular can only be obtained through the DNS-01 challenge, which is why this guide uses the Cloudflare DNS plugin. This page shows how I did it.

Tools you need

  • Docker
  • certbot
  • Cloudflare - You need an API credential so the automation can create the DNS TXT record that proves you control the domain
  • certbot-dns-cloudflare
  • Nginx - the web server I chose to host the website and terminate HTTPS.

Step 1: Prerequisites

  • Docker: on macOS you can run brew cask install docker (on current Homebrew the command is brew install --cask docker). If you don’t know Homebrew, see the page Installation on Mac.
  • Git
  • Cloudflare account and API credential. Register with an email address, then find the Global API Key on your profile page at cloudflare.com; certbot needs both the email address and the key to authenticate. The Global API Key grants full access to your whole Cloudflare account, so treat the file that holds it like a password. Newer versions of certbot-dns-cloudflare also accept a scoped API token (dns_cloudflare_api_token in the ini file) restricted to DNS editing on the zone, which is the safer choice.

Step 2: Clone the repository

You can clone the repository sunsongxp/certbot, which contains a Dockerfile that builds a Docker image with the Cloudflare plugin installed.

git clone https://github.com/sunsongxp/certbot

Copy cloudflare.ini.sample to cloudflare.ini, then edit cloudflare.ini and enter your Cloudflare email and key. Restrict its permissions with chmod 600 cloudflare.ini; certbot warns when the credentials file is readable by other users.

Step 3: Build the image

Go to the root of the repository, then run the build command

docker build . -t certbot/certbot:cloudflare

Step 4: Generate the SSL certificate

Edit the file command, which contains the following:

docker run -ti \
  -v "$(pwd)/cloudflare.ini:/cloudflare.ini" \
  -v "$(pwd)/etc/letsencrypt:/etc/letsencrypt" \
  certbot/certbot:cloudflare certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /cloudflare.ini \
  --register-unsafely-without-email \
  -d *.sunsong.org \
  -d sunsong.org \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --keep-until-expiring

This snippet is the command that creates the certificate; you only need to replace the domain with yours. Note that a wildcard name such as *.domain.com does not cover domain.com itself, so to use one certificate for both xyz.domain.com and domain.com you must list both the wildcard and the bare domain, as above. Wildcards are only issued by the ACME v2 endpoint, hence the --server flag. --keep-until-expiring makes the command safe to rerun: an existing certificate is reused unless it is close to expiry. --register-unsafely-without-email means Let’s Encrypt cannot send you expiry warnings; pass -m you@example.com instead if you want them.

Finally, run the command by pasting the snippet above or simply running ./command. The certificate and its private key are written under etc/letsencrypt/live in the root of this repo; keep that directory private, since it holds the private key.
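The following wrapper script is an added example and is not part of the sunsongxp/certbot repository. It wraps the image built in Step 3: it refuses to run if cloudflare.ini is world-readable or names no Cloudflare credential, lists both the wildcard and the apex name for one certificate, drops the TTY flags when there is no terminal so it works from cron, and adds a renew subcommand that reuses the same mounts (certbot records the plugin and the /cloudflare.ini path in its renewal config, so the mount paths must stay the same). The script name le-wildcard.sh, the EMAIL and DRY_RUN variables and the /srv/certbot path in the cron comment are my own choices.

```bash
#!/usr/bin/env bash
# le-wildcard.sh (example wrapper, not from the original repo) for the
# certbot/certbot:cloudflare image built in Step 3.
#   ./le-wildcard.sh issue example.org   # first issuance of *.example.org + example.org
#   ./le-wildcard.sh renew               # cron-friendly renewal of everything under LE_DIR
# DRY_RUN=1 prints the docker command instead of running it.
set -eu

IMAGE="${IMAGE:-certbot/certbot:cloudflare}"      # tag given to docker build -t
CF_INI="${CF_INI:-$PWD/cloudflare.ini}"           # Cloudflare credentials file
LE_DIR="${LE_DIR:-$PWD/etc/letsencrypt}"          # persisted certbot state and keys
ACME="${ACME:-https://acme-v02.api.letsencrypt.org/directory}"  # v2: wildcards need it
EMAIL="${EMAIL:-}"                                # optional, see issue()

# Returns 0 if the credentials file exists, is unreadable by group/other
# (mode 0600 or 0400) and names a Cloudflare token or key; otherwise prints
# the reason and returns 1. Certbot only warns about loose modes; we refuse.
check_credentials_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")  # GNU stat, then BSD/macOS stat
  case "$mode" in
    600|400) ;;
    *) echo "$f has mode $mode; run: chmod 600 $f" >&2; return 1 ;;
  esac
  grep -Eq '^dns_cloudflare_(api_token|api_key)[[:space:]]*=' "$f" \
    || { echo "$f has no dns_cloudflare_api_token or dns_cloudflare_api_key line" >&2; return 1; }
}

# Prints the -d arguments for one apex domain. A wildcard does not cover the
# apex itself, so both names go on the same certificate.
certbot_domain_args() {
  printf -- '-d *.%s -d %s' "$1" "$1"
}

# Runs certbot inside the image with the credentials file and the state
# directory mounted. Allocates a TTY only when one exists, so cron runs work.
run_certbot() {
  local tty=""
  if [ -t 0 ]; then tty="-it"; fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "docker run $tty -v $CF_INI:/cloudflare.ini -v $LE_DIR:/etc/letsencrypt $IMAGE $*"
    return 0
  fi
  docker run $tty \
    -v "$CF_INI:/cloudflare.ini" \
    -v "$LE_DIR:/etc/letsencrypt" \
    "$IMAGE" "$@"
}

issue() {
  local apex="$1"
  check_credentials_file "$CF_INI"
  # Without EMAIL, Let's Encrypt cannot send expiry warnings, so a silently
  # failing renewal job is only noticed when the site breaks.
  if [ -n "$EMAIL" ]; then
    set -- -m "$EMAIL" --no-eff-email
  else
    set -- --register-unsafely-without-email
  fi
  set -f   # stop the shell from glob-expanding *.example.org
  run_certbot certonly \
    --dns-cloudflare --dns-cloudflare-credentials /cloudflare.ini \
    --server "$ACME" --agree-tos --keep-until-expiring --non-interactive \
    "$@" $(certbot_domain_args "$apex")
  set +f
}

renew() {
  check_credentials_file "$CF_INI"
  # certbot renew only reissues certificates within 30 days of expiry, so it
  # is safe to run daily from cron, e.g.:
  #   17 3 * * * /srv/certbot/le-wildcard.sh renew >> /var/log/le-wildcard.log 2>&1
  run_certbot renew --non-interactive
}

main() {
  case "${1:-}" in
    issue) [ -n "${2:-}" ] || { echo "usage: $0 issue <apex-domain>" >&2; return 2; }; issue "$2" ;;
    renew) renew ;;
    *) echo "usage: $0 issue <apex-domain> | renew" >&2; return 2 ;;
  esac
}
[ "$#" -eq 0 ] || main "$@"
```

Run DRY_RUN=1 ./le-wildcard.sh issue example.org once to see the exact docker command before letting it touch the real ACME endpoint; the permission check runs either way.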

In conclusion, we have automated the steps to create an SSL certificate with commonly used tools. The same image could be exposed behind an API endpoint, with a web framework such as Django or Ruby on Rails managing your domain entries and certificates: the domains you own are recorded in the database, the web app drives the creation steps, and a cron job checks the status of each certificate and renews it periodically (certbot renew with the same volume mounts does exactly that, and only reissues certificates that are close to expiry).

Reference

  • https://certbot-dns-cloudflare.readthedocs.io/en/latest/
  • https://certbot.eff.org/docs/using.html#dns-plugins
  • https://gist.github.com/sunsongxp/3e185b63473a9c4c415b273226cb9a38
  • https://letsencrypt.org/how-it-works/
  • https://certbot.eff.org/docs/challenges.html
  • https://letsencrypt.org/docs/challenge-types/