An easy recipe for Let’s Encrypt

Obtaining a trusted TLS certificate has just become a lot easier, thanks to Let’s Encrypt. Still, it can be quite a winding path to get to where you want to end up. The following recipe eventually did it for me, and actually makes it fairly quick and simple.

Prerequisites

There are four things you need for this to work:

  1. A proper domain
  2. An account with DigitalOcean
  3. A link between the two
  4. Docker

1. Domain

Yes, for a trusted certificate, you really do need an actual domain. Prices range from cheap to expensive; I got a .nl domain through Strato for one year for €0,84. Any domain will do, as long as it ends up in the public DNS.

2. DigitalOcean

Though they want your credit card details, an account with DigitalOcean is free. They only charge when you create virtual machines, which you don’t need for this. What you do need is their domain manager, which exposes an API supported by the Let’s Encrypt tools. You also need to generate an API token.

3. Link

Domain

Tell your domain provider you’re managing the domain through DigitalOcean. With Strato, it worked like this:

  1. Add a “sub domain” (e.g. blog.wscherphof.nl under wscherphof.nl)
  2. Go to the DNS settings for the sub domain.
  3. Configure the NS record to point to these custom name server addresses (the trailing dot proved significant):
    1. ns1.digitalocean.com.
    2. ns2.digitalocean.com.
    3. ns3.digitalocean.com.

DigitalOcean

Go to DigitalOcean’s domain manager, choose “Add a domain”, provide your (sub)domain and any IP address, and click Create Record:

DigitalOcean “Add a domain”

4. Docker

Install Docker if you don’t have it.

Do the trick

We’ll use Docker to run the excellent, ready-to-run xenolf/lego image, telling it (line by line) to:

  • Automatically remove the container when it exits
  • Save the results in the current directory (i.e. ./accounts & ./certificates)
  • Provide our DigitalOcean API key
  • Accept Let’s Encrypt’s Terms Of Service
  • Check with DigitalOcean’s DNS
  • Use our email address as an account name with Let’s Encrypt
  • Generate a certificate for the given domain

$ docker run \
--rm \
--volume $PWD:/.lego \
--env DO_AUTH_TOKEN=945g4976gfg497456g4976g3t47634g9478gf480g408fg420f8g2408g08g4204 \
xenolf/lego \
--accept-tos \
--dns=digitalocean \
--email=wouter.scherphof@email.com \
--domains=blog.wscherphof.nl \
run
2016/11/02 20:14:41 No key found for account wouter.scherphof@email.com. Generating a curve P384 EC key.
2016/11/02 20:14:41 Saved key to /.lego/accounts/acme-v01.api.letsencrypt.org/wouter.scherphof@email.com/keys/wouter.scherphof@email.com.key
2016/11/02 20:14:41 [INFO] acme: Registering account for wouter.scherphof@email.com
2016/11/02 20:14:42 !!!! HEADS UP !!!!
2016/11/02 20:14:42 
 Your account credentials have been saved in your Let's Encrypt
 configuration directory at "/.lego/accounts/acme-v01.api.letsencrypt.org/wouter.scherphof@email.com".
 You should make a secure backup of this folder now. This
 configuration directory will also contain certificates and
 private keys obtained from Let's Encrypt so making regular
 backups of this folder is ideal.
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Obtaining bundled SAN certificate
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Could not find solver for: http-01
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Could not find solver for: tls-sni-01
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Trying to solve DNS-01
2016/11/02 20:14:43 [INFO][blog.wscherphof.nl] Checking DNS record propagation...
2016/11/02 20:14:48 [INFO][blog.wscherphof.nl] The server validated our request
2016/11/02 20:14:48 [INFO][blog.wscherphof.nl] acme: Validations succeeded; requesting certificates
2016/11/02 20:14:49 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
2016/11/02 20:14:49 [INFO][blog.wscherphof.nl] Server responded with a certificate.
$ ls -la certificates/
total 24
drwx------ 5 wsc staff 170  3 nov 11:10 .
drwxr-xr-x 4 wsc staff 136  3 nov 11:10 ..
-rw------- 1 wsc staff 3452 3 nov 11:10 blog.wscherphof.nl.crt
-rw------- 1 wsc staff 228  3 nov 11:10 blog.wscherphof.nl.json
-rw------- 1 wsc staff 1675 3 nov 11:10 blog.wscherphof.nl.key
$ 

There you go, magico fantastico.
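The command above passes the DigitalOcean token inline, where it ends up in shell history and in `ps` output for other users on the machine. The following wrapper is an added example (not from the original post or from the lego project): it reads the token from an owner-only file, hands it to the container through the environment instead of the command line, and checks the issued certificate afterwards. It assumes a token file at ~/.do_token with mode 0600, and docker and openssl on PATH.

```shell
#!/usr/bin/env bash
# Added example wrapper around the lego/Docker step from the post.
# Assumed layout: token in ~/.do_token (mode 0600), output in ./certificates/.
set -u

# Read the API token from a file that only its owner may read; refuse otherwise.
token_from_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "token file $f missing" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "token file $f is mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  tr -d '\n' < "$f"
}

# The lego arguments from the post, one per line, so they can be reviewed and tested.
lego_args() {
  local domain="$1" email="$2"
  printf '%s\n' --accept-tos --dns=digitalocean "--email=$email" "--domains=$domain" run
}

# Run the container; the token travels via the environment, never via argv.
# `--env DO_AUTH_TOKEN` without a value copies the variable from the host environment.
issue_cert() {
  local domain="$1" email="$2" token_file="${3:-$HOME/.do_token}" token
  token=$(token_from_file "$token_file") || return 1
  DO_AUTH_TOKEN="$token" docker run --rm --volume "$PWD:/.lego" \
    --env DO_AUTH_TOKEN xenolf/lego $(lego_args "$domain" "$email")
}

# Check that the issued certificate names the domain and has more than 30 days left.
verify_cert() {
  local domain="$1" crt="${2:-certificates/$domain.crt}"
  openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$domain" || return 1
  openssl x509 -in "$crt" -noout -checkend 2592000
}

# Usage: ./issue-cert.sh --run blog.example.test you@example.test
if [ "${1:-}" = "--run" ]; then
  issue_cert "$2" "$3" && verify_cert "$2"
fi
```

Keep the token file out of the directory you mount into the container, so it is not shipped along with ./accounts and ./certificates when you back those up.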

Notes

  1. Lego supports quite a few other DNS providers besides DigitalOcean, so you’re not necessarily tied to them at all.
  2. The example uses bash to run the command. On Windows, I expect it’s fairly straightforward to port it to CMD or PowerShell; otherwise, try Git Bash.
  3. In Essix, this would just take:
$ export DIGITALOCEAN_ACCESS_TOKEN=945g4976gfg497456g4976g3t47634g9478gf480g408fg420f8g2408g08g4204
$ essix cert blog.wscherphof.nl wouter.scherphof@email.com
