Obtaining a trusted TLS certificate has just become a lot easier, thanks to Let’s Encrypt. Still, it can be quite a winding path to get to where you want to end up. The following recipe eventually did it for me, and actually makes it fairly quick and simple.
There are four things that you need for this to work:
- A proper domain
- An account with DigitalOcean
- A link between the two
- Docker (see below)
Yes, for a trusted certificate, you really do need an actual domain. They come cheap or expensive; I got an .nl domain through Strato for one year for €0,84. You can settle for any domain, as long as it ends up in the public DNS.
Though they want your credit card details, an account with DigitalOcean is free. They only charge something when you create any virtual machines, which you don’t need for this. What you do need is their domain manager, exposing an API supported by the Let’s Encrypt tools. You also need to generate an API token. Treat that token like a password: it gives read/write access to everything on your DigitalOcean account, including all of its DNS zones, and whoever holds it can pass the DNS challenge and get certificates for your domain just as you are about to.
Tell your domain provider you’re managing the domain through DigitalOcean. With Strato, it worked like this:
- Add a “sub domain” (e.g. blog.wscherphof.nl under wscherphof.nl)
- Go to the DNS settings for the sub domain.
- Configure the NS-record to point to these custom name server addresses (the trailing dot proved significant):
Go to DigitalOcean’s domain manager to “Add a domain”, providing your (sub) domain, and any IP address, and clicking Create Record:
Install Docker if you don’t have it.
Do the trick
We’ll use Docker to run the excellent, ready-to-use xenolf/lego image, telling it (line by line) to:
- Automatically remove the container when it exits
- Save the results in the current directory (i.e. ./accounts & ./certificates)
- Provide our DigitalOcean API token
- Accept Let’s Encrypt’s Terms Of Service
- Solve the challenge through DigitalOcean’s DNS (DNS-01)
- Use our email address as an account name with Let’s Encrypt
- Generate a certificate for the given domain
$ docker run \
    --rm \
    --volume $PWD:/.lego \
    --env DO_AUTH_TOKEN=945g4976gfg497456g4976g3t47634g9478gf480g408fg420f8g2408g08g4204 \
    xenolf/lego \
    --accept-tos \
    --dns=digitalocean \
    --email=email@example.com \
    --domains=blog.wscherphof.nl \
    run
2016/11/02 20:14:41 No key found for account firstname.lastname@example.org. Generating a curve P384 EC key.
2016/11/02 20:14:41 Saved key to /.email@example.comfirstname.lastname@example.org
2016/11/02 20:14:41 [INFO] acme: Registering account for email@example.com
2016/11/02 20:14:42 !!!! HEADS UP !!!!
2016/11/02 20:14:42 Your account credentials have been saved in your Let's Encrypt configuration directory at "/.firstname.lastname@example.org". You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained from Let's Encrypt so making regular backups of this folder is ideal.
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Obtaining bundled SAN certificate
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Could not find solver for: http-01
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Could not find solver for: tls-sni-01
2016/11/02 20:14:42 [INFO][blog.wscherphof.nl] acme: Trying to solve DNS-01
2016/11/02 20:14:43 [INFO][blog.wscherphof.nl] Checking DNS record propagation...
2016/11/02 20:14:48 [INFO][blog.wscherphof.nl] The server validated our request
2016/11/02 20:14:48 [INFO][blog.wscherphof.nl] acme: Validations succeeded; requesting certificates
2016/11/02 20:14:49 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
2016/11/02 20:14:49 [INFO][blog.wscherphof.nl] Server responded with a certificate.
$ ls -la certificates/
total 24
drwx------  5 wsc  staff   170  3 nov 11:10 .
drwxr-xr-x  4 wsc  staff   136  3 nov 11:10 ..
-rw-------  1 wsc  staff  3452  3 nov 11:10 blog.wscherphof.nl.crt
-rw-------  1 wsc  staff   228  3 nov 11:10 blog.wscherphof.nl.json
-rw-------  1 wsc  staff  1675  3 nov 11:10 blog.wscherphof.nl.key
$
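What lego actually does behind the “Trying to solve DNS-01” and “Checking DNS record propagation” lines is publish a TXT record under _acme-challenge.blog.wscherphof.nl through the DigitalOcean API and wait until the nameservers serve it. The following is an added example, not code from this post or from lego, that computes that record the way the ACME protocol specifies it (key authorization = token.thumbprint, TXT value = base64url(SHA-256(key authorization)), thumbprint per RFC 7638). The P-384 coordinates and the challenge token are constructed dummies, not a real key; the function names are mine.

```python
"""
DNS-01 challenge values, as an ACME client computes them before it calls
the DNS provider's API. Added example; the JWK coordinates and the token
below are constructed placeholders, not real key material.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of the account key: SHA-256 over the canonical
    JSON of the required public members only (sorted keys, no whitespace).
    Optional members such as "use" or "kid" must not influence it."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token.thumbprint: binds the CA's one-off token to our account key,
    so a record someone else planted with a different key proves nothing."""
    return "{}.{}".format(token, jwk_thumbprint(jwk))


def dns01_txt_value(token, jwk):
    """The value of the TXT record: base64url(SHA-256(key authorization)).
    Only the hash is published, never the key authorization itself."""
    keyauth = key_authorization(token, jwk).encode("ascii")
    return b64url(hashlib.sha256(keyauth).digest())


def challenge_record(domain, token, jwk):
    """Name and value of the TXT record the client asks the DNS API to create."""
    return "_acme-challenge.{}".format(domain), dns01_txt_value(token, jwk)


# Constructed P-384 public key (the curve lego generated in the output above):
# two 48-byte counters instead of real coordinates, enough to run the code.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-384",
    "x": b64url(bytes(range(48))),
    "y": b64url(bytes(range(48, 96))),
    "use": "sig",  # deliberately present: the thumbprint must ignore it
}
# Constructed token of the shape the CA sends in a challenge.
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = challenge_record("blog.wscherphof.nl", EXAMPLE_TOKEN, EXAMPLE_JWK)
    print('{}. 60 IN TXT "{}"'.format(name, value))
```

The TXT value itself is harmless to publish (it is a hash of a one-off token and your account key), which is why the security of the whole procedure rests on the DigitalOcean token that may write it: whoever can create that record can obtain a certificate for the name.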
There you go, magico fantastico. The “Could not find solver for: http-01” and “tls-sni-01” lines are expected: we only configured a DNS provider, so lego skips the other challenge types and goes straight to DNS-01. Note that blog.wscherphof.nl.key is the certificate’s private key, which is why lego creates these files with mode 600 and tells you to back up the directory securely.
- Lego supports quite a few other DNS providers besides DigitalOcean, so you’re not necessarily tied to them at all.
- The example uses bash to run the command. On Windows, I expect it’s fairly straightforward to port it to CMD or PowerShell; otherwise, try Git Bash.
- In Essix, this would just take:
$ export DIGITALOCEAN_ACCESS_TOKEN=945g4976gfg497456g4976g3t47634g9478gf480g408fg420f8g2408g08g4204
$ essix cert blog.wscherphof.nl email@example.com