Sample config files to demonstrate a setup that creates and updates free SSL certificates from Let's Encrypt, given that the domains are maintained at the CloudFlare service.
Certbot verifies domain ownership through the CloudFlare API, which adds temporary TXT DNS records. To enable it you must provide your CloudFlare API token. More details are in the documentation for the dns-cloudflare Certbot plugin.
Certbot saves the created certificates in the Docker volume `certbot_etc`. Pay attention to the output of the certbot run - it mentions the path to the created certificates.
- Set up docker, docker-compose, domains and nginx – make your website work via plain HTTP.
- Run `docker-compose run certbot` to create the certificates. It will wait for 60 seconds in the middle. Note the output of the command – it will contain the actual paths to the certificates.
- Update `nginx.conf` to use the right paths to the certificates.
- `ssl-dhparams.pem` contains Diffie-Hellman parameters, loosely comparable to a cryptographic "salt", which some key-exchange algorithms require. Copy that file from somewhere or generate one with the command `openssl dhparam -out ssl-dhparams.pem 2048` - that will take some minutes. Copy the file into the `certbot_etc` volume with a command similar to `docker cp ./ssl-dhparams.pem my_app_nginx_1:/etc/letsencrypt/ssl-dhparams.pem`, supposing the running NGINX container name is "my_app_nginx_1" - check with `docker ps`.
- Test if the NGINX config is OK: `docker-compose exec nginx nginx -t`
- Make NGINX reload the updated config: `docker-compose exec nginx nginx -s reload`
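The steps above, wrapped in one POSIX shell script as an added example (this is not part of the original gist). Beyond running the commands in order it adds the checks a practitioner wants before issuing a certificate: that the Cloudflare credentials file is readable by its owner only (the dns-cloudflare plugin warns about "unsafe permissions" otherwise), that `ssl-dhparams.pem` is generated only once, and that the live certificate directory is read off certbot's output rather than guessed. Assumed names: the credentials file `./cloudflare.ini` on the host, the compose services `certbot` and `nginx`, the container name `my_app_nginx_1` from the list above, a log file `certbot-run.log`, and the `dns_cloudflare_api_token` key that the dns-cloudflare plugin reads from its credentials file.

```shell
#!/bin/sh
# Added helper script wrapping the certbot + dns-cloudflare + nginx steps.
# Assumptions (hypothetical, adjust to your compose project):
#   CREDS_FILE      - host-side credentials file for the dns-cloudflare plugin
#   DHPARAM_FILE    - Diffie-Hellman parameters file to copy into certbot_etc
#   NGINX_CONTAINER - running nginx container name (see `docker ps`)
set -eu

CREDS_FILE="${CREDS_FILE:-./cloudflare.ini}"
DHPARAM_FILE="${DHPARAM_FILE:-./ssl-dhparams.pem}"
NGINX_CONTAINER="${NGINX_CONTAINER:-my_app_nginx_1}"

# Return 0 when the file exists and is accessible by its owner only
# (mode 600 or 400), 1 otherwise. Parses `ls -l` so it works on GNU and
# BSD userlands alike; the trailing ACL marker ('+'/'@') is cut off.
creds_permissions_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -r??------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a credentials file in the key=value format the dns-cloudflare plugin
# reads. The restrictive umask means the file is never created world-readable,
# and the chmod covers the case where it already existed with wider mode.
# $1 = path, $2 = Cloudflare API token (scoped to Zone:DNS:Edit on the zone)
write_creds_file() {
    ( umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Generate DH parameters once (this is the slow step); reuse them afterwards.
ensure_dhparams() {
    [ -f "$1" ] || openssl dhparam -out "$1" 2048
}

# Read certbot output on stdin and print the live directory of the first
# fullchain.pem it mentions, e.g.
# ".../live/example.com/fullchain.pem" -> "/etc/letsencrypt/live/example.com".
# Prints nothing when no such path appears in the output.
cert_dir_from_output() {
    sed -n 's|.*\(/etc/letsencrypt/live/[^/ ]*\)/fullchain\.pem.*|\1|p' | head -n 1
}

main() {
    creds_permissions_ok "$CREDS_FILE" || {
        echo "tightening permissions on $CREDS_FILE (certbot warns on anything wider than 600)" >&2
        chmod 600 "$CREDS_FILE"
    }
    ensure_dhparams "$DHPARAM_FILE"

    # Issue the certificate; keep a copy of the output so the live path can be
    # read off it instead of being assumed. -T avoids allocating a tty since
    # stdout goes through a pipe here.
    docker-compose run --rm -T certbot 2>&1 | tee certbot-run.log
    live_dir=$(cert_dir_from_output < certbot-run.log)
    echo "certificate directory reported by certbot: ${live_dir:-<not found, check certbot-run.log>}"

    # Place the DH parameters in the certbot_etc volume via the nginx container,
    # then validate the nginx config before asking nginx to reload it.
    docker cp "$DHPARAM_FILE" "$NGINX_CONTAINER:/etc/letsencrypt/ssl-dhparams.pem"
    docker-compose exec nginx nginx -t
    docker-compose exec nginx nginx -s reload
}

# Run the whole pipeline only when invoked as `sh issue-cert.sh run`; without
# the argument the script just defines the functions (usable with `. ./issue-cert.sh`).
if [ "${1:-}" = "run" ]; then
    main
fi
```

The permission check is deliberately done on the host copy of the credentials file: the file is bind-mounted or copied into the certbot container as-is, so a 644 file on the host is exactly what produces the "Unsafe permissions on credentials configuration file" line in certbot's log. Run `nginx -t` before `-s reload` so that a typo in the certificate paths fails the check rather than leaving nginx serving the old config.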
Hello, it would seem I'm missing something somewhere along the way. I have created the API key that has read and edit permissions on DNS, I have run the CURL to confirm that the key authenticates correctly.
However, when I run the certbot container with the following config:
and then check the certbot logs, I see the following error (image keeps failing to attach):
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for DOMAIN1 and SUBDOMAIN1
Unsafe permissions on credentials configuration file: /root/cloudflare.ini
Waiting 15 seconds for DNS changes to propagate
Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
Domain: DOMAIN1
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.DOMAIN - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 15 seconds).
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
I blurred the domain, but yes, it's referencing it in a .env file and it's pulling the correct domain that's managed by cloudflare.
Unless I'm missing something, I thought the certbot container using the API key that has read and edit permissions to DNS was supposed to validate with CF and then make the TXT record so the challenge succeeds?
This is what the API Key perms look like in CF (Yes, I've verified the domain in the error matches exactly with the domain in the below CF screenshot).
Can someone please point me in the right direction as to what detail I'm missing?
[Edit] - I missed a blur!
Update:
Removing the '-' after "Command: >" (Line 9 in the example YAML) seems to have corrected the issue. Time to make sure I have the certs landing where the webserver conf is looking.