Requesting a Let’s Encrypt TLS cert

Let’s Encrypt provides free TLS certs, and its root CA certificate is trusted by Firefox and other popular browsers. You need to use the certbot application to request a TLS cert. Fortunately, there is a Docker image for it.

Let’s see certbot’s help (use --rm for ephemeral, auto-removed containers; the image’s entrypoint is already certbot, so only the options are passed):

docker run --rm certbot/certbot --help

Not too much. Let’s encrypt! This time, mount some directory to store keys and certs:

docker run -it -v /home/user/letsencrypt:/etc/letsencrypt \
    certbot/certbot certonly --manual \
    -d mydomain.org -d '*.mydomain.org'

In the example above a wildcard certificate is requested as well (note the quotes around *.mydomain.org, which keep the shell from expanding it as a glob), so a DNS challenge has to be completed. This means you have to create a specific DNS record:

Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.org with the following value: ...
Before continuing, verify the record is deployed.

You have to complete an HTTP challenge as well, which means you have to make a specified file available at a specified URL path:

Create a file containing just this data: ...
And make it available on your web server at this URL:
http://mydomain.org/.well-known/acme-challenge/...

The certificate created is valid for 3 months, but the renewal process is easier. To non-interactively renew all of your certificates, run “certbot renew”. Note that certificates obtained with --manual can only be renewed non-interactively if an authentication hook (--manual-auth-hook) was supplied, since certbot otherwise has no way to deploy the new challenge records by itself.

Note: I needed to add a CAA record with value ‘letsencrypt.org’. Check it with command:

dig mydomain.org caa
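A small checker for the two DNS prerequisites above (the CAA record and the _acme-challenge TXT record), added here as an example that is not part of the original post. It parses `dig +short` output piped into it, the sample records in the comments are constructed, and it applies the RFC 8659 rule that issuewild records, when present, override issue records for a wildcard name, which matters for the *.mydomain.org request above.

```shell
#!/bin/sh
# Checks the two DNS prerequisites for the certbot run above from `dig +short`
# output piped on stdin. Sample records are constructed for illustration.
#
#   dig mydomain.org caa +short                 | caa_allows letsencrypt.org wildcard
#   dig _acme-challenge.mydomain.org txt +short | acme_txt_matches "<token certbot printed>"

# Print the CA domain of every CAA record carrying TAG (issue or issuewild).
# A record such as `0 issue ";"` names no CA at all and is printed as "-".
# Parameters after ";" (e.g. accounturi=...) are dropped before comparing.
caa_values() {
    printf '%s\n' "$2" | awk -v tag="$1" '
        $2 == tag { v = $3; gsub(/"/, "", v); sub(/;.*/, "", v)
                    if (v == "") v = "-"; print v }'
}

# caa_allows ISSUER plain|wildcard  < caa_records
# RFC 8659 relevance rules: a plain name looks only at "issue" records; a
# wildcard name uses "issuewild" records when any exist, else "issue" records.
# An empty relevant set means CAA does not restrict issuance for that name.
# Note: this inspects only the RRset you queried; CAs climb to the parent
# domain when the name itself has no CAA records, so query that too if needed.
caa_allows() {
    issuer=$1
    kind=$2
    records=$(cat)
    relevant=$(caa_values issue "$records")
    if [ "$kind" = wildcard ]; then
        wild=$(caa_values issuewild "$records")
        [ -n "$wild" ] && relevant=$wild
    fi
    [ -z "$relevant" ] && return 0
    printf '%s\n' "$relevant" | grep -qixF "$issuer"
}

# acme_txt_matches TOKEN  < txt_records
# dig prints each TXT string in double quotes; the challenge value must match
# exactly, so compare whole lines rather than substrings.
acme_txt_matches() {
    grep -qxF "\"$1\""
}
```

Query a public resolver (for example `dig @1.1.1.1 ...`) rather than only your local cache, since Let’s Encrypt validates from its own vantage point and a stale local answer proves nothing.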