Developer Cookies Blog

Generate and renew Let’s Encrypt Certificates for Apache with Certbot Docker container

In this tutorial I explain the way how to generate and renew Let’s Encrypt certificates with Docker and how to implement all needed steps into Apache web server. You need a working Docker container runtime and an installed and working Apache web server before you can start with this tutorial.

Preparations

First of all there are two directories needed. One for the certificates (cert) and one for the temporary verification data (data) which is used by Let’s Encrypt during certification process.

mkdir /home/letsencrypt
mkdir /home/letsencrypt/certs
mkdir /home/letsencrypt/data

The data folder has to be linked to the web service of the corresponding VirtualHost section of the corresponding Domain address in the Apache Config-File.

Alias "/.well-known" "/home/letsencrypt/data/.well-known"

Certbot creates a temporary verification information in the data folder and Let’s Encrypt checks this data by calling the corresponding domain in the .well-known subfolder (for example www.somedomain.com/.well-known/…). If the call can be done the certificate will be issued successfully and stored in the certs folder.

Do not forget to restart Apache for activating the Alias part.

service apache2 restart

For the last step of preparations the official build of the EFF’s certbot tool for obaining TLS/SSL certificates from Let’s Encrypt is needed. This can be done with the docker pull command.

docker pull certbot/certbot

Generate Certificate

The best way is to activate the certbot docker container once and finish it after the generation of the certificate immediately. This means the container will be only active during the certificate generation process.

Below you see how the prepared folders (certs and data) are linked into the docker container. The e-mail address has to be confirmed for the first time manually. With –agree-tos-Flag you confirm that you agree the Terms of Service.

docker run -it --rm -v /home/letsencrypt/certs:/etc/letsencrypt -v /home/letsencrypt/data:/data/letsencrypt certbot/certbot certonly --webroot --webroot-path=/data/letsencrypt -d somedomain.com -d www.somedomain.com --email info@somedomain.com --agree-tos

After the process you will find the certificates in /home/letsencrypt/certs/live/somedomain.com/ folder. These files has to be configured now in Apache Config-File.

Installation Certificates in Apache Config-File

You can find a lot of informations how you can configure SSL in Apache in the Web. In this section I give you only a short idea which parts you must include into your VirtualHost 443 section. How to configure your SSL in a secure manner and which element has to be installed is not a part of this tutorial!

...
ServerAdmin info@somedomain.com
ServerName somedomain.com
ServerAlias www.developercookies.net
...
Alias "/.well-known" "/home/letsencrypt/data/.well-known"
...
SSLCertificateFile /home/letsencrypt/certs/live/somedomain.com/cert.pem
SSLCertificateKeyFile /home/letsencrypt/certs/live/somedomain.com/privkey.pem
SSLCertificateChainFile /home/letsencrypt/certs/live/somedomain.com/fullchain.pem
...
SSLEngine on
...

If you want to redirect unencrypted http:// calls directly to your https:// configuration you can insert in your VirtualHost 80 section the following part.

...
ServerAdmin info@somedomain.com
ServerName somedomain.com
ServerAlias www.somedomain.com
Redirect / https://www.somedomain.com/
...

Again, do not forget to restart Apache for activating the SSL part and redirection command.

service apache2 restart

Your new certificate should now work correctly by calling your address in Web Browser https://www.somedomain.com.

Renewal of certificates

Let’s encrypt certificates are valid for 90 days. This means it has to be renewed at least of every three months. It makes sense to automate this renewal process by using a cron job.

In VI the crontab can be opened by the following command.

crontab -u root -e

In example below the cron job will be executed every two months for renewing the certificates. E-Mails will not be sent by using /dev/null 2>&1.

0 0 0 */2 * docker run -it --rm -v /home/letsencrypt/certs:/etc/letsencrypt -v /home/letsencrypt/data:/data/letsencrypt certbot/certbot certonly --webroot --webroot-path=/data/letsencrypt -d somedomain.com -d www.somedomain.com --email info@somedomain.com --agree-tos >/dev/null 2>&1

Everything is done now. Enjoy your encrypted web service!

Related Articles