NGINX acme-challenge validation
This repo contains the steps and code to register free domain, generate free ssl certificate, valid for 3 months, and store them in GCP TLS secret (optional).
For this example I'll explain on example.com domain.
- Register free domain in no-ip.com. You should redirect the new domain (can be temporarily) to the server (AKA registration server) which will respond to the acme-challenge by Let's Encrypt (check out the acme description page).
Make sure you have port 80 open on the selected registration server for incoming HTTP requests. - On your local machine, Install certbot.
# Add apt repo sudo add-apt-repository ppa:certbot/certbot # update apt sudo apt-get update # install certbot sudo apt-get install python-certbot-apache
- Create the acme-challenge.
Using certbot tool run the following command.Now, the challenge is created and you should see data and specific link for the challenge requests. Something like this:sudo certbot certonly --manual -d example.com # you can supply more then one -d flags for multiple domain like (www.example.com) # sudo certbot certonly --manual -d example.com -d www.example.com
Link:example.com/.well-known/acme-challenge/2NKiiETgQdPmmjlM88mH5uo6jM98PrgWwsDslaN8
The '2NKiiETgQdPmmjlM88mH5uo6jM98PrgWwsDslaN8' should be static file.
Data within the file:2NKiiETgQdPmmjlM88mH5uo6jM98PrgWwsDslaN8.BBz59IBHlymZfSj1S9mOlQkts7LXG8-gkycr7njT
.
This screen will hold and wait for you to finish setup your registration server. - Setup NGINX on docker on any webserver expose to the internet (on the registration server).
Clone this repo, enter it's root directory, create the extended path which requested by the active acme-challenge, continue using the
# install docker and add current user to docker group curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh sudo usermod -aG docker $USER # you need to refresh your shell for this to take effect # install docker-compose sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
.well-known/acme-challenge
directory.
Then, create the challenge file with the challenge data in it.
Finally, go back to the repo root directory and run the docker-compose file.docker-compose up -d
- Test the server file response with
curl
command or your browser.If all configure correctly you should see the challenge data.curl http://example.com/.well-known/acme-challenge/YOUR_CHALLENGE_FILE_NAME
- Start the challenge.
On your active challenge (with the certbot) terminal, press theenter
key.
The certbot using the Let's encrypt server will verify your domain and challenge file. If all goes smooth, you should get the success challenge message and the certs files will be created in the following path owning by root.# /etc/letsencrypt/live/example.com/fullchain.pem # /etc/letsencrypt/live/example.com/privkey.pem
- Optional - configure certs file in GCP TLS secret.
sudo cp /etc/letsencrypt/live/example.com/fullchain.pem . sudo cp /etc/letsencrypt/live/example.com/privkey.pem . chown $USER:$USER fullchain.pem chown $USER:$USER privkey.pem # create secrets - secret name is web-tls ./create_gcp_ssl_cert_secret.sh
More useful command
kubectl delete secret web-tls