
Scheduled update Lets Encrypt

Creating wildcard certificates with Let's Encrypt


The Brief

I run a number of containers on my Raspberry Pi for Home Assistant, monitoring and so on, and I use nginx as a reverse proxy to reach them from the internet. I have my domain owenrumney.co.uk and a subdomain home.owenrumney.co.uk, for which I use a wildcard certificate from Let's Encrypt.

Let's Encrypt certificates last 90 days, and you get a reminder email in good time that one needs renewing, but I want the renewal to happen automatically on a schedule.

I'm using Gandi for my domain, so I need to create a personal access token (PAT) there for the renewal to use.

The Solution

To do this I'm using certbot in a Docker container that is run on a schedule.

There is a certbot plugin for Gandi that does the required steps: it creates the TXT records used to verify domain ownership.

The Dockerfile

My Dockerfile is really simple: it uses certbot as the base image, then installs the certbot plugin for Gandi.

FROM certbot/certbot

# Third-party DNS authenticator for Gandi (provides --authenticator dns-gandi)
RUN pip3 install certbot-plugin-gandi

# The renewal script does all the work
COPY cert.sh /cert.sh

ENTRYPOINT /cert.sh

The cert script

I have a cert.sh script as the entry point which does all of the work. The gist of it is to run the certbot command with the Gandi authenticator plugin and a mounted gandi.ini file, which has a single entry: dns_gandi_token=xxxxxxxxxxxxxxxxxxxxxxxx.

The command creates a certificate for the domain (a wildcard in my case) using the contact email, then copies the resulting certificate files to the mount. In my case the mount is the local nginx container's config directory.

#!/bin/sh -u
# Stop if certbot fails, so a missing or stale certificate is never copied over.
set -e

REGISTER_DOMAIN=$DOMAIN

# DNS-01 challenge via the Gandi plugin; /gandi/gandi.ini holds dns_gandi_token=...
certbot certonly --non-interactive \
        --agree-tos --authenticator dns-gandi \
        --dns-gandi-credentials /gandi/gandi.ini \
        -d "${REGISTER_DOMAIN}" -m "${EMAIL}"

# certbot names the lineage without the leading "*." (home.owenrumney.co.uk
# for *.home.owenrumney.co.uk), so strip it before locating the live directory.
LINEAGE=${REGISTER_DOMAIN#\*.}

# -L copies the real files, not the symlinks that live/ keeps into archive/
cp -L "/etc/letsencrypt/live/${LINEAGE}"/* /certmount

The Compose file

The compose file has a mount for my ini file and one for the nginx config, plus simple env vars for DOMAIN and EMAIL. The local Dockerfile from above is built for each run.

name: letsencrypt-renew

services:
  owencertbot:
    volumes:
      - ./gandi.ini:/gandi/gandi.ini:ro
      - ./../nginx/letsencrypt:/certmount
    environment:
      - DOMAIN=*.home.owenrumney.co.uk
      - EMAIL=owen@owenrumney.co.uk
    build: .

The schedule

Finally, there is the schedule. I run this on the Raspberry Pi from a cron job with the schedule below.

It runs docker compose up at 3am on the 1st day of every second month (the */2 in the month field matches January, March, May and so on).

0 3 1 */2 *
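The schedule above is where a renewal can silently stall, and the prose does not show why. certbot only re-issues an existing certificate when it is due for renewal, which by default means 30 or fewer days remain (its renew_before_expiry setting); otherwise certbot certonly logs "Certificate not yet due for renewal; no action taken" and the script copies the unchanged files. With runs on the 1st of every second month, the January and March runs are only 59 days apart in a common year, so the March run finds 31 days left and skips, the certificate issued on 1 January expires on 1 April, and nothing renews it until 1 May. The script below is an added example, not code from the post: it replays the cron schedule at day granularity over a constructed 2025-2026 window (expanding only the two crontab shapes it needs rather than being a cron parser) and compares it with a daily run, which is how certbot renew is usually scheduled.

```python
"""Replay a cron schedule against certbot's renewal rule (constructed example).

Two facts about the tooling drive the model:
  * Let's Encrypt certificates are valid for 90 days.
  * certbot re-issues an existing lineage only when it is "due for renewal",
    i.e. 30 or fewer days remain (default renew_before_expiry); otherwise
    `certbot certonly` reports "Certificate not yet due for renewal".
Day-level arithmetic; the run hour and the ~1h backdated notBefore are ignored.
"""
from datetime import date, timedelta

CERT_LIFETIME_DAYS = 90   # Let's Encrypt certificate validity
RENEW_BEFORE_DAYS = 30    # certbot default renew_before_expiry


def cron_first_of_month_step(start: date, end: date, step: int) -> list[date]:
    """Run dates for a crontab of the shape `0 3 1 */step *`: the 1st of every
    month whose number matches the step (months 1, 1+step, 1+2*step, ...)."""
    runs = []
    d = date(start.year, start.month, 1)
    while d <= end:
        if (d.month - 1) % step == 0 and d >= start:
            runs.append(d)
        # Advance to the first of the next month.
        d = date(d.year + 1, 1, 1) if d.month == 12 else date(d.year, d.month + 1, 1)
    return runs


def cron_daily(start: date, end: date) -> list[date]:
    """Run dates for `0 3 * * *`, the usual way `certbot renew` is scheduled."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def simulate(runs: list[date]) -> tuple[list[date], list[tuple[date, date]]]:
    """Replay the runs in order.

    Returns (dates on which a certificate was issued or renewed,
             outage windows as (expiry, next_run) pairs during which the
             deployed certificate had already expired)."""
    expiry = None
    issued, outages = [], []
    for run in runs:
        if expiry is not None and run > expiry:
            # The certificate lapsed before this run came around.
            outages.append((expiry, run))
        # First run has no lineage; afterwards mirror certbot's due check.
        due = expiry is None or (expiry - run).days <= RENEW_BEFORE_DAYS
        if due:
            expiry = run + timedelta(days=CERT_LIFETIME_DAYS)
            issued.append(run)
    return issued, outages


if __name__ == "__main__":
    start, end = date(2025, 1, 1), date(2026, 12, 31)   # constructed window
    schedules = [
        ("0 3 1 */2 *", cron_first_of_month_step(start, end, 2)),
        ("0 3 * * *", cron_daily(start, end)),
    ]
    for label, runs in schedules:
        issued, outages = simulate(runs)
        print(f"{label}: {len(issued)} issuance(s), {len(outages)} outage(s)")
        for lapsed, next_run in outages:
            print(f"  expired {lapsed}, not renewed until {next_run}")
```

Over the two constructed years the bi-monthly schedule produces an outage from 1 April to 1 May in each year, while the daily schedule renews every 60 days and never lapses. The fix is not a cleverer cron expression but running the job often enough (daily is conventional) and letting certbot's own due check decide whether anything is issued; a failed run then costs a day rather than two months, and with the script's set -e a failure also leaves the previously deployed files untouched.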

Conclusion

It hasn't escaped me that I could just install the plugin and the certbot tool on my Pi and run the renewal directly there from the cron schedule. I went with containers for a combination of reasons:

  • trying to do most things with Docker, just because
  • being able to move everything to a new or bigger Pi with limited setup
  • it was interesting

This post is licensed under CC BY 4.0 by the author.