This repository was archived by the owner on Aug 28, 2023. It is now read-only.

Let's Encrypt DNS for DigitalOcean CDN

License

NotificationsYou must be signed in to change notification settings

metala/lego-dns-digitalocean

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Let's Encrypt with DNS provider for DigitalOcean CDN endpoints

Motivation

DigitalOcean does not support Let's Encrypt for delegated subdomains or CNAMEs at the time of writing. If you are using CloudFlare or a different DNS provider, your only option is to use a custom certificate for your CDN endpoint.

This tool builds on that option and lets you acquire a Let's Encrypt certificate for your endpoint's CNAME record using lego and the DNS-01 challenge. The certificate is pushed to DigitalOcean and set as the custom certificate of your endpoint.

The tool is dockerized and is designed to run in a container. You can also run it directly through main.sh, but that requires lego, jq and curl to be installed on your system.

Commands

```
$ docker run --rm metala/lego-dns-digitalocean help
Commands:
  run (default)   Setup or renew, whichever is necessary
  setup           Run to setup account and domain
  renew           Renew the domain and endpoint certificate
  loop            Execute run every $LOOP_INTERVAL (default: 1h)
  help            Show this help
Namespaces:
  endpoints       Endpoints namespace subcommands
  certificates    Certificates namespace subcommands

$ docker run --rm metala/lego-dns-digitalocean endpoints help
Endpoints namespace subcommands:
  ls                List all endpoints
  get               Get selected endpoint details
  get-cert          Get endpoint certficate
  set-cert CERTID   Set endpoint certficate
  refresh-cert      Verify and update endpoint certficate
  help              Show this help

$ docker run --rm metala/lego-dns-digitalocean certificates help
Certificates namespace subcommands:
  ls             List all certificates
  rm ID          Delete certificate with ID
  push           Push current certificate
  help           Show this help
```

Example

Start by setting up an environment file .env:

```
LEGO_EMAIL=mail@example.com
LEGO_DOMAIN=subdomain.example.com
CLOUDFLARE_EMAIL=mail@example.com
CLOUDFLARE_API_KEY=
DIGITALOCEAN_API_KEY=
DIGITALOCEAN_ENDPOINT_ID=
LOOP_INTERVAL=1h
```

If you don't have the DIGITALOCEAN_ENDPOINT_ID, you can look it up using the endpoints ls command:

```
$ docker run --rm -e "DIGITALOCEAN_API_KEY=<key>" metala/lego-dns-digitalocean endpoints ls
{
  "endpoints": [
    {
      "id": "3c327329-722b-4106-87c8-b3cf287beddd",
      "origin": "example.ams3.digitaloceanspaces.com",
      "endpoint": "example.ams3.cdn.digitaloceanspaces.com",
      "created_at": "2019-05-31T18:24:26Z",
      "ttl": 3600
    }
  ],
  "meta": {
    "total": 1
  }
}
```

Then run the container with a volume mounted at /app/.lego, where the certificate is stored. You need to set up a volume for /app/.lego; otherwise every run generates a new private key and you will hit the Let's Encrypt rate limits very fast.

```
$ docker run --rm --env-file .env -v "$PWD/volume:/app/.lego" metala/lego-dns-digitalocean run
> Executing 'run'...
2019/06/01 17:36:09 No key found for account mail@example.com. Generating a P384 key.
2019/06/01 17:36:09 Saved key to /app/.lego/accounts/acme-v02.api.letsencrypt.org/mail@example.com/keys/mail@example.com.key
2019/06/01 17:36:10 [INFO] acme: Registering account for mail@example.com
<... truncated log ...>
2019/06/01 17:36:20 [INFO] [subdomain.example.com] acme: Cleaning DNS-01 challenge
2019/06/01 17:36:21 [INFO] [subdomain.example.com] acme: Validations succeeded; requesting certificates
2019/06/01 17:36:23 [INFO] [subdomain.example.com] Server responded with a certificate.
Refreshing endpoint certificate...
Pushing a certificate...
Setting endpoint certificate...
Updating endpoint '3c327329-722b-4106-87c8-b3cf287beddd' with certificate '63a741b1-6973-4a4f-a314-ae0737872bb5'...
{"endpoint": {"id": "3c327329-722b-4106-87c8-b3cf287beddd","origin": "example.ams3.digitaloceanspaces.com","endpoint": "example.ams3.cdn.digitaloceanspaces.com","created_at": "2019-05-31T18:24:26Z","certificate_id": "63a741b1-6973-4a4f-a314-ae0737872bb5","custom_domain": "subdomain.example.com","ttl": 3600}}
```
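The "Refreshing endpoint certificate... Pushing a certificate... Setting endpoint certificate..." steps in the output above are the DigitalOcean half of what the Motivation section describes (the DNS-01 issuance is lego's job). The following is an added example, written for this README and not taken from the project's main.sh or from lego, that reproduces that flow in Python: look up the endpoint, check whether DigitalOcean already holds the local leaf certificate (by SHA-1 fingerprint), upload it only if not, and point the endpoint at it. Assumptions, labelled in the code: the DigitalOcean v2 API paths (/certificates, /cdn/endpoints/{id}) and request fields are as this example's author understands the public API, the sha1_fingerprint field is lowercase hex of the DER certificate, and the FakeDigitalOcean transport and fake_pem helper are constructed stand-ins so the flow runs offline (the PEMs they produce are not real keys or certificates).

```python
"""Added example (not the project's main.sh): the push/set flow behind `run`,
in Python. API paths and field names follow the public DigitalOcean v2 API as
understood by this example's author; verify them against the current docs."""
import base64
import hashlib
import json
import urllib.request

API_BASE = "https://api.digitalocean.com/v2"
SAMPLE_ENDPOINT = {"id": "3c327329-722b-4106-87c8-b3cf287beddd", "ttl": 3600,  # from the README
                   "origin": "example.ams3.digitaloceanspaces.com"}

class DigitalOceanAPI:
    """JSON client; `transport(method, url, headers, body)` returns the decoded body."""
    def __init__(self, token, transport=None):
        self._headers = {"Authorization": "Bearer " + token,
                         "Content-Type": "application/json"}
        self._transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def call(self, method, path, body=None):
        return self._transport(method, API_BASE + path, self._headers, body)

def pem_sha1_fingerprint(pem):
    """SHA-1 of the DER inside a PEM block; assumed to equal DigitalOcean's `sha1_fingerprint`."""
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest()

def push_certificate(api, name, key_pem, leaf_pem, chain_pem):
    """`certificates push`: upload a custom certificate and return its id. The private
    key crosses the API here, so use a token scoped to this job and keep it out of logs."""
    resp = api.call("POST", "/certificates", {
        "name": name, "type": "custom", "private_key": key_pem,
        "leaf_certificate": leaf_pem, "certificate_chain": chain_pem})
    return resp["certificate"]["id"]

def refresh_endpoint_certificate(api, endpoint_id, domain, key_pem, leaf_pem, chain_pem):
    """`endpoints refresh-cert`: make the endpoint serve the local certificate,
    uploading it only when DigitalOcean does not already hold that exact certificate."""
    endpoint = api.call("GET", "/cdn/endpoints/" + endpoint_id)["endpoint"]
    current_id = endpoint.get("certificate_id")
    wanted = pem_sha1_fingerprint(leaf_pem)
    certs = api.call("GET", "/certificates?per_page=200").get("certificates", [])
    known = [c for c in certs if c.get("sha1_fingerprint") == wanted]
    if known:
        cert_id, action = known[0]["id"], "reused"
    else:
        cert_id, action = push_certificate(api, domain, key_pem, leaf_pem, chain_pem), "pushed"
    if cert_id == current_id:
        action = "unchanged"  # the usual outcome of an hourly `loop` iteration
    else:
        api.call("PUT", "/cdn/endpoints/" + endpoint_id, {"certificate_id": cert_id,
                 "custom_domain": domain, "ttl": endpoint.get("ttl", 3600)})
    return {"action": action, "certificate_id": cert_id, "previous_certificate_id": current_id}

def fake_pem(label, payload):
    """Constructed PEM around arbitrary bytes; not a real key or certificate."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

class FakeDigitalOcean:
    """Constructed in-memory transport so the flow can be exercised offline."""
    def __init__(self, endpoint):
        self.endpoint, self.certificates = dict(endpoint), []

    def __call__(self, method, url, headers, body):
        path = url[len(API_BASE):].split("?")[0]
        if method == "GET" and path.startswith("/cdn/endpoints/"):
            return {"endpoint": dict(self.endpoint)}
        if method == "GET" and path == "/certificates":
            return {"certificates": list(self.certificates)}
        if method == "POST" and path == "/certificates":
            cert = {"id": "cert-%d" % (len(self.certificates) + 1), "name": body["name"],
                    "sha1_fingerprint": pem_sha1_fingerprint(body["leaf_certificate"])}
            self.certificates.append(cert)
            return {"certificate": cert}
        if method == "PUT" and path.startswith("/cdn/endpoints/"):
            self.endpoint.update(body)
            return {"endpoint": dict(self.endpoint)}
        raise AssertionError("unexpected call %s %s" % (method, path))

def demo():
    """First run, an idle loop iteration, then a renewed leaf; returns the three actions."""
    api = DigitalOceanAPI("do-token-placeholder", transport=FakeDigitalOcean(SAMPLE_ENDPOINT))
    key, chain = fake_pem("PRIVATE KEY", b"key"), fake_pem("CERTIFICATE", b"chain")
    return [refresh_endpoint_certificate(api, SAMPLE_ENDPOINT["id"], "subdomain.example.com",
                                         key, fake_pem("CERTIFICATE", leaf), chain)["action"]
            for leaf in (b"leaf-june", b"leaf-june", b"leaf-august")]

if __name__ == "__main__":
    print(demo())  # ['pushed', 'unchanged', 'pushed']
```

The fingerprint comparison is the part worth copying: the loop command runs this flow every hour, and without it each iteration would upload the same private key and certificate again, leaving a trail of duplicate custom certificates in the account. Because the private key is sent to the API in push_certificate, the DIGITALOCEAN_API_KEY used here should be a token that only this job holds, and the .lego volume (which contains both the account key and the certificate key) deserves the same file permissions you would give any private key.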

Running in a loop

The common way to use this tool is to run it forever in a loop. The loop command does just that: it executes the run command every $LOOP_INTERVAL, which defaults to 1h.

```
$ docker run -d --rm --restart always --env-file .env -v "$PWD/volume:/app/.lego" metala/lego-dns-digitalocean loop
bf7a96e0b3d65afaf02091dd4df0fbe794bc0ab5e40a7e1a6389a4127e671b78
$ docker logs -f bf7a96e0b3d65afaf02091dd4df0fbe794bc0ab5e40a7e1a6389a4127e671b78
> Executing certificate update in a loop (interval: 1h )
> Running '/app/main.sh run'...
> Executing 'renew'...
2019/06/01 18:39:36 [subdomain.example.com] The certificate expires in 89 days, the number of days defined to perform the renewal is 30: no renewal.
> Next run will be on 'Sat Jun  1 19:39:36 UTC 2019' (in '1h').
```

Contribution

If you want to contribute, go ahead. You can open an issue or a pull request in GitHub and I will be happy to take a look.

License

MIT license
