This project provides the excellent certbot-dns-transip plugin wrapped in a Docker container. The plugin performs the DNS challenge for the certbot tool in order to obtain a Let's Encrypt certificate. The DNS challenge is currently the only challenge type that can result in a wildcard certificate.
The challenge adds a TXT DNS record using the API exposed by TransIP. After the record is created, the Let's Encrypt servers verify that it is present. On success, ownership of the domain name (including its subdomains) is proven and a certificate is issued.
This project wraps the tools and commands into a single Docker container to make obtaining wildcard certificates for TransIP-hosted domains as easy as possible.
Before we can start the container, we first need an API key from TransIP that allows the DNS plugin to add the TXT DNS record. Follow these steps:
Tip: If you intend to run this container from a server with a static IP address, enable "Whitelisted IP" and add that server's public IP address to the "IP-adres whitelist" list after step 5. The key is then only usable from that address, which limits the damage if it ever leaks.
1. Navigate to the TransIP home page.
2. Click on "Controlepaneel".
3. Log in to TransIP.
4. Click the account button in the upper right corner, and select "Mijn account" in the dropdown.
5. Click the "API" tab.
6. Enter a descriptive name in the "Label" text field.
7. Copy the API key into a new file in a new, empty directory. Name this file `transip.key`.
This container requires two volumes mounted from the host. The first volume contains the `transip.key` file; the directory holding it should be mounted on the `/transip` path.
The second volume is the directory the certificates are written to. This volume is not only required for retrieving the certificate after the challenge, but also for keeping certificates between runs: if a certificate is present that does not expire soon, no new certificate is requested. This volume should be mounted on the `/etc/letsencrypt` path.
Run the following command to obtain a certificate:

```bash
docker run --rm \
  -e TRANSIP_USERNAME={{USERNAME}} \
  -e DOMAIN={{DOMAIN}} \
  -e CERTBOT_EMAIL={{EMAIL}} \
  -v "{{HOST_TRANSIP_KEY}}:/transip" \
  -v "{{HOST_CERT_LOCATION}}:/etc/letsencrypt" \
  thomaskleinendorst/certbot-transip-dns-docker
```
- TRANSIP_USERNAME: Username of the TransIP account.
- CERTBOT_EMAIL: Email address passed to certbot. Used for urgent renewal and security notices.
- DOMAIN: Domain to obtain certificates for; it should not contain sub-domains. Note that the created certificate will be valid for the main domain (`example.com`) and a wildcard for a single level of sub-domain (`*.example.com`).
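The run command above wrapped in a small POSIX shell script, as an added example that is not part of this project: it refuses to start when `transip.key` is readable by other users on the host, rejects a DOMAIN value that is a wildcard or a URL rather than a bare domain, and afterwards prints the subject, expiry and SANs of the issued chain with openssl. The certbot live-directory layout (`/etc/letsencrypt/live/<domain>/fullchain.pem`) is assumed.

```bash
#!/bin/sh
# Added example wrapper around the README's docker run command (not the project's own script).
set -eu

# Return 0 if <dir>/transip.key exists and only its owner has any permission bits.
check_key_file() {
    f="$1/transip.key"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    # characters 5-10 of `ls -l` output are the group and other permission bits
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "$f is readable by group/others ($bits); chmod 600 it" >&2; return 1; }
}

# Return 0 if DOMAIN is a bare domain: no wildcard, no scheme, no path.
# (Whether it is the registrable domain rather than a sub-domain cannot be decided locally.)
check_domain() {
    case "$1" in
        ''|*'*'*|*/*|*:*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the container with the same variables and mounts the README lists.
obtain_cert() {
    user="$1"; domain="$2"; email="$3"; keydir="$4"; certdir="$5"
    check_key_file "$keydir"
    check_domain "$domain" || { echo "DOMAIN must be a bare domain, e.g. example.com" >&2; return 1; }
    docker run --rm \
        -e TRANSIP_USERNAME="$user" \
        -e DOMAIN="$domain" \
        -e CERTBOT_EMAIL="$email" \
        -v "$keydir:/transip" \
        -v "$certdir:/etc/letsencrypt" \
        thomaskleinendorst/certbot-transip-dns-docker
}

# Show what was issued; the SAN list should contain DOMAIN and *.DOMAIN.
# Assumes certbot's default layout under the mounted /etc/letsencrypt directory.
show_cert() {
    pem="$1/live/$2/fullchain.pem"
    openssl x509 -in "$pem" -noout -subject -enddate -ext subjectAltName
}

# usage: ./run.sh USERNAME DOMAIN EMAIL HOST_TRANSIP_KEY_DIR HOST_CERT_LOCATION
if [ $# -eq 5 ]; then
    obtain_cert "$@" && show_cert "$5" "$2"
fi
```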
- There is a known issue, on Windows hosts only, where the certificate cannot be written to the mounted directory. The error reads `OSError: [Errno 71] Protocol error`. It appears to be caused by volume-mounting behaviour in Docker on Windows; Linux hosts should not be affected.