How to create cert for local development environment

Hi,

I am developing (on Windows 7 ) a PHP application using Docker (Debian 9). I wish to use HTTPS in development.

How can I create a certificate?

I guess I use Certbot but where do I run it? I guess it needs to talk to my webserver (Apache) in the Docker container.

If I was developing on a Linux machine, I guess that I could run Certbot on that and use my hosts file, so that it could see the token on the Docker container?

Mick

Hi,

It depends on the domain for which you want to obtain the cert.

If the domain is publicly resolvable and accessible, you could apply for a certificate using acme.sh or another program listed in ACME Client Implementations - Let's Encrypt.

It's better to use certbot on your web server...

Certbot doesn't read the hosts file; it only queries directly from the name server that the domain is registered to...

Thank you

If you want to use Docker, you should store your keys and certificates permanently.

--
Storing and Reusing Certificates and Keys
...

As an example, many sites are starting to use Docker to provision new frontend instances as needed. If you set up your Docker containers to issue when they start up, and you don’t store your certificates and keys durably, you are likely to hit rate limits if you bring up too many instances at once. In the worst case, if you have to destroy and re-create all of your instances at once, you may wind up in a situation where none of your instances is able to get a certificate, and your site is broken for several days until the rate limit expires.

--

I own a domain: myDomain.co.uk

Can I then use Certbot to create a certificate for this, then use this certificate locally (by adding myDomain.co.uk to my hosts file, which will point to my Docker webserver)?

I don't know enough about Certbot and Docker, because I don't use them.

But I use my own wildcard certificate *.example.com (not Let's Encrypt) from my web service locally, to connect to the dev version of my domain, together with a hosts entry 127.0.0.1 dummy.example.com.

The same should work with other configurations.
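What the post above describes, a locally trusted wildcard certificate for a dev host plus a hosts entry, can be produced with openssl alone. The following is an added example, not code posted by anyone in this thread or shipped by Certbot. It assumes openssl is installed, a base domain of example.com and an output directory of ./devpki; the private CA it creates is meant to be imported only into the trust store of the development machine.

```shell
#!/bin/sh
# Added example (not from this thread): a private development CA plus a
# wildcard server certificate, using only openssl. Assumed names: the base
# domain example.com and the output directory ./devpki.
set -eu

# Create ca.key/ca.crt (private CA) and server.key/server.crt (wildcard leaf).
make_dev_pki() {
    out="${1:-./devpki}"        # output directory (assumption)
    domain="${2:-example.com}"  # base domain (assumption)
    mkdir -p "$out"

    # 1. A dedicated config keeps the CA self-contained and marks it CA:TRUE,
    #    which openssl verify requires before it accepts the cert as an issuer.
    cat > "$out/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Local Dev CA for $domain
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$out/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout "$out/ca.key" -out "$out/ca.crt"

    # 2. Leaf key and CSR for the wildcard name.
    cat > "$out/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = *.$domain
EOF
    openssl req -new -config "$out/server.cnf" -newkey rsa:2048 -nodes \
        -sha256 -keyout "$out/server.key" -out "$out/server.csr"

    # 3. Browsers ignore the CN and require subjectAltName, so put both the
    #    wildcard and the bare domain there; keep the leaf non-CA.
    cat > "$out/server.ext" <<EOF
subjectAltName = DNS:*.$domain, DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF

    # 4. Sign with the private CA; short lifetime, since this is dev-only.
    openssl x509 -req -sha256 -days 90 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server.crt"
}

# Return 0 when server.crt chains to ca.crt and carries a wildcard SAN.
verify_dev_cert() {
    out="${1:-./devpki}"
    openssl verify -CAfile "$out/ca.crt" "$out/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/server.crt" -noout -text | grep -q 'DNS:\*\.' || return 1
    return 0
}
```

Call make_dev_pki ./devpki example.com, then point Apache's SSLCertificateFile and SSLCertificateKeyFile at devpki/server.crt and devpki/server.key, add 127.0.0.1 dummy.example.com to the hosts file and import devpki/ca.crt into the browser's trust store. Keep ca.key out of the container image and out of version control: whoever holds it can issue certificates for any name that the dev machine will trust.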

Two options:

A) DNS Challenge

  1. Use DNS-01 challenge to create a certificate for myDomain.co.uk (or a wildcard cert)
  2. Set the DNS for myDomain.co.uk as 127.0.0.1 *

B) HTTP Challenge

  1. Create a certificate for myDomain.co.uk from a computer on the public internet
  2. Update the DNS for myDomain.co.uk to 127.0.0.1 *
  3. Copy the certificate to your local machine.
  • Instead of setting public DNS to 127.0.0.1, you can also just use a local DNS resolver/server to route the domain to 127.0.0.1. This way people on your LAN/computer think the domain is 127.0.0.1, but it points elsewhere outside of your network.

Hi,

Thanks. I am completely new to letsencrypt so could you please add more detail or point me to the documentation please.

I am working through this on my webserver (in Docker):

Is that the correct thing to do?

Thanks for your help.

Mick

I am running certbot and get this on my webserver:

IMPORTANT NOTES:

Hi @ArtisanTinkerer,

It looks like you have a GoDaddy domain parking service enabled. In this case you should change your GoDaddy DNS settings or other domain settings to make sure that the something.co.uk name points directly to your web server, not to a parking service.

(If that’s not the case, then you should ensure that no other GoDaddy options are enabled that would cause GoDaddy to receive or intermediate web connections to your domain.)

I’m trying DNS authorisation now and I am getting:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: blahblahblah.co.uk
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.blahblah.co.uk

What I don’t get is that when I add the TXT record, the minimum TTL is 600 seconds. How can I get certbot to wait for this amount of time, before doing the check?

Are you using --manual or some other method? If you're using --manual, it waits for you to press Enter before telling the CA that the challenge is ready.
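To make a scripted DNS-01 run survive the propagation delay asked about above, the usual approach is a --manual-auth-hook that creates the record and then polls until the record is visible, so that control only returns to certbot, and certbot only tells the CA to check, once the TXT record actually resolves. The following is an added example rather than anything posted in this thread or shipped by Certbot. It assumes dig is installed, that the record has already been created by a provider-specific step (omitted here), and it uses the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables that certbot exports to auth hooks.

```shell
#!/bin/sh
# Added example (not from this thread): poll DNS until the _acme-challenge
# TXT record is visible before returning control to certbot. Intended as the
# last step of a --manual-auth-hook script, after the record has been created
# at the DNS provider (that API call is provider-specific and omitted).
set -u

# Name of the record the CA will look up for a given domain.
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Resolver query (assumes dig is installed). Point it at the provider's
# authoritative server with dig @ns1.provider if the local resolver caches.
lookup_txt() {
    dig +short TXT "$1" 2>/dev/null | tr -d '"'
}

# Poll until the expected token appears or the deadline passes.
# $1 domain, $2 expected token, $3 max seconds (default 600, a typical
# minimum TTL), $4 seconds between queries (default 15).
wait_for_txt() {
    domain="$1"; expected="$2"; deadline="${3:-600}"; interval="${4:-15}"
    name=$(challenge_name "$domain")
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        # -x: whole line must match, -F: token is a literal, not a regex
        if lookup_txt "$name" | grep -qxF -e "$expected"; then
            echo "TXT $name is visible after ${elapsed}s" >&2
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "gave up waiting for TXT $name after ${deadline}s" >&2
    return 1
}

# Hook entry point: only runs when certbot has exported its variables.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    # ... create the TXT record via the provider's API here ...
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

A non-zero exit from the hook makes certbot abort the run instead of asking the CA to validate a record that is not there yet, which is the failure shown in the NXDOMAIN error above. Set the deadline to at least the zone's minimum TTL and, if the local resolver has already cached a negative answer, query the provider's authoritative servers rather than the local cache.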
