Saving account credentials from docker


#1

I ran the LE client successfully in Docker (manual mode). It tells me:

Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.

These are in the Docker machine, of course. I pulled out the certificates needed to enable HTTPS, so fine. But being new to both Docker and LE, I wasn’t able to figure out how to back up the directory, because file/folder permissions are set to be locked down, and my Linux skills are rudimentary.

This morning, my Mac crashed, and the letsencrypt directory is lost. What credentials have been lost, and what will I need to do in 90 days to renew the cert? I couldn’t find any documentation.

Feature request: please make it easy to pull all the cert info out of the Docker container!


#2

When you renew your certificate in 90 days, a new account key will be created and validation happens again. It’s basically just your private account key that’s lost, and the certificate history (if you ever need old certificates and keys). You can also recover your account, but I’m not sure if that’s implemented in the client yet.

Usually, you’d just give the Docker container access to your host system in specific directories with the -v flag.

Also have a look at the official documentation.


#3

…for small values of the word “usually”.

Doesn’t do any good to save the credentials in a host instance, since they’re dynamically created by Elastic Beanstalk.


#4

An easy way to handle this in Docker is by using a host directory as a data volume.

docker run -it --rm --name letsencrypt \
    -v "/etc/letsencrypt:/etc/letsencrypt" ........

This way the /etc/letsencrypt folder of your current system is mounted into the Docker container at /etc/letsencrypt, and all generated files will be written to the filesystem of the host system.


#5

That’s what I did, but files only get written to the host in VirtualBox.


#6

You have to use Docker volumes in order to make the data live longer than the Docker machine.

For example:

mkdir -p /Users/username/letsencrypt/etc/letsencrypt
mkdir -p /Users/username/letsencrypt/var/lib/letsencrypt
mkdir -p /Users/username/letsencrypt/var/log/letsencrypt

docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt \
    -v "/Users/username/letsencrypt/etc/letsencrypt:/etc/letsencrypt" \
    -v "/Users/username/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt" \
    -v "/Users/username/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt" \
    quay.io/letsencrypt/letsencrypt:latest certonly --authenticator manual \
    --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory \
    --email username@mydomain.tld --agree-tos --rsa-key-size 4096 \
    --renew-by-default --domain mycert.mydomain.tld

This way the data will remain on your machine under the /Users/username/letsencrypt folder.

The log folder is useful with the --debug and --verbose parameters when trying to understand why something is going wrong.
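Putting posts #4 and #6 together, here is an added example script (not code from this thread, from the Let’s Encrypt client or from its Docker image). It prepares the three host directories that get bind-mounted into the container, restricts the one that will hold the account key and certificate private keys to the owner, prints the docker command from post #6 with the mounts pointing at those directories so it can be checked before running, takes the owner-only backup the client’s message asks for, and checks whether the container actually wrote to the host (the problem in post #5). The function names, the base-directory layout and the `--demo` entry point are assumptions made for this example; the docker arguments are copied from post #6 unchanged.

```shell
#!/bin/sh
# Added example, not from the thread: host-side helpers around the bind
# mounts shown in posts #4 and #6. Function names and the base-directory
# argument are assumptions for this example; the docker arguments come
# from post #6.

# Create the three host directories the container expects to be mounted.
# Usage: le_prepare_dirs /Users/username/letsencrypt
le_prepare_dirs() {
    base="$1"
    for sub in etc/letsencrypt var/lib/letsencrypt var/log/letsencrypt; do
        mkdir -p "$base/$sub" || return 1
    done
    # Account credentials and private keys land under etc/letsencrypt:
    # make that directory readable by the owner only.
    chmod 700 "$base/etc/letsencrypt"
}

# Print the docker command (post #6's arguments) with the bind mounts
# pointing at the host directories, so it can be reviewed before running.
# Usage: le_docker_cmd BASE DOMAIN EMAIL
le_docker_cmd() {
    base="$1"; domain="$2"; email="$3"
    printf '%s\n' \
        "docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt \\" \
        "    -v \"$base/etc/letsencrypt:/etc/letsencrypt\" \\" \
        "    -v \"$base/var/lib/letsencrypt:/var/lib/letsencrypt\" \\" \
        "    -v \"$base/var/log/letsencrypt:/var/log/letsencrypt\" \\" \
        "    quay.io/letsencrypt/letsencrypt:latest certonly --authenticator manual \\" \
        "    --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory \\" \
        "    --email $email --agree-tos --rsa-key-size 4096 \\" \
        "    --renew-by-default --domain $domain"
}

# Archive etc/ and var/ from the host copy into a tarball that only the
# owner can read (umask 077): the "secure backup" the client asks for.
# Usage: le_backup BASE /path/to/letsencrypt-backup.tgz
le_backup() {
    base="$1"; dest="$2"
    [ -d "$base/etc/letsencrypt" ] || {
        echo "nothing to back up in $base" >&2
        return 1
    }
    ( umask 077 && tar czf "$dest" -C "$base" etc var )
}

# Sanity check after a run: did the container write to the host directory
# (rather than only inside the VM, as in post #5)?
# Returns 0 when etc/letsencrypt on the host contains at least one entry.
le_host_has_data() {
    [ -n "$(ls -A "$1/etc/letsencrypt" 2>/dev/null)" ]
}

# Stand-alone usage (assumed entry point):
#   sh this_script.sh --demo /Users/username/letsencrypt
if [ "${1:-}" = "--demo" ]; then
    LE_BASE="${2:-$HOME/letsencrypt}"
    le_prepare_dirs "$LE_BASE"
    le_docker_cmd "$LE_BASE" mycert.mydomain.tld username@mydomain.tld
fi
```

The backup function is deliberately run from the host copy rather than from inside the container: once the directories are bind-mounted, the host owns the files, so there is nothing to extract from the container afterwards, which is the point of posts #4 and #6.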


#7

Thanks, that’s really helpful!


#8

Tested it and it works.