This image bundles acmetool with a libcloud DNS challenge hook. See the list of supported DNS providers at https://libcloud.readthedocs.io/en/latest/dns/supported_providers.html.
```sh
mkdir -p /my/acme/conf /my/acme/desired
wget -O /my/acme/conf/responses https://raw.githubusercontent.com/hlandau/acme/master/_doc/response-file.yaml
# Edit /my/acme/conf/responses according to your needs
cat <<EOF > /my/acme/desired/my.example.com-desire
satisfy:
  names:
    - my.example.com
request:
  key:
    type: rsa|ecdsa
    rsa-size: 2048
    ecdsa-curve: nistp256
  ocsp-must-staple: true
  # Use staging for testing. Replace provider with:
  # https://acme-staging.api.letsencrypt.org/directory
  provider: https://acme-v01.api.letsencrypt.org/directory
  challenge:
    dns-01:
      provider: vultr
      key: 781472cf1d657a9bf46b61dee83c4
EOF
# Restrict the permissions of this file (owner-only access),
# because it contains the DNS provider API key.
```
The libcloud hook needs to know the DNS provider and the provider-specific configuration (username, access token, hostname, and so on). This information is stored in the desired file under the 'challenge' section. For the provider configuration, consult the documentation of the respective libcloud DNS driver.

E.g. PowerDNS setup:

```yaml
request:
  challenge:
    dns-01:
      # 'Provider Constant' from https://libcloud.readthedocs.io/en/latest/dns/supported_providers.html#supported-providers
      provider: powerdns
      # Provider specific configuration
      key: mykey
      host: powerdns4.example.com
      port: 8081
      api_version: v1
```
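As an added example (not part of this image or of acmetool), a small pre-flight check for a desired file before running the container: it confirms that a libcloud provider constant is set under `request.challenge.dns-01`, flags the staging endpoint, and, for a file on disk, flags group/world-readable permissions since the file holds the DNS API key. The sample desired file and the placeholder key are constructed; the parser only handles the two-space nested-mapping subset used by desired files and is not a general YAML parser.

```python
import os
import stat

STAGING = "https://acme-staging.api.letsencrypt.org/directory"
PRODUCTION = "https://acme-v01.api.letsencrypt.org/directory"

# Constructed sample desired file (placeholder API key), mirroring the layout above.
SAMPLE = """satisfy:
  names:
    - my.example.com
request:
  provider: https://acme-staging.api.letsencrypt.org/directory
  challenge:
    dns-01:
      provider: vultr
      key: EXAMPLE-KEY-PLACEHOLDER
"""

def parse_scalars(text):
    """Flatten 'key: value' lines into dotted paths by two-space indentation."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("-"):
            continue                                   # skip blanks and list items
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")    # first ':' only, URLs keep theirs
        path = path[: indent // 2] + [key]
        if value.strip():
            out[".".join(path)] = value.strip()
    return out

def check_content(text):
    """Findings about the ACME endpoint and the dns-01 challenge section."""
    values, findings = parse_scalars(text), []
    acme = values.get("request.provider")
    if acme == STAGING:
        findings.append("staging endpoint: issued certificates are not browser-trusted")
    elif acme != PRODUCTION:
        findings.append("unexpected ACME directory: %r" % acme)
    if "request.challenge.dns-01.provider" not in values:
        findings.append("no libcloud provider constant under request.challenge.dns-01")
    return findings

def check_file(path):
    """check_content plus a finding if the file is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = check_content(open(path).read())
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o: file holds the DNS API key but is group/world accessible" % mode)
    return findings
```

Run `check_file("/my/acme/desired/my.example.com-desire")` and expect an empty list before issuing production certificates.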
Run acmetool with the state directory mounted at '/var/lib/acme':

```sh
docker run --rm -v /my/acme:/var/lib/acme cyon/acmetool-libcloud:latest
```

For verbose output, pass acmetool's debug log level after `--`:

```sh
docker run --rm -v /my/acme:/var/lib/acme cyon/acmetool-libcloud:latest -- --xlog.severity=debug
```
The live folder always contains all the certificates, chains and keys. A reissue of the certificate will update the certificate and chain files.
```
$ tree /my/acme/live/my.example.com
live/my.example.com
├── cert
├── chain
├── fullchain
├── privkey -> ../../keys/s4cy32o8kaucxkb37k9kajkq7atof8x0/privkey
└── url

0 directories, 5 files
```
If you want to share the certificates and keys between containers it's best to create a named Data Volume Container. The volume destination inside the container is '/var/lib/acme'.
```sh
# Data-only container holding the acmetool state
docker create --name acmetool cyon/acmetool-libcloud:latest echo "Data-only container for acmetool with libcloud hook"
# Run once to create all the acmetool state folders
docker run --rm --volumes-from acmetool cyon/acmetool-libcloud:latest
# Copy the response file and the desired file into the volume
docker cp responses acmetool:/var/lib/acme/conf/
docker cp my.example.com-desire acmetool:/var/lib/acme/desired/
# Request the certificates
docker run --rm --volumes-from acmetool cyon/acmetool-libcloud:latest
# Mount the volume read-only into the container that serves the certificates
docker run --volumes-from acmetool:ro --name nginx-with-acme-certs -d nginx
```