Star Cert via Let’s Encrypt via DNS TXT via Docker Container (manual process)

Source Code: https://github.com/stoops/dockerssl

If you want a wildcard certificate from Let's Encrypt, you have to use the DNS verification method (the DNS-01 challenge), since HTTP validation cannot prove control of every name under a domain. I made an example Dockerfile and script that quickly spin up a Debian container, install certbot, and run it. You then connect to the container via a local URL (http://127.0.0.1:8080/) and interact with the process: add the TXT record it asks for, let it verify the DNS entry, and then download the signed cert chain + key pem files!

Note: I do wish Google had API access to their Domains service which would allow for automated TXT records!

$ c=fullchain.pem ; k=privkey.pem ; openssl x509 -noout -modulus -in $c | md5 ; openssl rsa -noout -modulus -in $k | md5

ca7e9eba4cde42a000038aa7dae8680b
ca7e9eba4cde42a000038aa7dae8680b
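As an added example (not from the dockerssl repo), the post-issuance checks scripted so they can run after every renewal instead of being eyeballed: does the key belong to the cert, is the wildcard name really in the SAN list, and how long before it expires. It builds its own self-signed stand-in for *.example.com so it runs without the real chain; the file names and the example.com name are the example's own, and the key/cert comparison uses the public key rather than the RSA modulus so it also works for EC keys.

```shell
#!/bin/sh
# Added example (not part of the dockerssl repo): post-issuance checks for a
# wildcard cert chain, scripted instead of eyeballed. Run as: sh check-cert.sh
set -u

# Does the private key belong to the cert? Comparing the PEM public keys works
# for RSA and EC keys alike, unlike the RSA-only modulus trick.
cert_key_match() {   # $1 = cert PEM, $2 = key PEM
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the exact name (e.g. '*.fossjon.com') listed in the Subject Alternative Name?
cert_has_san() {     # $1 = cert PEM, $2 = DNS name
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq "DNS:$2"
}

# Will the cert still be valid in N days? Let's Encrypt certs last 90 days,
# so a renewal job should alert well before this starts returning non-zero.
cert_valid_for_days() {   # $1 = cert PEM, $2 = days
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Constructed stand-in for the Let's Encrypt output: a self-signed wildcard cert
# with its matching key, plus an unrelated key to show the mismatch case.
make_demo_cert() {   # $1 = dir, $2 = wildcard name
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

show() { label=$1; shift; if "$@"; then echo "$label: ok"; else echo "$label: FAILED"; fi; }

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_cert "$DEMO" '*.example.com'
show "key matches cert"                              cert_key_match "$DEMO/fullchain.pem" "$DEMO/privkey.pem"
show "unrelated key (should be FAILED)"              cert_key_match "$DEMO/fullchain.pem" "$DEMO/other.pem"
show "SAN lists *.example.com"                       cert_has_san "$DEMO/fullchain.pem" '*.example.com'
show "SAN lists bare example.com (should be FAILED)" cert_has_san "$DEMO/fullchain.pem" 'example.com'
show "valid for another 60 days"                     cert_valid_for_days "$DEMO/fullchain.pem" 60
show "valid for another 100 days (should be FAILED)" cert_valid_for_days "$DEMO/fullchain.pem" 100
```

Point the three check functions at the real fullchain.pem and privkey.pem certbot produced to run the same checks on the issued chain.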
$ openssl x509 -text -noout -in fullchain.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b3:64:ec:80:70:47:42:2a:8a:ef:b4:11:60:03:9d:23:78
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Oct  9 18:35:11 2021 GMT
            Not After : Jan  7 18:35:10 2022 GMT
        Subject: CN=*.fossjon.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:1c:f6:86:b7:b5:45:63:68:7b:e4:34:10:6e:
                    .....
                    79:0f:dd:21:13:a1:2e:da:6a:a3:92:49:e7:f1:58:
                    36:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                34:94:9E:5B:B9:3C:11:0C:F3:33:3E:A1:C4:41:DA:61:64:ED:1D:97
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.fossjon.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
    Signature Algorithm: sha256WithRSAEncryption
         48:aa:26:6c:2e:fe:ed:a8:14:3e:80:12:c3:0b:c5:f5:95:5c:
         .....
         f2:0f:4c:9d:4e:d5:df:18:4a:cd:b3:a2:be:3e:57:2f:fc:d0:
         8e:c2:03:3e
$ openssl s_client -connect lo.fossjon.com:8443

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=*.fossjon.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=*.fossjon.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4628 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A9CA7F699D780CFD9FAFBC197FDBA14FC4307F225CE6C90E55CE0658E3055F8
    Session-ID-ctx:
    Master-Key: C84D32162158587663310FB67F482AE63CA9F964158B74C1E40806D8915E1B25AFB3DC2F22E15D58450F7CFCA0FAA8B4
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 48 82 2b be 43 84 b1 13-11 7a e5 bf 39 97 89 55   H.+.C....z..9..U
    0010 - 43 41 ce 61 42 f8 16 e7-89 28 67 af 8d 73 6d 5c   CA.aB....(g..sm\
    0020 - 60 c0 13 20 cc e9 77 0d-5a 34 73 50 85 23 57 b0   `.. ..w.Z4sP.#W.
    0030 - 10 fd 8e c7 6b d4 37 8b-59 4e f4 30 b3 46 b4 d7   ....k.7.YN.0.F..
    0040 - aa c6 79 ff c0 f9 50 c2-54 f0 8e ca 64 3e 49 15   ..y...P.T...d>I.
    0050 - f5 42 fa 29 12 73 a6 f2-92 b0 a8 e0 9f 13 fa 89   .B.).s..........
    0060 - d1 8c c0 93 19 bf ea 81-32 0c 86 e7 37 42 f8 20   ........2...7B.
    0070 - f6 9d 94 d3 38 d8 c9 38-07 9f b6 99 79 b5 43 6a   ....8..8....y.Cj
    0080 - c5 11 fd a1 30 3a d6 e0-74 d3 ba b6 6f 35 47 f4   ....0:..t...o5G.
    0090 - eb c9 af c3 0f 69 95 9f-d1 4c f2 21 80 cc b5 db   .....i...L.!....
    Start Time: 1633812734
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C
