While building a couple of browser based prototypes, I’ve hit an interesting problem. Basically, I am trying to replicate a full remote setup with a reverse proxy and TLS SNI while running everything on localhost. Getting the DNS functioning is pretty easy—I just add the required hosts to the /etc/hosts file and I’m done with it.
However, I still need actual certificates trusted by the browser. In 2021, Let’s Encrypt is the way to go. Turns out, this is also pretty easy to do. There’s a Let’s Encrypt client and ACME library written in Go[1] which can be used via Docker on any operating system.
Here’s how to use it with AWS Route53:
|
|
This command starts a Docker container using thr latest LEGO Docker image and requests a certificate for two subdomains. It mounts two volumes:
- current working directory as /lego in the container, this is where the retrieved data will land
- ${HOME}/.aws/credentials as /root/.aws/credentials
The command assumes that AWS profiles are used and there is a profile named lego. The profile must have the following IAM permissions:
|
|
As I have not specified the hosted zone ID in the command, LEGO client will figure it out from the --domains flags. The output directory is configured with the --path flag pointing to the first volume target.
To fetch the real production certificate, use https://acme-v02.api.letsencrypt.org/directory as the --server value.
Pretty neat. I now have LE real certificates without messing with remote HTTP servers.
Full documentation is available here[2].
§use as a library
The LEGO client can be used as a library in any go program. Here’s a repository[3] wrapping the library in a more high level client. Very decent sample can be found in the examples folder.