Activating staging ACME servers
During development, it is not advised to generate certificates against the production ACME servers: you could easily reach the weekly limit of Let’s Encrypt and be unable to generate certificates for a certain period of time. Staging ACME servers do not have this limit.
To use them, set the parameter
true in your DNSroboCert YAML configuration file.
You will need to wipe the content of the /etc/letsencrypt volume before re-creating the container when enabling or disabling staging. Otherwise, accounts and/or certificates may conflict between their staging and production versions.
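A check to run against the host directory backing the /etc/letsencrypt volume before toggling staging, to see whether it already holds state from the other environment. This is an added example, not part of DNSroboCert: it assumes the volume follows Certbot's standard on-disk layout, and the function names acme_state and make_sample_tree are hypothetical.

```shell
#!/bin/sh
# Added example: report which ACME servers a /etc/letsencrypt tree holds state for.
# Assumption: the volume uses Certbot's standard layout
# (accounts/<acme-host>/... and renewal/<name>.conf with a "server = <url>" line).

STAGING_HOST="acme-staging-v02.api.letsencrypt.org"
PROD_HOST="acme-v02.api.letsencrypt.org"

# Prints one of: empty, staging, production, mixed
acme_state() {
    dir="$1"; has_staging=0; has_prod=0
    # Account registrations are stored per ACME server hostname.
    [ -d "$dir/accounts/$STAGING_HOST" ] && has_staging=1
    [ -d "$dir/accounts/$PROD_HOST" ] && has_prod=1
    # Each certificate lineage records the server that issued it.
    for conf in "$dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        server=$(sed -n 's/^server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        case "$server" in
            *"//$STAGING_HOST/"*) has_staging=1 ;;
            *"//$PROD_HOST/"*)    has_prod=1 ;;
        esac
    done
    case "$has_staging$has_prod" in
        00) echo empty ;;
        10) echo staging ;;
        01) echo production ;;
        11) echo mixed ;;
    esac
}

# Constructed sample tree (not real data): a production account plus one
# certificate lineage that was issued by the staging server.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/accounts/$PROD_HOST/directory/0000placeholder" "$root/renewal"
    printf '[renewalparams]\nserver = https://%s/directory\n' "$STAGING_HOST" \
        > "$root/renewal/example.test.conf"
    echo "$root"
}

sample=$(make_sample_tree)
echo "state of sample volume: $(acme_state "$sample")"   # mixed: wipe before re-creating
rm -rf "$sample"
```

Point acme_state at the host path mounted as /etc/letsencrypt; any result other than empty, or other than the environment you are about to use, means the volume should be wiped first.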
Executing the DNSroboCert docker in a specific timezone
The default timezone is UTC.
You can set a local timezone in the adferrand/dnsrobocert Docker container by populating the TIMEZONE environment variable.
In this case, automated renewal will be done in this timezone, and logs will use the local date.
Migration from docker-letsencrypt-dns
In this section we will discuss how to migrate from
DNSroboCert started as a pure Docker implementation named adferrand/letsencrypt-dns. It was coded in bash, and used both environment variables and a file named domains.conf for its configuration, the latter holding the list of certificates to create and renew, and also the autocmd features for each certificate. On the other hand, environment variables configured the DNS provider to use, the specific options for Let’s Encrypt (account email address, staging servers) and some custom operations on the certificate assets (like specific users and permissions).
DNSroboCert supports all these features, improves them, and stores its configuration in one structured central file, located by default at /etc/dnsrobocert/config.yml. As stated by DNSroboCert in the logs, usage of the old environment variables and the domains.conf file is deprecated, and you should move as soon as possible to the new configuration file. You should also use adferrand/dnsrobocert instead of adferrand/letsencrypt-dns from now on.
If you followed the link displayed in the logs from adferrand/letsencrypt-dns, then this section is for you: your instance of letsencrypt-dns has been upgraded to DNSroboCert, and you should migrate.
Let’s see this migration in detail now.
Writing configuration files is boring. Do you agree? If so, you will be pleased to know that DNSroboCert handles this migration for you. If you start an adferrand/dnsrobocert instance with the legacy configuration (environment variables + domains.conf), DNSroboCert will automatically pick them up and generate the new configuration.
Its location is /etc/dnsrobocert/config-generated.yml. It contains the necessary configuration to make DNSroboCert behave exactly like your adferrand/docker-letsencrypt-dns instance before.
Here are the steps to achieve the migration.
- Pull the latest version of
  docker pull adferrand/docker-letsencrypt-dns
  docker pull adferrand/docker-dnsrobocert
- Restart your up-to-date instance of
docker-compose to ensure the new configuration file has been generated:
- Extract this file from the docker into your host machine (assuming your docker is named
  mkdir -p /etc/dnsrobocert
  docker cp letsencrypt-dns:/etc/dnsrobocert/config-generated.yml /etc/dnsrobocert/config.yml
Restart your Docker container with the new configuration file mounted at the right place:
- With docker command line, add the following flag:
- Or with docker-compose, add the mount directive in your
  volumes:
    - /etc/dnsrobocert/config.yml:/etc/dnsrobocert/config.yml
DNSroboCert will automatically pick the new configuration file.
- Once you have confirmed that everything is working as before, you can restart the Docker container without the environment variables and the domains.conf mount. Please take this occasion to change the image name to adferrand/dnsrobocert. For instance:
  docker run \
    --name dnsrobocert \
    --volume /var/docker-data/letsencrypt:/etc/letsencrypt \
    --volume /etc/dnsrobocert/config.yml:/etc/dnsrobocert/config.yml \
    adferrand/dnsrobocert
adferrand/letsencrypt-dns is deprecated and is replaced by
If you want to go berserk, you can migrate yourself by writing the new config.yml file to fit your needs, following the documentation of the User guide and Configuration reference.
Once done, you can follow the previous section to restart your Docker container.
Former configuration of
If needed, the former configuration for adferrand/letsencrypt-dns is available on GitHub.
What is new?
At this point, you may ask yourself what you gain by migrating from
Well, thanks to this migration a lot of new features are planned, since this is a complete refactoring of the tool into a proper programming language, Python. Basically it becomes a real program that I name DNSroboCert, with code quality control and good extensibility to add all the features the community asks for.
You can check in particular the Project V3 specifications that drove this migration and give key points for the incoming features.
But beyond promises, you will get immediate advantages that I already implemented in DNSroboCert:
- the big one: you can now define multiple DNS providers in one single instance of DNSroboCert
- the custom deploy scripts and PFX exports are defined per certificate
- force renew can be set for specific certificates
Stay tuned for the new features!