How to host your own acme Cert Server

To host your own ACME server (e.g., using the ACME protocol to issue certificates), you can run an ACME server in a Docker container. There are several open-source implementations of ACME servers that you can use, such as Pebble (a reference implementation of ACME) or Smallstep.

Here’s how to set up your own ACME server using Pebble (an ACME server from the Let's Encrypt team) with Docker Compose. This setup will allow you to issue SSL/TLS certificates using the ACME protocol from your own server.

Step-by-Step Guide to Host an ACME Server with Docker Compose

1. Install Docker and Docker Compose

Ensure that you have Docker and Docker Compose installed on your machine. If you haven't already done so, you can follow the installation guides here:

• Install Docker
• Install Docker Compose

2. Set Up Docker Compose Configuration

First, create a directory for your ACME server project:

mkdir acme-server
cd acme-server

Inside this directory, create a docker-compose.yml file to define the services needed for your ACME server.

3. Create the docker-compose.yml File for Pebble

Below is a basic configuration to run Pebble using Docker Compose. Pebble is an ACME v2 server that simulates a production-like environment for testing and development.

Create a file named docker-compose.yml in the acme-server directory:

version: '3.7'

services:
  pebble:
    image: pebble:latest
    container_name: pebble
    environment:
      - ACME_CA_URI=http://pebble:4000/dir  #  Set Pebble's ACME endpoint URL
      - STAGING=true  #  Use the staging environment (for testing)
    volumes:
      - ./config:/etc/pebble  #  Persistent storage for Pebble configuration and data
    ports:
      - "4000:4000"  #  ACME server endpoint
      - "14000:14000"  #  Pebble HTTP interface
    networks:
      - pebble-net
    command: pebble -dns --acme-dir /etc/pebble/acme/directory --ca-dir /etc/pebble/ca --http-port 14000

  #  Optional: Add a web service to interact with your ACME server
  web:
    image: nginx:latest
    container_name: acme-web
    ports:
      - "80:80"
    networks:
      - pebble-net

networks:
  pebble-net:
    driver: bridge

Explanation of the docker-compose.yml:

• Pebble Service: This is the core ACME server (Pebble) that handles ACME requests for issuing certificates.

  • ACME_CA_URI: This sets the URL of the ACME directory. Pebble will use this to interact with your clients.
  • STAGING=true: This uses Pebble in "staging" mode, which is useful for testing. You can switch this to false for production use.
  • command: Runs the Pebble ACME server with the necessary configuration and opens it on port 4000.
  • Ports: Exposes port 4000 for the ACME protocol and 14000 for Pebble’s HTTP interface for testing and debugging.

• Web Service (Optional): The web service runs nginx for web traffic. It’s optional but could be useful if you need to simulate HTTP-01 challenges for domain validation.

• Networks: Both services are on a private network (pebble-net) so they can communicate with each other.

4. Running the ACME Server

After saving the docker-compose.yml file, run the following command in the acme-server directory to start your ACME server:

docker-compose up -d

This will start the Pebble ACME server in the background. You can check the logs using:

docker-compose logs -f pebble

You should see the Pebble server initializing and ready to accept ACME requests.

5. Testing the ACME Server with Certbot

You can use Certbot or any ACME client to interact with your ACME server. Here’s how you can use Certbot to request a certificate from your local Pebble ACME server.

1. Install Certbot on your local machine if you haven’t already.

2. Request a Certificate: Use the following Certbot command to request a certificate from your local ACME server (assuming it's running on http://localhost:4000):

   sudo certbot certonly --server http://localhost:4000/dir --email [email protected] --agree-tos --test-cert --standalone -d your-domain.com
   

   Replace your-domain.com with the domain you want to test with. This will interact with your local ACME server (Pebble) to issue a certificate.

6. Accessing the Pebble Server’s ACME Directory

The ACME server exposes an endpoint that you can interact with to issue certificates. In the case of Pebble, this endpoint is http://localhost:4000/dir, and it implements the ACME protocol.

• You can visit http://localhost:14000 to access Pebble's HTTP interface, which provides logs and allows for debugging.

7. Stopping the ACME Server

When you're done, you can stop the services using:

docker-compose down

8. Advanced Configuration (Optional)

If you want to deploy this setup for a production-like environment, you will need to adjust several settings:

• Set STAGING=false to use Pebble in production mode (keep in mind this is not recommended for actual production; Pebble is mainly for testing).
• You may want to configure a real web server (e.g., Nginx) to serve HTTP-01 challenges and use a real domain.

Summary

By following these steps, you will have set up your own ACME server using Docker Compose. This setup allows you to issue certificates for testing purposes using the Pebble ACME server.

You can customize the Docker Compose configuration to suit your needs, including adding DNS-01 challenge support or creating additional services for production environments. The key benefit is that you're running your own ACME server, which gives you full control over certificate issuance and testing.