Public | Automated Build

Last pushed: 5 months ago
Short Description
Letsencrypt cert auto renewal for nginx base image
Full Description

Let’s Encrypt (webroot) in a Docker

Letsencrypt cert auto getting and renewal script based on letsencrypt base image.

Usage

  • First, you need to set up your web server so that it gave the contents of the /.well-known/acme-challenge directory properly.
    Example, for nginx add location for your server:
      location '/.well-known/acme-challenge' {
          default_type "text/plain";
          root        /tmp/letsencrypt;
      }
    
  • Then run your web server image with letsencrypt-webroot connected volumes:
     -v /data/letsencrypt:/etc/letsencrypt
     -v /data/letsencrypt-www:/tmp/letsencrypt
    
  • Run letsencrypt-webroot image:

     docker run \
       --name some-letsencrypt \
       -v /data/letsencrypt:/etc/letsencrypt \
       -v /data/letsencrypt-www:/tmp/letsencrypt \
       -e 'DOMAINS=example.com www.example.com' \
       -e 'EMAIL=your@email.tld' \
       -e 'WEBROOT_PATH=/tmp/letsencrypt' \
       kvaps/letsencrypt-webroot
    
  • Configure your app to use certificates in the following path:

    • Private key: /etc/letsencrypt/live/example.com/privkey.pem
    • Certificate: /etc/letsencrypt/live/example.com/cert.pem
    • Intermediates: /etc/letsencrypt/live/example.com/chain.pem
    • Certificate + intermediates: /etc/letsencrypt/live/example.com/fullchain.pem

NOTE: You should connect /etc/letsencrypt directory fully, because if you connect just /etc/letsencrypt/live, then symlinks to your certificates inside it will not work!

Renew hook

You can also assign hook for your container, it will be launched after letsencrypt receive a new certificate.

  • This feature requires a passthrough docker.sock into letsencrypt container: -v /var/run/docker.sock:/var/run/docker.sock
  • Also add --link to your container. Example: --link some-nginx
  • Then add LE_RENEW_HOOK environment variable to your container:

Example hooks:

  • nginx reload: -e 'LE_RENEW_HOOK=docker kill -s HUP @CONTAINER_NAME@'
  • container restart: -e 'LE_RENEW_HOOK=docker restart @CONTAINER_NAME@'

For more detailed example, see the docker-compose configuration

Docker-compose

This is example of letsencrypt-webroot with nginx configuration:

docker-compose.yml

nginx:
  restart: always
  image: nginx
  hostname: example.com
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - ./nginx:/etc/nginx:ro
    - ./letsencrypt/conf:/etc/letsencrypt
    - ./letsencrypt/html:/tmp/letsencrypt
  ports:
    - 80:80
    - 443:443
  environment:
    - LE_RENEW_HOOK=docker kill -s HUP @CONTAINER_NAME@

letsencrypt:
  restart: always
  image: kvaps/letsencrypt-webroot
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - /var/run/docker.sock:/var/run/docker.sock
    - ./letsencrypt/conf:/etc/letsencrypt
    - ./letsencrypt/html:/tmp/letsencrypt
  links:
    - nginx
  environment:
    - DOMAINS=example.com www.example.com
    - EMAIL=your@email.tld
    - WEBROOT_PATH=/tmp/letsencrypt
    - EXP_LIMIT=30
    - CHECK_FREQ=30

Once run

You also can run it with once mode, just add once in your docker command.
With this option a container will exited right after certificates update.

Environment variables

  • DOMAINS: Domains for your certificate. Example to example.com www.example.com.
  • EMAIL: Email for urgent notices and lost key recovery. Example to your@email.tld.
  • WEBROOT_PATH Path to the letsencrypt directory in the web server for checks. Example to /tmp/letsencrypt.
  • CHOWN Owner for certs. Defaults to root:root.
  • CHMOD Permissions for certs. Defaults to 644.
  • EXP_LIMIT The number of days before expiration of the certificate before request another one. Defaults to 30.
  • CHECK_FREQ: The number of days how often to perform checks. Defaults to 30.
Docker Pull Command
Owner
lagun4ik

Comments (0)