Public Repository

Last pushed: 2 months ago
Short Description
ZeroSSL client for obtaining Let's Encrypt certificates.
Full Description

Lightweight client for Let's Encrypt - Docker version, Alpine Linux based.

Runs as 'zerossl' user in the container, not as 'root'.

Note: To make it possible to write certificate-related files on the host file system, map /data appropriately or as shown below in the alias example.

How to use:

  • Pull the image (Note: you may need to be in docker group to use it)
    $ docker pull zerossl/client

  • Decide which host directory you will be keeping certificate files and keys in and which host directory is your 'acme-challenge' one (the latter is usually created as /webroot/.well-known/acme-challenge, where 'webroot' is the main directory with your web-server pages, often public_html). Let's say you keep files in /home/my_user/keys_and_certs and you are using /home/my_user/public_html/.well-known/acme-challenge. Those directories should be writable by your current user.

  • Run the container directly or create an alias similar to the one shown below (the alias name le-client is only a placeholder; choose any name you like)
    $ alias le-client='docker run -it -v /home/my_user/keys_and_certs:/data -v /home/my_user/public_html/.well-known/acme-challenge:/webroot -u $(id -u) --rm zerossl/client'

  • If you have created an alias (you can add it to your .bashrc for convenience), you can then run the client as normal. Without parameters you will be presented with a help screen.

  • If you are using the --path option (with or without --unlink) to create verification files automatically, use the mapped path, not the real one, so in the example above it will be /webroot
    $ le-client --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "," --generate-missing --path /webroot --unlink

If you want to include domains with different webroots on the same certificate, you should define the mappings first (as demonstrated above, using -v option in an alias command example) and then list webroots for each domain in the --path option (comma separated, in the same order as you list domains themselves).
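
The multi-webroot setup described above, as an added example (not code from the zerossl/client project): a shell function that checks each mapped host directory is writable by the current user and prints the docker run command with one -v mapping per domain and a matching, ordered --path list. The function name and the container mount points /webroot1, /webroot2, ... are assumptions made here, and host paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: compose a docker run command for one certificate that covers
# several domains, each with its own acme-challenge directory on the host.
# Assumed names (not from the page): build_multi_webroot_cmd, /webroot1..N.
# Usage with constructed values:
#   build_multi_webroot_cmd /home/my_user/keys_and_certs \
#       example.com=/srv/site_a/.well-known/acme-challenge \
#       example.org=/srv/site_b/.well-known/acme-challenge

build_multi_webroot_cmd() {
    keys_dir=$1
    shift
    # The container runs with the caller's UID (-u), so every mapped host
    # directory must be writable by that user or the client cannot write.
    [ -d "$keys_dir" ] && [ -w "$keys_dir" ] || {
        echo "not a writable directory: $keys_dir" >&2; return 1; }

    mounts="-v $keys_dir:/data"
    domains=""
    paths=""
    n=0
    for pair in "$@"; do
        domain=${pair%%=*}   # text before the first '='
        dir=${pair#*=}       # text after the first '='
        [ -n "$domain" ] && [ "$domain" != "$pair" ] || {
            echo "expected domain=dir, got: $pair" >&2; return 1; }
        [ -d "$dir" ] && [ -w "$dir" ] || {
            echo "not a writable directory: $dir" >&2; return 1; }
        n=$((n + 1))
        # One mapping per domain; domain and path lists grow in the same
        # order, which is what the --path option requires.
        mounts="$mounts -v $dir:/webroot$n"
        domains="${domains:+$domains,}$domain"
        paths="${paths:+$paths,}/webroot$n"
    done
    [ "$n" -gt 0 ] || { echo "no domain=dir pairs given" >&2; return 1; }

    # No --live here, so the printed command requests a test certificate.
    printf 'docker run -it %s -u %s --rm zerossl/client' "$mounts" "$(id -u)"
    printf ' --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt'
    printf ' --domains "%s" --generate-missing --path %s --unlink\n' "$domains" "$paths"
}
```

Review the printed command before running it; add --live only once the test run succeeds.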

Don't forget that by default a test certificate is generated; you will need to use the --live option to generate a 'real' trusted one.

Also, by default RSA encryption is used; if you want to use ECC, specify a curve name with the --curve option. You can use '--curve default' to use prime256v1.

This version of the client fully supports IDN (internationalized domain names).

For additional details visit
