Lightweight client for Let's Encrypt - Docker version, Alpine Linux based.
Runs as 'zerossl' user in the container, not as 'root'.
To make it possible to write certificate-related files on the host file system, map /data appropriately or as shown below in the alias example.
How to use:
Pull the image (note: you may need to be in the docker group to use it)
$ docker pull zerossl/client
Decide which host directory you will be keeping certificate files and keys in and which host directory is your 'acme-challenge' one (the latter is usually created as /webroot/.well-known/acme-challenge, where 'webroot' is the main directory with your web-server pages, often public_html). Let's say you keep files in /home/my_user/keys_and_certs and you are using /home/my_user/public_html/.well-known/acme-challenge. Those directories should be writable by your current user.
Run the container directly or create an alias similar to the one shown below
$ alias le.pl='docker run -it -v /home/my_user/keys_and_certs:/data -v /home/my_user/public_html/.well-known/acme-challenge:/webroot -u $(id -u) --rm zerossl/client'
If you have created an alias (you can add it to your .bashrc for convenience), you can then run le.pl as normal. Without parameters you will be presented with a help screen.
If you are using the --path option (with or without --unlink) to create verification files automatically, use the mapped path, not the real one, so in the example above it will be /webroot.
$ le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "my.domain1.com,my.domain2.com" --generate-missing --path /webroot --unlink
If you want to include domains with different webroots on the same certificate, you should define the mappings first (as demonstrated above, using the -v option in the alias command example) and then list the webroots for each domain in the --path option (comma separated, in the same order as you list the domains themselves).
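The multi-webroot setup described above, as an added example that is not part of the original README or the project's own code. It assumes a second site directory under /home/my_user/site2 and container mount points named /webroot1, /webroot2 and so on; those names are illustrative, while the client options are the ones shown on this page.

```shell
# Added example: one certificate, several domains, a different webroot each.
# Assumptions (not from the README): the second site's directory and the
# /webroot1, /webroot2, ... mount point names inside the container.

# Constructed sample values: "domain=host acme-challenge directory", one per
# line. Paths must not contain whitespace (the list is split on it).
SITES='my.domain1.com=/home/my_user/public_html/.well-known/acme-challenge
my.domain2.com=/home/my_user/site2/.well-known/acme-challenge'
KEYS_DIR=/home/my_user/keys_and_certs

# Print the docker command. Each domain gets its own -v mapping, and --domains
# and --path are built in the same loop so their order always matches.
build_cmd() {
  domains='' paths='' mounts='' i=1
  for site in $SITES; do
    domain=${site%%=*}
    dir=${site#*=}
    mounts="$mounts -v $dir:/webroot$i"
    domains="${domains:+$domains,}$domain"
    paths="${paths:+$paths,}/webroot$i"
    i=$((i + 1))
  done
  echo "docker run -it --rm -u $(id -u) -v $KEYS_DIR:/data$mounts" \
    "zerossl/client --key account.key --csr domain.csr --csr-key domain.key" \
    "--crt domain.crt --domains \"$domains\" --generate-missing" \
    "--path $paths --unlink"
}

# The container runs as a non-root user (-u), so every mapped host directory
# must exist and be writable by the current user. Returns 1 if any is not.
check_writable() {
  rc=0
  for d in "$KEYS_DIR" $(for site in $SITES; do echo "${site#*=}"; done); do
    if [ ! -d "$d" ] || [ ! -w "$d" ]; then
      echo "not a writable directory: $d" >&2
      rc=1
    fi
  done
  return $rc
}

check_writable || echo "fix the directories listed above first" >&2
build_cmd
```

The script only prints the command so it can be reviewed before it is run.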
Don't forget that by default a test certificate is generated; you will need to use the --live option to generate a 'real' trusted one.
Also, by default RSA encryption is used. If you want to use ECC, specify a curve name with the --curve option. You can use '--curve default' to use prime256v1.
For additional details visit https://zerossl.com/#package