Letsencrypt cert auto getting and renewal script based on letsencrypt base image. (Forked by P711)
- First, you need to set up your web server so that it gave the contents of the
/.well-known/acme-challenge
directory properly. Example, for nginx add location for your server:
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /tmp/letsencrypt;
}
- Then run your web server image with letsencrypt-webroot connected volumes:
-v /data/letsencrypt:/etc/letsencrypt
-v /data/letsencrypt-www:/tmp/letsencrypt
- Run letsencrypt-webroot image:
docker run \
--name some-letsencrypt \
-v /data/letsencrypt:/etc/letsencrypt \
-v /data/letsencrypt-www:/tmp/letsencrypt \
-e 'DOMAINS=example.com www.example.com' \
-e '[email protected]' \
-e 'WEBROOT_PATH=/tmp/letsencrypt' \
kvaps/letsencrypt-webroot
-
Configure your app to use certificates in the following path:
- Private key:
/etc/letsencrypt/live/example.com/privkey.pem
- Certificate:
/etc/letsencrypt/live/example.com/cert.pem
- Intermediates:
/etc/letsencrypt/live/example.com/chain.pem
- Certificate + intermediates:
/etc/letsencrypt/live/example.com/fullchain.pem
- Private key:
NOTE: You should connect /etc/letsencrypt
directory fully, because if you connect just /etc/letsencrypt/live
, then symlinks to your certificates inside it will not work!
You can also assign hook for your container, it will be launched after letsencrypt receive a new certificate.
- This feature requires a passthrough docker.sock into letsencrypt container:
-v /var/run/docker.sock:/var/run/docker.sock
- Also add
--link
to your container. Example:--link some-nginx
- Then add
LE_RENEW_HOOK
environment variable to your container:
Example hooks:
- nginx reload:
-e 'LE_RENEW_HOOK=docker kill -s HUP @CONTAINER_NAME@'
- container restart:
-e 'LE_RENEW_HOOK=docker restart @CONTAINER_NAME@'
For more detailed example, see the docker-compose configuration
This is example of letsencrypt-webroot with nginx configuration:
docker-compose.yml
nginx:
restart: always
image: nginx
hostname: example.com
volumes:
- /etc/localtime:/etc/localtime:ro
- ./nginx:/etc/nginx:ro
- ./letsencrypt/conf:/etc/letsencrypt
- ./letsencrypt/html:/tmp/letsencrypt
ports:
- 80:80
- 443:443
environment:
- LE_RENEW_HOOK=docker kill -s HUP @CONTAINER_NAME@
letsencrypt:
restart: always
image: kvaps/letsencrypt-webroot
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
- ./letsencrypt/conf:/etc/letsencrypt
- ./letsencrypt/html:/tmp/letsencrypt
links:
- nginx
environment:
- DOMAINS=example.com www.example.com
- [email protected]
- WEBROOT_PATH=/tmp/letsencrypt
- EXP_LIMIT=30
- CHECK_FREQ=30
You also can run it with once mode, just add once
in your docker command.
With this option a container will exited right after certificates update.
- DOMAINS: Domains for your certificate. Example to
example.com www.example.com
. - EMAIL: Email for urgent notices and lost key recovery. Example to
[email protected]
. - WEBROOT_PATH Path to the letsencrypt directory in the web server for checks. Example to
/tmp/letsencrypt
. - CHOWN Owner for certs. Defaults to
root:root
. - CHMOD Permissions for certs. Defaults to
644
. - EXP_LIMIT The number of days before expiration of the certificate before request another one. Defaults to
30
. - CHECK_FREQ: The number of days how often to perform checks. Defaults to
30
.