1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-01-20 04:59:27 +02:00
dockerfiles/certbot/README.md

101 lines
2.6 KiB
Markdown
Raw Normal View History

2016-07-29 14:51:39 +08:00
certbot
=======
2015-12-21 22:50:38 +08:00
[Let’s Encrypt][1] is a new Certificate Authority:
It’s free, automated, and open.
## docker-compose.yml
```
2016-07-29 14:51:39 +08:00
certbot:
2015-12-21 22:50:38 +08:00
image: quay.io/letsencrypt/letsencrypt
2016-07-29 14:51:39 +08:00
command: certonly --standalone
2015-12-21 22:50:38 +08:00
ports:
- "80:80"
- "443:443"
volumes:
2016-07-29 14:51:39 +08:00
- /etc/letsencrypt:/etc/letsencrypt
- /var/lib/letsencrypt:/var/lib/letsencrypt
2015-12-21 22:50:38 +08:00
```
## up and running
```
2016-01-16 13:39:09 +08:00
# stop nginx (release 80/tcp and 443/tcp)
2015-12-21 22:50:38 +08:00
$ systemctl stop nginx
2016-07-29 14:51:39 +08:00
# generate keys (interactive)
$ docker-compose run --rm --service-ports certbot
2016-05-01 09:06:20 +08:00
>>> email: admin@easypi.info
2016-05-06 15:03:51 +08:00
>>> domains: easypi.info,blog.easypi.info,wiki.easypi.info
2015-12-21 22:50:38 +08:00
2016-07-29 14:51:39 +08:00
# renew keys (headless)
2017-03-27 11:07:04 +08:00
$ crontab -l
0 0 * * * cd ~/fig/certbot && docker-compose run --rm certbot renew >> renew.log
2016-07-29 14:51:39 +08:00
# list keys
$ tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
└── easypi.info
├── cert.pem -> ../../archive/easypi.info/cert1.pem
├── chain.pem -> ../../archive/easypi.info/chain1.pem
├── fullchain.pem -> ../../archive/easypi.info/fullchain1.pem
└── privkey.pem -> ../../archive/easypi.info/privkey1.pem
2016-05-06 15:03:51 +08:00
# deploy keys
2015-12-21 22:50:38 +08:00
$ mkdir -p /etc/nginx/ssl/
2016-07-29 14:51:39 +08:00
$ cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
$ cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key
2015-12-21 22:50:38 +08:00
# reconfig nginx
$ vi /etc/nginx/sites-enabled/default
server {
2016-01-16 13:39:09 +08:00
listen 80 default;
server_name _;
return 301 https://$host$request_uri;
2015-12-21 22:50:38 +08:00
}
server {
2016-01-16 13:39:09 +08:00
listen 443 ssl;
2016-05-01 09:06:20 +08:00
server_name easypi.info blog.easypi.info;
ssl_certificate ssl/easypi.info.crt;
ssl_certificate_key ssl/easypi.info.key;
2016-01-16 13:39:09 +08:00
location / {
proxy_pass http://127.0.0.1:8000;
}
2015-12-21 22:50:38 +08:00
}
# start nginx
$ systemctl start nginx
```
2016-05-06 15:03:51 +08:00
You can also generate keys without docker.
```bash
# install
apt install build-essential dialog libffi-dev libssl-dev python2.7-dev
curl -sSL https://bootstrap.pypa.io/get-pip.py | python2
pip2 install letsencrypt
# generate
letsencrypt certonly --standalone -d easypi.info -d blog.easypi.info -d wiki.easypi.info
# deploy
mkdir -p /etc/nginx/ssl
cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key
# renew
letsencrypt renew
```
2015-12-21 22:50:38 +08:00
## references
2016-05-06 15:03:51 +08:00
- <https://letsencrypt.readthedocs.org/en/latest/using.html#running-with-docker>
- <https://docs.docker.com/compose/reference/run/>
- <http://nginx.org/en/docs/http/configuring_https_servers.html>
2016-05-25 09:36:06 +08:00
- <https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04>
2016-05-06 15:03:51 +08:00
- <http://support.ghost.org/setup-ssl-self-hosted-ghost/>
2015-12-21 22:50:38 +08:00
[1]: https://letsencrypt.org/