1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-01-24 05:17:06 +02:00

certbot

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

docker-compose.yml

certbot:
  image: quay.io/letsencrypt/letsencrypt
  command: certonly --standalone
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /etc/letsencrypt:/etc/letsencrypt
    - /var/lib/letsencrypt:/var/lib/letsencrypt

up and running

# stop nginx (release 80/tcp and 443/tcp)
$ systemctl stop nginx

# generate keys (interactive)
$ docker-compose run --rm --service-ports certbot
>>> email: admin@easypi.info
>>> domains: easypi.info,blog.easypi.info,wiki.easypi.info

# renew keys (headless)
$ docker-compose run --rm --service-ports certbot renew

# list keys
$ tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
└── easypi.info
    ├── cert.pem -> ../../archive/easypi.info/cert1.pem
    ├── chain.pem -> ../../archive/easypi.info/chain1.pem
    ├── fullchain.pem -> ../../archive/easypi.info/fullchain1.pem
    └── privkey.pem -> ../../archive/easypi.info/privkey1.pem

# deploy keys
$ mkdir -p /etc/nginx/ssl/
$ cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
$ cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key

# reconfig nginx
$ vi /etc/nginx/sites-enabled/default
server {
    listen 80 default;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name easypi.info blog.easypi.info;
    ssl_certificate ssl/easypi.info.crt;
    ssl_certificate_key ssl/easypi.info.key;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}

# start nginx
$ systemctl start nginx

You can also generate keys without docker.

# install
apt install build-essential dialog libffi-dev libssl-dev python2.7-dev
curl -sSL https://bootstrap.pypa.io/get-pip.py | python2
pip2 install letsencrypt

# generate
letsencrypt certonly --standalone -d easypi.info -d blog.easypi.info -d wiki.easypi.info

# deploy
mkdir -p /etc/nginx/ssl
cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key

# renew
letsencrypt renew

references