waja revidoval tento gist 10 years ago. Přejít na revizi
1 file changed, 56 insertions
letsencrypt_docker.md(vytvořil soubor)
| @@ -0,0 +1,56 @@ | |||
| 1 | + | # Deploying [Letsencrypt](https://letsencrypt.org/) certificates with [Docker](http://docker.org). | |
| 2 | + | ||
| 3 | + | ## Preparing Docker environment and configure letsencrypt | |
| 4 | + | ```sh | |
| 5 | + | mkdir -p /srv/docker/letsencrypt/etc/ | |
| 6 | + | mkdir -p /srv/docker/letsencrypt/log | |
| 7 | + | chmod 700 /srv/docker/letsencrypt/log | |
| 8 | + | mkdir -p /srv/docker/letsencrypt/lib/webrootauth | |
| 9 | + | mkdir /etc/letsencrypt/ | |
| 10 | + | ln -s /srv/docker/letsencrypt/etc/live/ /etc/letsencrypt/ | |
| 11 | + | cat > /srv/docker/letsencrypt/etc/webroot.ini <<EOF | |
| 12 | + | # Use a 4096 bit RSA key instead of 2048 | |
| 13 | + | rsa-key-size = 4096 | |
| 14 | + | ||
| 15 | + | # Always use the staging/testing server | |
| 16 | + | server = https://acme-v01.api.letsencrypt.org/directory | |
| 17 | + | ||
| 18 | + | # Uncomment and update to register with the specified e-mail address | |
| 19 | + | email = <email> | |
| 20 | + | ||
| 21 | + | # Use the text output instead of the curses UI. | |
| 22 | + | text = True | |
| 23 | + | ||
| 24 | + | # Agree Terms of Service | |
| 25 | + | agree-tos = True | |
| 26 | + | ||
| 27 | + | # Select renewal by default | |
| 28 | + | # renew-by-default = True | |
| 29 | + | ||
| 30 | + | # Use webroot authenticator plugin | |
| 31 | + | authenticator = webroot | |
| 32 | + | ||
| 33 | + | # Define webroot path for authenticator plugin | |
| 34 | + | webroot-path = /var/lib/letsencrypt/webrootauth | |
| 35 | + | EOF | |
| 36 | + | ``` | |
| 37 | + | ||
| 38 | + | ## Request certificate | |
| 39 | + | ||
| 40 | + | ```sh | |
| 41 | + | docker run --rm --name letsencrypt -v "/srv/docker/letsencrypt/log:/var/log/letsencrypt" -v "/srv/docker/letsencrypt/etc:/etc/letsencrypt" -v "/srv/docker/letsencrypt/lib:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest --webroot-path "/var/lib/letsencrypt/webrootauth" -c "/etc/letsencrypt/webroot.ini" -d <domain> certonly | |
| 42 | + | ``` | |
| 43 | + | ||
| 44 | + | ## Renew | |
| 45 | + | ||
| 46 | + | ```sh | |
| 47 | + | cat > /etc/cron.daily/letsencrypt_autorenew << EOF | |
| 48 | + | #!/bin/bash | |
| 49 | + | ||
| 50 | + | docker run --rm --name letsencrypt -v "/srv/docker/letsencrypt/log:/var/log/letsencrypt" -v "/srv/docker/letsencrypt/etc:/etc/letsencrypt" -v "/srv/docker/letsencrypt/lib:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest --webroot-path "/var/lib/letsencrypt/webrootauth" -c "/etc/letsencrypt/webroot.ini" renew | grep -v -E "(^Processing|certs are not due for renewal|skipped|^No renewals were attempted|^$)" | |
| 51 | + | if [ $(find /etc/letsencrypt/live/*/cert.pem -mmin -5|wc -l) -gt 0 ]; then | |
| 52 | + | /etc/init.d/nginx reload; | |
| 53 | + | fi | |
| 54 | + | EOF | |
| 55 | + | chmod +x /etc/cron.daily/letsencrypt_autorenew | |
| 56 | + | ``` | |
Novější
Starší