mirror of
https://github.com/vimagick/dockerfiles
synced 2024-06-28 09:41:20 +00:00
101 lines
2.6 KiB
Markdown
101 lines
2.6 KiB
Markdown
certbot
|
||
=======
|
||
|
||
[Let’s Encrypt][1] is a new Certificate Authority:
|
||
It’s free, automated, and open.
|
||
|
||
## docker-compose.yml
|
||
|
||
```
|
||
certbot:
|
||
image: quay.io/letsencrypt/letsencrypt
|
||
command: certonly --standalone
|
||
ports:
|
||
- "80:80"
|
||
- "443:443"
|
||
volumes:
|
||
- /etc/letsencrypt:/etc/letsencrypt
|
||
- /var/lib/letsencrypt:/var/lib/letsencrypt
|
||
```
|
||
|
||
## up and running
|
||
|
||
```
|
||
# stop nginx (release 80/tcp and 443/tcp)
|
||
$ systemctl stop nginx
|
||
|
||
# generate keys (interactive)
|
||
$ docker-compose run --rm --service-ports certbot
|
||
>>> email: admin@easypi.info
|
||
>>> domains: easypi.info,blog.easypi.info,wiki.easypi.info
|
||
|
||
# renew keys (headless)
|
||
$ crontab -l
|
||
0 0 * * * cd ~/fig/certbot && docker-compose run --rm certbot renew >> renew.log
|
||
|
||
# list keys
|
||
$ tree /etc/letsencrypt/live/
|
||
/etc/letsencrypt/live/
|
||
└── easypi.info
|
||
├── cert.pem -> ../../archive/easypi.info/cert1.pem
|
||
├── chain.pem -> ../../archive/easypi.info/chain1.pem
|
||
├── fullchain.pem -> ../../archive/easypi.info/fullchain1.pem
|
||
└── privkey.pem -> ../../archive/easypi.info/privkey1.pem
|
||
|
||
# deploy keys
|
||
$ mkdir -p /etc/nginx/ssl/
|
||
$ cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
|
||
$ cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key
|
||
|
||
# reconfig nginx
|
||
$ vi /etc/nginx/sites-enabled/default
|
||
server {
|
||
listen 80 default;
|
||
server_name _;
|
||
return 301 https://$host$request_uri;
|
||
}
|
||
|
||
server {
|
||
listen 443 ssl;
|
||
server_name easypi.info blog.easypi.info;
|
||
ssl_certificate ssl/easypi.info.crt;
|
||
ssl_certificate_key ssl/easypi.info.key;
|
||
location / {
|
||
proxy_pass http://127.0.0.1:8000;
|
||
}
|
||
}
|
||
|
||
# start nginx
|
||
$ systemctl start nginx
|
||
```
|
||
|
||
You can also generate keys without docker.
|
||
|
||
```bash
|
||
# install
|
||
apt install build-essential dialog libffi-dev libssl-dev python2.7-dev
|
||
curl -sSL https://bootstrap.pypa.io/get-pip.py | python2
|
||
pip2 install letsencrypt
|
||
|
||
# generate
|
||
letsencrypt certonly --standalone -d easypi.info -d blog.easypi.info -d wiki.easypi.info
|
||
|
||
# deploy
|
||
mkdir -p /etc/nginx/ssl
|
||
cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
|
||
cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key
|
||
|
||
# renew
|
||
letsencrypt renew
|
||
```
|
||
|
||
## references
|
||
|
||
- <https://letsencrypt.readthedocs.org/en/latest/using.html#running-with-docker>
|
||
- <https://docs.docker.com/compose/reference/run/>
|
||
- <http://nginx.org/en/docs/http/configuring_https_servers.html>
|
||
- <https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04>
|
||
- <http://support.ghost.org/setup-ssl-self-hosted-ghost/>
|
||
|
||
[1]: https://letsencrypt.org/
|