moony/dockerfiles
1
2
Fork 0
mirror of https://github.com/vimagick/dockerfiles synced 2024-06-16 03:48:44 +00:00
Code Issues Releases Wiki Activity
cc939a0151
dockerfiles/certbot/README.md
kev fadb657195 update certbot
2017-03-27 11:07:04 +08:00

101 lines
2.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

certbot
=======
[Lets Encrypt][1] is a new Certificate Authority:
Its free, automated, and open.
## docker-compose.yml
```
certbot:
image: quay.io/letsencrypt/letsencrypt
command: certonly --standalone
ports:
- "80:80"
- "443:443"
volumes:
- /etc/letsencrypt:/etc/letsencrypt
- /var/lib/letsencrypt:/var/lib/letsencrypt
```
## up and running
```
# stop nginx (release 80/tcp and 443/tcp)
$ systemctl stop nginx
# generate keys (interactive)
$ docker-compose run --rm --service-ports certbot
>>> email: admin@easypi.info
>>> domains: easypi.info,blog.easypi.info,wiki.easypi.info
# renew keys (headless)
$ crontab -l
0 0 * * * cd ~/fig/certbot && docker-compose run --rm certbot renew >> renew.log
# list keys
$ tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
└── easypi.info
├── cert.pem -> ../../archive/easypi.info/cert1.pem
├── chain.pem -> ../../archive/easypi.info/chain1.pem
├── fullchain.pem -> ../../archive/easypi.info/fullchain1.pem
└── privkey.pem -> ../../archive/easypi.info/privkey1.pem
# deploy keys
$ mkdir -p /etc/nginx/ssl/
$ cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
$ cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key
# reconfig nginx
$ vi /etc/nginx/sites-enabled/default
server {
listen 80 default;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name easypi.info blog.easypi.info;
ssl_certificate ssl/easypi.info.crt;
ssl_certificate_key ssl/easypi.info.key;
location / {
proxy_pass http://127.0.0.1:8000;
}
}
# start nginx
$ systemctl start nginx
```
You can also generate keys without docker.
```bash
# install
apt install build-essential dialog libffi-dev libssl-dev python2.7-dev
curl -sSL https://bootstrap.pypa.io/get-pip.py | python2
pip2 install letsencrypt
# generate
letsencrypt certonly --standalone -d easypi.info -d blog.easypi.info -d wiki.easypi.info
# deploy
mkdir -p /etc/nginx/ssl
cp /etc/letsencrypt/live/easypi.info/fullchain.pem /etc/nginx/ssl/easypi.info.crt
cp /etc/letsencrypt/live/easypi.info/privkey.pem /etc/nginx/ssl/easypi.info.key
# renew
letsencrypt renew
```
## references
- <https://letsencrypt.readthedocs.org/en/latest/using.html#running-with-docker>
- <https://docs.docker.com/compose/reference/run/>
- <http://nginx.org/en/docs/http/configuring_https_servers.html>
- <https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04>
- <http://support.ghost.org/setup-ssl-self-hosted-ghost/>
[1]: https://letsencrypt.org/
Reference in New Issue View Git Blame Copy Permalink