How to obtain a free, automatically renewed Let's Encrypt SSL certificate with acme.sh in Docker

  • 2021-10-11 20:03:29
  • OfStack

1. Motivation

The official certbot is too fiddly. acme.sh, a community project that grew organically, is easier to work with, so this article runs acme.sh in Docker to obtain a Let's Encrypt SSL certificate that stays free for good because it is renewed automatically.

2. Choosing the tool

A certbot certificate does not renew itself; acme.sh ships with that function built in: it checks once a day, at 0:00, for certificates that are about to expire and renews them automatically.

Running acme.sh in Docker keeps the host's configuration and the number of stray programs to a minimum, which makes the server easier to manage. For example, the Python 2.7, git and pip that the official client needs do not have to be installed on the host at all; the container brings its own dependencies.

Reference: https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker

3. Pull the image


$ docker pull neilpang/acme.sh

Run the container in DNS validation mode (the ACME challenge is completed through the domain's DNS API, which is also the only mode that can issue a wildcard such as *.domain.cn):


$ docker run --rm -it \
 -v "$(pwd)/out":/acme.sh \
 -e Ali_Key="xxxxxx" \
 -e Ali_Secret="xxxx" \
 neilpang/acme.sh --issue --dns dns_ali -d domain.cn -d *.domain.cn

On success the certificate is saved under the out directory (mounted into the container as /acme.sh). To store it somewhere else, change "$(pwd)/out" in the -v line above to the path you want. Note that this directory also ends up holding account.conf, in which acme.sh saves the DNS API credentials, and the private keys, so keep it readable by root only.

4. Notes

--dns dns_ali

This has to match the DNS provider that hosts your domain; here it is Alibaba Cloud, which is why the two variables above are Ali_Key and Ali_Secret.

Ali_Key, Ali_Secret

These are an AccessKey pair obtained from the Alibaba Cloud console, ideally for a RAM sub-user that is only allowed to manage DNS rather than for the main account.

If you are not sure which DNS API your provider uses, the list of supported providers and the variables each one needs is at https://github.com/acmesh-official/acme.sh/wiki/dnsapi

To find out who actually serves your domain's DNS and how to get the credentials, check the domain's NS records (for example with dig NS domain.cn) or simply ask your domain registrar's support.

Tencent Cloud as an example


$ docker run --rm -it \
 -v "$(pwd)/out":/acme.sh \
 -e DP_Id="xxxxxx" \
 -e DP_Key="xxxx" \
 neilpang/acme.sh --issue --dns dns_dp -d domain.cn -d *.domain.cn

Tencent acquired DNSPod, so the provider is dns_dp and the variables are DP_Id and DP_Key.

At first I assumed it would be TX_Id, TX_Key, dns_tx and so on.

After going round in circles I found that my Alibaba Cloud server was working normally and the steps were correct.

So I asked the company for the domain name account and learned this from Tencent customer service.

Of course this is not Tencent's fault; the bigger blame lies with the company that dug the hole.

It has nothing to do with me either.

5. Commands

Everyone knows what docker run --rm does: the container is deleted as soon as the command finishes, so after the one-off run above there is nothing left that could renew the SSL certificate automatically.

Method 1

Run without --rm, i.e. a plain docker run.

The advantage is simplicity; the disadvantage is that a whole container is kept around for this one job, which is wasteful.

Method 2

Run docker run --rm ... --cron from a scheduled task on the host. The original wiki gives this example (the -it from the interactive commands must be dropped here: cron has no TTY, and docker would abort with "the input device is not a TTY"):


# run from the host's crontab (no -it: cron has no TTY)
docker run --rm \
 -v "$(pwd)/out":/acme.sh \
 --net=host \
 neilpang/acme.sh --cron

Note that --cron here is acme.sh's own command: it runs the renewal check over every certificate it has issued and renews the ones that are due. It is not a crontab option of Linux; the scheduling is done by the host's crontab (for example once a day), so the usage is straightforward.

Those who like crontab can use crontab.

If you don't, use the daemon mode below (Method 3).

Method 3

Run the container itself as a daemon: the image's daemon mode starts crond inside the container, which runs acme.sh --cron on schedule. The container then has to stay up, but one idle container costs very little, so this is not a waste of resources.

This is the approach the acme.sh wiki recommends.

The example, again from the original wiki:


$ docker run --rm -itd \
 -v "$(pwd)/out":/acme.sh \
 --net=host \
 --name=acme.sh \
 neilpang/acme.sh daemon

6. Final result

Start the daemon container once, then issue the certificate by exec-ing into it. Appending daemon to the --issue command does not work: the image only enters daemon mode when daemon is the first argument, and acme.sh rejects a trailing daemon as an unknown parameter, so the container would exit instead of running crond.


$ docker run --rm -itd \
 -v "$(pwd)/out":/acme.sh \
 --net=host \
 --name=acme.sh \
 neilpang/acme.sh daemon

$ docker exec \
 -e DP_Id="xxxxxx" \
 -e DP_Key="xxxx" \
 acme.sh --issue --dns dns_dp -d domain.cn -d *.domain.cn
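The following wrapper is an added example written for this article; it is not code from the page or from the acme.sh project. It strings the steps above together (the daemon container, issuing through docker exec, and the host-crontab renewal of Method 2) and goes a little beyond the page in two places: it refuses to use an out directory that other users can read (that directory ends up holding account.conf with the saved DNS API secret and the private keys), and after --cron it reloads the web server only when fullchain.cer actually changed. The container name acme.sh, the output directory ./out, the domain domain.cn, the certificate path out/domain.cn/fullchain.cer (newer acme.sh versions may put it in a domain.cn_ecc directory instead), the DP_Id/DP_Key credentials read from the environment and nginx -s reload are all assumptions.

```shell
#!/bin/sh
# Added example; not code from the page or from the acme.sh project.
# A small wrapper around the neilpang/acme.sh image for the workflow above:
#   start  - one long-running container in daemon mode (crond inside it)
#   issue  - issue via `docker exec` into that container (Tencent/DNSPod)
#   renew  - cron-safe renewal for a host crontab that reloads the web
#            server only when the certificate file actually changed
# Assumed (hypothetical): container name acme.sh, output dir ./out,
# domain domain.cn, cert at out/domain.cn/fullchain.cer, `nginx -s reload`.
set -eu

IMAGE=neilpang/acme.sh
NAME=acme.sh
OUT=${OUT:-$(pwd)/out}
DOMAIN=${DOMAIN:-domain.cn}
STATE=${STATE:-$OUT/.deployed.sha256}   # hash of the last deployed cert

# sha256 of a file: coreutils sha256sum, or shasum on BSD/macOS.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# /acme.sh ends up holding account.conf (with the saved DNS API secret) and
# the private keys, so refuse to work with a directory other users can read.
check_out_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *0) return 0 ;;                    # no permission bits for "other"
    *) echo "$1 is mode $mode; run: chmod 700 $1" >&2; return 1 ;;
  esac
}

start_daemon() {
  check_out_perms "$OUT"
  docker run --rm -itd -v "$OUT":/acme.sh --net=host --name="$NAME" "$IMAGE" daemon
}

# The image provides /usr/local/bin/--issue etc., so `docker exec NAME --issue`
# works. Credentials go in with -e as in section 4; acme.sh saves them into
# account.conf on success, so later renewals inside the container need no env.
issue() {
  docker exec \
    -e DP_Id="${DP_Id:?set DP_Id}" \
    -e DP_Key="${DP_Key:?set DP_Key}" \
    "$NAME" --issue --dns dns_dp -d "$DOMAIN" -d "*.$DOMAIN"
}

# Returns 0 (and records the new hash in $2) when $1 differs from the last
# deployed copy or was never deployed; returns 1 when nothing changed.
cert_changed() {
  cert=$1; state=$2
  new=$(file_hash "$cert")
  old=$(cat "$state" 2>/dev/null || true)
  [ "$new" != "$old" ] || return 1
  printf '%s\n' "$new" >"$state"
}

# Method 2 from the host crontab. No -i/-t: cron has no TTY and docker
# would abort with "the input device is not a TTY". acme.sh --cron only
# rewrites the certificate files when a renewal was due, so reload only then.
renew() {
  check_out_perms "$OUT"
  docker run --rm -v "$OUT":/acme.sh --net=host "$IMAGE" --cron
  if cert_changed "$OUT/$DOMAIN/fullchain.cer" "$STATE"; then
    nginx -s reload
  fi
}

case "${1:-}" in
  start) start_daemon ;;
  issue) issue ;;
  renew) renew ;;
esac
```

Put `renew` in the host's crontab (for example `0 0 * * * /path/to/wrapper.sh renew`); the change check means a reload happens only on the days a certificate was actually renewed, and the permission check fails loudly before any secret is written into a world-readable directory.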
