Obtaining a permanently free Let's Encrypt SSL certificate with Docker
- 2021-10-11 20:03:29
- OfStack
1. Background
The official certbot is too much hassle; acme.sh, which grew up outside the official project, is the better choice here. This post shows how to run acme.sh in Docker to obtain a permanently free Let's Encrypt SSL certificate.
2. Choice of tool
certbot's certificates do not renew themselves, whereas acme.sh has renewal built in: every day at 0:00 it checks for domains whose certificates are expiring and renews them automatically.
Running the client in Docker is meant to keep the host free of extra configuration and pointless programs, which makes management easier. For example, the Python 2.7, git and pip that the Let's Encrypt client needs do not have to be installed on the host; the container brings its own.
Source: https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker
3. Pull the image
$ docker pull neilpang/acme.sh
Run the container in DNS validation mode (the DNS provider's API credentials are passed as environment variables; the wildcard domain is quoted so the host shell cannot expand it):
$ docker run --rm -it \
-v "$(pwd)/out":/acme.sh \
-e Ali_Key="xxxxxx" \
-e Ali_Secret="xxxx" \
neilpang/acme.sh --issue --dns dns_ali -d domain.cn -d '*.domain.cn'
After a successful run the certificate is saved in the out folder. To save it somewhere else, change "$(pwd)/out" in the -v line above to the path you want.
4. Notes
--dns dns_ali
Choose this according to the DNS provider of your domain; here it is obviously Alibaba Cloud, which is why the two variables before it are Ali_Key and Ali_Secret.
Ali_Key, Ali_Secret
These must be obtained from the Alibaba Cloud console.
If you do not know which DNS provider name applies to your domain, look it up here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
To find out your domain's DNS provider and the related settings, you can also ask your domain registrar's customer service directly.
Tencent as an example:
$ docker run --rm -it \
-v "$(pwd)/out":/acme.sh \
-e DP_Id="xxxxxx" \
-e DP_Key="xxxx" \
neilpang/acme.sh --issue --dns dns_dp -d domain.cn -d '*.domain.cn'
Tencent bought DNSPod, so the provider is dns_dp.
At first I thought it would be TX_Id, TX_Key, dns_tx and so on.
After searching around, I found that my Alibaba Cloud server works normally, so the steps themselves were not the problem.
So I asked the company for the domain account and learned this from Tencent customer service.
Of course, this has nothing to do with Tencent; the company that dug the pit is more to blame.
I have nothing to do with this
5. Commands
Everyone understands docker run --rm: the container is removed as soon as it finishes, so how is it supposed to renew the SSL certificate automatically?
Method 1
Drop --rm and just use docker run.
The advantage is simplicity; the disadvantage is that a whole container exists for this one job, which wastes a lot of resources.
Method 2
Run docker run --rm from a scheduled task; the original wiki gives an example:
#run cron job
docker run --rm -it \
-v "$(pwd)/out":/acme.sh \
--net=host \
neilpang/acme.sh --cron
Here --cron is the acme.sh entry point meant to be called from a Linux crontab, so the exact usage is not spelled out here.
If you like crontab, use crontab.
If you don't, see item 2 of the original post.
Method 3
Tie it to the Docker daemon. The daemon has to be running anyway, so this does not waste resources.
This is the practice recommended by acme.sh.
Example, again from the original wiki:
$ docker run --rm -itd \
-v "$(pwd)/out":/acme.sh \
--net=host \
--name=acme.sh \
neilpang/acme.sh daemon
6. Final result
The image's entry script only starts the daemon (crond for renewals) when daemon is its first argument, so daemon cannot be appended to --issue. Start the daemon container once, with the DNS credentials in its environment, and issue the certificate inside it:
$ docker run --rm -itd \
-v "$(pwd)/out":/acme.sh \
-e DP_Id="xxxxxx" \
-e DP_Key="xxxx" \
--name=acme.sh \
neilpang/acme.sh daemon
$ docker exec acme.sh --issue --dns dns_dp -d domain.cn -d '*.domain.cn'
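The following script is an added example and is not code from the original post or from the acme.sh project. It wraps the daemon-container approach above (image neilpang/acme.sh, container name acme.sh, DNS providers dns_dp and dns_ali with the variable names used in the post) and moves the DNS API credentials out of the command line into a mode-600 env file passed with --env-file, checking the file before any container is started. The env file path, the output directory and the certificate path in cert_days_left are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or the acme.sh project.
# Drives the daemon container from the post (image neilpang/acme.sh, container
# name acme.sh) and keeps the DNS API credentials in a mode-600 env file that
# is handed to Docker with --env-file, so the key never appears in shell
# history or in the argument list of a running process. The env file path,
# output directory and container name below are assumptions of this example.

# Credential variable names required by the two DNS providers the post uses.
dns_required_vars() {
    case "$1" in
        dns_dp)  echo "DP_Id DP_Key" ;;        # DNSPod (Tencent)
        dns_ali) echo "Ali_Key Ali_Secret" ;;  # Alibaba Cloud
        *)       return 1 ;;
    esac
}

# Validate the env file: it must exist, be readable only by its owner, and
# define every variable the chosen provider needs. Prints the first problem
# found and returns 1, so a misconfiguration stops before any container runs.
check_env_file() {
    provider=$1; envfile=$2
    vars=$(dns_required_vars "$provider") || { echo "unknown DNS provider: $provider"; return 1; }
    [ -f "$envfile" ] || { echo "missing env file: $envfile"; return 1; }
    mode=$(stat -c %a "$envfile" 2>/dev/null || stat -f %Lp "$envfile")
    [ "$mode" = "600" ] || { echo "$envfile must be mode 600, is $mode"; return 1; }
    for v in $vars; do
        grep -q "^$v=." "$envfile" || { echo "$envfile does not set $v"; return 1; }
    done
}

# Single-quote a domain that contains a wildcard so the caller's shell cannot
# expand *.domain.cn against files in the current directory.
shell_quote_domain() {
    case "$1" in
        *\**) printf "'%s'" "$1" ;;
        *)    printf '%s' "$1" ;;
    esac
}

# Print the two commands: start the long-lived daemon container (crond inside
# it handles renewal) and issue the certificate with docker exec. The daemon
# keyword has to be the container's first argument, so issuing is a separate
# exec rather than an extra word on the --issue line.
build_commands() {
    provider=$1; envfile=$2; outdir=$3; shift 3
    check_env_file "$provider" "$envfile" || return 1
    domains=""
    for d in "$@"; do
        domains="$domains -d $(shell_quote_domain "$d")"
    done
    printf 'docker run -d --name acme.sh --env-file %s -v %s:/acme.sh neilpang/acme.sh daemon\n' \
        "$envfile" "$outdir"
    printf 'docker exec acme.sh --issue --dns %s%s\n' "$provider" "$domains"
}

# Days left on an issued certificate; acme.sh writes it under the mounted
# config home, e.g. out/domain.cn/fullchain.cer (path assumed from the mount).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$end" +%s)
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Usage: sh issue.sh run   (prints the commands; pipe the output into sh to execute)
if [ "${1:-}" = "run" ]; then
    build_commands dns_dp ./dnspod.env "$(pwd)/out" domain.cn '*.domain.cn'
fi
```

The env file keeps the DNS key out of shell history and out of the process list, but anyone who can run docker inspect on the container can still read it, and the key is stored in the container's config home for renewals. The DNS API credential can rewrite every record in the zone, so a sub-account or token limited to the zones being validated is the safer thing to put in the file, and cert_days_left gives a quick check that the daemon's renewals are actually happening.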