Generate a Let's Encrypt certificate using Docker

Source: Internet
Author: User
Tags: creative commons attribution, nginx, server, docker run, letsencrypt
Concept
    1. What is a container?
      www.docker.com/resources/what-container
      www.docker.com/why-docker
    2. What is Let's Encrypt?
      Let's Encrypt is a free, automated, and open certificate authority.
Installation
    1. Installing Docker

      docs.docker.com/install/linux/docker-ce/ubuntu/

    2. Pull the image
      docker pull linuxserver/letsencrypt

Detailed introduction and usage:

hub.docker.com/r/linuxserver/letsencrypt

github.com/linuxserver/docker-letsencrypt

Brief description

This image bundles an Nginx server (used as the reverse proxy), PHP, the Let's Encrypt client (certbot) that issues and renews the certificate, and fail2ban to block intrusion attempts.
This article requests the certificate with the http validation method. Readers who want the tls-sni or dns methods should refer to the "Detailed introduction and usage" links above.

How to use

Fill in the appropriate value for every <> placeholder.

docker run \
  --cap-add=NET_ADMIN \
  --name=letsencrypt \
  -v <path to data>:/config \
  -e PGID=<gid> -e PUID=<uid> \
  -e EMAIL=<email> \
  -e URL=<url> \
  -e SUBDOMAINS=<subdomains> \
  -e VALIDATION=http \
  -p 80:80 -p 443:443 \
  -e TZ=Asia/Shanghai \
  linuxserver/letsencrypt
Parameter introduction

Taken from the github.com README, with modifications.

    • -p 80:80 -p 443:443 - the ports published on the host. Port 80 must be reachable from the Internet for the domain being validated, because http validation serves the challenge there and renewals use it too.
    • -v <path to data>:/config - the directory holding all configuration files and the web root (author's note: just pick a writable path; the container will create a pile of files under it). <your-path> below refers to this directory.
    • -e URL - the top-level domain, e.g. test.com
    • -e SUBDOMAINS - second-level names such as www,ftp,cloud; separate several with ",". The http method does not support wildcard domains; if you need one, use the dns method, which this article does not cover.
    • -e VALIDATION - the method used to validate the Let's Encrypt request (http here)
    • -e PGID - the group ID; see the user/group section below. Do not use root's GID.
    • -e PUID - the user ID; see the user/group section below. Do not use root's UID.
    • -e TZ - the time zone, e.g. Asia/Shanghai
User/group identification

Permission problems can occur between the host operating system and the container when a data volume (the -v flag) is used. The image avoids this by letting you specify the user (PUID) and group (PGID) it runs as. Make sure the data volume directory on the host is owned by that same user, and it "just works".

In this example PUID=1001 and PGID=1001. To find the IDs of a user, run id on that user:

id <dockeruser>
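The script below is an added example (mine, not the article's and not part of the linuxserver image): it turns the steps above into checks before anything is started. It refuses PUID/PGID 0, as the parameter list demands, refuses a wildcard in SUBDOMAINS because http validation cannot satisfy one, creates the host directory with the right owner, and assembles the docker run command from the page. The `-d` flag (run detached, so `docker logs -f` can be used afterwards), the function names and the check logic are this example's own assumptions; the environment variable names are the image's.

```shell
#!/bin/sh
# Added example: validate the PUID/PGID choice, prepare the /config volume on
# the host and assemble the docker run command for linuxserver/letsencrypt.
# The checks are this example's own; the -e variable names are the image's.

# check_ids UID GID: both must be decimal and neither may be 0 (root).
check_ids() {
    uid=$1; gid=$2
    case "$uid" in ''|*[!0-9]*) echo "PUID must be numeric: '$uid'" >&2; return 1;; esac
    case "$gid" in ''|*[!0-9]*) echo "PGID must be numeric: '$gid'" >&2; return 1;; esac
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to run the container as root (PUID/PGID 0)" >&2
        return 1
    fi
}

# check_subdomains LIST: http validation cannot issue wildcard certificates,
# so a '*' anywhere in SUBDOMAINS is rejected before certbot ever runs.
check_subdomains() {
    case "$1" in
        *'*'*) echo "wildcard subdomains need dns validation, not http: '$1'" >&2; return 1;;
    esac
}

# prepare_config_dir PATH UID GID: create the volume directory and hand it to
# the container user so the image can write its files under it.
prepare_config_dir() {
    mkdir -p "$1" && chown "$2:$3" "$1"
}

# build_run_cmd PATH UID GID EMAIL URL SUBDOMAINS: print the docker run line.
# --cap-add=NET_ADMIN is what the bundled fail2ban needs to manage iptables;
# -d (detached) is an addition so that docker logs -f can be used afterwards.
build_run_cmd() {
    check_ids "$2" "$3" || return 1
    check_subdomains "$6" || return 1
    printf 'docker run -d --cap-add=NET_ADMIN --name=letsencrypt'
    printf ' -v %s:/config -e PUID=%s -e PGID=%s' "$1" "$2" "$3"
    printf ' -e EMAIL=%s -e URL=%s -e SUBDOMAINS=%s' "$4" "$5" "$6"
    printf ' -e VALIDATION=http -e TZ=Asia/Shanghai -p 80:80 -p 443:443'
    printf ' linuxserver/letsencrypt\n'
}

# Usage (assumed values): sh prepare.sh /srv/letsencrypt 1001 1001 admin@test.com test.com www,cloud
if [ -n "${1:-}" ]; then
    prepare_config_dir "$1" "$2" "$3" || exit 1
    build_run_cmd "$1" "$2" "$3" "$4" "$5" "$6" || exit 1
fi
```

Run the printed command as is, or pipe it into sh; the point of printing it first is that a rejected PUID or a wildcard is caught before a container named letsencrypt exists and has to be removed.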
Run

After typing the docker run command above, be patient: on first use the container generates DH parameters, which takes a while.
View status

docker logs -f letsencrypt

If you see the below, you're done.

..................Server ready

So where is the issued certificate?
Once the status output is as above, the certificate is at <your-path>/etc/letsencrypt/live/<domain> on the host (/config/etc/letsencrypt/live/<domain> inside the container). For what each file in that directory is for, read the README certbot leaves next to them; this article does not describe it.
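Before pointing nginx at those files it is worth checking them. The following is an added example (my own, not the article's or the image's): it uses the openssl command line on the certbot file names, fullchain.pem and privkey.pem, to list the names the certificate covers, confirm the private key belongs to it, and warn when less time remains than certbot's renewal window should allow. The function names and the thresholds are this example's assumptions.

```shell
#!/bin/sh
# Added example: sanity checks on the files certbot leaves in
# /config/etc/letsencrypt/live/<domain>. Uses only the openssl CLI.
# The checking functions and thresholds are this example's own.

# cert_sans CERT: print the DNS names in the Subject Alternative Name
# extension, one per line. openssl x509 reads the first (leaf) certificate
# of fullchain.pem, which is the one that matters here.
cert_sans() {
    openssl x509 -noout -text -in "$1" |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_covers CERT NAME: succeed if NAME is one of the SANs. A certificate
# requested with URL=test.com SUBDOMAINS=www must list test.com and www.test.com.
cert_covers() {
    cert_sans "$1" | grep -qx "$2"
}

# cert_valid_for_days CERT DAYS: succeed if the certificate is still valid DAYS
# days from now. certbot renews once fewer than 30 days remain, so failing at
# DAYS=30 is expected around renewal time; failing at DAYS=7 means the
# automatic renewal inside the container is broken and needs attention.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_matches_key CERT KEY: succeed if the certificate's public key is the
# public half of KEY, i.e. nginx would be serving a matching pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (assumed paths): sh certcheck.sh <your-path>/etc/letsencrypt/live/test.com www.test.com
if [ -n "${1:-}" ]; then
    live=$1; name=${2:-}
    cert_sans "$live/fullchain.pem"
    cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" || echo "cert/key mismatch" >&2
    cert_valid_for_days "$live/fullchain.pem" 7 || echo "fewer than 7 days left" >&2
    [ -z "$name" ] || cert_covers "$live/fullchain.pem" "$name" || echo "$name not covered" >&2
fi
```

The same script works from a cron job on the host as a renewal monitor: since the image renews automatically, the only signal an operator normally gets that renewal has silently stopped is the expiry check failing.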

Reverse Proxy

The default settings of this image are already tuned for reverse proxying (thanks to the maintainers). The simplest approach is to look in <your-path>/nginx/proxy-confs (/config/nginx/proxy-confs inside the container) for a configuration file that fits your application and remove its .sample suffix. I found that those files do not suit every situation, so in the end I wrote my own configuration files.

Note: there are two ways to reverse proxy. The first uses one domain name with a different path for each backend; the second uses a different domain name, and thus a different virtual host, for each backend. This article uses the second; for details see <your-path>/nginx/proxy-confs/_readme.

Switch to the site configuration directory

cd <your-path>/nginx/site-confs

You can leave the default file alone (or, of course, edit the server block inside it directly); for brevity the author creates a new file instead.

Create a file named after your domain, e.g.

touch test.com

Modify a file

vi test.com

The file contents are as follows

server {
    listen 443 ssl;
    server_name <your-domain>;
    charset utf-8;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass <Web-OR-ContainerName>;
    }
}

Fill in <your-domain> with the domain name and <Web-OR-ContainerName> with the URL of the backend or the name of its container, for example proxy_pass http://gogsWeb:3000/; . How containers reach each other by name is covered in the next section. If you need several reverse proxies, repeat this: create another file containing another virtual host, distinguished by its server_name.
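To script this step for several virtual hosts, here is an added example (mine, not the article's or the image's). It writes one file per domain into the site-confs directory with the server block from the article, and rejects an upstream that lacks a scheme (nginx refuses a proxy_pass without http:// or https://) or a trailing slash (the form the article uses), as well as a server_name with characters nginx would not accept in a host name. The directory argument is whatever <your-path>/nginx/site-confs is on your host; the function names and checks are this example's own.

```shell
#!/bin/sh
# Added example: write one site-conf per virtual host in the layout the article
# describes. The include paths are the image's own; the validation of the
# upstream URL and the server_name is this example's.

# valid_upstream URL: require the scheme nginx needs and the trailing slash the
# article's example uses (proxy_pass http://gogsWeb:3000/;).
valid_upstream() {
    case "$1" in
        http://*/|https://*/) return 0;;
        *) echo "upstream must look like http://container:port/ : '$1'" >&2; return 1;;
    esac
}

# valid_name DOMAIN: letters, digits, dots and hyphens only; an empty or
# malformed server_name would silently match the wrong virtual host.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) echo "bad server_name: '$1'" >&2; return 1;;
    esac
}

# write_vhost CONFDIR DOMAIN UPSTREAM: create CONFDIR/DOMAIN and print its path.
write_vhost() {
    confdir=$1; domain=$2; upstream=$3
    valid_name "$domain" || return 1
    valid_upstream "$upstream" || return 1
    mkdir -p "$confdir" || return 1
    cat > "$confdir/$domain" <<EOF
server {
    listen 443 ssl;
    server_name $domain;
    charset utf-8;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass $upstream;
    }
}
EOF
    echo "$confdir/$domain"
}

# Usage (assumed values): sh vhost.sh /srv/letsencrypt/nginx/site-confs test.com http://gogsWeb:3000/
if [ -n "${1:-}" ]; then
    write_vhost "$1" "$2" "$3" || exit 1
fi
```

After writing a file, restart the letsencrypt container as the article does at the end so nginx loads it; if nginx fails to start, docker logs letsencrypt shows which file it rejected.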

Container interconnection

Reference: docs.docker.com

docker network create cert_network
docker network connect cert_network <other-container>
docker network connect cert_network letsencrypt

Note that a container reached this way does not need -p, i.e. binding its port to a host port; it only needs the service to be listening on its port inside the container. Leaving the port unpublished also means the backend is reachable only over the Docker network, through the TLS-terminating proxy, and not directly from the host's interfaces.

Finally, restart the container so nginx picks up the new configuration:
docker restart letsencrypt
Reference

github.com/linuxserver/docker-letsencrypt
hub.docker.com/r/linuxserver/letsencrypt/
letsencrypt.org/
docs.docker.com/engine/reference/commandline
http://nginx.org/en/docs/http/configuring_https_servers.html
www.zybuluo.com/phper/note/89391

Statement

This article is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 China Mainland license and is published on CSDN and Blog Park. Readers are welcome to repost it, but without the author's consent this statement must be retained and a link to the original placed in a prominent position on the article page. Readers and crawlers alike, please respect copyright.
