Available on dockerhub here.
This image runs certbot
under the hood to automate issuance and renewal of letsencrypt certificates.
Initial certificate requests are run at container first launch, once the image responds on a specified health check url.
Then certificates validity is checked at 02:00 on every 7th day-of-month from 1 through 31, and certificates are renewed only if expiring in less that 28 days, preventing from being rate limited by letsencrypt.
Issued certificates are made available in the container's /certs
directory which can be mounted on the docker host or as a docker volume to make them available to other applications.
- docker
- docker-compose
Adapt the provided docker-compose.yml
file to fit your requirements. The required/optional parameters are described here after:
- Either build image with provided docker file
- -or- fetch the image from dockerhub located at
ebarault/letsencrypt-autorenew-docker
The software in the docker container exposes internally the 443
port, which you should expose back on the docker host with no translation, such as in "443:443"
The following volumes of interest can be mounted on the docker host or as docker volumes:
- /certs : location of certificates generated by letsencrypt, this is the main directory of interest to expose to your application
- /etc/letsencrypt : location of letsencrypt install dir (optional, for debug purposes)
- /var/log/letsencrypt : location of letsencrypt logs (optional, for debug purposes)
- WEBROOT : (optional) path to the host's web server root. If provided, letsencrypt will use the given existing web server to request and validate the certificates. If not provided, letsencrypt will launch it's own web server for this purpose
- PLUGIN : (optional, defaults to
standalone
) Acertbot
plugin to use (e.g.manual
) - PREFERRED_CHALLENGES : (optional, defaults to http-01) A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (eg. "dns" or "tls-alpn-01,http,dns"). NOTE: tls-alpn-01 challenge is yet not supported by certbot 0.31.0
- CUSTOM_ARGS : (optional) Additional
certbot
command-line options (e.g.--redirect
), refer to certbot documentation - LOGFILE : (optional) path of a file where to write the logs from the certificate request/renewal script. When not provided both stdout/stderr are directed to console which is convenient when using a docker log driver
- DEBUG : (optional) whether to run letsencrypt in debug mode, refer to certbot documentation
- STAGING : (optional) whether to run letsencrypt in staging mode, refer to certbot documentation
- DOMAINS : space separated list of comma separated subdomains to register the certificate with, for example:
my.domain.com
sub.domain1.com,sub.domain2.com
my.other.domain.com sub.domain1.com,sub.domain2.com
- EMAIL : email of the certificates supplicant
- CONCAT : whether to concatenate the full chain of the certificate authority with the certificate's private key. This is required for example for haproxy. Otherwise the full chain and private key are kept in separate files which is required for example for nginx and apache
- HEALTH_CHECK_URL : a publicly accessible health check url on which the software in the docker container can verify and wait for the docker host to be up and ready to accept connections
As in the provided docker-compose.yml
file, the expected configuration should look similar to this:
version: '2'
services:
certbot:
build: .
# image: ebarault/letsencrypt-autorenew-docker:latest
container_name: certbot
ports:
- "443:443"
volumes:
- ./certs:/certs
- ./letsencrypt:/etc/letsencrypt
- ./var_log_letsencrypt:/var/log/letsencrypt
restart: always
environment:
# - WEBROOT=/path/to/web_root
- LOGFILE=/var/log/letsencrypt/certrenewal.log
- DEBUG=false
- STAGING=false
- DOMAINS=my.domain.com
- EMAIL=user@my.domain.com
- CONCAT=false
- HEALTH_CHECK_URL=my.domain.com:80
When using a docker logging driver, the LOGFILE
environment variable should not be set to make sure all the container logs (stdout/stderr) are directed to the console, and hence to the logging driver.
An example is provided for aws logging driver. This should be
version: '2'
services:
certbot:
# ...
environment:
# ...
# LOGFILE should not be set when working with a docker logging driver
# - LOGFILE=/var/log/letsencrypt/certrenewal.log
logging:
driver: "awslogs"
options:
awslogs-region: "${AWS_REGION}"
awslogs-group: "hooly-search"
awslogs-stream: "letsencrypt"
Build and run the container as follows:
docker-compose build
docker-compose up -d
docker-compose up -d