Certbot Service

This project extends the official certbot docker image and borrows some practices from ketchoop/letsencrypt-to-vault. The key features are:

  1. Automatic renewal with a built-in cron daemon.
    There is no longer any need to set up an external cron job for renewal. Just run certbot-service with no arguments and it will start the built-in renewal cron job for you.
  2. Automatic upload of obtained certificates to Hashicorp Vault.
    Optionally, certbot-service can upload the content of all .pem files into Vault. This is done for each domain only if its certificate has changed (obtained or renewed).
  3. Running a custom hook command when a renewal succeeds.
    Set up the hook command and certbot-service will run it after each successful renewal. For example, you can use this feature to reload the web server after certificates are renewed (the docker CLI is included in the image for this purpose).
  4. Availability of all certbot DNS plugins.
    It doesn't matter which method you use to verify your domain. You can use any certbot DNS plugin with certbot-service at the same time (webroot, route53, google, etc.)!

Configuration

certbot-service is configured using environment variables, which are:

  1. CERTBOT_FLAGS (default --webroot --webroot-path=/usr/share/letsencrypt) — options implicitly passed to certbot command.
  2. CRON_SCHED (default 0 */12 * * *) — schedule for cron daemon renew job.
  3. HOOK_CMD — hook command executed when a renewal succeeds (e.g. docker kill --signal=SIGHUP nginx).
  4. VAULT_ADDR — address of Hashicorp Vault (e.g. https://vault.example.com:8200). Non-empty value activates saving certificates to Vault.
  5. VAULT_TOKEN — access token to Vault.
  6. VAULT_CERT_PATH (default ssl-cert/letsencrypt) — path to the certificate data in Vault (only KV version 2 is supported).
  7. All other environment variables which certbot or its plugins understand (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.).
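The "upload only when the certificate changed" behaviour from feature 2 and the VAULT_* settings above, as an added shell illustration that is not certbot-service's own code. It assumes certbot's standard /etc/letsencrypt/live/<domain>/ layout, a KV-V2 secrets engine, a hypothetical STATE_DIR for remembering fingerprints, and that the first component of VAULT_CERT_PATH is the KV mount; LIVE_DIR and STATE_DIR can be overridden so the logic runs offline.

```shell
#!/bin/sh
# Added example, not the project's code. Assumptions: certbot live layout, KV-V2,
# STATE_DIR (hypothetical) holds the last-seen fingerprint per domain, and the
# first path component of VAULT_CERT_PATH is the KV mount name.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
STATE_DIR="${STATE_DIR:-/var/lib/certbot-service}"   # hypothetical location
VAULT_CERT_PATH="${VAULT_CERT_PATH:-ssl-cert/letsencrypt}"

# Fingerprint every .pem file of one domain. A renewal rewrites fullchain/privkey,
# so the fingerprint changes exactly when the certificate is obtained or renewed.
cert_fingerprint() {
  cat "$LIVE_DIR/$1"/*.pem | sha256sum | cut -d' ' -f1
}

# True (exit 0) when the current fingerprint differs from the recorded one.
cert_changed() {
  current=$(cert_fingerprint "$1")
  previous=$(cat "$STATE_DIR/$1.sha256" 2>/dev/null || true)
  [ "$current" != "$previous" ]
}

# Build the KV-V2 body {"data":{"fullchain.pem":"...",...}}. KV-V2 nests the secret
# under "data" (KV-V1 takes the flat object), hence the V2-only restriction above.
# PEM files contain only base64 and dashes, so escaping newlines yields valid JSON.
vault_kv2_payload() {
  printf '{"data":{'
  sep=""
  for f in "$LIVE_DIR/$1"/*.pem; do
    printf '%s"%s":"%s"' "$sep" "$(basename "$f")" "$(awk '{printf "%s\\n", $0}' "$f")"
    sep=","
  done
  printf '}}'
}

# POST to the KV-V2 data endpoint, then record the fingerprint so the next cron
# run skips this domain unless it was renewed again.
upload_if_changed() {
  domain=$1
  cert_changed "$domain" || return 0
  mount=${VAULT_CERT_PATH%%/*}; sub=${VAULT_CERT_PATH#*/}
  curl -fsS -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
    --data "$(vault_kv2_payload "$domain")" \
    "$VAULT_ADDR/v1/$mount/data/$sub/$domain"
  cert_fingerprint "$domain" > "$STATE_DIR/$domain.sha256"
}
```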

Usage Examples

Certbot with webroot plugin and nginx

Use docker-compose project from examples/nginx.

  1. Run the project:

    docker-compose up -d
    
  2. Obtain the certificate for the domain:

    docker-compose run --rm certbot-service certonly --email [email protected] -d example.com
    
  3. Enable and prepare SSL server config for the domain:

    mv conf.d/domain.conf.sample conf.d/domain.conf && sed -i 's/DOMAIN/example.com/g' conf.d/domain.conf
    
  4. Reload nginx:

    docker-compose kill -s SIGHUP nginx
    

That's all! You do not need to set up any additional cron job for certificate renewal; certbot-service will do it for you while it is running.

Standalone certbot with route53 DNS plugin and Vault

Use docker-compose project from examples/standalone.

  1. Configure certbot-service with environment variables in .env file (set VAULT_ADDR, VAULT_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.).

  2. Run the project:

    docker-compose up -d
    
  3. Obtain the certificate for the domain:

    docker-compose run --rm certbot-service certonly --dns-route53 --email [email protected] -d example.com
    

That's all! You do not need to set up any additional cron job for certificate renewal; certbot-service will do it for you while it is running.