Docker安装Let'sEncrypt SSL证书

之前陆续写过 Linux 下的 Let’s Encrypt 证书的获取及更新 , 这里更新一篇 Docker 下的操作方式 , 更加通用且

方便维护、升级，同时也避免破坏本地的环境

Docker 安装

首次申请证书

这里是通过部署 nginx 运行静态网站来进行申请 , 这里简单展示下 nginx 的部署文件

docker-compose.yml

# 使用说明 V3.2.0
version: '3.0'
services:
  nginx:
    hostname: nginx
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
    container_name: nginx
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf
      - ./conf/custom/:/etc/nginx/conf/
      - ./www/:/etc/nginx/html/
      - ./logs/:/var/log/nginx/

这里将我们的静态网页放在 ./www 目录下, 然后解析对应域名到该服务器 , 添加域名nginx文件到配置目录并且启动容器和 reload nginx. 配置文件示例如下

server {
        listen       80;
        server_name  域名;
        charset utf-8;

        location / {
            root   html;
            index  index.html index.htm;
        }
        
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
}

然后申请证书

docker run --rm -it -v /data/apps/letsencrypt/etc/letsencrypt:/etc/letsencrypt -v /data/apps/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt -v /data/apps/nginx/www:/data/letsencrypt certbot/certbot:latest certonly --webroot --email 邮箱 --agree-tos --no-eff-email --webroot-path=/data/letsencrypt -d 域名

运行结束会在 /data/apps/letsencrypt/live 目录下出生证书文件和私钥文件

生成 2048位DH

1	openssl dhparam -out ./dhparam-2048.pem 2048

拷贝到自定义目录 , 然后修改nginx文件

server {
        listen       80;
        server_name  域名;
        charset utf-8;

        location / {
            root   html;
            index  index.html index.htm;
        }
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
 
}

# 处理https请求
server {
    listen 443 ssl;
    server_name 域名;
 
    server_tokens off;
 
    ssl_certificate /letsencrypt/live/api.evdances.com/fullchain.pem;
    ssl_certificate_key /letsencrypt/live/api.evdances.com/privkey.pem;
 
    ssl_buffer_size 8k;
 
    ssl_dhparam /letsencrypt/dhparam-2048.pem; # 使用2048位DH参数，加强安全
 
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
 
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
 
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

        location / {
            root   html;
            index  index.html index.htm;
        }
       
    error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        root   html;
    }
}

nginx的docker-compose.yml 文件修改

# 使用说明 V3.2.0
version: '3.0'
services:
  nginx:
    hostname: nginx
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
    container_name: nginx
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf
      - ./conf/custom/:/etc/nginx/conf/
      - ./www/:/etc/nginx/html/
      - ./logs/:/var/log/nginx/
      - /data/apps/letsencrypt/etc/letsencrypt/live:/letsencrypt/live        # 当前证书目录
      - /data/apps/letsencrypt/etc/letsencrypt/archive:/letsencrypt/archive  # 历史证书目录
      - ./dhparam-2048.pem:/letsencrypt/dhparam-2048.pem        # 使用2048位DH（Diffie-Hellman）参数

重启容器, reload nginx

更新证书

1
2
3

#!/bin/bash
# 更新ssl证书
docker run -it --rm -v /data/apps/letsencrypt/etc/letsencrypt:/etc/letsencrypt -v /data/apps/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt -v /data/apps/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt -v /data/apps/nginx/www:/data/letsencrypt certbot/certbot renew --webroot -w /data/letsencrypt --quiet && docker kill --signal=HUP nginx

新增定时任务 , 每月15号尝试更新证书

crontab -e