I have previously written about obtaining and renewing Let's Encrypt certificates on Linux. This post updates that with the Docker way of doing it, which is more portable, easier to maintain and upgrade, and avoids disturbing the local environment.
Installing Docker
Please refer to the earlier article.
Requesting the certificate for the first time
The request is made by deploying nginx to serve a static site. A simple nginx deployment file is shown below.
docker-compose.yml
```yaml
# Usage notes V3.2.0
version: '3.0'
services:
  nginx:
    hostname: nginx
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
    container_name: nginx
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf
      - ./conf/custom/:/etc/nginx/conf/
      - ./www/:/etc/nginx/html/
      - ./logs/:/var/log/nginx/
```
Our static pages go under the ./www directory. Then point the domain's DNS record at this server, add the domain's nginx config file to the config directory, start the container and reload nginx. An example config file (域名 is a placeholder for your domain):
```nginx
server {
    listen 80;
    server_name 域名;
    charset utf-8;

    location / {
        root html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
```
Then request the certificate (邮箱 and 域名 in the command are placeholders for your e-mail address and domain):
```bash
docker run --rm -it \
  -v /data/apps/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
  -v /data/apps/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \
  -v /data/apps/nginx/www:/data/letsencrypt \
  certbot/certbot:latest certonly --webroot \
  --email 邮箱 --agree-tos --no-eff-email \
  --webroot-path=/data/letsencrypt -d 域名
```
When the run finishes, certbot writes the certificate and private key files into the live directory of the mounted /etc/letsencrypt volume, i.e. /data/apps/letsencrypt/etc/letsencrypt/live on the host.
Generate 2048-bit DH parameters
```bash
openssl dhparam -out ./dhparam-2048.pem 2048
```
Copy it to a directory of your choice, then update the nginx config file:
```nginx
server {
    listen 80;
    server_name 域名;
    charset utf-8;

    location / {
        root html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

# Handle HTTPS requests
server {
    listen 443 ssl;
    server_name 域名;
    server_tokens off;

    ssl_certificate /letsencrypt/live/api.evdances.com/fullchain.pem;
    ssl_certificate_key /letsencrypt/live/api.evdances.com/privkey.pem;

    ssl_buffer_size 8k;

    ssl_dhparam /letsencrypt/dhparam-2048.pem;  # 2048-bit DH parameters for stronger security

    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996) and DH+3DES is a legacy cipher;
    # keep them only if you must support old clients.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    location / {
        root html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
```
Changes to the nginx docker-compose.yml file
```yaml
# Usage notes V3.2.0
version: '3.0'
services:
  nginx:
    hostname: nginx
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
    container_name: nginx
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf
      - ./conf/custom/:/etc/nginx/conf/
      - ./www/:/etc/nginx/html/
      - ./logs/:/var/log/nginx/
      # live/ holds symlinks into ../../archive, so both directories must be mounted
      - /data/apps/letsencrypt/etc/letsencrypt/live:/letsencrypt/live        # current certificates
      - /data/apps/letsencrypt/etc/letsencrypt/archive:/letsencrypt/archive  # archived (historical) certificates
      - ./dhparam-2048.pem:/letsencrypt/dhparam-2048.pem                      # 2048-bit DH (Diffie-Hellman) parameters
```
Restart the container and reload nginx.
Renewing the certificate
```bash
#!/bin/bash
# Renew the certificate if it is due, then send nginx a HUP so it reloads the new files.
# No -it here: cron has no TTY, and `docker run -t` fails without one.
docker run --rm \
  -v /data/apps/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
  -v /data/apps/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /data/apps/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \
  -v /data/apps/nginx/www:/data/letsencrypt \
  certbot/certbot renew --webroot -w /data/letsencrypt --quiet \
  && docker kill --signal=HUP nginx
```
Add a cron job that attempts to renew the certificate on the 15th of every month:
crontab -e
```crontab
# A per-user crontab (crontab -e) has no user column; a `root` field belongs only in /etc/crontab or /etc/cron.d.
0 0 15 * * sh /data/deploy/renew.sh
```
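A quick simulation, added here and not part of the original post, of why a once-a-month renew job is risky: with 90-day certificates and certbot's default rule of renewing only when 30 days or less of validity remain (both assumed parameters, stated in the code), a run on the 15th can fall one day before the renewal window opens, and the next run comes after the certificate has already expired. The function names and the dates are constructed for the illustration.

```python
# Added simulation of how a monthly `0 0 15 * *` renew job meets certbot's rule.
# Assumed (constructed, not from the post): 90-day certs, renew when <= 30 days remain.
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)
RENEW_BEFORE = timedelta(days=30)

def issued_at(year, month, day):
    """Issuance one minute after midnight, i.e. just after a 00:00 cron run."""
    return datetime(year, month, day, 0, 1)

def monthly_runs(start, end, day=15):
    """Firing times of `0 0 15 * *` within [start, end]."""
    t = datetime(start.year, start.month, day)
    while t <= end:
        if t >= start:
            yield t
        year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
        t = datetime(year, month, day)

def daily_runs(start, end):
    """Firing times of a daily `0 0 * * *` job within [start, end]."""
    t = datetime(start.year, start.month, start.day)
    while t <= end:
        if t >= start:
            yield t
        t += timedelta(days=1)

def first_renewal(issued, schedule):
    """First run at which `certbot renew` would actually renew a certificate
    issued at `issued`, or None if it expires before any run qualifies."""
    expires = issued + CERT_LIFETIME
    for run in schedule(issued, expires):
        if expires - run <= RENEW_BEFORE:
            return run
    return None

def missed_issue_dates(year, schedule):
    """ISO dates in `year` on which an issued certificate would expire
    unrenewed under `schedule` (issued just after that day's cron run)."""
    missed, day = [], issued_at(year, 1, 1)
    while day.year == year:
        if first_renewal(day, schedule) is None:
            missed.append(day.date().isoformat())
        day += timedelta(days=1)
    return missed

if __name__ == "__main__":
    print("monthly cron lets these expire:", missed_issue_dates(2023, monthly_runs))
```

Running it lists seven issue dates in 2023 for which the monthly job lets the certificate lapse, while a daily job never misses; certbot itself recommends running `renew` at least daily, which is cheap because it only renews when due.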