
letsencrypt-docker's Introduction

DEPRECATED

Please use https://github.com/ixc/ixc-acme.sh, instead.

Overview

The interaction/letsencrypt image will:

  • Automatically create or renew certificates on startup and daily thereafter.

  • Optionally combine each private key with its full certificate chain into a single PEM for HAproxy, and restart HAproxy so it picks up the new files.

Usage

In your letsencrypt service:

  • Define a DOMAINS environment variable. Certificates are separated by a newline or semicolon (;), and the domains within one certificate are separated by commas (,).

    NOTE: When used with HAproxy, the first domain for which a certificate is successfully generated will be used as the default (saved to /certs/_default.pem), overriding DEFAULT_SSL_CERT.

    NOTE: Let's Encrypt has a limit of 20 certificates per registered domain per week, and 100 names per certificate. You should combine subdomains into a single certificate, wherever possible.

    See: https://letsencrypt.org/docs/rate-limits/

  • Define an EMAIL environment variable. It will be used for all certificates.

  • Define an OPTIONS environment variable, if you want to pass additional arguments to certbot (e.g. --staging).

  • Define an NGINX_PROXY_PASS=1 environment variable if you want to serve your sites over HTTP instead of redirecting to HTTPS, for example when you cannot generate certificates because Let's Encrypt is down or your account is rate limited.

If using with HAproxy:

  • Add volumes_from: letsencrypt to your haproxy service.

  • Define a DEFAULT_SSL_CERT environment variable to enable SSL termination. You can use a self-signed certificate for this; it is only served when no other certificate matches the requested name. The following command writes the key and the certificate into one combined PEM file:

    $ openssl req -x509 -newkey rsa:2048 -keyout cert0.pem -out cert0.pem -nodes -subj '/CN=*'
    
  • Define an HAPROXY_IMAGE=dockercloud/haproxy:1.6.3 environment variable in your letsencrypt service.

Sample compose and stack files are provided, including a wildcard self-signed default certificate.
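As an added example (not code from the letsencrypt-docker image), the following Python parses a DOMAINS value exactly as the README describes (newline or semicolon between certificates, commas between names) and checks the resulting groups against the Let's Encrypt limits the README cites. The hostname pattern and the "registered domain equals the last two labels" approximation are this example's own assumptions.

```python
import re

# Limits cited in the README (https://letsencrypt.org/docs/rate-limits/).
MAX_NAMES_PER_CERT = 100
MAX_CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 20

# Assumption of this example: a name is lowercase labels of letters, digits and
# hyphens, at least one dot, no label starting or ending with a hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_domains(spec):
    """Split DOMAINS into certificate groups: newline or ';' separates
    certificates, ',' separates the names inside one certificate.
    Empty entries and surrounding whitespace are ignored.  With HAproxy the
    first group is the one the README says becomes /certs/_default.pem."""
    groups = []
    for cert_spec in re.split(r"[;\n]", spec):
        names = [n.strip().lower() for n in cert_spec.split(",") if n.strip()]
        if names:
            groups.append(names)
    return groups


def check_groups(groups):
    """Return human-readable problems; an empty list means the spec is fine."""
    problems = []
    first_seen = {}
    for idx, names in enumerate(groups):
        if len(names) > MAX_NAMES_PER_CERT:
            problems.append(f"certificate {idx}: {len(names)} names exceeds "
                            f"{MAX_NAMES_PER_CERT} (Let's Encrypt limit)")
        for n in names:
            if not HOSTNAME_RE.match(n):
                problems.append(f"certificate {idx}: '{n}' is not a valid hostname")
            if n in first_seen and first_seen[n] != idx:
                problems.append(f"'{n}' appears in certificates {first_seen[n]} and {idx}")
            first_seen.setdefault(n, idx)
    return problems


def registered_domain_counts(groups):
    """Count certificates per registered domain (approximated as the last two
    labels) so a spec that would burn through the weekly limit is visible
    before certbot is run."""
    counts = {}
    for names in groups:
        for reg in {".".join(n.split(".")[-2:]) for n in names}:
            counts[reg] = counts.get(reg, 0) + 1
    return counts
```

A value of `DOMAINS` that spreads subdomains over many groups shows up in `registered_domain_counts` as a high count for one registered domain, which is exactly the case the README's note on combining subdomains warns about.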

letsencrypt-docker's People

Contributors

aramgutang, mrmachine


letsencrypt-docker's Issues

Unknown SSL Protocol

I am having some issues getting this to work. Here is my current compose file.

  web:
    image: zthoutt/me
    restart: always
    environment:
      - My_SETTINGS=staging
      - VIRTUAL_HOST=*,https://*
      - FORCE_SSL="yes"
    depends_on:
      - db
    volumes:
      - /home/docker/persistent/media/:/home/docker/code/media/
  lb:
    image: dockercloud/haproxy:1.6.7
    links:
      - web
    environment:
      - |
        DEFAULT_SSL_CERT-----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    volumes_from:
      - letsencrypt
    ports:
      - 443:443
  letsencrypt:
    image: interaction/letsencrypt:master
    environment:
      - DOMAINS=zackthoutt.com,www.zackthoutt.com
      - [email protected]
      - HAPROXY_IMAGE=dockercloud/haproxy:1.6.7
      - OPTIONS=--staging
    ports:
      - 80:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

When I run docker-compose up everything seems to run fine and letsencrypt says that it installs the certs. When I try to visit the site via curl I get (35) Unknown SSL protocol error in connection to zackthoutt.com:-9847.

I know that in your sample docker compose file you have a build section as part of your letsencrypt service and a .:/opt/letsencrypt volume, but when I add that I get [FATAL tini (5)] Executing child process 'entrypoint.sh' failed: 'No such file or directory' and the service exits without starting.

Make Let's Encrypt certificate updates more robust across docker versions

We have seen failures in certbot.sh updating certificates caused by a mismatch between the agent and docker versions, more details here: harness/gitness#2048

Look into this in more detail and come up with a way to ensure the agent will run in a way that is compatible with the rest of the Docker environment, which might mean hardcoding something like a DOCKER_API_VERSION=1.23 envvar before invoking certbot.sh, or maybe detecting the right version number to apply in this way.

Wildcard DOMAINS example?

While testing out the letsencrypt-docker/docker-cloud.yml example in Docker Cloud, I keep getting "Your connection is not private" - NET::ERR_CERT_AUTHORITY_INVALID.

letsencrypt:
  environment:
    - 'DOMAINS=example.com,www.example.com,sync.example.com,data.example.com'
    - [email protected]
    - 'HAPROXY_IMAGE=dockercloud/haproxy:1.6.3'
    - OPTIONS=--staging

Checking the logs I can see it completes the challenges for these,

Congratulations! Your certificate and chain have been saved at...

I'm not sure what I'm doing wrong, perhaps I should be using a wildcard?

If I inspect the cert on the error page I can see it states Fake LE Intermediate X1:

Subject: example.com
Issuer: Fake LE Intermediate X1
Expires on: Apr 16, 2018
Current date: Jan 16, 2018
PEM encoded chain:
...

I've commented out the - OPTIONS=--staging option and forced the certs to be regenerated using:

certbot renew --force-renewal

...but I'm still seeing the issue after re-deploying both the haproxy and this.

What's the goal?

Looks interesting. But I'm not sure what exactly the goal of the project is.
I'm looking for a solution for automatic certificate registration and allocation on a Docker base.

The official letsencrypt docker image certbot/certbot doesn't work for me, because dockercloud/haproxy already uses the needed ports and it's not the easiest to configure a forwarding for the tls-sni-01 challenge.
But with the certbot image the automatic allocation would still not be possible in this setup.

Domain not matched (sends default, self signed certificate)

I have an A record pointing to my Docker Cloud stack IP address (see below) from api.coolclimatenetwork.net.

It seems like my letsencrypt container doesn't match or never sees this request, since it sends back the default, self-signed SSL certificate (which browsers reject, of course).

Is there something else I need to do here?

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.coolclimatenetwork.net
Using the webroot path /opt/www for all unmatched domains.
Waiting for verification...
66.133.109.36 - - [06/Nov/2017:02:58:09 +0000] "GET /.well-known/acme-challenge/5nfg6FYiW38MGKOTp9iIQxzEK9I7cG5gXdGnC_iN4A4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/api.coolclimatenetwork.net/fullchain.pem.
   Your cert will expire on 2018-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

199.116.72.70 - - [06/Nov/2017:03:00:24 +0000] "GET / HTTP/1.1" 302 161 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
199.116.72.70 - - [06/Nov/2017:03:01:30 +0000] "GET / HTTP/1.1" 302 161 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

Docker cloud stack:

haproxy:
  environment:
    - |
      DEFAULT_SSL_CERT=...
  image: 'dockercloud/haproxy:1.6.3'
  links:
    - user-api
  ports:
    - '443:443'
  restart: on-failure
  roles:
    - global
  tags:
    - nodecluster-name=mycluster
  volumes_from:
    - letsencrypt
letsencrypt:
  environment:
    - 'DOMAINS=api.coolclimatenetwork.net'
    - [email protected]
    - 'HAPROXY_IMAGE=dockercloud/haproxy:1.6.3'
  image: 'interaction/letsencrypt:master'
  ports:
    - '80:80'
  restart: on-failure
  roles:
    - global
  tags:
    - nodecluster-name=mycluster
  volumes:
    - '/var/run/docker.sock:/var/run/docker.sock'
postgres:
  environment:
    - POSTGRES_DB=user
    - 'POSTGRES_PASSWORD=yada'
  expose:
    - '5432'
  image: 'postgres:9.4.5'
  tags:
    - nodecluster-name=mycluster
user-api:
  deployment_strategy: high_availability
  image: 'myimage:latest'
  links:
    - postgres
  ports:
    - '8082'
  restart: on-failure
  tags:
    - nodecluster-name=mycluster
