Using certbot with Docker

Serving a website over HTTPS requires a certificate for its domain, and Let's Encrypt issues such certificates for free. Before issuing one, Let's Encrypt needs proof that you control the domain. There are several ways to prove this; the one used here has certbot place a file under a URL such as http://ooxxooxx.com/.well-known/acme-challenge/{token} on the site, which Let's Encrypt then fetches to confirm control of the domain. So the first step is a minimal nginx used only to request the certificate and pass the domain validation. Once the certificate has been issued, the nginx that serves HTTPS is configured. Certificates expire after 3 months; to renew, stop the HTTPS nginx, start the certificate-request nginx, run the renewal, then stop the certificate-request nginx and start the HTTPS nginx again.

1. Pull the required Docker images:

```sh
docker pull nginx
docker pull certbot/certbot
```
2. nginx configuration for requesting the certificate, letsencrypt-nginx.conf:

```nginx
server {
    listen       80;
    server_name  ooxxooxx.com;

    # The ACME challenge files that certbot writes into the webroot
    # must be reachable by Let's Encrypt over plain HTTP.
    location ~ /.well-known/acme-challenge {
        allow all;
        root   /usr/share/nginx/html;
    }

    root /usr/share/nginx/html;
    index index.html;
}
```
3. The placeholder page, index.html:

```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title>Let's Encrypt First Time Cert Issue Site</title>
</head>
<body>
    <h1>Oh, hai there!</h1>
    <p>
        This is the temporary site that will only be used for the very first time SSL certificates are issued by Let's Encrypt's
        certbot.
    </p>
</body>
</html>
```
4. Start the certificate-request nginx:

```sh
docker run --network host --rm --name nginx-letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt-nginx.conf:/etc/nginx/conf.d/default.conf \
-v /root/docker/nginx/volumes/letsencrypt/html:/usr/share/nginx/html \
-d nginx
```
5. Request the certificate. Because issuance is rate-limited, test the command first and run the real command only after the test succeeds. With the --staging flag it is the test command; without --staging it is the real command.

```sh
docker run -it --rm \
-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/html:/data/letsencrypt \
certbot/certbot \
certonly --webroot \
--register-unsafely-without-email --agree-tos \
--webroot-path=/data/letsencrypt \
--staging \
-d ooxxooxx.com
```

Check the command's output to confirm that a certificate was generated.

6. nginx configuration for HTTPS, https-nginx.conf:

```nginx
server {
    # "ssl on;" was deprecated in nginx 1.15 and removed in 1.25, so the
    # current nginx image rejects it; enable TLS on the listen directive instead.
    listen       443 ssl;
    server_name  ooxxooxx.com;

    ssl_certificate /etc/letsencrypt/live/ooxxooxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ooxxooxx.com/privkey.pem;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
```
7. Start the HTTPS nginx:

```sh
docker run --network host --rm --name nginx-https \
-v /root/docker/nginx/volumes/https-nginx.conf:/etc/nginx/conf.d/default.conf \
-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
-d nginx
```
8. Renew the certificate (with the HTTPS nginx stopped and the certificate-request nginx running, as described above):

```sh
docker run --rm -it --name certbot \
-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/html:/data/letsencrypt \
certbot/certbot renew --webroot -w /data/letsencrypt
```
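Steps 5 and 8 are the parts that get repeated by hand, so here is an added example (not part of the original post) that wraps the post's docker commands in a POSIX shell script. It assumes the post's volume root /root/docker/nginx/volumes, its container names nginx-letsencrypt and nginx-https, and its domain ooxxooxx.com; the DRY_RUN variable, the issue_cert staging|prod switch and the cert_ok_for_days check are this example's own additions. The certbot runs drop -it so the script also works from cron, and cert_ok_for_days uses openssl x509 -checkend against the live fullchain.pem to report whether the certificate is still valid for a given number of days.

```shell
#!/bin/sh
# Added example, not the post's own code: scripts the post's certbot/nginx
# workflow. Assumed values below follow the post; DRY_RUN=1 prints each
# docker command instead of running it (used for rehearsal and by the test).
set -eu

VOL=${VOL:-/root/docker/nginx/volumes}   # assumed: the post's volume root
DOMAIN=${DOMAIN:-ooxxooxx.com}            # assumed: the post's domain
DRY_RUN=${DRY_RUN:-0}

# Run a command, or print it as one line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# docker run wrapper for certbot with the post's four volume mounts
# (account/cert state, working state, logs, and the challenge webroot).
# No -it, so the same function works from cron as well as a terminal.
certbot_run() {
    run docker run --rm \
        -v "$VOL/letsencrypt/etc/letsencrypt:/etc/letsencrypt" \
        -v "$VOL/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt" \
        -v "$VOL/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt" \
        -v "$VOL/letsencrypt/html:/data/letsencrypt" \
        certbot/certbot "$@"
}

# First issuance. "staging" adds --staging so the rehearsal does not count
# against Let's Encrypt's issuance rate limits; "prod" requests the real one.
issue_cert() {
    case "$1" in
        staging) extra=--staging ;;
        prod)    extra= ;;
        *) echo "usage: issue_cert staging|prod" >&2; return 2 ;;
    esac
    certbot_run certonly --webroot \
        --register-unsafely-without-email --agree-tos \
        --webroot-path=/data/letsencrypt ${extra:+"$extra"} -d "$DOMAIN"
}

start_challenge_nginx() {
    run docker run --network host --rm --name nginx-letsencrypt \
        -v "$VOL/letsencrypt-nginx.conf:/etc/nginx/conf.d/default.conf" \
        -v "$VOL/letsencrypt/html:/usr/share/nginx/html" \
        -d nginx
}

start_https_nginx() {
    run docker run --network host --rm --name nginx-https \
        -v "$VOL/https-nginx.conf:/etc/nginx/conf.d/default.conf" \
        -v "$VOL/letsencrypt/etc/letsencrypt:/etc/letsencrypt" \
        -d nginx
}

stop_container() {
    run docker stop "$1"
}

# The renewal swap from the post: stop the HTTPS nginx, bring up the challenge
# nginx, renew, then swap back. The swap back runs even if certbot fails, so a
# failed renewal never leaves the site without its HTTPS server; certbot's
# exit status is returned so a cron job still notices the failure.
renew_cycle() {
    status=0
    stop_container nginx-https
    start_challenge_nginx
    certbot_run renew --webroot -w /data/letsencrypt || status=$?
    stop_container nginx-letsencrypt
    start_https_nginx
    return "$status"
}

# Exit 0 if the live certificate is still valid for at least $1 days, 1 if it
# expires sooner (openssl's -checkend semantics). Useful both to confirm that
# issuance produced a certificate and to decide whether a renewal is due.
cert_ok_for_days() {
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" \
        -in "$VOL/letsencrypt/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
}

# Command-line entry point; with no arguments the script only defines the
# functions, so it can also be sourced.
case "${1:-}" in
    issue) issue_cert "${2:-staging}" ;;
    renew) cert_ok_for_days "${2:-30}" || renew_cycle ;;
    *) ;;
esac
```

Typical use is `DRY_RUN=1 sh renew.sh renew 30` to see exactly which docker commands would run, `sh renew.sh issue staging` followed by `sh renew.sh issue prod` for the first certificate, and a cron entry running `sh renew.sh renew 30` so the swap only happens when fewer than 30 days of validity remain. Because the post's --register-unsafely-without-email is kept, Let's Encrypt has no address to send expiry warnings to, which is why the expiry check is done locally with openssl rather than relying on reminder mail.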
9. Reference: https://www.humankode.com/ssl/how-to-set-up-free-ssl-certificates-from-lets-encrypt-using-docker-and-nginx