[Rocky9] LetsEncrypt + nginx + docker

URL Link //n.sfs.tw/16425

2024-06-10 13:39:05 By 張○○

此次主要根據[1]的文章進行letsencrypt設置,原文可能因為版本的問題?設置上略有不同,完全照抄會無法運作,經過修改後筆記下來。

系統

Rocky Linux release 9.4 (Blue Onyx)

# docker -v
Docker version 26.1.3, build b72abbb

 

Docker Compose

# vi docker-compose.yml

services:
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx:/etc/nginx/conf.d/:ro
      - ./certbot/www/:/var/www/certbot/:ro
      - ./certbot/conf/:/etc/nginx/ssl:ro

    restart: always
  certbot:
    image: certbot/certbot:latest
    container_name: certbot
    restart: no
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw

別急著啟動 docker,先完成下面的nginx設置
 

 

NGINX 設置

virtual.conf 的內容:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    charset UTF-8;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot/;
   }
}

整個目錄的架構是這樣的:

docker-compose.yml
  └── nginx
      └── virtual.conf

上面預先建立 nginx的目錄,並建立 virtural.conf

 

啟動 nginx 和 certbot

啟動你的 nginx

# docker compose up -d nginx

此時的目錄是這樣的:

docker-compose.yml
├── certbot
│   ├── conf
│   └── www
└── nginx
    └── virtual.conf

測試啟動 certbot 認證

# docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d [your.domain.name]

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for your.domain.name
The dry run was successful.

一切ok後,拿掉 --dry-run 再執行一次:

# docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d [your.domain.name]

執行時會要求你輸入eamil(非必要)及閱讀條款(按Y)

建立完畢後會自動在目錄中產生憑證公私鑰,certbot目錄大概像這樣,以下的內容都會自動產生,你不必手動建立

certbot/
├── conf
│   ├── accounts
│   │   ├── acme-staging-v02.api.letsencrypt.org
│   │   │   └── directory
│   │   │       └── ba16f4b9a2cc1973c20a6c299c2f2e47
│   │   │           ├── meta.json
│   │   │           ├── private_key.json
│   │   │           └── regr.json
│   │   └── acme-v02.api.letsencrypt.org
│   │       └── directory
│   │           └── af0e69ef49234e19b730f171df485212
│   │               ├── meta.json
│   │               ├── private_key.json
│   │               └── regr.json
│   ├── archive
│   │   └── your.domain.name
│   │       ├── cert1.pem
│   │       ├── cert2.pem
│   │       ├── chain1.pem
│   │       ├── chain2.pem
│   │       ├── fullchain1.pem
│   │       ├── fullchain2.pem
│   │       ├── privkey1.pem
│   │       └── privkey2.pem
│   ├── live
│   │   ├── your.domain.name
│   │   │   ├── cert.pem -> ../../archive/your.domain.name/cert2.pem
│   │   │   ├── chain.pem -> ../../archive/your.domain.name/chain2.pem
│   │   │   ├── fullchain.pem -> ../../archive/your.domain.name/fullchain2.pem <== 全鍊結
│   │   │   ├── privkey.pem -> ../../archive/your.domain.name/privkey2.pem  <== 私鑰
│   │   │   └── README
│   │   └── README
│   ├── renewal
│   │   └── your.domain.name.conf
│   └── renewal-hooks
│       ├── deploy
│       ├── post
│       └── pre
└── www
    └── .well-known
        └── acme-challenge
            ├── jqg-9mj9NtpQzfzJcUa1Fy5UMy3_5YFLuaQ-gAOzNGU
            └── yGpYbhP6Uv--vKt4wOZOWTKKtOhEKLQYclOq5fY12dY

 

設置 https 的連線

修改 virtual.conf 在後面加上

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2  on;
    server_name your.domain.com

    ssl_certificate /etc/nginx/ssl/live/n.sfs.tw/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/n.sfs.tw/privkey.pem;

    location / {
       proxy_pass http://somewhere.doamin.name:80/;
       # or
       root /path/to/your/site;
    }
}

重啟 nginx 生效。

用瀏覽器查看憑證

lets的憑證一次三個月,得手動或自動更新

 

自動更新 CERTBOT

手動更新

# docker compose run --rm certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/n.sfs.tw.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/your.domain.name/fullchain.pem expires on 2024-09-08 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

排程更新

crontab -e

# 每二個月更新一次
* * * */2 * /usr/bin/docker compose -f /home/docker/docker-compose.yml run --rm certbot renew

 

 

參考資料

[1] https://phoenixnap.com/kb/letsencrypt-docker

[2] 攻略docker版Let's Encrypt憑證申請 https://www.ccc.tc/article/letsencrypt