This project extends the official certbot docker image and made with some practices from ketchoop/letsencrypt-to-vault. The key features are:
- Automatic renewal with built-in cron daemon.
No longer need to set up an external cron job for renewal. Just run certbot-service with no arguments and it will start built-in renewal cron job for you. - Automatic upload of obtained certificates to Hashicorp Vault.
If you would like, certbot-service could upload the content of all .pem files into Vault. It will be done for each domain only if its certificate is changed (obtained or renewed). - Running of custom hook command when renewal is succeeded.
Set up the hook command and certbot-service will run it on each renewal is succeeded. For example, you can use this feature to reload web server after certificates are renewed (docker-cli is inside to do it!). - Availability of all certbot DNS plugins.
Doesn't matter which way you use to verify your domain. You can use any certbot DNS plugin with certbot-service at the same time (webroot, route53, google, etc.)!
certbot-service could be configured using environment variables, which are:
CERTBOT_FLAGS
(default--webroot --webroot-path=/usr/share/letsencrypt
) — options implicitly passed to certbot command.CRON_SCHED
(default0 */12 * * *
) — schedule for cron daemon renew job.HOOK_CMD
— hook command executed when renewal is succeeded (e.g.docker exec nginx nginx -s reload
).VAULT_ADDR
— address of Hashicorp Vault (e.g.https://vault.example.com:8200
). Non-empty value activates saving certificates to Vault.VAULT_TOKEN
— access token to Vault.VAULT_CERT_PATH
(defaultssl-cert/letsencrypt
) — path to certificates data in Vault (KV-V2 is only supported).- All other environment variables which certbot or its plugins understand
(
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, etc.).
Use docker-compose project from examples/nginx.
-
Run the project:
docker-compose up -d
-
Obtain the certificate for the domain:
docker-compose run --rm certbot-service certonly --email admin@example.com -d example.com
-
Enable and prepare SSL server config for the domain:
mv conf.d/domain.conf.sample conf.d/domain.conf && sed -i 's/DOMAIN/example.com/g' conf.d/domain.conf
-
Reload nginx:
docker-compose kill -s SIGHUP nginx
That's all! You do not need to set up any additional cron job for certificates renewal, certbot-serivce will do it for you while it is running.
Use docker-compose project from examples/standalone.
-
Configure certbot-service with environment variables in
.env
file (setVAULT_ADDR
,VAULT_TOKEN
,AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, etc.). -
Run the project:
docker-compose up -d
-
Obtain the certificate for the domain:
docker-compose run --rm certbot-service certonly --dns-route53 --email admin@example.com -d example.com
That's all! You do not need to set up any additional cron job for certificates renewal, certbot-serivce will do it for you while it is running.