Obtain and renew Let's Encrypt SSL certificates without external cron jobs


hydra-billing/certbot-service

Certbot Service

This project extends the official certbot docker image and is built with some practices borrowed from ketchoop/letsencrypt-to-vault. The key features are:

  1. Automatic renewal with a built-in cron daemon.
    You no longer need to set up an external cron job for renewal. Just run certbot-service with no arguments and it will start the built-in renewal cron job for you.
  2. Automatic upload of obtained certificates to HashiCorp Vault.
    If you would like, certbot-service can upload the content of all .pem files into Vault. This is done per domain, and only when that domain's certificate has changed (obtained or renewed).
  3. Running a custom hook command when renewal succeeds.
    Set up the hook command and certbot-service will run it after each successful renewal. For example, you can use this feature to reload the web server after certificates are renewed (docker-cli is included in the image to do exactly that).
  4. Availability of all certbot DNS plugins.
    It doesn't matter which way you verify your domain: you can use any certbot DNS plugin with certbot-service, even several at the same time (webroot, route53, google, etc.)!

Configuration

certbot-service can be configured with the following environment variables:

  1. CERTBOT_FLAGS (default --webroot --webroot-path=/usr/share/letsencrypt) — options implicitly passed to the certbot command.
  2. CRON_SCHED (default 0 */12 * * *) — schedule of the cron daemon's renew job.
  3. HOOK_CMD — hook command executed when renewal succeeds (e.g. docker exec nginx nginx -s reload).
  4. VAULT_ADDR — address of HashiCorp Vault (e.g. https://vault.example.com:8200). A non-empty value activates saving certificates to Vault.
  5. VAULT_TOKEN — access token for Vault.
  6. VAULT_CERT_PATH (default ssl-cert/letsencrypt) — path to the certificates data in Vault (only KV v2 is supported).
  7. All other environment variables that certbot or its plugins understand (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.).
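
The renewal cycle these variables drive (detect which certificates changed, push only those to Vault, run HOOK_CMD once) is the part of such a service that is easiest to get subtly wrong, so here is an added example that models it in POSIX shell. It is not code from this project. It assumes a certbot-style live directory (<dir>/<domain>/*.pem), a state file holding one "domain digest" line per domain, and that the first path segment of VAULT_CERT_PATH is the KV v2 secrets-engine mount with the remainder as a prefix under it; DRY_RUN is an assumed switch that prints the Vault request instead of sending it. The sample PEM files are constructed placeholders. Run it with the argument demo to see a first cycle upload both domains and fire the hook, and a second cycle do nothing.

```shell
#!/bin/sh
# Added example (not certbot-service's own code): a minimal model of what one
# renewal cycle has to do after `certbot renew` has run against LIVE_DIR:
#   1. find the domains whose .pem files changed since the previous cycle,
#   2. write each changed domain's files to Vault KV v2 (or print the request),
#   3. run HOOK_CMD only when at least one certificate actually changed.
# Directory layout, state-file format and the KV v2 URL mapping are assumptions.
set -eu

# Digest of every .pem file under one domain directory (assumed layout:
# $LIVE_DIR/<domain>/*.pem, mirroring certbot's /etc/letsencrypt/live).
domain_digest() {
    cat "${1%/}"/*.pem | if command -v sha256sum >/dev/null 2>&1; then
        sha256sum; else cksum; fi | cut -d' ' -f1
}

# Print the domains whose digest differs from STATE_FILE ("domain digest" per
# line), then rewrite STATE_FILE so the next cycle sees them as unchanged.
changed_domains() {
    live_dir=$1; state_file=$2
    [ -f "$state_file" ] || : > "$state_file"
    new_state=$(mktemp)
    for dir in "$live_dir"/*/; do
        domain=$(basename "$dir")
        digest=$(domain_digest "$dir")
        old=$(awk -v d="$domain" '$1 == d { print $2 }' "$state_file")
        [ "$old" = "$digest" ] || echo "$domain"
        echo "$domain $digest" >> "$new_state"
    done
    mv "$new_state" "$state_file"
}

# KV v2 write URL. Assumption: first segment of VAULT_CERT_PATH is the mount,
# the rest a prefix, e.g. ssl-cert/letsencrypt -> /v1/ssl-cert/data/letsencrypt/<domain>.
vault_kv2_url() {
    addr=$1; cert_path=$2; domain=$3
    mount=${cert_path%%/*}
    prefix=${cert_path#"$mount"}; prefix=${prefix#/}
    echo "${addr%/}/v1/${mount}/data/${prefix:+$prefix/}${domain}"
}

# JSON-escape a file body: PEM is printable ASCII, so only backslash, double
# quote and newline need escaping. Output is a single line with literal \n.
json_escape_file() {
    sed 's/\\/\\\\/g; s/"/\\"/g' "$1" | awk '{ printf "%s\\n", $0 }'
}

# KV v2 request body {"data":{"<file>":"<content>",...}}, one key per .pem file.
vault_kv2_body() {
    body='{"data":{'; sep=''
    for pem in "${1%/}"/*.pem; do
        body="$body$sep\"$(basename "$pem")\":\"$(json_escape_file "$pem")\""
        sep=','
    done
    echo "$body}}"
}

# Upload one domain directory. DRY_RUN=1 (assumed switch) prints the request.
vault_upload() {
    url=$(vault_kv2_url "$VAULT_ADDR" "${VAULT_CERT_PATH:-ssl-cert/letsencrypt}" "$(basename "$1")")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "POST $url"
    else
        vault_kv2_body "$1" | curl -sf -X POST \
            -H "X-Vault-Token: ${VAULT_TOKEN:?VAULT_TOKEN is required}" \
            --data-binary @- "$url"
    fi
}

# One cycle: upload changed domains (if Vault is configured) and run the hook once.
renew_cycle() {
    changed=$(changed_domains "$1" "$2")
    if [ -z "$changed" ]; then echo "nothing changed"; return 0; fi
    for domain in $changed; do
        if [ -n "${VAULT_ADDR:-}" ]; then vault_upload "$1/$domain"; fi
    done
    if [ -n "${HOOK_CMD:-}" ]; then sh -c "$HOOK_CMD"; fi
    echo "updated: $changed"
}

# Constructed sample data: two domains with placeholder (non-real) PEM bodies.
make_sample_live() {
    live=$(mktemp -d)
    for d in example.com example.org; do
        mkdir -p "$live/$d"
        printf '%s\nMIIB%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$d" '-----END CERTIFICATE-----' > "$live/$d/fullchain.pem"
        printf '%s\nMIIE%s\n%s\n' '-----BEGIN PRIVATE KEY-----' "$d" '-----END PRIVATE KEY-----' > "$live/$d/privkey.pem"
    done
    echo "$live"
}

if [ "${1:-}" = demo ]; then
    export DRY_RUN=1 VAULT_ADDR=https://vault.example.com:8200 HOOK_CMD='echo "hook: reload web server"'
    LIVE=$(make_sample_live); STATE=$(mktemp)
    renew_cycle "$LIVE" "$STATE"   # first cycle: both domains are new, hook fires
    renew_cycle "$LIVE" "$STATE"   # second cycle: nothing changed, no hook
fi
```

Two design points worth keeping in a real implementation: the state file is replaced atomically after the whole scan, so a crash mid-cycle re-uploads rather than silently skips a domain; and the hook runs once per cycle rather than once per domain, which is what you want when the hook reloads a web server.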

Usage Examples

Certbot with webroot plugin and nginx

Use the docker-compose project from examples/nginx.

  1. Run the project:

    docker-compose up -d
    
  2. Obtain the certificate for the domain:

    docker-compose run --rm certbot-service certonly --email admin@example.com -d example.com
    
  3. Enable and prepare SSL server config for the domain:

    mv conf.d/domain.conf.sample conf.d/domain.conf && sed -i 's/DOMAIN/example.com/g' conf.d/domain.conf
    
  4. Reload nginx:

    docker-compose kill -s SIGHUP nginx
    

That's all! You do not need to set up any additional cron job for certificate renewal; certbot-service will do it for you while it is running.

Standalone certbot with route53 DNS plugin and Vault

Use the docker-compose project from examples/standalone.

  1. Configure certbot-service with environment variables in .env file (set VAULT_ADDR, VAULT_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.).

  2. Run the project:

    docker-compose up -d
    
  3. Obtain the certificate for the domain:

    docker-compose run --rm certbot-service certonly --dns-route53 --email admin@example.com -d example.com
    

That's all! You do not need to set up any additional cron job for certificate renewal; certbot-service will do it for you while it is running.
