Docker获取Let`s Encrypt SSL 证书

文中的操作都是在CentOS Stream release 9下执行的，使用的是root用户。

1. 安装docker

# 卸载原有的docker

yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine

# 安装依赖

yum install -y yum-utils device-mapper-persistent-data lvm2

# 配置docker-ce源

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# 安装docker

yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin

# 安装docker-compose

wget https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-linux-x86_64

chmod +x docker-compose-linux-x86_64 && mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose && ldconfig

2. Let`s Encrypt及Certbot介绍

关于Let`s Encrypt可以参见这里。

certbot安装使用参加这里。

3. Docker运行Certbot获取证书

为了方便维护、升级，同时也避免破坏本地的开发环境，我这里使用docker方式来运行certbot。整个过程分为两步：首次申请证书和证书更新。

3.1 首次申请证书

因为我的文章都是通过jekyll运行的静态网站，之后会通过nginx来运行，所以这里就以nginx为例来配置网站的tls证书。

default.conf

server {

    listen      80;

    server_name example.com www.example.com;
# 高优先级，仅用于更新证书

    location ~ /.well-known/acme-challenge {

        allow all;

        root /data/letsencrypt;

    }

}

1. docker-compose文件：

version: '3.3'
services:

  nginx:

    image: nginx:1.23.4-alpine

    container_name: frontend

    volumes:

      - ./default.conf:/etc/nginx/conf.d/default.conf

      - ./frontend:/usr/share/nginx/html

    ports:

      - 80:80

docker-compse up -dcertbot

docker run --rm -it -v ./certbot/etc/letsencrypt:/etc/letsencrypt -v ./certbot/var/log/letsencrpt:/var/log/letsencrypt -v ./frontend:/data/letsencrypt certbot/certbot:latest certonly --webroot --email your@eamil.com --agree-tos --no-eff-email --webroot-path=/data/letsencrypt -d example.com -d example.com

./certbot/etc/letsencrypt/liveexample.comfullchain.pemprivkey.pem

docker-compose down

version: '3.3'
services:

  nginx:

    image: nginx:1.23.4-alpine

    container_name: frontend

    volumes:

      - ./default.conf:/etc/nginx/conf.d/default.conf

      # - ./frontend:/usr/share/nginx/html

      - ./certbot/etc/letsencrypt/live:/letsencrypt/live        # 当前证书目录

      - ./certbot/etc/letsencrypt/archive:/letsencrypt/archive  # 历史证书目录

      - ./dhparam-2048.pem:/letsencrypt/dhparam-2048.pem        # 使用2048位DH（Diffie-Hellman）参数

    ports:

      - 80:80

      - 443:443

openssl dhparam -out ./dhparam-2048.pem 2048

1. 更新nginx配置文件

# 处理http请求

server {

    listen      80;

    server_name example.com www.example.com;
# 重定向到https

    location / {

        rewrite ^ https://$host$request_uri? permanent;

    }
# 高优先级，仅用于更新证书

    location ~ /.well-known/acme-challenge {

        allow all;

        root /data/letsencrypt;

    }

}
# 处理https请求

server {

    listen 443 ssl http2;

    server_name example.com www.example.com;
server_tokens off;
ssl_certificate /letsencrypt/live/example.com/fullchain.pem;

    ssl_certificate_key /letsencrypt/live/example.com/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /letsencrypt/dhparam-2048.pem; # 使用2048位DH参数，加强安全
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    ssl_prefer_server_ciphers on;

    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;

    ssl_session_tickets off;
# OCSP stapling

    ssl_stapling on;

    ssl_stapling_verify on;

    resolver 8.8.8.8;
root /usr/share/nginx/html;

    index index.html;

}

docker-compose up -d

3.2 证书更新

1. 通过以下脚本可以实现证书更新：

#!/bin/bash
docker run -it --rm \

-v ./certbot/etc/letsencrypt:/etc/letsencrypt \

-v ./certbot/var/lib/letsencrypt:/var/lib/letsencrypt \

-v ./certbot/var/log/letsencrypt:/var/log/letsencrypt \

-v ./site:/data/letsencrypt \

certbot/certbot \

renew --webroot -w /data/letsencrypt --quiet && docker kill --signal=HUP frontend

0 0 1 * * {{YOURPATH}}/renew.sh