
# 11notes/certbot
With this image you can create certificates from Let's Encrypt via different modules (challenge types). The image starts an Nginx web server that answers the HTTP-01 challenge, produces the resulting certificate in several file formats that other systems can consume, and calls an optional webhook on every renewal attempt (success or failure). As a bonus, it permanently redirects all HTTP requests that are not ACME challenge requests to HTTPS.
Simply configure your desired certificates via YAML in `/certbot/etc/config.yaml` and give each module the information it needs. After that, run `docker exec certbot renew` periodically (for example from cron). Certbot then creates or renews every certificate defined in `config.yaml`, removes expired certificates, and generates the additional certificate types (`*.pfx`, `*.pk8`) plus a tar archive containing all files. A webhook or script can be called on each renewal.
Why use this image at all instead of letting Traefik handle Certbot? Although most services can be proxied via Traefik or another reverse proxy that renews its own certificates, many systems that cannot be proxied still need valid TLS certificates (database authentication, MQTT, SMTP, RDP and so on). Because this image creates valid certificates and calls a webhook on each success or failure, that webhook can be used to install the renewed certificates on those non-proxied systems.
/certbot/etc/config.yaml
```yaml
certificates:
  # name must be unique and is used for the file names
  # up to 100 FQDN or wildcard allowed
  - name: "com.domain"
    *** "***"
    fqdn:
      - "*.domain.com"
      - "*.[***]"

  # define module to use
  - name: "com.domain.dns"
    *** "***"
    module:
      rfc2136:
        server: 10.255.255.53
        port: 53
        name: "certbot."
        secret: "*****************************************************"
        algorithm: "HMAC-SHA512"
        propagation_seconds: 30
    fqdn:
      - "*.domain.com"

  - name: "com.domain.dns.credentials"
    *** "***"
    module:
      rfc2136:
        credentials: "/certbot/etc/com.domain.ini"
    fqdn:
      - "*.domain.com"

  # use RSA instead of ECDSA
  - name: "com.domain.rsa"
    *** "***"
    key: rsa
    fqdn:
      - "*.domain.com"

  # call webhook
  - name: "com.domain.webhook"
    *** "***"
    webhook: [***]
    fqdn:
      - "*.domain.com"

  # call script
  - name: "com.domain.script"
    *** "***"
    script: /certbot/scripts/vmware.horizon.uag.sh
    key: rsa
    fqdn:
      - "*.domain.com"
```
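As an added example (not part of the image or its documentation), here is a small Python validator for `config.yaml` that you can run before `docker exec certbot renew`. It encodes the constraints stated above (unique names that double as file names, at most 100 FQDNs or wildcards per entry, key type `rsa` or `ecdsa`) plus two checks that are my assumptions about the module: an `rfc2136` block must carry either `credentials` or the full inline `server`/`name`/`secret`/`algorithm` set, and a wildcard entry must use a DNS module, because Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, never through the HTTP-01 challenge the bundled Nginx serves. The sample configs are constructed dicts in the shape `yaml.safe_load` returns; the masked key shown in the example above is left out, and the TSIG secret is a placeholder.

```python
"""Sanity-check a 11notes/certbot config.yaml before running `renew`.

Added example, not part of the image. Feed validate() the dict that
yaml.safe_load(open("/certbot/etc/config.yaml")) returns.
"""
import re

MAX_FQDN = 100                 # README: up to 100 FQDN or wildcard per entry
KEY_TYPES = {"rsa", "ecdsa"}   # README: key type, ECDSA is the default
DNS_MODULES = {"rfc2136"}      # DNS-01 modules documented on this page
# Assumption: minimum inline parameter set when no credentials file is given.
RFC2136_INLINE = {"server", "name", "secret", "algorithm"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# One optional leading "*." wildcard label, then at least two ordinary labels.
FQDN_RE = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def validate(config):
    """Return a list of human-readable problems; an empty list means usable."""
    problems = []
    entries = config.get("certificates")
    if not isinstance(entries, list) or not entries:
        return ["certificates: must be a non-empty list"]

    seen = set()
    for i, entry in enumerate(entries):
        name = entry.get("name")
        if not isinstance(name, str) or not name:
            problems.append(f"certificates[{i}]: missing name")
            continue
        # Names become file names (name.pfx, name.pk8, ...): unique and path-safe.
        if name in seen:
            problems.append(f"{name}: duplicate name")
        seen.add(name)
        if "/" in name or name in (".", ".."):
            problems.append(f"{name}: name is not a safe file name")

        fqdns = entry.get("fqdn") or []
        if not isinstance(fqdns, list) or not fqdns:
            problems.append(f"{name}: fqdn must be a non-empty list")
            fqdns = []
        if len(fqdns) > MAX_FQDN:
            problems.append(f"{name}: {len(fqdns)} FQDNs exceeds the limit of {MAX_FQDN}")
        for fqdn in fqdns:
            if not isinstance(fqdn, str) or not FQDN_RE.match(fqdn):
                problems.append(f"{name}: invalid fqdn {fqdn!r}")

        key = str(entry.get("key", "ecdsa")).lower()
        if key not in KEY_TYPES:
            problems.append(f"{name}: key must be one of {sorted(KEY_TYPES)}, got {key!r}")

        module = entry.get("module") or {}
        if "rfc2136" in module:
            params = module["rfc2136"] or {}
            # Either point at an ini file or give the TSIG parameters inline.
            if "credentials" not in params and not RFC2136_INLINE <= set(params):
                problems.append(f"{name}: rfc2136 needs 'credentials' or all of "
                                f"{sorted(RFC2136_INLINE)}")

        # ACME issues wildcard names only through DNS-01; the HTTP-01 challenge
        # answered by the bundled Nginx cannot validate them.
        wildcard = any(isinstance(f, str) and f.startswith("*.") for f in fqdns)
        if wildcard and not DNS_MODULES & set(module):
            problems.append(f"{name}: wildcard fqdn requires a DNS module {sorted(DNS_MODULES)}")

        # Assumption: the renewal webhook should be an https URL so the status
        # report cannot be tampered with in transit.
        webhook = entry.get("webhook")
        if webhook is not None and not str(webhook).lower().startswith("https://"):
            problems.append(f"{name}: webhook should be an https:// URL")
    return problems


# Constructed sample, in the shape yaml.safe_load returns for config.yaml.
GOOD_CONFIG = {
    "certificates": [
        {
            "name": "com.domain.dns",
            "module": {"rfc2136": {
                "server": "10.255.255.53", "port": 53, "name": "certbot.",
                "secret": "REPLACE_WITH_BASE64_TSIG_SECRET",   # placeholder, not a real key
                "algorithm": "HMAC-SHA512", "propagation_seconds": 30,
            }},
            "fqdn": ["*.domain.com"],
        },
        {"name": "com.domain.rsa", "key": "rsa", "fqdn": ["domain.com", "www.domain.com"]},
    ]
}

# Constructed sample with five deliberate mistakes.
BAD_CONFIG = {
    "certificates": [
        {"name": "com.domain", "fqdn": ["*.domain.com"]},                        # wildcard via HTTP-01
        {"name": "com.domain", "key": "dsa", "fqdn": ["bad_host.domain.com"]},  # duplicate, key, fqdn
        {"name": "com.domain.ini", "module": {"rfc2136": {"server": "10.255.255.53"}},
         "fqdn": ["*.domain.com"]},                                             # incomplete rfc2136
    ]
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate(cfg) or "ok")
```

Run it with `python3 validate_config.py`; wire it into the cron job ahead of `docker exec certbot renew` so a broken entry is reported before Certbot burns Let's Encrypt rate limits on it.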
Traefik: route ACME challenge requests arriving on HTTP:80 to the certbot container with this router rule:
```
(HostRegexp(`{host:.+}`) && PathPrefix(`/.well-known/acme-challenge`))
```
Do not also configure an HTTP-to-HTTPS redirection on the port-80 entrypoint itself (`entryPoints.<name>.http.redirections`): Traefik implements that as a router that outranks this rule by default, so the challenge request would be redirected before it reaches Certbot. Let the certbot image handle the redirect instead, since it already redirects everything except the challenge path.
| Parameter | Value | Description |
|---|---|---|
| user | docker | user docker |
| uid | 1000 | user id 1000 |
| gid | 1000 | group id 1000 |
| home | /certbot | home directory of user docker |
| Parameter | Description | Default |
|---|---|---|
| TZ | time zone | |
| DEBUG | show debug information | |
| CERTBOT_CONFIG | environment variable containing the entire config as YAML (instead of /certbot/etc/config.yaml) | |
| CERTBOT_KEY_TYPE | set global key type (RSA or ECDSA) | ECDSA |
| CERTBOT_TRAEFIK_DIRECTORY | directory in which to create the certificate structure for Traefik (i.e. /certbot/traefik) | |
| CERTBOT_TRAEFIK_RELATIVE_PATH | relative path to use in certbot.yaml (i.e. /traefik/var/ssl) | |

Note that a config passed through CERTBOT_CONFIG, including any inline rfc2136 TSIG secret, is visible to anyone who can run `docker inspect` on the container; prefer the mounted config.yaml with a `credentials` ini file for secrets.
| Module | Parameter | Description | Default |
|---|---|---|---|
| rfc2136 | CERTBOT_RFC2136_PROPAGATION_SECONDS | time in seconds to wait for global DNS propagation | 60 |
| rfc2136 | CERTBOT_RFC2136_CREDENTIALS | path to the global dns.ini | /certbot/etc/rfc2136.ini |
This image is provided to you at your own risk. Always make backups before updating the image to a new version, and check the changelog for breaking changes. You can find all my repositories on GitHub.





