Saturday, September 29, 2018

Docker for Let's Encrypt on CentOS 7 Nginx Docker

Docker Installation

Remove the old Docker version and install the current one



#!/bin/bash
sudo yum remove -y docker \
     docker-client \
     docker-client-latest \
     docker-common \
     docker-latest \
     docker-latest-logrotate \
     docker-logrotate \
     docker-selinux \
     docker-engine-selinux \
     docker-engine
sudo yum install -y yum-utils \
     device-mapper-persistent-data \
     lvm2
sudo yum-config-manager \
     --add-repo \
     https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install -y docker-ce docker-compose
sudo systemctl enable docker.service
sudo systemctl start docker.service

Set up the certbot Docker environment

  • The DNS record must be configured before setting up the environment
  1. Create the working directory
    • Because the docker command only accepts absolute paths, create the directories as shown below so that the later steps work without problems
    
    
sudo mkdir -p /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site
    2. Create docker-compose.yml
sudo vi /docker/letsencrypt-docker-nginx/src/letsencrypt/docker-compose.yml

Add:
version: '3.1'
services:

  letsencrypt-nginx-container:
    container_name: 'letsencrypt-nginx-container'
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
      - ./letsencrypt-site:/usr/share/nginx/html
    networks:
      - docker-network

networks:
  docker-network:
    driver: bridge

    3. Create the nginx.conf configuration file

sudo vi /docker/letsencrypt-docker-nginx/src/letsencrypt/nginx.conf

Add:

  • Change ooo.com to your own domain name
  • A sub-domain alone may also be used

server {
    listen 80;
    listen [::]:80;
    # change ooo.com to your domain name
    server_name ooo.com www.ooo.com;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html;
    }

    root /usr/share/nginx/html;
    index index.html;
}

    4. Start docker-compose

cd /docker/letsencrypt-docker-nginx/src/letsencrypt
docker-compose up -d



  • After start-up the letsencrypt-site folder is created automatically; put a test home page in it to confirm the site is being served (optional)

echo "let's encrypt site" | sudo tee /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site/index.html > /dev/null

    5. Run the following shell script (vi letencrypt_script_gen.sh)

#!/bin/bash
mkdir -p /docker/letsencrypt-docker-nginx/src/letsencrypt/scripts
cd /docker/letsencrypt-docker-nginx/src/letsencrypt/scripts

# create stg_apply.sh
cat > stg_apply.sh << EOF
#!/bin/bash
# usage
# sudo sh stg_apply.sh your_domain_name
sudo docker run -it --rm \\
-v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \\
-v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \\
-v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \\
-v /docker-volumes/var/log/letsencrypt:/var/log/letsencrypt \\
certbot/certbot \\
certonly --webroot \\
--register-unsafely-without-email --agree-tos \\
--webroot-path=/data/letsencrypt \\
--staging \\
-d \$1
EOF

# create stg_check.sh
cat > stg_check.sh << EOA
#!/bin/bash
sudo docker run --rm -it --name certbot \\
-v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \\
-v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \\
-v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \\
certbot/certbot \\
--staging \\
certificates
EOA

# create prod_apply.sh
cat > prod_apply.sh << EOC
#!/bin/bash
# usage
# sudo sh prod_apply.sh your_domain_name your_email
sudo docker run -it --rm \\
-v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \\
-v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \\
-v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \\
-v "/docker-volumes/var/log/letsencrypt:/var/log/letsencrypt" \\
certbot/certbot \\
certonly --webroot \\
--email \${2} --agree-tos --no-eff-email \\
--webroot-path=/data/letsencrypt \\
-d \${1}
EOC

# create prod_check.sh
cat > prod_check.sh << EOD
#!/bin/bash
sudo docker run --rm -it --name certbot \\
-v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \\
-v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \\
-v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \\
certbot/certbot \\
certificates
EOD

# create prod_renew.sh
cat > prod_renew.sh << EOB
#!/bin/bash
# usage
# sudo sh prod_renew.sh your_docker_nginx_name
docker run --rm -it --name certbot \\
-v "/docker-volumes/etc/letsencrypt:/etc/letsencrypt" \\
-v "/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt" \\
-v "/docker-volumes/data/letsencrypt:/data/letsencrypt" \\
-v "/docker-volumes/var/log/letsencrypt:/var/log/letsencrypt" \\
certbot/certbot \\
renew --webroot -w /data/letsencrypt --quiet && \\
docker kill --signal=HUP \$1
EOB

# create cleanup_docker-volume.sh (deletes every staging certificate, key and log under /docker-volumes)
cat > cleanup_docker-volume.sh << EOE
#!/bin/bash
rm -fr /docker-volumes
EOE

chmod +x *.sh

Testing and requesting the certificate

  • cd /docker/letsencrypt-docker-nginx/src/letsencrypt/scripts
  • Test (staging)
    • Run ./stg_apply.sh YOUR_DOMAIN_NAME
    • Run ./stg_check.sh to confirm the status is normal
    • ./cleanup_docker-volume.sh clears the test data
  • Production request
    • Run ./prod_apply.sh YOUR_DOMAIN_NAME YOUR_EMAIL
    • Run ./prod_check.sh to confirm the status is normal
    • Add prod_renew.sh YOUR_NGINX_DOCKER_NAME to crontab so that it runs periodically and the certificate is renewed
    • After the request completes, the container used for the request can be shut down with docker-compose down
  • Generate the DHParam file
    cd /docker-volumes
    sudo openssl dhparam -out dhparam-2048.pem 2048

  • The certificate paths that can be used are as follows
    • public key /docker-volumes/etc/letsencrypt/live/ooo.com/fullchain.pem
    • private key /docker-volumes/etc/letsencrypt/live/ooo.com/privkey.pem
    • DHParam /docker-volumes/dhparam-2048.pem
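The post lists the certificate paths but does not show the TLS server block that uses them; the following nginx configuration is an added example (not from the original post or the referenced article) for the production nginx container. It assumes the host paths /docker-volumes/etc/letsencrypt, /docker-volumes/dhparam-2048.pem and /docker-volumes/data/letsencrypt are mounted into the container at /etc/letsencrypt, /etc/nginx/dhparam-2048.pem and /usr/share/nginx/html respectively.

```nginx
# Added example, not from the original post. Assumed container mounts:
#   /docker-volumes/etc/letsencrypt      -> /etc/letsencrypt
#   /docker-volumes/dhparam-2048.pem     -> /etc/nginx/dhparam-2048.pem
#   /docker-volumes/data/letsencrypt     -> /usr/share/nginx/html  (webroot used by prod_renew.sh)
server {
    listen 80;
    listen [::]:80;
    server_name ooo.com www.ooo.com;

    # keep serving ACME challenges over plain HTTP so prod_renew.sh keeps working
    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html;
    }

    # everything else is redirected to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ooo.com www.ooo.com;

    # the three files listed above, as seen from inside the container
    ssl_certificate     /etc/letsencrypt/live/ooo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ooo.com/privkey.pem;
    ssl_dhparam         /etc/nginx/dhparam-2048.pem;

    # TLS 1.2+ only, AEAD ciphers with forward secrecy, no resumable tickets
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # tell browsers to use HTTPS for this host for two years
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /usr/share/nginx/html;
    index index.html;
}
```

Note that prod_renew.sh mounts /docker-volumes/data/letsencrypt as the certbot webroot, a different host directory from the letsencrypt-site folder used by stg_apply.sh and prod_apply.sh, so the production container must serve /.well-known/acme-challenge from that directory or renewals will fail the HTTP challenge.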

ref:
How to Set Up Free SSL Certificates from Let's Encrypt using Docker and Nginx


MariaDB Cluster on CentOS7.6

Goal: build a MariaDB 10.3 Galera cluster on three CentOS 7.6 minimal hosts