Docker Installation
移除舊版本docker並安裝新版
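#!/bin/bash
# Replace legacy Docker packages with Docker CE from the official repository on
# CentOS, then enable and start the daemon. Needs sudo and network access to
# download.docker.com.
set -euo pipefail

# Package names that conflict with docker-ce; removing packages that are not
# installed is not an error for this step.
legacy_pkgs=(
  docker
  docker-client
  docker-client-latest
  docker-common
  docker-latest
  docker-latest-logrotate
  docker-logrotate
  docker-selinux
  docker-engine-selinux
  docker-engine
)
sudo yum remove -y "${legacy_pkgs[@]}" || true

sudo yum install -y yum-utils device-mapper-persistent-data lvm2

# Add the official repo (over HTTPS) before installing docker-ce; with `set -e`
# a failed repo add stops the script instead of installing from the wrong source.
sudo yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo

sudo yum install -y docker-ce docker-compose

sudo systemctl enable docker.service
sudo systemctl start docker.service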
建立certbot docker 環境
- 建立環境之前,需先將DNS record設定好
- 建立工作資料夾
- 由於docker command 只能使用絕對路徑,因此建議依此法建立相關資料夾進行操作,確保不會有問題
sudo mkdir -p /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site
2. 建立docker-compose.yml
sudo vi /docker/letsencrypt-docker-nginx/src/letsencrypt/docker-compose.yml
加入
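version: '3.1'
services:
  letsencrypt-nginx-container:
    container_name: 'letsencrypt-nginx-container'
    # Temporary HTTP-only nginx that serves the ACME http-01 challenge files;
    # it is shut down once the certificate has been issued. Consider pinning a
    # specific tag or digest instead of :latest so the image is reproducible.
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      # Server block from step 3 replaces the image's default site.
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
      # Webroot shared with the certbot scripts (mounted there as /data/letsencrypt).
      - ./letsencrypt-site:/usr/share/nginx/html
    networks:
      - docker-network
networks:
  docker-network:
    driver: bridge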
3. 建立 nginx.conf 設定檔
sudo vi /docker/letsencrypt-docker-nginx/src/letsencrypt/nginx.conf
加入
- 修改ooo.com為自身域名
- 可以只用sub-domain
# Temporary HTTP-only server block used while certbot requests the certificate.
# It serves the challenge files certbot writes into the shared webroot
# (/usr/share/nginx/html, the letsencrypt-site volume from docker-compose.yml).
server {
  listen 80;
  listen [::]:80;
  # change ooo.com to your domain name
  server_name ooo.com www.ooo.com;
  # `allow all` keeps the ACME challenge path open regardless of other rules.
  location ~ /.well-known/acme-challenge {
    allow all;
    root /usr/share/nginx/html;
  }
  root /usr/share/nginx/html;
  index index.html;
}
4. 啟動docker-compose
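# Start the temporary nginx container from the directory holding docker-compose.yml
# (the path as printed on the page was truncated); abort if the cd fails so
# docker-compose does not run against the wrong directory.
cd /docker/letsencrypt-docker-nginx/src/letsencrypt || exit 1
docker-compose up -d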
- 啟動後, letsencrypt-site 資料夾會自動建立,放入測試首頁確認(option)
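# `sudo echo ... > file` runs only echo under sudo; the redirection is done by the
# unprivileged shell and fails on the root-owned directory. Let tee do the write.
printf '%s\n' "let's encrypt site" | sudo tee /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site/index.html >/dev/null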
5. 執行以下shell script
vi letencrypt_script_gen.sh
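#!/bin/bash
# Generate the certbot helper scripts (staging/production apply, check, renew,
# and a cleanup helper) in the letsencrypt scripts directory.
# The generated scripts share the host paths used by the docker-compose nginx
# container: letsencrypt-site is the ACME webroot, and /docker-volumes holds
# certbot's account data, certificates, work dir and logs.
set -euo pipefail

readonly scripts_dir=/docker/letsencrypt-docker-nginx/src/letsencrypt/scripts

mkdir -p "$scripts_dir"
# Abort if the directory is unusable; otherwise the heredocs below would be
# written into whatever the current directory happens to be.
cd "$scripts_dir" || exit 1

# Heredoc delimiters are quoted so "$1"/"$2" and the backslash continuations
# land in the generated scripts verbatim, without double escaping here.

# stg_apply.sh — request a certificate from the Let's Encrypt staging
# environment (not rate limited, certificate not trusted) to validate the setup.
cat > stg_apply.sh << 'EOF'
#!/bin/bash
# usage
# sudo sh stg_apply.sh your_domain_name
: "${1:?usage: $0 your_domain_name}"
sudo docker run -it --rm \
  -v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \
  -v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \
  -v /docker-volumes/var/log/letsencrypt:/var/log/letsencrypt \
  certbot/certbot \
  certonly --webroot \
  --register-unsafely-without-email --agree-tos \
  --webroot-path=/data/letsencrypt \
  --staging \
  -d "$1"
EOF

# stg_check.sh — list the certificates known to the staging account.
cat > stg_check.sh << 'EOA'
#!/bin/bash
sudo docker run --rm -it --name certbot \
  -v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \
  -v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \
  certbot/certbot \
  --staging \
  certificates
EOA

# prod_apply.sh — request the real certificate; both arguments are required.
cat > prod_apply.sh << 'EOC'
#!/bin/bash
# usage
# sudo sh prod_apply.sh your_domain_name your_email
: "${1:?usage: $0 your_domain_name your_email}"
: "${2:?usage: $0 your_domain_name your_email}"
sudo docker run -it --rm \
  -v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \
  -v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \
  -v /docker-volumes/var/log/letsencrypt:/var/log/letsencrypt \
  certbot/certbot \
  certonly --webroot \
  --email "$2" --agree-tos --no-eff-email \
  --webroot-path=/data/letsencrypt \
  -d "$1"
EOC

# prod_check.sh — list the certificates known to the production account.
cat > prod_check.sh << 'EOD'
#!/bin/bash
sudo docker run --rm -it --name certbot \
  -v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \
  -v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt \
  certbot/certbot \
  certificates
EOD

# prod_renew.sh — renew from cron and HUP the nginx container named in $1.
# No -it here: `docker run -t` fails under cron, where there is no TTY.
# NOTE(review): the webroot is mounted from /docker-volumes/data/letsencrypt,
# not from letsencrypt-site as in the apply scripts — the production nginx that
# receives the HUP must serve /.well-known/acme-challenge from that host path;
# confirm against its own compose file.
cat > prod_renew.sh << 'EOB'
#!/bin/bash
# usage
# sudo sh prod_renew.sh your_docker_nginx_name
: "${1:?usage: $0 your_docker_nginx_name}"
docker run --rm --name certbot \
  -v "/docker-volumes/etc/letsencrypt:/etc/letsencrypt" \
  -v "/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -v "/docker-volumes/data/letsencrypt:/data/letsencrypt" \
  -v "/docker-volumes/var/log/letsencrypt:/var/log/letsencrypt" \
  certbot/certbot \
  renew --webroot -w /data/letsencrypt --quiet && \
  docker kill --signal=HUP "$1"
EOB

# cleanup_docker-volume.sh — wipe the staging test state. This also deletes the
# certbot account key, certificates and logs, so it is meant only between the
# staging test and the production request, never after production issuance.
cat > cleanup_docker-volume.sh << 'EOE'
#!/bin/bash
rm -fr -- /docker-volumes
EOE

chmod +x -- *.sh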
進行測試與申請憑證
cd /docker/letsencrypt-docker-nginx/src/letsencrypt/scripts
- 測試(stage)
- 執行
./stg_apply.sh YOUR_DOMAIN_NAME
- 執行
./stg_check.sh
確認狀態正常
- 執行 ./cleanup_docker-volume.sh 清空測試
- 正式申請
- 執行
./prod_apply.sh YOUR_DOMAIN_NAME YOUR_EMAIL
- 執行
./prod_check.sh
確認狀態正常
- 將 prod_renew.sh YOUR_NGINX_DOCKER_NAME 加入crontab中定期執行更新憑證即可
- 申請完成後即可將申請用container關閉
docker-compose down
- 執行
- 產生DHParam檔
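# Two commands were fused on one line on the page; as written, `cd` receives
# extra arguments and fails. Generate the DH parameters inside /docker-volumes.
cd /docker-volumes || exit 1
sudo openssl dhparam -out dhparam-2048.pem 2048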
- 可使用憑證路徑如下
public key: /docker-volumes/etc/letsencrypt/live/ooo.com/fullchain.pem
private key: /docker-volumes/etc/letsencrypt/live/ooo.com/privkey.pem
DHParam: /docker-volumes/dhparam-2048.pem
ref:
How to Set Up Free SSL Certificates from Let's Encrypt using Docker and Nginx