# docker-certbot

**Repository Path**: augety/docker-certbot

## Basic Information

- **Project Name**: docker-certbot
- **Description**: Let's Encrypt wildcard certificate issuance
- **Primary Language**: Unknown
- **License**: MIT
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 2
- **Forks**: 1
- **Created**: 2020-03-27
- **Last Updated**: 2023-06-10

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# Installing certbot

Official documentation: https://certbot.eff.org/docs/using.html

The install method on the certbot home page did not, at the time, use the current Let's Encrypt ACME v2 API (old certbot releases defaulted to the v1 endpoint; current releases default to v2, and Let's Encrypt has since retired v1, so the flag below is only needed on old versions). Add the parameter:

> --server https://acme-v02.api.letsencrypt.org/directory

The command is now:

```
# certbot certonly --standalone -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory
```

This fails with:

> Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

The cause is that the standalone authenticator does not perform DNS validation, and wildcard names cannot be validated any other way. Add the parameter:

```
--preferred-challenges dns
```

Reading the official documentation shows that wildcard certificates require the **dns-01** challenge. The documentation says this challenge can be completed automatically, but that requires a DNS plugin, and plugins are only shipped for the following providers:

- cloudflare
- cloudxns
- digitalocean
- dnsimple
- dnsmadeeasy
- google
- luadns
- nsone
- rfc2136
- route53

Chinese domain registrars rarely expose an API, so there is nothing to automate against; fall back to the manual authenticator instead:

```
--manual
```

The complete command is:

```
# certbot certonly --preferred-challenges dns --manual -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory
```

Note that `*.example.com` does not cover the bare `example.com`; to put both in one certificate pass `-d example.com -d *.example.com`, and be prepared to add two separate TXT records under the same `_acme-challenge.example.com` name, one per identifier.

On first run you have to accept the terms of service; agree to all of the prompts.

During issuance certbot asks you to add a TXT record:

> Please deploy a DNS TXT record under the name
> _acme-challenge.example.com with the following value:
>
> **xxxxxxxxxxxxxxxxxxxxxxxxxxxxx**
>
> Before continuing, verify the record is deployed.

Add the TXT record, wait until it is live (check with `dig`; Let's Encrypt queries the zone's authoritative name servers, so check those rather than a caching resolver, which may answer from a stale cache), then press Enter.
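The "verify with dig, then press Enter" step above is where manual dns-01 issuance usually goes wrong. The script below is an added example, not code from the docker-certbot repository: it derives the challenge record name certbot asks for and polls every authoritative name server of the zone until all of them serve the value certbot printed. The domain, value and zone are command-line arguments (placeholders here), and `dig` (bind-tools / dnsutils) must be installed.

```sh
#!/bin/sh
# Added example (not part of the docker-certbot repository): confirm that the
# _acme-challenge TXT record is visible on the zone's authoritative name
# servers before telling certbot to continue. Requires `dig`.

# Derive the TXT record name certbot asks for. A leading "*." is stripped:
# the challenge for *.example.com lives at _acme-challenge.example.com.
acme_txt_name() {
    domain=$(printf '%s' "$1" | sed 's/^\*\.//')
    printf '_acme-challenge.%s\n' "$domain"
}

# Return 0 if the expected value appears in `dig +short TXT` output.
# dig prints TXT data quoted, e.g. "abc123", so strip the quotes before
# comparing; several records may exist (apex + wildcard), so match any line.
txt_value_present() {
    dig_output=$1
    expected=$2
    printf '%s\n' "$dig_output" | tr -d '"' | grep -Fxq -- "$expected"
}

# Poll every authoritative NS of the zone until all of them serve the value.
# Let's Encrypt validates against the authoritative servers, so a record
# that is visible through the local resolver is not enough, and a stale
# cached answer there does not matter.
wait_for_txt() {
    domain=$1       # e.g. *.example.com or example.com (placeholder)
    expected=$2     # the value certbot printed
    zone=$3         # zone holding the record, e.g. example.com (placeholder)
    name=$(acme_txt_name "$domain")
    nameservers=$(dig +short NS "$zone")
    [ -n "$nameservers" ] || { echo "no NS records for $zone" >&2; return 1; }
    attempt=0
    while [ "$attempt" -lt 30 ]; do
        missing=0
        for ns in $nameservers; do
            out=$(dig +short TXT "$name" "@$ns" 2>/dev/null)
            if txt_value_present "$out" "$expected"; then
                echo "ok      $ns"
            else
                echo "missing $ns"
                missing=1
            fi
        done
        [ "$missing" -eq 0 ] && return 0
        attempt=$((attempt + 1))
        sleep 10
    done
    echo "record not visible on all name servers after $attempt attempts" >&2
    return 1
}

# Usage: ./check-txt.sh '*.example.com' 'value-from-certbot' example.com
if [ "$#" -eq 3 ]; then
    wait_for_txt "$1" "$2" "$3"
fi
```

Run it in a second terminal while certbot is waiting at the "Before continuing" prompt; press Enter only once every name server reports `ok`. If you requested both `example.com` and `*.example.com`, run it once per value certbot prints.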
# Using docker-compose

```
version: '3'
services:
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./letsencrypt/etc:/etc/letsencrypt
      - ./letsencrypt/lib:/var/lib/letsencrypt
      - ./letsencrypt/log:/var/log/letsencrypt
      - ./webroot/www:/var/www
```

Issue the certificate with the following command. `--rm` removes the one-off container afterwards (without it every `run` leaves a stopped container behind), and the `--server` flag is not needed because the `certbot/certbot` image already defaults to the ACME v2 endpoint:

```
docker-compose run --rm certbot certonly --preferred-challenges dns --manual -d *.example.com
```

Renew with:

```
docker-compose run --rm certbot renew
```

Be aware that `renew` runs non-interactively, and the manual plugin refuses to run non-interactively unless a `--manual-auth-hook` script that publishes the TXT record is configured. A certificate obtained by pasting the TXT record by hand therefore cannot be renewed by this command. Either supply hook scripts (stored under `./letsencrypt/etc` so they are visible inside the container, and written for `/bin/sh`, since the image is Alpine-based) or re-run the interactive `certonly` command above before the 90-day certificate expires.

Add a cron job for automatic renewal. The original entry was:

```
0 0 */30 * * cd /home/docker_compose_lnmp && /usr/local/bin/docker-compose run certbot renew --quiet --renew-hook "docker exec nginx nginx -s reload" > /dev/null 2>&1
```

Three things about it need fixing. `*/30` in the day-of-month field matches days 1 and 31, not "every 30 days"; since `renew` only replaces certificates that are within 30 days of expiry, simply run it daily (certbot's documentation suggests twice a day). `--renew-hook` is the deprecated name for `--deploy-hook`. Most importantly, the hook runs inside the certbot container, which has neither a `docker` binary nor the Docker socket, so `docker exec nginx nginx -s reload` fails there; run the reload on the host after the renewal instead:

```
0 3 * * * cd /home/docker_compose_lnmp && /usr/local/bin/docker-compose run --rm -T certbot renew --quiet && docker exec nginx nginx -s reload > /dev/null 2>&1
```

`-T` disables the pseudo-TTY, which cron cannot provide. `/home/docker_compose_lnmp` is the docker-compose configuration directory on my server; replace it with your own. `docker exec nginx nginx -s reload` reloads the configuration of the `nginx` container so that it picks up the renewed certificate files.
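The renewal problems described above (hook executing inside the container, stopped containers piling up, no TTY under cron, nginx reloaded whether or not anything changed) are easier to manage with a small host-side wrapper that cron calls instead of `docker-compose` directly. The script below is an added example, not code from the docker-certbot repository. It assumes the compose file above (so `./letsencrypt/etc` is `/etc/letsencrypt` inside the container), an nginx container named `nginx`, and, for manual dns-01 certificates, two hook scripts at the hypothetical paths `hooks/dns-auth.sh` and `hooks/dns-cleanup.sh` inside that volume which publish and remove the TXT record through whatever interface the registrar offers (if there is none, unattended renewal is not possible and the interactive `certonly` must be repeated instead). The deploy hook only touches a marker file in the shared volume, and the host reloads nginx when it finds that marker.

```sh
#!/bin/sh
# Added example (not part of the docker-certbot repository): host-side
# renewal wrapper for cron. Paths, container names and hook scripts are
# assumptions matching the compose file above, not project conventions.

COMPOSE_DIR=${COMPOSE_DIR:-/home/docker_compose_lnmp}   # compose project dir
COMPOSE=${COMPOSE:-/usr/local/bin/docker-compose}
LE_DIR=$COMPOSE_DIR/letsencrypt/etc              # host path of /etc/letsencrypt
MARKER=$LE_DIR/.renewed                          # written by the deploy hook
AUTH_HOOK=/etc/letsencrypt/hooks/dns-auth.sh         # container paths (hypothetical)
CLEANUP_HOOK=/etc/letsencrypt/hooks/dns-cleanup.sh   # must be /bin/sh scripts

# Run certbot renew inside the container.
#   -T   cron has no TTY, so do not allocate a pseudo-TTY
#   --rm do not leave a stopped container behind on every run
# The deploy hook runs inside the container, which has no docker CLI, so it
# cannot reload nginx itself; it only drops a marker in the shared volume.
run_renew() {
    cd "$COMPOSE_DIR" && "$COMPOSE" run --rm -T certbot renew --quiet \
        --manual-auth-hook "$AUTH_HOOK" \
        --manual-cleanup-hook "$CLEANUP_HOOK" \
        --deploy-hook 'touch /etc/letsencrypt/.renewed'
}

# Return 0 and consume the marker if a certificate was deployed since the
# last check, 1 otherwise. Kept separate from run_renew so the decision
# logic can be exercised without docker.
needs_reload() {
    marker=$1
    if [ -e "$marker" ]; then
        rm -f "$marker"
        return 0
    fi
    return 1
}

# Reload nginx on the host only when something actually changed; a reload
# is graceful but there is no reason to do it every day.
reload_if_renewed() {
    if needs_reload "$MARKER"; then
        docker exec nginx nginx -s reload
    fi
}

# Entry point for cron, e.g. (daily; certbot suggests twice daily):
#   0 3 * * * /usr/local/bin/renew-certs.sh run
if [ "$#" -eq 1 ] && [ "$1" = run ]; then
    run_renew
    reload_if_renewed
fi
```

Because the marker lives in the bind-mounted `./letsencrypt/etc`, it is the only thing that has to cross the container boundary; the host never needs the Docker socket inside the certbot container, and the `certbot renew` exit status is not overloaded to mean "something was renewed".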