add multi-certificate support

2023-07-16 15:37:12 +00:00
parent f9aaaaa624
commit e69f607bf8
3 changed files with 661 additions and 68 deletions
--- a/README.md
+++ b/README.md
@ -14,7 +14,7 @@ Dockerised Certbot that utilises cron to schedule creating and renewing SSL cert
 ## Running

 ### Docker CLI
-```
+```bash
 docker run -d --name certbot \
    -e EMAIL=admin@domain.com \
    -e DOMAINS=domain.com \
@ -25,7 +25,7 @@ docker run -d --name certbot \
 ```

 ### Docker Compose
-```
+```yaml
 version: "3"
 services:
  certbot:
@ -99,12 +99,87 @@ Options to use a custom Certificate Authority, for example when issuing internal
 | CUSTOM_CA | null | Name of the root certificate Certbot/ACME will trust requesting the certificate, e.g `root.pem`. **Must be placed in `/config/custom_ca`** |
 | CUSTOM_CA_SERVER | null | Custom server URL used by Certbot/ACME when requesting a certificate, e.g `https://ca.internal/acme/acme/directory` |

+### Multiple Certificates
+
+This container can issue multiple certificates each containing different domains. This could be used to issue a certificate for a public domain on Cloudflare, but then also for a local certificate from an internal Certificate Authority, for example. Another example would be you have a web-server hosting two separate websites and you want them to have dedicated SSL certificates instead of sharing one.
+
+When issuing multiple certificates, first `CERT_COUNT` must be set to a value greater than 1.
+
+#### Global Environment Variables 
+
+Some environment variables can be set globally, where they apply to all certificates (unless otherwise specifically specified). The following can be used globally:
+
+| Variable | DESCRIPTION |
+| --- | --- |
+|EMAIL| Email address for renewal information & other communications |
+|STAGING| Uses the LetsEncrypt staging endpoint for testing - avoids the aggressive rate-limiting of the production endpoint. **Not supported when using a custom Certificate Authority.** |
+|CUSTOM_CA| Name of the root certificate Certbot/ACME will trust requesting the certificate, e.g `root.pem`. **Must be placed in `/config/custom_ca`** |
+|CUSTOM_CA_SERVER| Custom server URL used by Certbot/ACME when requesting a certificate, e.g `https://ca.internal/acme/acme/directory` |
+|PLUGIN| Options are `webroot`, `standalone`, or `cloudflare` |
+|PROPOGATION_TIME| **(Applies to Cloudflare plugin)** The amount of time (seconds) that certbot waits for the TXT records to propogate to Cloudflare before verifying - the more domains in the certificate, the longer you might need |
+
+More detail on these environment variables may be found further up.
+
+#### Certificate-specific Environment Variables
+
+Any variable other than those described as **Core Options** can be set per-certificate in a multi-certificate environment. The syntax is `${VARIABLE_NAME}_${CERT_NUMBER}`. The only certificate-specific option that **must** be set is the `DOMAINS` option.
+
+##### Multi-certificate container using global variables:
+
+```yaml
+  certbot:
+    container_name: certbot
+    image: git.mrmeeb.stream/mrmeeb/certbot-cron
+    volumes:
+      - /docker/certbot-cron:/config
+      - /docker/nginx/www:/config/webroot
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/London
+      - GENERATE_DHPARAM=false
+      - CERT_COUNT=2
+      - EMAIL=admin@domain.com
+      - CUSTOM_CA=root.pem
+      - CUSTOM_CA_SERVER=https://ca.internal/acme/acme/directory
+      - PLUGIN=webroot
+      - STAGING=false
+      - DOMAINS_1=website1.com
+      - DOMAINS_2=website2.com
+```
+
+##### Multi-certificate container using different options for each certificate:
+```yaml
+  certbot:
+    container_name: certbot
+    image: git.mrmeeb.stream/mrmeeb/certbot-cron
+    volumes:
+      - /docker/certbot-cron:/config
+      - /docker/nginx/www:/config/webroot
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/London
+      - GENERATE_DHPARAM=false
+      - CERT_COUNT=2
+      - EMAIL=admin@domain.com
+      - DOMAINS_1=website1.com
+      - CUSTOM_CA_1=root.pem
+      - CUSTOM_CA_SERVER_1=https://ca.internal/acme/acme/directory
+      - PLUGIN_1=webroot
+      - STAGING_1=false
+      - DOMAINS_2=website2.com
+      - PLUGIN_2=cloudflare
+      - CLOUDFLARE_TOKEN_2=abc123
+      - PROPOGATION_TIME_2=30
+      - STAGING_2=true
+```
+
 ## Volumes

 | Docker path | Purpose |
 | --- | --- |
 | /config | Stores configs and LetsEncrypt output for mounting in other containers
-| /config/custom_ca | Mountpoint for a custom Certificate Authority root certificate. **Required if `CUSTOM_CA` is set**
 | /config/webroot | Mountpoint for the webroot of a separate webserver. **Required if `PLUGIN=webroot` is set**

 ## Ports