MrMeeb
0b4022caf1
All checks were successful
Build Image / Validate Image (push) Successful in 2m11s
Build Image / Publish Image (push) Successful in 4m53s
Build Image / Notify (push) Successful in 3s
Test Pull Request / Build Image (pull_request) Successful in 4m43s
Test Pull Request / Notify (pull_request) Successful in 4s
Reviewed-on: #21
Certbot Cron Docker
Dockerised Certbot that utilises cron to schedule creating and renewing SSL certificates. Supports standalone, webroot or Cloudflare methods. Automatic renewal attempt happens every 6 hours by default.
Tags
| Tag | Description |
|---|---|
| latest | Latest image built from the main branch. Usually coincides with a tagged release. |
| develop | Latest image built from the develop branch. Commits are made to the develop branch before being merged to main. Old versions of develop are removed after 14 days. |
Running
Docker CLI
docker run -d --name certbot \
-e EMAIL=admin@domain.com \
-e DOMAINS=domain.com \
-e PLUGIN=cloudflare \
-e CLOUDFLARE_TOKEN=123abc
-v ./certbot-cron:/config \
git.mrmeeb.stream/mrmeeb/certbot-cron:latest
Docker Compose
version: "3"
services:
certbot:
image: git.mrmeeb.stream/mrmeeb/certbot-cron:latest
container_name: certbot
restart: unless-stopped
volumes:
- ./certbot:/config
environment:
- EMAIL=admin@domain.com
- DOMAINS=domain.com,*.domain.com
- PLUGIN=cloudflare
- CLOUDFLARE_TOKEN=123abc
Environment Variables:
Core Options:
Core options to the container
| Variable | Default | Description |
|---|---|---|
| PUID | int | 1000 |
| PGID | int | 1000 |
| TZ | List of valid TZs | UTC |
| ONE_SHOT | false | Whether container exits after first run of certbot, or starts cron-based auto-renewal |
| GENERATE_DHPARAM | true (case-sensitive) | Generate Diffie-Hellman keys in /config/letsencrypt/keys |
| INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax |
| CERT_COUNT | 1 | How many certificates certbot will try to issue. Details here |
| APPRISE_URL | None | URL for Apprise notifications. Syntax |
| NOTIFY_ON_SUCCESS | false | Notify on a successful renewal attempt. Note that this isn't just when the cert is renewed, but on every renewal attempt. |
| NOTIFY_ON_FAILURE | false | Notify on a failed renewal attempt. |
Certificate Options
These options apply when CERT_COUNT is 1
| Variable | Default | Description |
|---|---|---|
| None | Email address for renewal information & other communications | |
| DOMAINS | None | Domains to be included in the certificate. Comma separated list, no spaces. Wildcards supported |
| STAGING | false (case-sensitive) | Uses the LetsEncrypt staging endpoint for testing - avoids the aggressive rate-limiting of the production endpoint. Not supported when using a custom Certificate Authority. |
Plugins
Plugins that can used for issuing a certificate
| Variable | Default | Description |
|---|---|---|
| PLUGIN | standalone | Options are webroot, standalone, or cloudflare |
webroot- relies on a webserver running on the FQDN for which you're trying to issue a certificate to serve validation files- Requires the webserver's root directory to be mounted to the container as
/config/webroot
- Requires the webserver's root directory to be mounted to the container as
standalone- certbot spawns a webserver on port 80 for validation- Requires this container to be bound to port 80 on the host
cloudflare- Creates a TXT record with Cloudflare pointing to the domain you're requesting a certificate for- Requires the domain you're requesting a certificate for to be entered in Cloudflare
Cloudflare Plugin
Options that affect the behaviour of certbot running with the Cloudflare plugin
| Variable | Default | Description |
|---|---|---|
| PROPOGATION_TIME | 10 | The amount of time (seconds) that certbot waits for the TXT records to propogate to Cloudflare before verifying - the more domains in the certificate, the longer you might need |
| CLOUDFLARE_TOKEN | null | Cloudflare token for verification |
Custom Certificate Authority
Options to use a custom Certificate Authority, for example when issuing internal certificates
| Variable | Default | Description |
|---|---|---|
| CUSTOM_CA | null | Name of the root certificate Certbot/ACME will trust requesting the certificate, e.g root.pem. Must be placed in /config/custom_ca |
| CUSTOM_CA_SERVER | null | Custom server URL used by Certbot/ACME when requesting a certificate, e.g https://ca.internal/acme/acme/directory |
Multiple Certificates
This container can issue multiple certificates each containing different domains. This could be used to issue a certificate for a public domain on Cloudflare, but then also for a local certificate from an internal Certificate Authority, for example. Another example would be you have a web-server hosting two separate websites and you want them to have dedicated SSL certificates instead of sharing one.
When issuing multiple certificates, first CERT_COUNT must be set to a value greater than 1.
Global Environment Variables
Some environment variables can be set globally, where they apply to all certificates (unless otherwise specifically specified). The following can be used globally:
| Variable | DESCRIPTION |
|---|---|
| Email address for renewal information & other communications | |
| STAGING | Uses the LetsEncrypt staging endpoint for testing - avoids the aggressive rate-limiting of the production endpoint. Not supported when using a custom Certificate Authority. |
| CUSTOM_CA | Name of the root certificate Certbot/ACME will trust requesting the certificate, e.g root.pem. Must be placed in /config/custom_ca |
| CUSTOM_CA_SERVER | Custom server URL used by Certbot/ACME when requesting a certificate, e.g https://ca.internal/acme/acme/directory |
| PLUGIN | Options are webroot, standalone, or cloudflare |
| PROPOGATION_TIME | (Applies to Cloudflare plugin) The amount of time (seconds) that certbot waits for the TXT records to propogate to Cloudflare before verifying - the more domains in the certificate, the longer you might need |
More detail on these environment variables may be found further up.
Certificate-specific Environment Variables
Any variable other than those described as Core Options can be set per-certificate in a multi-certificate environment. The syntax is ${VARIABLE_NAME}_${CERT_NUMBER}. The only certificate-specific option that must be set is the DOMAINS option.
Multi-certificate container using global variables:
certbot:
container_name: certbot
image: git.mrmeeb.stream/mrmeeb/certbot-cron
volumes:
- /docker/certbot-cron:/config
- /docker/nginx/www:/config/webroot
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- GENERATE_DHPARAM=false
- CERT_COUNT=2
- EMAIL=admin@domain.com
- CUSTOM_CA=root.pem
- CUSTOM_CA_SERVER=https://ca.internal/acme/acme/directory
- PLUGIN=webroot
- STAGING=false
- DOMAINS_1=website1.com
- DOMAINS_2=website2.com
Multi-certificate container using different options for each certificate:
certbot:
container_name: certbot
image: git.mrmeeb.stream/mrmeeb/certbot-cron
volumes:
- /docker/certbot-cron:/config
- /docker/nginx/www:/config/webroot
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- GENERATE_DHPARAM=false
- CERT_COUNT=2
- EMAIL=admin@domain.com
- DOMAINS_1=website1.com
- CUSTOM_CA_1=root.pem
- CUSTOM_CA_SERVER_1=https://ca.internal/acme/acme/directory
- PLUGIN_1=webroot
- STAGING_1=false
- DOMAINS_2=website2.com
- PLUGIN_2=cloudflare
- CLOUDFLARE_TOKEN_2=abc123
- PROPOGATION_TIME_2=30
- STAGING_2=true
Volumes
| Docker path | Purpose |
|---|---|
| /config | Stores configs and LetsEncrypt output for mounting in other containers |
| /config/webroot | Mountpoint for the webroot of a separate webserver. Required if PLUGIN=webroot is set |
Ports
| Port | Purpose |
|---|---|
| 80 | Used by ACME to verify domain ownership. Required if PLUGIN=standalone is set |