
Certbot Cron Docker


Dockerised Certbot that utilises cron to schedule creating and renewing SSL certificates. Supports standalone, webroot or Cloudflare methods. Automatic renewal attempt happens every 6 hours by default.

Tags

| Tag | Description |
| --- | --- |
| latest | Latest image built from the main branch. Usually coincides with a tagged release. |
| develop | Latest image built from the develop branch. Commits are made to the develop branch before being merged to main. Old versions of develop are removed after 14 days. |

Running

Docker CLI

docker run -d --name certbot \
    -e EMAIL=admin@domain.com \
    -e DOMAINS=domain.com \
    -e PLUGIN=cloudflare \
    -e CLOUDFLARE_TOKEN=123abc \
    -v ./certbot-cron:/config \
    git.mrmeeb.stream/mrmeeb/certbot-cron:latest

Docker Compose

version: "3"
services:
  certbot:
    image: git.mrmeeb.stream/mrmeeb/certbot-cron:latest
    container_name: certbot
    restart: unless-stopped
    volumes:
      - ./certbot:/config
    environment:
      - EMAIL=admin@domain.com
      - DOMAINS=domain.com,*.domain.com
      - PLUGIN=cloudflare
      - CLOUDFLARE_TOKEN=123abc

Environment Variables:

Core Options:

Core options to the container

| Variable | Default | Description |
| --- | --- | --- |
| PUID | 1000 | int |
| PGID | 1000 | int |
| TZ | UTC | List of valid TZs |
| GENERATE_DHPARAM | true (case-sensitive) | Generate Diffie-Hellman keys in /config/letsencrypt/keys |
| INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax |
| CERT_COUNT | 1 | How many certificates certbot will try to issue (more than 1 not yet implemented) |

Certificate Options

These options apply when CERT_COUNT is 1

| Variable | Default | Description |
| --- | --- | --- |
| EMAIL | None | Email address for renewal information & other communications |
| DOMAINS | None | Domains to be included in the certificate. Comma separated list, no spaces. Wildcards supported |
| STAGING | false (case-sensitive) | Uses the LetsEncrypt staging endpoint for testing - avoids the aggressive rate-limiting of the production endpoint. Not supported when using a custom Certificate Authority. |

Plugins

Plugins that can be used for issuing a certificate

| Variable | Default | Description |
| --- | --- | --- |
| PLUGIN | standalone | Options are webroot, standalone, or cloudflare |
  • webroot - relies on a webserver running on the FQDN for which you're trying to issue a certificate to serve validation files
    • Requires the webserver's root directory to be mounted to the container as /config/webroot
  • standalone - certbot spawns a webserver on port 80 for validation
    • Requires this container to be bound to port 80 on the host
  • cloudflare - Creates a TXT record with Cloudflare pointing to the domain you're requesting a certificate for
    • Requires the domain you're requesting a certificate for to be entered in Cloudflare

Cloudflare Plugin

Options that affect the behaviour of certbot running with the Cloudflare plugin

| Variable | Default | Description |
| --- | --- | --- |
| PROPOGATION_TIME | 10 | The amount of time (seconds) that certbot waits for the TXT records to propagate to Cloudflare before verifying - the more domains in the certificate, the longer you might need |
| CLOUDFLARE_TOKEN | null | Cloudflare token for verification |

Custom Certificate Authority

Options to use a custom Certificate Authority, for example when issuing internal certificates

| Variable | Default | Description |
| --- | --- | --- |
| CUSTOM_CA | null | Name of the root certificate Certbot/ACME will trust when requesting the certificate, e.g. root.pem. Must be placed in /config/custom_ca |
| CUSTOM_CA_SERVER | null | Custom server URL used by Certbot/ACME when requesting a certificate, e.g. https://ca.internal/acme/acme/directory |

Volumes

| Docker path | Purpose |
| --- | --- |
| /config | Stores configs and LetsEncrypt output for mounting in other containers |
| /config/custom_ca | Mountpoint for a custom Certificate Authority root certificate. Required if CUSTOM_CA is set |
| /config/webroot | Mountpoint for the webroot of a separate webserver. Required if PLUGIN=webroot is set |

Ports

| Port | Purpose |
| --- | --- |
| 80 | Used by ACME to verify domain ownership. Required if PLUGIN=standalone is set |
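
A pre-flight check for the variables documented above, as an added example that is not part of this project. The function name check_config and its messages are assumptions, and the wildcard rule reflects Let's Encrypt validating wildcard names over DNS only rather than anything stated in this README.

```sh
#!/bin/sh
# Added example, not part of the image: validate the README's variables
# before starting the container. Returns the number of problems found.
check_config() {
    errs=0
    fail() { echo "config error: $1" >&2; errs=$((errs + 1)); }

    plugin=${PLUGIN:-standalone}    # README default
    case $plugin in
        webroot|standalone|cloudflare) ;;
        *) fail "PLUGIN must be webroot, standalone or cloudflare" ;;
    esac

    [ -n "${DOMAINS:-}" ] || fail "DOMAINS is not set"
    case ${DOMAINS:-} in
        *" "*) fail "DOMAINS must be comma separated with no spaces" ;;
    esac
    # Assumption from Let's Encrypt policy, not this README: wildcard names
    # are validated over DNS only, and cloudflare is the one DNS-based plugin.
    case ${DOMAINS:-} in
        *"*"*) [ "$plugin" = cloudflare ] ||
                   fail "wildcard in DOMAINS needs PLUGIN=cloudflare" ;;
    esac

    # Both flags are documented as case-sensitive: accept only true/false.
    for name in GENERATE_DHPARAM STAGING; do
        eval "val=\${$name:-}"
        case $val in
            ""|true|false) ;;
            *) fail "$name must be exactly true or false" ;;
        esac
    done

    if [ "$plugin" = cloudflare ]; then
        [ -n "${CLOUDFLARE_TOKEN:-}" ] || fail "PLUGIN=cloudflare needs CLOUDFLARE_TOKEN"
        case ${PROPOGATION_TIME:-10} in
            *[!0-9]*) fail "PROPOGATION_TIME must be whole seconds" ;;
        esac
    fi

    # STAGING is documented as unsupported with a custom Certificate Authority.
    if [ "${STAGING:-false}" = true ] && [ -n "${CUSTOM_CA:-}${CUSTOM_CA_SERVER:-}" ]; then
        fail "STAGING=true cannot be combined with CUSTOM_CA settings"
    fi
    return "$errs"
}

# Constructed sample: a wildcard with the standalone plugin reports one problem.
( PLUGIN=standalone; DOMAINS='domain.com,*.domain.com'; check_config ) ||
    echo "problems found: $?"
```

Source the function in a wrapper script and start the container only when it returns 0.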
Latest release: 1.3.0 (2025-01-15 22:02:09 +00:00)