Certbot Cron Docker

Dockerised Certbot that utilises cron to schedule creating and renewing SSL certificates. Supports standalone, webroot or Cloudflare methods. Automatic renewal attempt happens every 6 hours by default.

Tag	Description
latest	Latest image built from the main branch. Usually coincides with a tagged release.
develop	Latest image built from the develop branch. Commits are made to the develop branch before being merged to main. Old versions of `develop` are removed after 14 days.

Running

Docker CLI

docker run -d --name certbot \
    -e EMAIL=admin@domain.com \
    -e DOMAINS=domain.com \
    -e PLUGIN=cloudflare \
    -e CLOUDFLARE_TOKEN=123abc
    -v ./certbot-cron:/config \
    git.mrmeeb.stream/mrmeeb/certbot-cron:latest

Docker Compose

version: "3"
services:
  certbot:
    image: git.mrmeeb.stream/mrmeeb/certbot-cron:latest
    container_name: certbot
    restart: unless-stopped
    volumes:
      - ./certbot:/config
    environment:
      - EMAIL=admin@domain.com
      - DOMAINS=domain.com,*.domain.com
      - PLUGIN=cloudflare
      - CLOUDFLARE_TOKEN=123abc

Environment Variables:

Core Options:

Core options to the container

Variable	Default	Description
PUID	int	1000
PGID	int	1000
TZ	List of valid TZs	UTC
GENERATE_DHPARAM	true (case-sensitive)	Generate Diffie-Hellman keys in /config/letsencrypt/keys
INTERVAL	0 /6 * *	How often certbot attempts to renew the certificate. Cron syntax
CERT_COUNT	1	How many certificates certbot will try to issue (more than 1 not yet implemented)

Certificate Options

These options apply when CERT_COUNT is 1

Variable	Default	Description
EMAIL	None	Email address for renewal information & other communications
DOMAINS	None	Domains to be included in the certificate. Comma separated list, no spaces. Wildcards supported
STAGING	false (case-sensitive)	Uses the LetsEncrypt staging endpoint for testing - avoids the aggressive rate-limiting of the production endpoint. Not supported when using a custom Certificate Authority.

Plugins

Plugins that can used for issuing a certificate

Variable	Default	Description
PLUGIN	standalone	Options are `webroot`, `standalone`, or `cloudflare`

webroot - relies on a webserver running on the FQDN for which you're trying to issue a certificate to serve validation files
- Requires the webserver's root directory to be mounted to the container as /config/webroot
standalone - certbot spawns a webserver on port 80 for validation
- Requires this container to be bound to port 80 on the host
cloudflare - Creates a TXT record with Cloudflare pointing to the domain you're requesting a certificate for
- Requires the domain you're requesting a certificate for to be entered in Cloudflare

Cloudflare Plugin

Options that affect the behaviour of certbot running with the Cloudflare plugin

Variable	Default	Description
PROPOGATION_TIME	10	The amount of time (seconds) that certbot waits for the TXT records to propogate to Cloudflare before verifying - the more domains in the certificate, the longer you might need
CLOUDFLARE_TOKEN	null	Cloudflare token for verification

Custom Certificate Authority

Options to use a custom Certificate Authority, for example when issuing internal certificates

Variable	Default	Description
CUSTOM_CA	null	Name of the root certificate Certbot/ACME will trust requesting the certificate, e.g `root.pem`. Must be placed in `/config/custom_ca`
CUSTOM_CA_SERVER	null	Custom server URL used by Certbot/ACME when requesting a certificate, e.g `https://ca.internal/acme/acme/directory`

Volumes

Docker path	Purpose
/config	Stores configs and LetsEncrypt output for mounting in other containers
/config/custom_ca	Mountpoint for a custom Certificate Authority root certificate. Required if `CUSTOM_CA` is set
/config/webroot	Mountpoint for the webroot of a separate webserver. Required if `PLUGIN=webroot` is set

Ports

Port	Purpose
80	Used by ACME to verify domain ownership. Required if `PLUGIN=standalone` is set

4.9 KiB Raw Blame History