Setup letsencrypt
according to https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
This commit is contained in:
Tom Plüss
parent
ed29aaa96c
commit
3ae1fc042c
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +1,2 @@
|
|||||||
docker-compose-test.yml
|
docker-compose-test.yml
|
||||||
|
data/certbot
|
||||||
25
data/nginx/app.conf
Normal file
25
data/nginx/app.conf
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name ticket.simplificator.com;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
root /var/www/certbot;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name ticket.simplificator.com;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/ticket.simplificator.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/ticket.simplificator.com/privkey.pem;
|
||||||
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||||
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://ticket.simplificator.com;
|
||||||
|
}
|
||||||
|
}
|
||||||
1
deploy.sh
Executable file
1
deploy.sh
Executable file
@ -0,0 +1 @@
|
|||||||
|
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
|
||||||
21
docker-compose.prod.yml
Normal file
21
docker-compose.prod.yml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
version: '2'
|
||||||
|
services:
|
||||||
|
|
||||||
|
zammad-nginx:
|
||||||
|
environment:
|
||||||
|
- VIRTUAL_HOST=ticket.simplificator.com
|
||||||
|
volumes:
|
||||||
|
- ./data/nginx:/etc/nginx/conf.d
|
||||||
|
- ./data/certbot/conf:/etc/letsencrypt
|
||||||
|
- ./data/certbot/www:/var/www/certbot
|
||||||
|
ports:
|
||||||
|
- "80:80"
|
||||||
|
- "443:443"
|
||||||
|
|
||||||
|
certbot:
|
||||||
|
image: certbot/certbot
|
||||||
|
volumes:
|
||||||
|
- ./data/certbot/conf:/etc/letsencrypt
|
||||||
|
- ./data/certbot/www:/var/www/certbot
|
||||||
|
|
||||||
|
|
||||||
77
init-letsencrypt.sh
Executable file
77
init-letsencrypt.sh
Executable file
@ -0,0 +1,77 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
domains=(ticket.simplificator.com)
|
||||||
|
rsa_key_size=4096
|
||||||
|
data_path="./data/certbot"
|
||||||
|
email="operations@simplificator.com" # Adding a valid address is strongly recommended
|
||||||
|
nginx_service_name=zammad-nginx
|
||||||
|
compose_files=" -f docker-compose.yml -f docker-compose.prod.yml "
|
||||||
|
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
|
||||||
|
|
||||||
|
if [ -d "$data_path" ]; then
|
||||||
|
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
|
||||||
|
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
|
||||||
|
echo "### Downloading recommended TLS parameters ..."
|
||||||
|
mkdir -p "$data_path/conf"
|
||||||
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
|
||||||
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
|
||||||
|
echo
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "### Creating dummy certificate for $domains ..."
|
||||||
|
path="/etc/letsencrypt/live/$domains"
|
||||||
|
mkdir -p "$data_path/conf/live/$domains"
|
||||||
|
docker-compose $compose_files run --rm --entrypoint "\
|
||||||
|
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
|
||||||
|
-keyout '$path/privkey.pem' \
|
||||||
|
-out '$path/fullchain.pem' \
|
||||||
|
-subj '/CN=localhost'" certbot
|
||||||
|
echo
|
||||||
|
|
||||||
|
|
||||||
|
echo "### Starting $nginx_service_name ..."
|
||||||
|
docker-compose $compose_files up --force-recreate -d $nginx_service_name
|
||||||
|
echo
|
||||||
|
|
||||||
|
echo "### Deleting dummy certificate for $domains ..."
|
||||||
|
docker-compose $compose_files run --rm --entrypoint "\
|
||||||
|
rm -Rf /etc/letsencrypt/live/$domains && \
|
||||||
|
rm -Rf /etc/letsencrypt/archive/$domains && \
|
||||||
|
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
|
||||||
|
echo
|
||||||
|
|
||||||
|
|
||||||
|
echo "### Requesting Let's Encrypt certificate for $domains ..."
|
||||||
|
#Join $domains to -d args
|
||||||
|
domain_args=""
|
||||||
|
for domain in "${domains[@]}"; do
|
||||||
|
domain_args="$domain_args -d $domain"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Select appropriate email arg
|
||||||
|
case "$email" in
|
||||||
|
"") email_arg="--register-unsafely-without-email" ;;
|
||||||
|
*) email_arg="--email $email" ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Enable staging mode if needed
|
||||||
|
if [ $staging != "0" ]; then staging_arg="--staging"; fi
|
||||||
|
|
||||||
|
docker-compose $compose_files run --rm --entrypoint "\
|
||||||
|
certbot certonly --webroot -w /var/www/certbot \
|
||||||
|
$staging_arg \
|
||||||
|
$email_arg \
|
||||||
|
$domain_args \
|
||||||
|
--rsa-key-size $rsa_key_size \
|
||||||
|
--agree-tos \
|
||||||
|
--force-renewal" certbot
|
||||||
|
echo
|
||||||
|
|
||||||
|
echo "### Reloading $nginx_service_name ..."
|
||||||
|
docker-compose $compose_files exec $nginx_service_name nginx -s reload
|
||||||
Loading…
Reference in New Issue
Block a user