I think everyone knows Let's Encrypt these days. I use Let's Encrypt certs for some of my personal services.
At the beginning I used the certbot package shipped with the system, with systemd timers to renew the certs automatically, and I used the HTTP-01 challenge in certbot's standalone mode. In standalone mode certbot runs its own webserver on port 80/443 to answer the challenge, so you have to give certbot pre/post hooks that stop and start nginx around each run. If certbot can't stop your webserver, it can't bind the port and the challenge fails. After it failed many times, I decided to switch to Caddy.
Caddy is a modern webserver that obtains and renews Let's Encrypt certs automatically, which is very convenient. But after a while I found that I could only use those certs inside Caddy: if I wanted to give another service a cert, I had to put it behind Caddy as a reverse proxy, which wasn't what I wanted. So I had to find another way.
After some research, I decided to run certbot in a Docker container to obtain the certs.
As mentioned earlier, the HTTP-01 challenge has its problems, so this time I use the DNS-01 challenge, which only needs a TXT record in DNS and no open port on the host.
My domain is managed by Cloudflare, which certbot already supports through its dns-cloudflare plugin. First create an API token at Cloudflare with the Zone / DNS / Edit permission, scoped to just the zone you need rather than all zones, since the token will sit on disk on the host; then create a file named
Run the command below to obtain the certs; they will be placed at
Then you can mount ./certs into other containers that need the certs.
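The issuance step as a small POSIX shell script, added here as an example; it is not the original post's command or file, whose exact contents were not reproduced above. It assumes the certbot/dns-cloudflare image, host paths passed as arguments, and the placeholder domain example.com; setting DOCKER=echo dry-runs it.

```shell
#!/bin/sh
# Added example, not from the original post. Obtains a Let's Encrypt cert with
# certbot's dns-cloudflare plugin (DNS-01 challenge) running in Docker.
# Assumptions: the certbot/dns-cloudflare image, host paths passed as arguments,
# and the placeholder domain example.com. Set DOCKER=echo to dry-run.
set -eu

DOCKER="${DOCKER:-docker}"

# Write the plugin's credentials file. certbot-dns-cloudflare reads the key
# dns_cloudflare_api_token from an INI file and warns if the file is readable by
# anyone but the owner, so it is created under umask 077 (mode 0600 from the
# first byte) rather than written first and chmod'ed afterwards.
write_cloudflare_credentials() {
    creds_path="$1"
    token="$2"
    ( umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$token" > "$creds_path" )
}

# Run the one-off issuance. /etc/letsencrypt in the container is bound to
# $certs_dir on the host so live/ and archive/ outlive the container. The
# credentials file is mounted read-only at /cloudflare.ini; certbot records that
# path in renewal/<lineage>.conf, so every later `renew` needs the same mount.
# Usage: issue_cert CERTS_DIR CREDS_PATH EMAIL DOMAIN [DOMAIN...]
issue_cert() {
    certs_dir="$1"; creds_path="$2"; email="$3"; shift 3
    # Turn each remaining domain into a -d flag via the positional parameters,
    # so wildcards such as '*.example.com' are never glob-expanded by the shell.
    for d in "$@"; do
        set -- "$@" -d "$d"
        shift
    done
    "$DOCKER" run --rm \
        -v "$certs_dir:/etc/letsencrypt" \
        -v "$creds_path:/cloudflare.ini:ro" \
        certbot/dns-cloudflare certonly \
        --non-interactive --agree-tos --email "$email" \
        --dns-cloudflare \
        --dns-cloudflare-credentials /cloudflare.ini \
        --dns-cloudflare-propagation-seconds 30 \
        "$@"
}

# Print the notAfter date of the issued chain, to confirm what was obtained.
# Usage: cert_expiry CERTS_DIR LINEAGE  (the lineage is named after the first -d)
cert_expiry() {
    openssl x509 -noout -enddate -in "$1/live/$2/fullchain.pem"
}

# Example run (constructed values):
# write_cloudflare_credentials /srv/letsencrypt/cloudflare.ini "$CF_API_TOKEN"
# issue_cert /srv/letsencrypt /srv/letsencrypt/cloudflare.ini admin@example.com \
#     example.com '*.example.com'
# cert_expiry /srv/letsencrypt example.com
```

Two things worth checking after the first run: the credentials file must stay mode 0600 on the host (anyone who can read it can edit your DNS zone), and the renewal config certbot writes under renewal/ refers to /cloudflare.ini inside the container, so a later renew that forgets the second -v mount fails with a missing credentials file.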
Renewal is easy, but after the certs are renewed the webserver or application must also be reloaded: a running process keeps serving the certificate it loaded at startup until it is told to reload, so this step is very important and easy to forget.
Certbot didn't provide a way to run a daemon in a Docker container to renew the certs. After some research, I finally decided to use docker-crontab.
crontab/config.json is as below; change /path/to to the absolute path on the host.
Create the crontab container.
As you can see, I use docker restart container to reload the certs in config.json; you can change it to a better version like the one below to avoid downtime for your website.
You can use docker logs crontab to check the logs. With "onstart": true in config.json, the task also runs when the container starts.
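The renewal side, added here as an example rather than the post's own config.json or command: a function that writes a docker-crontab config.json whose job runs certbot renew and then reloads nginx in place, and the same sequence as a shell function for running by hand. The field names ("schedule", "image", "command", "dockerargs", "trigger", "container", "onstart") follow the docker-crontab config format as I remember it, so check the README of the image version you run; the paths and the container name nginx are placeholders.

```shell
#!/bin/sh
# Added example, not the original post's config.json or command.
#   write_crontab_config  writes a docker-crontab config.json whose job runs
#                         `certbot renew` in the certbot/dns-cloudflare image and
#                         then reloads nginx in place (trigger) instead of
#                         restarting the container.
#   renew_and_reload      the same sequence as a shell function, for manual use
#                         or a host cron, with a config test before the reload.
# Assumptions: the field names follow the docker-crontab config format as the
# author of this example remembers it; paths and the container name "nginx" are
# placeholders. Set DOCKER=echo to dry-run renew_and_reload.
set -eu

DOCKER="${DOCKER:-docker}"

# Usage: write_crontab_config OUT_FILE BASE_DIR NGINX_CONTAINER
# BASE_DIR must be an absolute host path: the crontab container starts the
# certbot container through the Docker socket, so bind mounts are resolved on
# the host, not inside the crontab container. The certbot image's entrypoint is
# certbot, so "command": "renew" runs `certbot renew`. The cloudflare.ini mount
# is needed because the renewal config certbot saved refers to /cloudflare.ini.
write_crontab_config() {
    out="$1"; base="$2"; nginx_container="$3"
    cat > "$out" <<EOF
[
  {
    "name": "certbot-renew",
    "comment": "Renew Let's Encrypt certs (DNS-01 via Cloudflare), then reload nginx",
    "schedule": "0 3 * * *",
    "image": "certbot/dns-cloudflare",
    "command": "renew",
    "dockerargs": "-v $base/certs:/etc/letsencrypt -v $base/cloudflare.ini:/cloudflare.ini:ro",
    "onstart": true,
    "trigger": [
      {
        "container": "$nginx_container",
        "command": "nginx -s reload"
      }
    ]
  }
]
EOF
}

# Usage: renew_and_reload BASE_DIR NGINX_CONTAINER
renew_and_reload() {
    base="$1"; nginx_container="$2"
    "$DOCKER" run --rm \
        -v "$base/certs:/etc/letsencrypt" \
        -v "$base/cloudflare.ini:/cloudflare.ini:ro" \
        certbot/dns-cloudflare renew
    # Test the config (which also loads the new cert files) before reloading:
    # with `set -e` a broken cert stops here with a clear error instead of
    # leaving nginx half-reloaded. `nginx -s reload` keeps the old workers
    # serving until the new ones are up; `docker restart` drops every
    # connection while the container comes back.
    "$DOCKER" exec "$nginx_container" nginx -t
    "$DOCKER" exec "$nginx_container" nginx -s reload
}

# Example run (constructed values):
# write_crontab_config ./crontab/config.json /srv/letsencrypt nginx
# renew_and_reload /srv/letsencrypt nginx
```

nginx -s reload only helps nginx; another service that mounts ./certs needs its own reload signal, or a restart if it has none. The non-zero exit from nginx -t makes a bad reload visible in docker logs crontab instead of silently serving the old certificate until it expires.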