How to Configure LetsEncrypt-Cerbot in a Standalone Container

Question

I'm trying to find simple documentation on running certbot in a docker-container, but all I can find is complicated guides w/ running certbot + webserver etc. The official page is kinda useless... https://hub.docker.com/r/certbot/certbot/ .I already have webserver separate from my websites and I want to run certbot on it's own as well.

Can anybody give me some guidance on how I could generate certificates for mysite.com with a webroot of /opt/mysite/html.

As I already have services on port 443 and 80 I was thinking of using the "host-network" if needed for certbot, but I don't really understand why it needs access to 443 when my website is served over 443 already.

I have found something like so to generate a certbot container, but I have no idea how to "use it" or tell it to generate a cert for my site.

Eg:

WD=/opt/certbot
mkdir -p $WD/{mnt,setup,conf,www}
cd $WD/setup
cat << 'EOF' >docker-compose.yaml
version: '3.7'

services:
  certbot:
    image: certbot/certbot
    volumes:
      - type: bind
        source: /opt/certbot/conf
        target: /etc/letsencrypt
      - type: bind
        source: /opt/certbot/www
        target: /var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
EOF
chmod +x docker-compose.yaml

This link has something close to what I need, (obviously somehow I need to give it my domain as an argument!)

Letsencrypt + Docker + Nginx

 docker run -it --rm \
  -v certs:/etc/letsencrypt \
  -v certs-data:/data/letsencrypt \
  deliverous/certbot \
  certonly \
  --webroot --webroot-path=/data/letsencrypt \
  -d api.mydomain.com

I like to keep everything pretty "isolated" so I'm looking to just have certbot run in it's own container and configure nginx/webserver to use the certs seperatley and not have certbot either autoconfigure nginx or run in the same stack as a webserver.

Answer 1

The certbot dockerfile gave me some insight.

Basically you can append the follow to your docker-compose.yaml and it is as if appending to certbot on the CLI.

Be aware of the "Rate Limit of 5 failed auths/hour" and test w/ staging

See Entrypoint of DockerFile

ENTRYPOINT [ "certbot" ]

Docker-Compose.yaml:

    command: certonly --webroot -w /var/www/html -d www.examplecom -d examplecom --non-interactive --agree-tos -m example@example.com

Full Config Example:

WD=/opt/certbot
mkdir -p $WD/{setup,certbot_logs}
cd $WD/setup
cat << 'EOF' >docker-compose.yaml
version: '3.7'

services:
 certbot:
    container_name: certbot
    hostname: certbot
    image: certbot/certbot
    volumes:
      - type: bind
        source: /opt/certbot/certbot_logs
        target: /var/log/letsencrypt
      - type: bind
        source: /opt/nginx/ssl
        target: /etc/letsencrypt
      - type: bind
        source: ${WEBROOT}
        target: /var/www/html/

    environment:
      - 'TZ=${TZ}'

    command: certonly --webroot -w /var/www/html -d ${DOMAIN} -d www.${DOMAIN} --non-interactive --agree-tos --register-unsafely-without-email ${STAGING}
EOF
chmod +x docker-compose.yaml
cd $WD/setup

Variables:

cat << 'EOF'>.env
WEBROOT=/opt/example/example_html
DOMAIN=example.com
STAGING=--staging
TZ=America/Whitehorse
EOF
chmod +x .env

NGinx:

Note: To start nginx w/ SSL you NEED certs, even if they are wrong. So I will use old certs to start nginx, then use certbot to get proper certs, then restart nginx loading correct certs. This is just for first setup.

server {

   listen 80;
   listen [::]:80;
   server_name www.example.com example.com;

 location /.well-known/acme-challenge/ {

   proxy_pass              http://localhost:8575/$request_uri;
   include                 /etc/nginx/conf.d/proxy.conf;

 }

 location / {
   return 301 https://$host$request_uri;
 }

}

server {
   listen 443 ssl;
   listen        [::]:443;
   server_name www.example.com example.com;

#   ssl_certificate /etc/ssl/live/example.com/fullchain.pem;
#   ssl_certificate_key /etc/ssl/live/example.com/privkey.pem;
   ssl_certificate /etc/ssl/fake/fake.crt;
   ssl_certificate_key /etc/ssl/fake/fake.key;

 location / {

   proxy_pass              http://localhost:8575/;
   include                 /etc/nginx/conf.d/proxy.conf;
 }
)