Deploy the cert/key into a docker container.
There are 3 cases that acme.sh can deploy the certs into containers.
- acme.sh is installed in the docker host machine, it deploys the certs into a container on the machine.
- You are running
neilpang/acme.sh
container, that means acme.sh is running in a container, it can also deploy certs to another container on the same machine. - acme.sh is running on a machine, it deploys certs to a container running on another docker host.
Lets explain one by one:
1. Deploy certs from docker host to a container
acme.sh is installed on the docker host, it first issues a cert, then you may want to deploy the cert/key into a container.
1. Please set a label on the container, the label will later be used to find the container.
docker run --rm -it -d --label=sh.acme.autoload.domain=example.com nginx:latest
2. Remember the label value above, we can deploy now:
# The label value to find the container
export DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=example.com
# The target file path in the container.
# The files will be copied to the position in the container.
export DEPLOY_DOCKER_CONTAINER_KEY_FILE="/etc/nginx/ssl/example.com/key.pem"
export DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/example.com/cert.pem"
export DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/example.com/ca.pem"
export DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/example.com/full.pem"
# The command to reload the service in the container.
export DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload"
acme.sh --deploy --deploy-hook docker -d example.com
2. Deploy certs from a container to another container
Let's use neilpang/acme.sh
image as an example, actually, you can use acme.sh in any container.
1. Ok, same as above, first run the target container with a label:
docker run --rm -it -d --label=sh.acme.autoload.domain=example.com nginx:latest
2. Run acme.sh in a container
For more details see: https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker#3-run-acmesh-as-a-docker-daemon
Let's run acme.sh as a daemon, a difference with the above link is that we mount docker daemon socket /var/run/docker.sock
in to the container.
docker run --rm -itd \
-v "$(pwd)/acmeout":/acme.sh \
--net=host \
--name=acme.sh \
-v /var/run/docker.sock:/var/run/docker.sock \
neilpang/acme.sh daemon
3. Let's issue a cert first:
docker exec \
-e CF_Email=xxx@exmaple.com \
-e CF_Key=xxxxxxxxxx \
acme.sh --issue -d example.com --dns dns_cf
4. Let's deploy the cert now:
docker exec \
-e DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=example.com \
-e DEPLOY_DOCKER_CONTAINER_KEY_FILE=/etc/nginx/ssl/example.com/key.pem \
-e DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/example.com/cert.pem" \
-e DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/example.com/ca.pem" \
-e DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/example.com/full.pem" \
-e DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload" \
acme.sh --deploy -d example.com --deploy-hook docker
5. All together, docker compose example:
version: '3.4'
services:
web:
image: nginx
container_name: nginx
labels:
- sh.acme.autoload.domain=example.com
acme.sh:
image: neilpang/acme.sh
container_name: acme.sh
command: daemon
volumes:
- ./acmeout:/acme.sh
- /var/run/docker.sock:/var/run/docker.sock
environment:
- DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=example.com
- DEPLOY_DOCKER_CONTAINER_KEY_FILE=/etc/nginx/ssl/example.com/key.pem
- DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/example.com/cert.pem"
- DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/example.com/ca.pem"
- DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/example.com/full.pem"
- DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload"
3. Deploy certs to a container in a remote docker host
TODO: this feature is not implemented yet. If you want this feature, please create an issue, and let me know.
Buy me a beer, Donate to acme.sh if it saves your time. Your donation makes acme.sh better: https://donate.acme.sh/
如果 acme.sh 帮你节省了时间,请考虑赏我一杯啤酒🍺, 捐助: https://donate.acme.sh/ 你的支持将会使得 acme.sh 越来越好. 感谢