mirror of
https://github.com/acmesh-official/acme.sh.git
synced 2025-04-10 23:09:40 +08:00
deploy to docker containers
neil edited this page 2025-02-19 21:45:20 +01:00
Deploy the cert/key into a docker container.
There are 3 cases in which acme.sh can deploy certs into containers:
- acme.sh is installed on the docker host machine and deploys the certs into a container on that machine.
- You are running the neilpang/acme.sh container, which means acme.sh itself runs in a container; it can also deploy certs to another container on the same machine.
- acme.sh is running on one machine and deploys certs to a container running on another docker host.
Let's explain them one by one:
1. Deploy certs from docker host to a container
acme.sh is installed on the docker host. It first issues a cert, and then you may want to deploy the cert/key into a container.
1. Set a label on the container; the label will later be used to find the container.
```sh
docker run --rm -it -d --label=sh.acme.autoload.domain=example.com nginx:latest
```
2. Remember the label value above. We can deploy now:
```sh
# The label value to find the container
export DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=example.com
# The target file paths in the container.
# The files will be copied to these locations in the container.
export DEPLOY_DOCKER_CONTAINER_KEY_FILE="/etc/nginx/ssl/example.com/key.pem"
export DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/example.com/cert.pem"
export DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/example.com/ca.pem"
export DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/example.com/full.pem"
# The command to reload the service in the container.
export DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload"
acme.sh --deploy --deploy-hook docker -d example.com
```
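A check to run around the deploy step above, as an added example that is not part of acme.sh or of the original page: it confirms that exactly one running container carries the label, that the deployed key is not group- or world-accessible, and that it belongs to the deployed cert. The function names are hypothetical; it assumes the docker and openssl CLIs on the docker host and a `stat` that supports `-c` in the target container.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Function names are hypothetical.
# Assumes the docker and openssl CLIs on the docker host.

# Print the ID of the single running container carrying the label.
# Fails when no container or more than one container matches.
single_target() {
  ids=$(docker ps --filter "label=$1" --format '{{.ID}}') || return 2
  count=$(printf '%s\n' "$ids" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected 1 container with label $1, found $count" >&2
    return 1
  fi
  printf '%s\n' "$ids"
}

# Succeed if the key file inside the container has no group/other bits set.
key_mode_private() {
  mode=$(docker exec "$1" stat -c '%a' "$2") || return 2
  case "$mode" in
    [0-7]00) return 0 ;;
    *) echo "$2 has mode $mode" >&2; return 1 ;;
  esac
}

# Succeed if the deployed cert and key hold the same public key.
# The key is streamed to openssl on stdin and never written to the host disk.
cert_matches_key() {
  cert_pub=$(docker exec "$1" cat "$2" | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(docker exec "$1" cat "$3" | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the checks when the page's deploy variables are exported.
if [ -n "${DEPLOY_DOCKER_CONTAINER_LABEL:-}" ]; then
  cid=$(single_target "$DEPLOY_DOCKER_CONTAINER_LABEL") || exit 1
  key_mode_private "$cid" "$DEPLOY_DOCKER_CONTAINER_KEY_FILE" || exit 1
  cert_matches_key "$cid" "$DEPLOY_DOCKER_CONTAINER_CERT_FILE" \
    "$DEPLOY_DOCKER_CONTAINER_KEY_FILE" || exit 1
  echo "deployment to $cid verified"
fi
```

Calling `single_target` on its own before `acme.sh --deploy` catches a label that matches no container or several.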
2. Deploy certs from a container to another container
Let's use the neilpang/acme.sh image as an example; you can actually use acme.sh in any container.
1. Same as above, first run the target container with a label:
```sh
docker run --rm -it -d --label=sh.acme.autoload.domain=example.com nginx:latest
```
2. Run acme.sh in a container.
For more details see: https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker#3-run-acmesh-as-a-docker-daemon
Let's run acme.sh as a daemon. The difference from the link above is that we mount the docker daemon socket /var/run/docker.sock into the container. With this socket mounted, the acme.sh container can control every container on that docker daemon, not only the labelled one.
```sh
docker run --rm -itd \
  -v "$(pwd)/acmeout":/acme.sh \
  --net=host \
  --name=acme.sh \
  -v /var/run/docker.sock:/var/run/docker.sock \
  neilpang/acme.sh daemon
```
3. Let's issue a cert first:
```sh
docker exec \
  -e CF_Email=xxx@example.com \
  -e CF_Key=xxxxxxxxxx \
  acme.sh --issue -d example.com --dns dns_cf
```
4. Let's deploy the cert now:
```sh
docker exec \
  -e DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=example.com \
  -e DEPLOY_DOCKER_CONTAINER_KEY_FILE=/etc/nginx/ssl/example.com/key.pem \
  -e DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/example.com/cert.pem" \
  -e DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/example.com/ca.pem" \
  -e DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/example.com/full.pem" \
  -e DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload" \
  acme.sh --deploy -d example.com --deploy-hook docker
```
5. All together, docker compose example:
```yaml
version: '3.4'
services:
  web:
    image: nginx
    container_name: nginx
    labels:
      - sh.acme.autoload.domain=example.com
  acme.sh:
    image: neilpang/acme.sh
    container_name: acme.sh
    command: daemon
    volumes:
      - ./acmeout:/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # Values are written without quotes: in this list form,
      # quotes would become part of the value.
      - DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=example.com
      - DEPLOY_DOCKER_CONTAINER_KEY_FILE=/etc/nginx/ssl/example.com/key.pem
      - DEPLOY_DOCKER_CONTAINER_CERT_FILE=/etc/nginx/ssl/example.com/cert.pem
      - DEPLOY_DOCKER_CONTAINER_CA_FILE=/etc/nginx/ssl/example.com/ca.pem
      - DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE=/etc/nginx/ssl/example.com/full.pem
      - DEPLOY_DOCKER_CONTAINER_RELOAD_CMD=service nginx force-reload
```
3. Deploy certs to a container in a remote docker host
TODO: this feature is not implemented yet. If you want this feature, please create an issue, and let me know.