I originally used Aliyun's free SSL certificate, which is valid for 12 months. After it expired I found it could not be renewed directly: only a 90-day renewal is offered, the process is tedious, it takes hours of waiting, and the request can still fail.
So I had no choice but to switch to Let's Encrypt.
docker-compose.yml configuration

sx-certbot:
  container_name: sx-certbot
  image: dockerproxy.net/library/python:3.11
  restart: 'no'            # one-shot: the container exits once start.sh finishes
  # The original had "privileged: true". certbot with a DNS plugin only needs outbound
  # HTTPS to Let's Encrypt and to the Aliyun API, so the container runs unprivileged here.
  volumes:
    - ./volumes/sx-certbot/logs:/usr/src/app/logs:rw
    - ./volumes/sx-certbot/config:/usr/src/app/config:rw   # --config-dir: live/, archive/, renewal/ land here
    - ./volumes/sx-certbot/live:/etc/letsencrypt/live/:rw  # stays empty, because start.sh overrides --config-dir
    - ./volumes/sx-certbot/boot:/etc/letsencrypt/boot/:rw  # start.sh, requirements.txt, credentials.ini
  command:
    - /bin/sh
    - -c
    - "chmod +x /etc/letsencrypt/boot/start.sh && /etc/letsencrypt/boot/start.sh"
  deploy:
    resources:
      limits:
        cpus: '0.3'
        memory: 128M
      reservations:
        memory: 50M
  logging:
    options:
      max-size: "10240k"
      max-file: "3"
Contents of the volumes/sx-certbot/boot directory

credentials.ini (the Aliyun AccessKey pair the DNS plugin uses to create the _acme-challenge TXT records; keep the file at mode 600, otherwise certbot warns about unsafe permissions on the credentials file, and prefer a RAM sub-account that only has DNS record permissions over the main account's key):
dns_aliyun_access_key = LTAI5xx
dns_aliyun_access_key_secret = XsHZMhBxxx

requirements.txt:
certbot==2.8.0
certbot-nginx==2.8.0        # not used by start.sh (certonly with the dns-aliyun authenticator); harmless but removable
certbot-dns-aliyun==2.0.0   # third-party DNS-01 plugin for Aliyun DNS
start.sh

#!/bin/sh
set -e

# certbot reads the Aliyun key from this file; make sure it is not world-readable
chmod 600 /etc/letsencrypt/boot/credentials.ini

pip3 install -i https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple -r /etc/letsencrypt/boot/requirements.txt

# Wildcard names can only be validated with DNS-01, hence the dns-aliyun authenticator
# rather than the nginx/webroot ones. --config-dir moves live/, archive/ and renewal/
# under /usr/src/app/config, which is the volume mounted from the host.
/usr/local/bin/python /usr/local/bin/certbot certonly \
    --authenticator=dns-aliyun \
    --dns-aliyun-credentials=/etc/letsencrypt/boot/credentials.ini \
    --logs-dir /usr/src/app/logs \
    --config-dir /usr/src/app/config \
    --email 100000@qq.com \
    -d "claves.cn,*.claves.cn,*.office.claves.cn,*.cloud.claves.cn,*.tools.claves.cn" \
    --non-interactive \
    --agree-tos \
    --verbose \
    --expand
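The -d list above contains several wildcards at different depths because a wildcard in a certificate matches exactly one DNS label: *.claves.cn covers blog.claves.cn but not git.office.claves.cn, which is why *.office.claves.cn is listed as well. The following Python script is an added example (not part of the original post or of certbot) that takes the page's own -d string, constructed here as CERTBOT_DOMAINS, and reports which SAN entry would cover each vhost you intend to put behind nginx, so that a missing wildcard level is caught before the certificate is requested rather than when a browser shows a name mismatch.

```python
"""Check whether a list of hostnames is covered by the SAN list requested from certbot.

Matching follows the usual TLS client rules (RFC 6125): a wildcard is only accepted as
the whole left-most label, it matches exactly one label, and it must not sit directly
under a public suffix such as "*.cn" (Let's Encrypt would refuse that anyway).
"""

# Constructed from the -d argument in start.sh on this page.
CERTBOT_DOMAINS = "claves.cn,*.claves.cn,*.office.claves.cn,*.cloud.claves.cn,*.tools.claves.cn"


def parse_domain_arg(arg: str) -> list[str]:
    """Split the comma-separated -d value into normalised names."""
    return [d.strip().lower().rstrip(".") for d in arg.split(",") if d.strip()]


def san_matches(pattern: str, host: str) -> bool:
    """Return True if the SAN entry `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Only a leading "*." label is allowed; "f*o.example" and "a.*.example" are rejected.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Refuse wildcards with fewer than two labels to the right ("*.cn").
    if len(p_labels) < 3:
        return False
    # One wildcard label, so the label counts must be identical.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(host: str, sans: list[str]) -> list[str]:
    """All SAN entries that cover `host` (empty list means the cert will not match)."""
    return [s for s in sans if san_matches(s, host)]


def coverage_report(domain_arg: str, hosts: list[str]) -> dict[str, list[str]]:
    """Map each intended vhost to the SAN entries that cover it."""
    sans = parse_domain_arg(domain_arg)
    return {h: covered_by(h, sans) for h in hosts}


def uncovered(domain_arg: str, hosts: list[str]) -> list[str]:
    """Hosts that no requested SAN covers; add a -d entry for each before running certbot."""
    return [h for h, matches in coverage_report(domain_arg, hosts).items() if not matches]


if __name__ == "__main__":
    # Constructed sample vhosts: the blog from the nginx config plus a few guesses.
    planned_vhosts = [
        "blog.claves.cn",
        "claves.cn",
        "git.office.claves.cn",
        "a.b.office.claves.cn",   # two labels under office.: not covered
        "claves.cn.evil.com",     # must never match
    ]
    for host, matches in coverage_report(CERTBOT_DOMAINS, planned_vhosts).items():
        print(f"{host:28s} -> {matches or 'NOT COVERED'}")
    print("missing:", uncovered(CERTBOT_DOMAINS, planned_vhosts))
```

Run it with the vhost list you actually serve; anything printed under "missing" needs another -d entry (and, since the script requests with --expand, the existing lineage will simply be extended).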
Generating the certificate

After the container starts it takes a while (the pip install plus the DNS-01 challenge, which waits for the TXT records to propagate), and then the certificate is issued or renewed automatically. Because start.sh passes --config-dir /usr/src/app/config, certbot writes the files to /usr/src/app/config/live/claves.cn/ inside the container, i.e. volumes/sx-certbot/config/live/claves.cn/ on the host (the lineage is named after the first -d entry); the /etc/letsencrypt/live mount stays empty. Let's Encrypt certificates are valid for 90 days, so the container has to be re-run before then; certbot only re-issues once the certificate is within 30 days of expiry.
The result:
nginx configuration

server {
    listen 443 ssl;
    server_name blog.claves.cn;
    proxy_intercept_errors on;
    recursive_error_pages on;

    # fullchain.pem and privkey.pem copied from certbot's live/claves.cn/ directory
    ssl_certificate /etc/nginx/conf.d/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/conf.d/ssl/privkey.pem;
    ssl_session_timeout 5m;
    # The original listed TLSv1 and TLSv1.1 as well; both are deprecated (RFC 8996)
    # and flagged by every scanner, so only TLS 1.2 and 1.3 are offered here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    client_max_body_size 1024m;

    location / {
        proxy_pass http://sx-blog:80;
        proxy_send_timeout 18;
        proxy_read_timeout 18;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 18;
    }
}