This Docker container automatically renews certificates from Let's Encrypt (via the lego ACME client using a DNS-01 challenge), copies them to a MikroTik device running RouterOS over SSH, and activates them for the web server, the API and the OpenVPN server.
- GitHub: foorschtbar/routeros-letsencrypt-docker
- Docker Hub: foorschtbar/routeros-letsencrypt
- Map an SSH private key file used to log in to RouterOS
- Map a volume/folder so the ACME account data and issued certificates persist between container restarts
- Configure environment variables to control the automation process:
| Name | Default | Description |
|---|---|---|
| ROUTEROS_USER | (none) | RouterOS user the container logs in as. Give it only the policies it needs: ssh, write, ftp, read |
| ROUTEROS_HOST | (none) | RouterOS IP address or hostname |
| ROUTEROS_SSH_PORT | 22 | RouterOS SSH port |
| ROUTEROS_PRIVATE_KEY | (none) | Path (inside the container) of the private key used to connect to RouterOS. Set the file permissions to 0400! |
| ROUTEROS_DOMAIN | (none) | Domain name under which the lego client stores the issued certificate. Usually the first domain listed in LEGO_DOMAINS |
| LEGO_STAGING | 1 | Which Let's Encrypt endpoint to use: 0 for production, 1 for staging. Test against staging first; the production endpoint has strict rate limits |
| LEGO_KEY_TYPE | ec384 | Key type of the certificate's private key (lego accepts ec256, ec384, rsa2048, rsa4096, rsa8192) |
| LEGO_DOMAINS | (none) | Domains to include in the certificate, delimited by ';' |
| LEGO_EMAIL_ADDRESS | (none) | Email address used for ACME account registration and as recovery contact |
| LEGO_PROVIDER | (none) | DNS provider used for the DNS-01 challenge. Valid values are: acmedns, alidns, arvancloud, auroradns, autodns, azure, bindman, bluecat, checkdomain, clouddns, cloudflare, cloudns, cloudxns, conoha, constellix, desec, designate, digitalocean, dnsimple, dnsmadeeasy, dnspod, dode, dreamhost, duckdns, dyn, dynu, easydns, edgedns, exec, exoscale, fastdns, gandi, gandiv5, gcloud, glesys, godaddy, hetzner, hostingde, httpreq, iij, internal, inwx, joker, lightsail, linode, linodev4, liquidweb, luadns, mydnsjp, mythicbeasts, namecheap, namedotcom, namesilo, netcup, netlify, nifcloud, ns1, oraclecloud, otc, ovh, pdns, rackspace, regru, rfc2136, rimuhosting, route53, sakuracloud, scaleway, selectel, servercow, stackpath, transip, vegadns, versio, vscale, vultr, yandex, zoneee, zonomi |
| LEGO_DNS_TIMEOUT | 10 | DNS timeout in seconds |
| LEGO_ARGS | (none) | Extra arguments passed directly to lego, e.g. "--dns.disable-cp" or "--dns.resolvers 1.1.1.1" |
| `<KEY/TOKEN_FROM_PROVIDER>` | (none) | Credentials for the chosen DNS provider; the variable name depends on the provider (e.g. DO_AUTH_TOKEN for digitalocean). See Configuration of DNS Providers. This token can modify your DNS zone, so scope it as narrowly as the provider allows |
| SET_ON_WEB | true | Install the new certificate on the web server (www-ssl) |
| SET_ON_API | true | Install the new certificate on the API (api-ssl) |
| SET_ON_OVPN | false | Install the new certificate on the OpenVPN server |
| SET_ON_HOTSPOT | false | Install the new certificate for the HotSpot/captive portal |
| HOTSPOT_PROFILE_NAME | (none) | HotSpot/captive portal profile name (used when SET_ON_HOTSPOT is true) |
- Generate an SSH key pair dedicated to this container
- Upload the public key to RouterOS
- Add a user and group with only the required policies (ssh, write, ftp, read) and import the public SSH key for that user
- Pass the private key into the Docker container (mode 0400)
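The four steps above, carried through as a POSIX shell script. This is an added example and not part of the project; it assumes an existing RouterOS admin account (`admin`), the router and user names from the compose file below (`router.mydomain.tld`, `letsencrypt`), a key file named `id-rsa` to match the compose volume mount, and that your RouterOS version accepts an RSA public key for `/user ssh-keys import`. The random password set on the RouterOS user is only there so the account is not created with an empty password; login is meant to happen over the key.

```shell
#!/bin/sh
# Added example (not part of the project): prepare SSH key login for the container.
# Assumptions: an existing RouterOS admin account, a reachable router, and a
# dedicated RouterOS user that gets only the policies listed in the README table.
set -eu

# Step 1: generate a dedicated RSA key pair for the container. The private key is
# what the container mounts as ROUTEROS_PRIVATE_KEY, so lock it to 0400 right away.
gen_key() {            # gen_key <private-key-path>
  ssh-keygen -t rsa -b 4096 -N '' -C 'routeros-letsencrypt' -f "$1"
  chmod 0400 "$1"
}

# Step 3: RouterOS CLI for a least-privilege group, the user, and the key import.
routeros_commands() {  # routeros_commands <user> <pubkey-file-on-router> <password>
  printf '%s\n' \
    "/user group add name=$1 policy=ssh,write,ftp,read" \
    "/user add name=$1 group=$1 password=\"$3\"" \
    "/user ssh-keys import public-key-file=$2 user=$1"
}

# Steps 2 + 3: upload the public key to the router's file store, then run each
# command over SSH as the admin user. ssh -n keeps ssh from eating the loop's stdin.
install_key() {        # install_key <admin> <host> <private-key-path> <container-user>
  pub=$(basename "$3").pub
  pw=$(head -c 24 /dev/urandom | base64 | tr -d '/+=')
  scp "$3.pub" "$1@$2:/$pub"
  routeros_commands "$4" "$pub" "$pw" | while IFS= read -r cmd; do
    ssh -n "$1@$2" "$cmd"
  done
}

# Step 4 sanity check before mounting the key: the file must be exactly mode 0400.
key_is_0400() {        # key_is_0400 <path>; returns 0 only for mode 0400
  [ -n "$(find "$1" -prune -perm 0400)" ]
}

# Usage:
#   gen_key ./id-rsa
#   install_key admin router.mydomain.tld ./id-rsa letsencrypt
#   key_is_0400 ./id-rsa && echo "key permissions ok"
```

Run `gen_key` and `install_key` once from a workstation that already has admin SSH access to the router; afterwards the container only needs the `./id-rsa` file and the `letsencrypt` user, which cannot log in to the router with more than the four listed policies.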
```yaml
version: "3"
services:
  app:
    image: foorschtbar/routeros-letsencrypt
    environment:
      - LEGO_STAGING=1 # 0 for production, 1 for staging (default)
      - LEGO_PROVIDER=digitalocean # Example
      - LEGO_DOMAINS=mydomain.tld # or *.mydomain.tld for a wildcard cert.
      - LEGO_EMAIL_ADDRESS=you@mydomain.tld # placeholder, replace with your contact address
      - DO_AUTH_TOKEN=changeme # Example; the DigitalOcean API token
      - ROUTEROS_USER=letsencrypt
      - ROUTEROS_HOST=router.mydomain.tld
      - ROUTEROS_PRIVATE_KEY=/id-rsa
      - ROUTEROS_DOMAIN=mydomain.tld # or *.mydomain.tld for a wildcard cert.
    volumes:
      - ./data:/letsencrypt # To store persistent authorization information between container restarts
      - ./id-rsa:/id-rsa # private key for the RouterOS login, mode 0400 on the host
    restart: unless-stopped
```
Inspired by