Skip to content

Container configuration

Nicolas Duchon edited this page Apr 5, 2021 · 8 revisions

Optional container environment variables for custom configuration.

  • ACME_CA_URI - Directory URI for the CA ACME API endpoint (defaults to https://acme-v02.api.letsencrypt.org/directory).

If you set this environment variable value to https://acme-staging-v02.api.letsencrypt.org/directory the container will obtain its certificates from Let's Encrypt test API endpoint that don't have the 5 certs/week/domain limit (but are not trusted by browsers).

For example

$ docker run --detach \
    --name nginx-proxy-acme \
    --volumes-from nginx-proxy \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --volume certs:/etc/nginx/certs:rw \
    --volume acme:/etc/acme.sh \
    --env "ACME_CA_URI=https://acme-staging-v02.api.letsencrypt.org/directory" \
    nginxproxy/acme-companion

You can also create test certificates per container (see Test certificates)

  • DEBUG - Set it to 1 to enable debugging of the entrypoint script and generation of ACME certificates, which could help you pin point any configuration issues.

  • RENEW_PRIVATE_KEYS - Set it to false to make acme.sh reuse previously generated private key for each certificate instead of creating a new one on certificate renewal. Reusing private keys can help if you intend to use HPKP, but please note that HPKP has been deprecated by Google's Chrome and that it is therefore strongly discouraged to use it at all.

  • DHPARAM_BITS - Change the size of the Diffie-Hellman key generated by the container from the default value of 2048 bits. For example --env DHPARAM_BITS=1024 to support some older clients like Java 6 and 7.

  • CA_BUNDLE - This is a test only variable for use with Pebble. It changes the trusted root CA used by acme.sh, from the default Alpine trust store to the CA bundle file located at the provided path (inside the container). Do not use it in production unless you are running your own ACME CA.

  • CERTS_UPDATE_INTERVAL - 3600 seconds by default, this defines how often the container will check if the certificates require update.