Containerized certbot with the plugins listed in the docs made available:
- certbot-dns-cloudflare
- certbot-dns-cloudxns
- certbot-dns-digitalocean
- certbot-dns-dnsimple
- certbot-dns-dnsmadeeasy
- certbot-dns-google
- certbot-dns-linode
- certbot-dns-luadns
- certbot-dns-nsone
- certbot-dns-ovh
- certbot-dns-rfc2136
- certbot-dns-route53
The container entrypoint is literally EFF's certbot
. All the flags and
arguments described in the documentation will work here.
The examples use Podman. Substitute podman
with docker
if you prefer that.
The expected outcome is to have the certificates saved in a volume, so that it can be easily mounted into the webserver container:
podman volume create --name https-certs
Prepare to manually edit your DNS zone with the provided instructions:
podman run --rm -it \
-v https-certs:/etc/letsencrypt \
quay.io/pierreprinetti/certbot certonly \
--manual \
--preferred-challenges=dns \
-m [email protected] \
--agree-tos \
-d example.com \
-d www.example.com
In this example, my OVH credentials are stored in the file ./ovh.ini
as described in the docs.
This command will persist the Letsencrypt material, including the HTTPS certificate, in the newly created volume:
podman run --rm \
-v $(pwd)/ovh.ini:/ovh.ini:ro \
-v https-certs:/etc/letsencrypt \
quay.io/pierreprinetti/certbot certonly \
--non-interactive \
--agree-tos \
-m [email protected] \
--dns-ovh \
--dns-ovh-credentials /ovh.ini \
-d example.com \
-d www.example.com
Remember to substitute [email protected]
with your own email address in order to receive important notifications about your certificate.
This same command will renew the certificates, if they are found in the attached volume.
Spin your favorite reverse proxy with something like:
podman run \
--name some-nginx \
-v https-certs:/etc/nginx/certs:ro \
-p 80:80 \
-p 443:443 \
--restart unless-stopped \
-d nginx:mainline-alpine
Example configuration for example.com
in your containerized nginx:
server {
listen 443 http2;
listen [::]:443 http2;
server_name example.com;
ssl on;
ssl_certificate /etc/nginx/certs/live/example.com/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/live/example.com/privkey.pem;
[...]