|
@@ -0,0 +1,68 @@
|
|
1
|
+# Let's Encrypt HTTP Service
|
|
2
|
+
|
|
3
|
+This container uses [dehydrated](https://github.com/lukas2511/dehydrated)
|
|
4
|
+to automatically obtain SSL certs from [Let's Encrypt](https://letsencrypt.org/).
|
|
5
|
+
|
|
6
|
+You will need a webserver that will serve the challenge responses when
|
|
7
|
+queried by Let's Encrypt, such as my
|
|
8
|
+[service-nginx](https://github.com/csmith/docker-service-nginx) container.
|
|
9
|
+
|
|
10
|
+Multiple domains, as well as SANs, are supported. Certificates will be
|
|
11
|
+renewed automatically, and obtained automatically as soon as new domains
|
|
12
|
+are added.
|
|
13
|
+
|
|
14
|
+## Usage
|
|
15
|
+
|
|
16
|
+### Accepting Let's Encrypt's terms
|
|
17
|
+
|
|
18
|
+In order to issue certificates with Let's Encrypt, you must agree to the
|
|
19
|
+Let's Encrypt terms of service. You can do this by running the command
|
|
20
|
+`/dehydrated --register --accept-terms` from within the container.
|
|
21
|
+
|
|
22
|
+For ease of automation, you can define the `ACCEPT_CA_TERMS` env var
|
|
23
|
+(with any non-empty value) to automatically accept the terms. Be warned
|
|
24
|
+that doing so will automatically accept any future changes to the terms
|
|
25
|
+of service.
|
|
26
|
+
|
|
27
|
+### Defining domains
|
|
28
|
+
|
|
29
|
+The container defines one volume at `/letsencrypt`, and expects there to be
|
|
30
|
+a list of domains in `/letsencrypt/domains.txt`. Certificates are output to
|
|
31
|
+`/letsencrypt/certs/{domain}`.
|
|
32
|
+
|
|
33
|
+domains.txt should contain one line per certificate. If you want alternate
|
|
34
|
+names on the cert, these should be listed after the primary domain. e.g.
|
|
35
|
+
|
|
36
|
+```
|
|
37
|
+example.com www.example.com
|
|
38
|
+admin.example.com
|
|
39
|
+```
|
|
40
|
+
|
|
41
|
+This will request two certificates: one for example.com with a SAN of
|
|
42
|
+www.example.com, and a separate one for admin.example.com.
|
|
43
|
+
|
|
44
|
+The container uses inotify to monitor the domains.txt file for changes,
|
|
45
|
+so you can update it while the container is running and changes will be
|
|
46
|
+automatically applied.
|
|
47
|
+
|
|
48
|
+### Well-known files
|
|
49
|
+
|
|
50
|
+To verify that you own the domain, a webserver must be listening for
|
|
51
|
+requests and serve a unique file under the `/.well-known/acme-challenge`
|
|
52
|
+directory. The responses for these files are written by this container
|
|
53
|
+to `/letsencrypt/well-known`.
|
|
54
|
+
|
|
55
|
+### Other configuration
|
|
56
|
+
|
|
57
|
+For testing purposes, you can set the `STAGING` environment variable to
|
|
58
|
+a non-empty value. This will use the Let's Encrypt staging server, which
|
|
59
|
+has much more relaxed limits.
|
|
60
|
+
|
|
61
|
+You should pass in a contact e-mail address by setting the `EMAIL` env var.
|
|
62
|
+This is passed on to Let's Encrypt, and may be used for important service
|
|
63
|
+announcements.
|
|
64
|
+
|
|
65
|
+By default this container uses Eliptic Curve keys. You can override this
|
|
66
|
+behaviour by setting the `ALGORITHM` environment variable. Dehydrated
|
|
67
|
+supports the following algorithms: `rsa`, `prime256v1` and `secp384r1`.
|
|
68
|
+
|