|
@@ -0,0 +1,83 @@
|
|
1
|
+# Let's Encrypt Lexicon Service
|
|
2
|
+
|
|
3
|
+This container uses the awesome [Lexicon](https://github.com/AnalogJ/lexicon)
|
|
4
|
+library with [letsencrypt.sh](https://github.com/lukas2511/letsencrypt.sh) to
|
|
5
|
+automatically obtain SSL certs from [Let's Encrypt](https://letsencrypt.org/).
|
|
6
|
+
|
|
7
|
+Multiple domains, as well as SANs, are supported. Certificates will be
|
|
8
|
+renewed automatically, and obtained automatically as soon as new domains
|
|
9
|
+are added.
|
|
10
|
+
|
|
11
|
+## Usage
|
|
12
|
+
|
|
13
|
+### Defining domains
|
|
14
|
+
|
|
15
|
+The container defines one volume at `/letsencrypt`, and expects there to be
|
|
16
|
+a list of domains in `/letsencrypt/domains.txt`. Certificates are output to
|
|
17
|
+`/letsencrypt/certs/{domain}`.
|
|
18
|
+
|
|
19
|
+domains.txt should contain one line per certificate. If you want alternate
|
|
20
|
+names on the cert, these should be listed after the primary domain. e.g.
|
|
21
|
+
|
|
22
|
+```
|
|
23
|
+example.com www.example.com
|
|
24
|
+admin.example.com
|
|
25
|
+```
|
|
26
|
+
|
|
27
|
+This will request two certificates: one for example.com with a SAN of
|
|
28
|
+www.example.com, and a separate one for admin.example.com.
|
|
29
|
+
|
|
30
|
+The container uses inotify to monitor the domains.txt file for changes,
|
|
31
|
+so you can update it while the container is running and changes will be
|
|
32
|
+automatically applied.
|
|
33
|
+
|
|
34
|
+### DNS providers
|
|
35
|
+
|
|
36
|
+To verify that you own the domain, a TXT record needs to be automatically
|
|
37
|
+created for it. The Lexicon library handles this, and comes with support
|
|
38
|
+for a variety of providers including CloudFlare, EasyDNS, DigitalOcean and
|
|
39
|
+Vultr.
|
|
40
|
+
|
|
41
|
+Lexicon takes its configuration from environment variables. For full
|
|
42
|
+instructions, see its
|
|
43
|
+[README](https://github.com/AnalogJ/lexicon/blob/master/README.md).
|
|
44
|
+
|
|
45
|
+To configure Lexicon to update DNS hosted by CloudFlare, for example, you
|
|
46
|
+would pass in:
|
|
47
|
+
|
|
48
|
+```
|
|
49
|
+docker run ... \
|
|
50
|
+ -e "PROVIDER=cloudflare" \
|
|
51
|
+ -e "LEXICON_CLOUDFLARE_USERNAME=email@address.com" \
|
|
52
|
+ -e "LEXICON_CLOUDFLARE_TOKEN=api-key-here"
|
|
53
|
+```
|
|
54
|
+
|
|
55
|
+### Other configuration
|
|
56
|
+
|
|
57
|
+For testing purposes, you can set the `STAGING` environment variable to
|
|
58
|
+a non-empty value. This will use the Let's Encrypt staging server, which
|
|
59
|
+has much more relaxed limits.
|
|
60
|
+
|
|
61
|
+You should pass in a contact e-mail address by setting the `EMAIL` env var.
|
|
62
|
+This is passed on to Let's Encrypt, and may be used for important service
|
|
63
|
+announcements.
|
|
64
|
+
|
|
65
|
+### Running
|
|
66
|
+
|
|
67
|
+Here's a full worked example:
|
|
68
|
+
|
|
69
|
+```bash
|
|
70
|
+# The directory we'll use to store the domain list and certificates.
|
|
71
|
+# You could use a docker volume instead.
|
|
72
|
+mkdir /tmp/letsencrypt
|
|
73
|
+echo "domain.com www.domain.com" > /tmp/letsencrypt/domains.txt
|
|
74
|
+
|
|
75
|
+docker run -d --restart=always \
|
|
76
|
+ -e "EMAIL=admin@domain.com" \
|
|
77
|
+ -e "STAGING=true" \
|
|
78
|
+ -e "PROVIDER=cloudflare" \
|
|
79
|
+ -e "LEXICON_CLOUDFLARE_USERNAME=email@address.com" \
|
|
80
|
+ -e "LEXICON_CLOUDFLARE_TOKEN=api-key-here" \
|
|
81
|
+ -v /tmp/letsencrypt:/letsencrypt \
|
|
82
|
+ csmith/letsencrypt-lexicon:latest
|
|
83
|
+```
|