1 创建主机映射目录
# Host directories that are bind-mounted into the containers below:
#   www          - web root shared by nginx and certbot (webroot challenge files)
#   cert         - certificate store shared by nginx and certbot
#   nginx/conf   - nginx configuration tree (mounted over /etc/nginx in step 5)
#   nginx/html   - nginx html directory
#   nginx/log    - nginx log directory
#   certbot/log  - certbot log directory
# mkdir -p creates missing parents and is idempotent, so one loop covers the tree.
for dir in www cert nginx/conf nginx/html nginx/log certbot/log; do
  mkdir -p "/coo/docker/$dir"
done
2 启动nginx
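# Start nginx serving the shared web root; port 80 is what the http-01 challenge
# in step 3.1 is answered from.
# --privileged is dropped: nginx only serves static files and needs no host device
# access, and a privileged container would hand any nginx compromise the host's devices.
docker run -d --rm --name=nginx \
  -v /coo/docker/www:/usr/share/nginx/html \
  -p 80:80 -p 443:443 \
  nginx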
3 启动certbot(颁发证书)
3.1 使用http-01自动颁发
仅适用于单域名,不适用于通配符域名
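# Issue a certificate for a concrete hostname via http-01: certbot writes the
# challenge file into the shared web root and Let's Encrypt fetches it over port 80
# from the nginx started in step 2.
# A wildcard name (*.abc.com) cannot be validated by http-01 (use 3.2 for that), so
# the request names the host itself; repeat -d for further hostnames.
docker run -it --rm --name=certbot \
  -v /coo/docker/www:/var/www/html \
  -v /coo/docker/cert:/etc/letsencrypt \
  -v /coo/docker/certbot/log:/var/log/letsencrypt \
  certbot/certbot certonly \
  -n --webroot --webroot-path=/var/www/html \
  -m abc@163.com --agree-tos -d abc.com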
3.2 使用dns手动颁发
适用于通配符域名
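# Issue a wildcard certificate via dns-01: certbot prints a TXT value that has to be
# published at _acme-challenge.abc.com before validation continues (see below).
# The wildcard is single-quoted so the shell cannot glob-expand it against files in
# the current directory and hand certbot a different name.
docker run -it --rm --name=certbot \
  -v /coo/docker/www:/var/www/html \
  -v /coo/docker/cert:/etc/letsencrypt \
  -v /coo/docker/certbot/log:/var/log/letsencrypt \
  certbot/certbot certonly \
  -m abc@163.com --manual --preferred-challenges dns -d '*.abc.com'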
在DNS中手动添加域名解析记录:
记录类型=TXT
主机记录=_acme-challenge
记录值=<certbot输出的内容>
4 nginx配置
# Copy the container's whole /etc/nginx tree (nginx.conf plus conf.d/) to the host,
# so it can be edited there and bind-mounted back over /etc/nginx in step 5.
docker cp "nginx:/etc/nginx/." "/coo/docker/nginx/conf"
- 修改/coo/docker/nginx/conf/conf.d/default.conf
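# Port 80: send every request to HTTPS. A 301 with $request_uri keeps the original
# path and query string and avoids a regex evaluation per request.
server {
    listen 80 default_server;
    listen [::]:80;
    #server_name *.abc.com;
    charset utf-8;
    client_max_body_size 200m;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name *.abc.com;
    charset utf-8;
    client_max_body_size 200m;
    # Paths are container paths: /coo/docker/cert on the host is mounted at /data/cert in step 5.
    ssl_certificate /data/cert/live/abc.com/fullchain.pem;     # certificate chain
    ssl_certificate_key /data/cert/live/abc.com/privkey.pem;   # private key
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # cipher suites (TLS 1.2)
    # TLS 1.3 is accepted alongside 1.2; older protocol versions are rejected.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}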
5 使用新配置重新启动nginx
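# Restart nginx with the edited config tree, the log directory and the certificate
# store mounted. --privileged is dropped (nginx needs no host devices), and the web
# root and certificate store are mounted read-only: nginx only reads them, so a
# compromised worker cannot tamper with served files or the private key.
docker stop nginx
docker run -d --rm --name=nginx \
  -p 80:80 -p 443:443 \
  -v /coo/docker/www:/usr/share/nginx/html:ro \
  -v /coo/docker/nginx/conf:/etc/nginx \
  -v /coo/docker/nginx/log:/var/log/nginx \
  -v /coo/docker/cert:/data/cert:ro \
  nginx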
6 定时更新证书
certbot颁发的证书有效期只有三个月,所以要写一个定时更新(续期)脚本
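# Renew whatever certbot considers due. Intended for a cron job, so no -it.
# The webroot mount stays because http-01 certificates (3.1) renew through it;
# certificates issued with --manual (3.2) cannot renew unattended and must be re-issued.
# nginx reads the certificate files only at startup, so it is reloaded afterwards;
# the reload runs only when the renewal command succeeded.
docker run --rm \
  -v /coo/docker/www:/var/www/html \
  -v /coo/docker/cert:/etc/letsencrypt \
  -v /coo/docker/certbot/log:/var/log/letsencrypt \
  certbot/certbot renew \
  && docker exec nginx nginx -s reload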