文中的操作都是在CentOS Stream release 9下執行的,使用的是root用戶,
1. 安裝docker
# 卸載原有的docker
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
# 安裝依賴
yum install -y yum-utils device-mapper-persistent-data lvm2
# 配置docker-ce源
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# 安裝docker
yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin
# 安裝docker-compose
wget https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-linux-x86_64
chmod +x docker-compose-linux-x86_64 && mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose && ldconfig
2. Let`s Encrypt及Certbot介紹
關于Let`s Encrypt可以參見這里,
certbot安裝使用參加這里,
3. Docker運行Certbot獲取證書
為了方便維護、升級,同時也避免破壞本地的開發環境,我這里使用docker方式來運行certbot,整個程序分為兩步:首次申請證書和證書更新,
3.1 首次申請證書
因為我的文章都是通過jekyll運行的靜態網站,之后會通過nginx來運行,所以這里就以nginx為例來配置網站的tls證書,
- 創建nginx組態檔
default.conf:
server {
listen 80;
server_name example.com www.example.com;
# 高優先級,僅用于更新證書
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
}
- docker-compose檔案:
version: '3.3'
services:
nginx:
image: nginx:1.23.4-alpine
container_name: frontend
volumes:
- ./default.conf:/etc/nginx/conf.d/default.conf
- ./frontend:/usr/share/nginx/html
ports:
- 80:80
- 啟動web服務:
docker-compse up -d - 啟動
certbot申請證書:
docker run --rm -it -v ./certbot/etc/letsencrypt:/etc/letsencrypt -v ./certbot/var/log/letsencrpt:/var/log/letsencrypt -v ./frontend:/data/letsencrypt certbot/certbot:latest certonly --webroot --email [email protected] --agree-tos --no-eff-email --webroot-path=/data/letsencrypt -d example.com -d example.com
運行結束后可以在./certbot/etc/letsencrypt/live目錄下找到example.com檔案夾,其中包含證書檔案fullchain.pem和私鑰檔案privkey.pem,
- 停止web服務:
docker-compose down - 更新compose檔案:
version: '3.3'
services:
nginx:
image: nginx:1.23.4-alpine
container_name: frontend
volumes:
- ./default.conf:/etc/nginx/conf.d/default.conf
# - ./frontend:/usr/share/nginx/html
- ./certbot/etc/letsencrypt/live:/letsencrypt/live # 當前證書目錄
- ./certbot/etc/letsencrypt/archive:/letsencrypt/archive # 歷史證書目錄
- ./dhparam-2048.pem:/letsencrypt/dhparam-2048.pem # 使用2048位DH(Diffie-Hellman)引數
ports:
- 80:80
- 443:443
2048為DH引數生成命令:openssl dhparam -out ./dhparam-2048.pem 2048
- 更新nginx組態檔
# 處理http請求
server {
listen 80;
server_name example.com www.example.com;
# 重定向到https
location / {
rewrite ^ https://$host$request_uri? permanent;
}
# 高優先級,僅用于更新證書
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
}
# 處理https請求
server {
listen 443 ssl http2;
server_name example.com www.example.com;
server_tokens off;
ssl_certificate /letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /letsencrypt/live/example.com/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /letsencrypt/dhparam-2048.pem; # 使用2048位DH引數,加強安全
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
root /usr/share/nginx/html;
index index.html;
}
- 重新啟動web服務:
docker-compose up -d
3.2 證書更新
- 通過以下腳本可以實作證書更新:
#!/bin/bash
docker run -it --rm \
-v ./certbot/etc/letsencrypt:/etc/letsencrypt \
-v ./certbot/var/lib/letsencrypt:/var/lib/letsencrypt \
-v ./certbot/var/log/letsencrypt:/var/log/letsencrypt \
-v ./site:/data/letsencrypt \
certbot/certbot \
renew --webroot -w /data/letsencrypt --quiet && docker kill --signal=HUP frontend
- crontab -e新增一條定時任務,每月1號00:00更新一次證書:
0 0 1 * * {{YOURPATH}}/renew.sh
宣告:本作品采用署名-非商業性使用-相同方式共享 4.0 國際 (CC BY-NC-SA 4.0)進行許可,使用時請注明出處,
Author: mengbin
blog: mengbin
Github: mengbin92
cnblogs: 戀水無意
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/551437.html
標籤:其他
上一篇:【Docker】鏡像制作和管理
下一篇:返回列表