⚠️🚧 Work in Progress 🚧⚠️
🛠️ This article is currently under construction.
📅 Some sections may still be incomplete or subject to revision.
🔄 Please check back later for updates!
💡 Feel free to follow along, but note that some information might change as the article is updated.
For now this is still only semi-automated; I haven't found a good way to switch automatically between the self-signed certificate and the Let's Encrypt one.
docker-compose.yml reverse-proxy

```yaml
    volumes:
      # SSL/TLS certificates for both Let's Encrypt and self-signed certificates
      - ./config/certs/letsencrypt:/etc/nginx/certs/letsencrypt:ro
      - ./config/certs/self-signed:/etc/nginx/certs/self-signed:ro
      # Temporary storage for Certbot challenge files (shared with the certbot service)
      - certbot-challenge:/var/www/certbot
```
docker-compose.yml certbot

```yaml
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      # Certbot writes the account, live/ and archive/ directories here;
      # the reverse-proxy mounts the same host directory read-only.
      - ./config/certs/letsencrypt:/etc/letsencrypt
      # Named volume shared with nginx so the HTTP-01 challenge files are served;
      # it must also be declared under the top-level volumes: key of the compose file.
      - certbot-challenge:/var/www/certbot
    # Renewal loop: certbot only renews certificates that are close to expiry,
    # so running it every 12 hours is cheap.
    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot --quiet; sleep 12h; done"
```
nginx.conf: add the ACME challenge location to the default server

```nginx
# Redirect all HTTP traffic to HTTPS for all domains
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Certbot challenges for Let's Encrypt (served from the shared certbot-challenge volume)
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect other HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
```
Next, manually test the first certificate request (before that, comment out the certbot service's entrypoint in docker-compose.yml; otherwise `docker compose run` hands the arguments below to the renewal loop's shell instead of to certbot):

```shell
docker compose run --rm -it certbot certonly --webroot -w /var/www/certbot -d example.com -d www.example.com
```
```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): wildfootw@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for example.com and www.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2025-01-09.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
We have the cert.

nginx.conf: for the domains whose certificates are signed by Let's Encrypt, point the certificate directives at the new location, and put the certbot entrypoint back so it renews the certificate automatically.

```nginx
# Use Let's Encrypt certificates if available
ssl_certificate     /etc/nginx/certs/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/letsencrypt/live/example.com/privkey.pem;

# Fallback to the original self-signed certificates if Let's Encrypt certificates are not found
# ssl_certificate     /etc/nginx/certs/self-signed/example.com.crt;
# ssl_certificate_key /etc/nginx/certs/self-signed/example.com.key;
```
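The manual step above (swapping the commented and uncommented `ssl_*` lines) is the part that keeps this semi-automated. One way to close that gap, shown here as an added example that is not part of the original post, is a small POSIX sh script run inside the reverse-proxy container before nginx starts: it checks whether a non-empty Let's Encrypt pair exists for the domain under the mounts used in the post and emits the matching two directives, falling back to the self-signed pair otherwise. The function names `pick_cert_pair` and `render_ssl_snippet`, the `CERTS_ROOT` variable and the idea of writing the output into an included conf file are assumptions of this example; the directory layout (`letsencrypt/live/<domain>/` and `self-signed/<domain>.crt|.key`) mirrors the post.

```shell
#!/bin/sh
# Added example (not from the original post): select the certificate pair nginx
# should load for a domain. Intended to run inside the reverse-proxy container
# before nginx starts, e.g. from an entrypoint wrapper that writes the printed
# directives into a file that the server{} block includes.

# pick_cert_pair CERTS_ROOT DOMAIN
# Prints "<cert> <key>" on one line (paths must not contain spaces).
# Returns 0 when the Let's Encrypt pair was chosen, 1 for the self-signed fallback.
pick_cert_pair() {
    certs_root="$1"
    domain="$2"
    le_cert="$certs_root/letsencrypt/live/$domain/fullchain.pem"
    le_key="$certs_root/letsencrypt/live/$domain/privkey.pem"
    ss_cert="$certs_root/self-signed/$domain.crt"
    ss_key="$certs_root/self-signed/$domain.key"

    # -s: exists and is non-empty. A missing or zero-length file is what a
    # failed or never-run issuance leaves behind, and nginx would refuse to
    # start if pointed at it, so only a complete pair wins.
    if [ -s "$le_cert" ] && [ -s "$le_key" ]; then
        printf '%s %s\n' "$le_cert" "$le_key"
        return 0
    fi
    printf '%s %s\n' "$ss_cert" "$ss_key"
    return 1
}

# render_ssl_snippet CERTS_ROOT DOMAIN
# Prints the ssl_certificate / ssl_certificate_key directives for the chosen pair.
render_ssl_snippet() {
    pair=$(pick_cert_pair "$1" "$2") || true   # fallback is not an error here
    cert=${pair%% *}
    key=${pair#* }
    printf 'ssl_certificate %s;\nssl_certificate_key %s;\n' "$cert" "$key"
}

# Usage (assumed): ssl-select.sh example.com > /etc/nginx/conf.d/ssl-example.com.inc
# CERTS_ROOT defaults to the mount point used by the post's reverse-proxy service.
if [ "$#" -ge 1 ]; then
    render_ssl_snippet "${CERTS_ROOT:-/etc/nginx/certs}" "$1"
fi
```

Two caveats worth keeping in mind with this layout: the script only chooses a path at start-up, and nginx loads certificate files into memory at start or reload, so after certbot renews in its own container nginx keeps serving the old certificate until it is reloaded (a periodic `nginx -s reload` in the reverse-proxy service is one common way to handle that, since the certbot container cannot signal nginx directly); and the `live/` paths are symlinks into `archive/`, so the read-only mount must include the whole `letsencrypt` directory, as the post's compose file already does.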