Remove acme.sh in favor of just caddy
parent
7ddf44a2d6
commit
a616f93441
|
@ -1,195 +0,0 @@
|
|||
# Let's Encrypt
|
||||
|
||||
Use [acme.sh](https://github.com/Neilpang/acme.sh/) for wholly self-contained Let's Encrypt certificates. This assumes CloudFlare DNS is used for authentication.
|
||||
|
||||
**NOTE:** You probably want to use a DNS provider/API so you don't have to expose a service to the outside world.
|
||||
|
||||
**NOTE:** You may want to use a filesystem on a USB disk instead of /var for the volumes setup in the below Docker command(s) to help reduce writes to the micro sd card.
|
||||
|
||||
## Domains
|
||||
|
||||
### Top Level Domain (TLD) ideas
|
||||
|
||||
- .zone
|
||||
- .host
|
||||
- .travel
|
||||
- .link
|
||||
- .online
|
||||
- .net
|
||||
- .tech
|
||||
- .club
|
||||
|
||||
### Registrar suggestions
|
||||
|
||||
- [http://namecheap.com/](http://namecheap.com/)
|
||||
- [https://uniregistry.com/](https://uniregistry.com/)
|
||||
|
||||
## Dependencies
|
||||
|
||||
``` bash
|
||||
apt update
|
||||
apt install jq
|
||||
|
||||
```
|
||||
|
||||
## Prep
|
||||
|
||||
Grab the acme.sh Dockerfile and update it to work with arm (32 or 64).
|
||||
|
||||
``` bash
|
||||
|
||||
mkdir -p /scratch/docker/acme.sh
|
||||
cd /scratch/docker/acme.sh
|
||||
wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/Dockerfile
|
||||
sed -i '1s/^/ARG ALPINE=alpine:3.6\n/' Dockerfile
|
||||
sed -i '/FROM/c\FROM $ALPINE' Dockerfile
|
||||
mkdir /var/acme.sh
|
||||
chmod 700 /var/acme.sh
|
||||
|
||||
```
|
||||
|
||||
## Setup / Run
|
||||
|
||||
Setup a basic update/run script with the adjusted upstream Dockerfile
|
||||
|
||||
``` bash
|
||||
|
||||
cat > /scratch/docker/acme.sh/acme.sh <<EOF
|
||||
#!/bin/bash
|
||||
|
||||
LATEST=\`docker images --no-trunc acme.sh/acme.sh | awk '{print \$2}' | sort -r | head -n1\`
|
||||
|
||||
RELEASE=\`curl -s https://api.github.com/repos/Neilpang/acme.sh/releases/latest | jq -r .tag_name\`
|
||||
|
||||
if [ \$RELEASE == \$LATEST ]
|
||||
then
|
||||
echo "Already up to date"
|
||||
fi
|
||||
|
||||
ARCH=\`arch\`
|
||||
ALPINE=""
|
||||
|
||||
# Cleanup arch here
|
||||
if [ \$ARCH == "aarch64" ]
|
||||
then
|
||||
echo "64bit arm"
|
||||
ARCH="arm64"
|
||||
ALPINE="arm64v8/alpine"
|
||||
else
|
||||
echo "32bit arm"
|
||||
ARCH="arm"
|
||||
ALPINE="arm32v6/alpine"
|
||||
fi
|
||||
|
||||
echo "Build parms"
|
||||
echo " \${RELEASE}"
|
||||
echo " \${ARCH}"
|
||||
echo " \${ALPINE}"
|
||||
|
||||
echo "Running build"
|
||||
|
||||
docker build \\
|
||||
--network host \\
|
||||
--build-arg ALPINE=\$ALPINE \\
|
||||
--file /scratch/docker/acme.sh/Dockerfile \\
|
||||
--tag acme_sh/acme_sh:\$RELEASE \\
|
||||
.
|
||||
|
||||
echo "Running with latest release"
|
||||
|
||||
# Cleanup existing container
|
||||
docker stop acme_sh
|
||||
docker rm acme_sh
|
||||
|
||||
# Re-run/create container with latest image
|
||||
# daemon (for cron auto renews)
|
||||
docker run -itd \\
|
||||
-v "/var/acme.sh":/acme.sh \\
|
||||
--net=host \\
|
||||
--restart unless-stopped \\
|
||||
--name=acme_sh \\
|
||||
acme_sh/acme_sh:\$RELEASE daemon
|
||||
|
||||
EOF
|
||||
|
||||
chmod a+x /scratch/docker/acme.sh/acme.sh
|
||||
|
||||
```
|
||||
|
||||
## First Run
|
||||
|
||||
Run ```cd /scratch/docker/acme.sh && /scratch/docker/acme.sh/acme.sh``` to get the container online. The following commands will get your Let's Encrypt certificates created.
|
||||
|
||||
*Note: The above script(s) setup the container to auto-run for auto-renew purposes. If you think you'll miss your renew window, force update the certs*
|
||||
|
||||
## Get Help
|
||||
|
||||
``` bash
|
||||
|
||||
docker exec acme.sh --help
|
||||
|
||||
```
|
||||
|
||||
## Renewals...
|
||||
|
||||
If you're going to be on the go, you may want to force rewewal of your scripts ahead of any travel or longer periods of time away from the internet. The author recommends a simple script at ```/root/update_certs.sh``` or similar that calls the necessary command(s) from below.
|
||||
|
||||
## Register a Let's Encrypt Account
|
||||
|
||||
Only do this **ONCE**
|
||||
|
||||
``` bash
|
||||
|
||||
docker exec acme.sh \
|
||||
--register-account \
|
||||
--staging
|
||||
|
||||
```
|
||||
|
||||
## Issue Cert (CloudFlare DNS API)
|
||||
|
||||
``` bash
|
||||
|
||||
docker exec \
|
||||
-e CF_Email='[your cloudflare email]' \
|
||||
-e CF_Key='[your cloudflare api key]' \
|
||||
acme_sh \
|
||||
--issue \
|
||||
--cert-file /acme.sh/domain.tld/domain.tld.crt \
|
||||
--dns dns_cf \
|
||||
-d domain.tld \
|
||||
-d pi-hole-gui.domain.tld \
|
||||
-d syncthing-gui.domain.tld \
|
||||
-d nextcloud.domain.tld \
|
||||
--staging
|
||||
|
||||
```
|
||||
|
||||
## Force Renew All Certs (CloudFlare DNS API)
|
||||
|
||||
``` bash
|
||||
|
||||
docker exec \
|
||||
-e CF_Email='[your cloudflare email]' \
|
||||
-e CF_Key='[your cloudflare api key]' \
|
||||
acme_sh \
|
||||
--renew-all \
|
||||
--force \
|
||||
--dns dns_cf \
|
||||
--staging
|
||||
|
||||
```
|
||||
|
||||
## Revoke Cert
|
||||
|
||||
``` bash
|
||||
|
||||
docker exec acme_sh \
|
||||
--revoke \
|
||||
-d domain.tld \
|
||||
-d pi-hole-gui.domain.tld \
|
||||
-d syncthing-gui.domain.tld \
|
||||
-d nextcloud.domain.tld \
|
||||
--staging
|
||||
|
||||
```
|
|
@ -91,7 +91,9 @@ EOF
|
|||
|
||||
cat > /etc/caddy/services/nextcloud.conf <<EOF
|
||||
# Nextcloud proxy
|
||||
nextcloud:80, nextcloud:443, nextcloud.domain.tld:80, nextcloud.domain.tld:443 {
|
||||
nextcloud.domain.tld {
|
||||
tls user@domain.domain.tld
|
||||
|
||||
redir 301 {
|
||||
if {scheme} is http
|
||||
/ https://nextcloud.domain.tld{uri}
|
||||
|
@ -101,10 +103,6 @@ nextcloud:80, nextcloud:443, nextcloud.domain.tld:80, nextcloud.domain.tld:443 {
|
|||
proxy / 172.30.7.7:80 {
|
||||
transparent
|
||||
}
|
||||
|
||||
# Use acme.sh Let's Encrypt SSL cert setup
|
||||
tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
|
||||
|
||||
header / {
|
||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always
|
||||
# connect via HTTPS (do not use if only testing)
|
||||
|
|
|
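Review bot: The ACME contact address on the new `tls` line reads `tls user@domain.domain.tld`, while every other service file in this commit (pi-hole, searx, syncthing, ttrss, wallabag) uses `tls user@domain.tld`; unless the doubled label is deliberate it should be `tls user@domain.tld`. Replacing the acme.sh-issued certificate paths with `tls <email>` also hands issuance to Caddy's built-in ACME client, which by default validates over inbound HTTP/TLS on ports 80/443 — the removed Let's Encrypt page specifically chose a DNS-API challenge so that no service had to be reachable from the internet, and nothing in the new docs says that constraint has been dropped; if it still holds, a `tls { dns cloudflare }` block with the provider credentials supplied via the environment rather than the Caddyfile preserves it, though I cannot confirm the Caddy build in use ships the DNS plugin. The same consideration applies to the searx, syncthing, ttrss and wallabag hunks. The rendered view does not show which address lines are old and which are new: if the multi-address line `nextcloud:80, nextcloud:443, …` survives alongside the new `nextcloud.domain.tld {` line, the generated Caddyfile gains one `{` more than `}` in the visible hunks, so it is worth confirming the single-host line replaced it rather than joined it. The enclosing heredoc `cat > /etc/caddy/services/nextcloud.conf <<EOF` continues past the hunk.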
@ -117,7 +117,9 @@ cat > /etc/caddy/services/pi-hole.conf <<EOF
|
|||
# Pi Hole proxy
|
||||
# This is only so good
|
||||
# Pi Hole assumes everything is http. Bump it over to http instead of https, because Pi Hole is stupid at life
|
||||
pi-hole-gui:80, pi-hole-gui:443, pi-hole-gui.domain.tld:80 pi-hole-gui.domain.tld:443 {
|
||||
pi-hole-gui.domain.tld {
|
||||
tls user@domain.tld
|
||||
|
||||
redir 301 {
|
||||
if {scheme} is https
|
||||
/ http://pi-hole-gui.domain.tld{uri}
|
||||
|
@ -127,9 +129,6 @@ pi-hole-gui:80, pi-hole-gui:443, pi-hole-gui.domain.tld:80 pi-hole-gui.domain.tl
|
|||
proxy / 172.30.5.5:80 {
|
||||
transparent
|
||||
}
|
||||
|
||||
# Use acme.sh Let's Encrypt SSL cert setup
|
||||
tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
|
||||
}
|
||||
EOF
|
||||
|
||||
|
|
|
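Review bot: With `tls user@domain.tld` turning on Caddy's automatic HTTPS for the new `pi-hole-gui.domain.tld` site, the surviving `redir 301 { if {scheme} is https / http://pi-hole-gui.domain.tld{uri} }` block is likely to loop — automatic HTTPS sends plain-HTTP requests to https and this block sends them straight back — and wherever it does not loop it intentionally serves the Pi-hole admin login over cleartext. If the aim is only to stop Pi-hole emitting mixed-content links, keep the site on HTTPS and rely on the `proxy / 172.30.5.5:80 { transparent }` block, whose `transparent` preset already forwards the client scheme to the upstream, rather than downgrading the client. I cannot tell from the rendered page whether the `redir` lines are context or added, so this may be pre-existing behaviour that the switch to `tls <email>` now exposes. Separately, if the address line `pi-hole-gui:80, pi-hole-gui:443, pi-hole-gui.domain.tld:80 pi-hole-gui.domain.tld:443 {` is still on the new side, it is missing the comma before `pi-hole-gui.domain.tld:443`. The enclosing heredoc `cat > /etc/caddy/services/pi-hole.conf <<EOF` starts before the hunk.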
@ -58,7 +58,9 @@ Simply execute ```/scratch/docker/searx/searx.sh``` to update/run Gogs.
|
|||
|
||||
cat > /etc/caddy/services/searx.conf <<EOF
|
||||
# Searx proxy
|
||||
searx:80, searx:443, searx.domain.tld:80, searx.domain.tld:443 {
|
||||
searx.domain.tld {
|
||||
tls user@domain.tld
|
||||
|
||||
redir 301 {
|
||||
if {scheme} is http
|
||||
/ https://searx.domain.tld{uri}
|
||||
|
@ -68,9 +70,6 @@ searx:80, searx:443, searx.domain.tld:80, searx.domain.tld:443 {
|
|||
proxy / 172.30.8.8:8888 {
|
||||
transparent
|
||||
}
|
||||
|
||||
# Use acme.sh Let's Encrypt SSL cert setup
|
||||
tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
|
||||
}
|
||||
EOF
|
||||
|
||||
|
|
|
@ -135,7 +135,9 @@ EOF
|
|||
|
||||
cat > /etc/caddy/services/syncthing.conf <<EOF
|
||||
# Syncthing proxy
|
||||
syncthing-gui:80, syncthing-gui:443, syncthing-gui.domain.tld:80, syncthing-gui.domain.tld:443 {
|
||||
syncthing-gui.domain.tld {
|
||||
tls user@domain.tld
|
||||
|
||||
redir 301 {
|
||||
if {scheme} is http
|
||||
/ https://syncthing-gui.domain.tld{uri}
|
||||
|
@ -146,9 +148,6 @@ syncthing-gui:80, syncthing-gui:443, syncthing-gui.domain.tld:80, syncthing-gui.
|
|||
transparent
|
||||
header_upstream Host 127.0.0.1 # Reset the transparent proxy host so requests aren't blocked by syncthing
|
||||
}
|
||||
|
||||
# Use acme.sh Let's Encrypt SSL cert setup
|
||||
tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
|
||||
}
|
||||
EOF
|
||||
|
||||
|
|
|
@ -62,7 +62,9 @@ Simply execute ```/root/docker/ttrss.sh``` to update/run TT-RSS.
|
|||
|
||||
cat > /etc/caddy/services/ttrss.conf <<EOF
|
||||
# TT-RSS proxy
|
||||
ttrss:80, ttrss:443, ttrss.domain.tld:80, ttrss.domain.tld:443 {
|
||||
ttrss.domain.tld {
|
||||
tls user@domain.tld
|
||||
|
||||
redir 301 {
|
||||
if {scheme} is http
|
||||
/ https://ttrss.domain.tld{uri}
|
||||
|
@ -72,9 +74,6 @@ ttrss:80, ttrss:443, ttrss.domain.tld:80, ttrss.domain.tld:443 {
|
|||
proxy / 172.30.13.13:80 {
|
||||
transparent
|
||||
}
|
||||
|
||||
# Use acme.sh Let's Encrypt SSL cert setup
|
||||
tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
|
||||
}
|
||||
EOF
|
||||
|
||||
|
|
|
@ -115,7 +115,9 @@ docker exec -it wallabag /bin/sh -c "mkdir -p /wallabag/data/db && touch /wallab
|
|||
|
||||
cat > /etc/caddy/services/wallabag.conf <<EOF
|
||||
# Wallabag proxy
|
||||
wallabag:80, wallabag:443, wallabag.domain.tld:80, wallabag.domain.tld:443 {
|
||||
wallabag.domain.tld {
|
||||
tls user@domain.tld
|
||||
|
||||
redir 301 {
|
||||
if {scheme} is http
|
||||
/ https://wallabag.domain.tld{uri}
|
||||
|
@ -125,9 +127,6 @@ wallabag:80, wallabag:443, wallabag.domain.tld:80, wallabag.domain.tld:443 {
|
|||
proxy / 172.30.9.9:80 {
|
||||
transparent
|
||||
}
|
||||
|
||||
# Use acme.sh Let's Encrypt SSL cert setup
|
||||
tls /var/acme.sh/domain.tld/domain.tld.cer /var/acme.sh/domain.tld/domain.tld.key
|
||||
}
|
||||
EOF
|
||||
|
||||
|
|