创建网站相关目录
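# Host directories that the certbot and openresty containers below bind-mount.
# Creating the full subtrees up front keeps their ownership/permissions under
# your control; Docker would otherwise create a missing bind-mount source
# itself (owned by root). Note that /var/openresty/conf/nginx.conf and
# bot.conf must exist as *files* before openresty is started: a missing
# file mount source is created as an empty directory and nginx fails to load.
mkdir -p /var/certs/letsencrypt/{etc,lib,log} \
  /var/website/letsencrypt \
  /var/openresty/{lualib,conf,logs}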
运行docker certbot申请ssl证书
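# Initial issuance with the HTTP-01 (webroot) challenge. Run this once,
# interactively: certbot prompts for the account e-mail on first registration.
# Account/certificate state lands in /var/certs/letsencrypt on the host and the
# challenge files in /var/website/letsencrypt, which openresty must serve under
# http://<domain>/.well-known/acme-challenge/ (see the server block below).
# Every domain needs its own -d flag; the original line was missing the space
# before the second -d, so "www.test.me-d" was sent as one bogus domain.
docker run -it --rm --name certbot \
  -v "/var/certs/letsencrypt/etc:/etc/letsencrypt" \
  -v "/var/certs/letsencrypt/lib:/var/lib/letsencrypt" \
  -v "/var/certs/letsencrypt/log:/var/log" \
  -v "/var/website/letsencrypt:/www" \
  certbot/certbot certonly --webroot --agree-tos -w /www \
  -d www.test.me -d boss.test.me -d mall.test.me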
openresty nginx domain 申请ssl验证配置
# Plain-HTTP listener: answers the Let's Encrypt HTTP-01 challenge and
# redirects everything else to HTTPS.
server {
listen 80;
# NOTE(review): only www.test.me is named here, while the certbot command also
# requests boss.test.me and mall.test.me. Their challenges reach this block
# only if it is the default server for port 80 — confirm, or list all names.
server_name www.test.me;
# Challenge tokens are written by certbot into /var/website/letsencrypt,
# which the openresty container sees as html/letsencrypt (relative to the
# nginx prefix), so the lookup path matches certbot's -w /www.
location /.well-known/acme-challenge/ {
default_type 'text/plain';
allow all;
root html/letsencrypt;
}
# The redirect target is built from $server_name (the configured value), not
# from the client-supplied Host header, so a request cannot steer it elsewhere.
location / {
rewrite ^(.*)$ https://${server_name}$1 permanent;
}
}
docker运行openresty
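# Start the OpenResty front end. Only the log directory needs to be writable
# from inside the container; certificates, Lua code and config are mounted
# read-only. --privileged was dropped: serving HTTP(S) on 80/443 needs no
# extra capabilities, and a privileged container can modify the host. If a
# specific capability turns out to be required, add it with --cap-add instead.
# Because --rm is combined with -d, a crashed container is removed and the
# "docker restart openresty" in renew.sh then fails; a --restart policy cannot
# be combined with --rm, so drop --rm if automatic recovery is wanted.
# NOTE(review): /etc/openresty/cert is certbot's *archive* directory, whose
# files are versioned (cert1.pem, cert2.pem, ...). A renewal writes the next
# number, so a config that names cert1.pem keeps serving the old certificate.
# Pointing nginx.conf at the live/ symlinks under the first mount
# (/etc/openresty/certs/live/www.test.me/fullchain.pem and privkey.pem) picks
# up renewals automatically — verify against nginx.conf before changing it.
docker run --rm -d --name openresty \
  -p 443:443 -p 80:80 \
  -v /var/certs/letsencrypt/etc:/etc/openresty/certs:ro \
  -v /var/certs/letsencrypt/etc/archive/www.test.me:/etc/openresty/cert:ro \
  -v /var/openresty/lualib:/etc/openresty/lualib:ro \
  -v /var/openresty/conf/nginx.conf:/etc/openresty/nginx.conf:ro \
  -v /var/openresty/conf/bot.conf:/etc/openresty/bot.conf:ro \
  -v /var/website:/usr/local/openresty/nginx/html \
  -v /var/openresty/logs:/usr/local/openresty/nginx/logs \
  -v /etc/localtime:/etc/localtime:ro \
  openresty/openresty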
证书自动续期脚本renew.sh
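#!/bin/bash
# Renew the Let's Encrypt certificates through the certbot container and
# restart openresty only when a certificate actually changed.
# Meant to run from cron, so no TTY is allocated: the original "-it" makes
# docker abort under cron with "the input device is not a TTY", and the
# unconditional restart caused an outage even when nothing was renewed.
set -euo pipefail

readonly certs_dir=/var/certs/letsencrypt
readonly webroot=/var/website/letsencrypt

# Timestamp marker: any file certbot creates under archive/ after this point
# means a renewal happened.
stamp=$(mktemp) || exit 1
trap 'rm -f -- "$stamp"' EXIT

# With set -e a failed renewal exits here, before the restart below.
docker run --rm --name certbot_renew \
  -v "${certs_dir}/etc:/etc/letsencrypt" \
  -v "${certs_dir}/lib:/var/lib/letsencrypt" \
  -v "${certs_dir}/log:/var/log" \
  -v "${webroot}:/www" \
  certbot/certbot renew --non-interactive --webroot --agree-tos -w /www

# certbot stores a renewed certificate as new numbered files under archive/;
# a restart is only needed when such a file appeared after the marker.
if [[ -n "$(find "${certs_dir}/etc/archive" -type f -newer "$stamp" -print -quit 2>/dev/null)" ]]; then
  docker restart openresty
fi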
定时更新ssl证书
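# Run /var/certs/renew.sh at 03:15 on the 25th of every second month.
# Output is appended to a log instead of being discarded, so a failed
# renewal is visible (the log path is a suggestion; adjust as needed).
# NOTE(review): a single attempt every two months leaves no retry before the
# 90-day certificate expires if that run fails, and certbot only renews inside
# the last 30 days. A daily (or twice-daily) schedule is the usual choice,
# provided renew.sh restarts openresty only when a certificate changed.
15 03 25 */2 * /var/certs/renew.sh >> /var/certs/renew.log 2>&1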