Run acme.sh in docker - acmesh-official/acme.sh GitHub Wiki

acme.sh 💕 docker

As a big docker fan myself, I understand that we hate installing anything on a docker host, even if it's just copying a shell script.

Automated nginx reverse proxy docker image with acme.sh for letsencrypt ssl cert: https://github.com/Neilpang/letsproxy

Deploy to a docker container and reload it: https://github.com/Neilpang/acme.sh/wiki/deploy-to-docker-containers

So here is "acme.sh in docker":

  1. Based on alpine, only 5MB in size.
  2. Runs either as an executable or as a daemon.
  3. Supports all the command line parameters.

1. Say "Hello World"

docker run --rm neilpang/acme.sh

2. Used as an executable:

docker run --rm  -it  \
  -v "$(pwd)/out":/acme.sh  \
  --net=host \
  neilpang/acme.sh  --issue -d example.com  --standalone

You can use any command that acme.sh supports here. Other examples:

#revoke a cert
docker run --rm  -it  \
  -v "$(pwd)/out":/acme.sh  \
  --net=host \
  neilpang/acme.sh  --revoke -d example.com
#use dns mode
docker run --rm  -it  \
  -v "$(pwd)/out":/acme.sh  \
  neilpang/acme.sh  --issue --dns -d example.com
#run cron job
docker run --rm  -it  \
  -v "$(pwd)/out":/acme.sh  \
  --net=host \
  neilpang/acme.sh  --cron

In short, you can invoke the neilpang/acme.sh image as if it were the acme.sh shell script itself.

3. Run acme.sh as a docker daemon.

1. Run acme.sh as a docker daemon so that it handles the renewal cron job automatically.

docker run --rm  -itd  \
  -v "$(pwd)/out":/acme.sh  \
  --net=host \
  --name=acme.sh \
  neilpang/acme.sh daemon

Or run acme.sh by using Docker Compose.

Edit docker-compose.yml:

services:
  acme-sh:
    image: neilpang/acme.sh
    container_name: acme.sh
    volumes:
      - ./out:/acme.sh
    network_mode: host
    command: daemon
    stdin_open: true
    tty: true
    restart: "no"

Then run acme.sh:

docker compose up -d

By default, acme.sh runs as root. The provided Docker image creates a user named acme with UID/GID 1000. Users who want to run as a non-root user can add --user 1000:1000 to the above docker run command line, or user: '1000:1000' to the above docker-compose.yml.

Additional considerations for non-root

  • If you are using the docker deploy-hook and therefore mounting /var/run/docker.sock, you must ensure your non-root user has permission to read/write /var/run/docker.sock by adding the user to the host's Docker GID (e.g. --group-add 999 on the command line, or group_add: ["999"] in your docker-compose.yml). Keep in mind that access to the Docker socket is equivalent to root on the host, so running as non-root gains little in that configuration.
  • If you are using the ssh deploy-hook, take note of where your .ssh keys are stored. LE_CONFIG_HOME (/acme.sh) is used as the home directory for this Docker image, so your keys will be stored in /acme.sh/.ssh regardless of the user. Existing users: your keys may have been stored in /root/.ssh and need to be migrated into the proper directory, where they will persist in the VOLUME.
  • If the crontab is missing, one will be generated in LE_CONFIG_HOME (/acme.sh). Since this is a VOLUME, subsequent changes to crontab made by the user will persist.
  • The non-root acme user (UID/GID 1000) must have proper read and write permissions to the acme.sh volume mounted at /acme.sh. Existing users: Depending on your mount type, you may have to set it manually either with chown or chmod.
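The checks above can be scripted. The following is an added example, not part of the acme.sh project: it looks up the GID owning the Docker socket for --group-add, verifies that the host directory mounted at /acme.sh is owned by the image's acme user (UID/GID 1000), and composes the matching docker run options. It assumes GNU stat (Linux); the function names are my own.

```shell
#!/bin/sh
# Added example, not acme.sh project code. Assumes GNU stat (-c).
ACME_UID=1000   # UID/GID of the "acme" user created in the image
ACME_GID=1000

# Print the GID that owns the Docker socket, for --group-add.
# Returns 1 if the socket path does not exist.
socket_gid() {
  sock="${1:-/var/run/docker.sock}"
  [ -e "$sock" ] || return 1
  stat -c %g "$sock"
}

# Succeed only if the directory is owned by the acme UID/GID; otherwise
# the daemon will not be able to write its config and certs there.
volume_owner_ok() {
  dir="$1"
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%u:%g' "$dir")" = "${ACME_UID}:${ACME_GID}" ]
}

# Print the docker run options for a non-root acme.sh daemon.
#   $1 = host directory to mount at /acme.sh
#   $2 = Docker socket path (only when using the docker deploy-hook)
non_root_run_args() {
  dir="$1"; sock="$2"
  args="--user ${ACME_UID}:${ACME_GID} -v ${dir}:/acme.sh --net=host"
  if [ -n "$sock" ]; then
    gid="$(socket_gid "$sock")" || return 1
    args="$args -v ${sock}:/var/run/docker.sock --group-add ${gid}"
  fi
  printf '%s\n' "$args"
}

# Usage: prepare ./out and print the full command line.
main() {
  dir="$(pwd)/out"
  mkdir -p "$dir"
  volume_owner_ok "$dir" || echo "fix ownership: chown ${ACME_UID}:${ACME_GID} $dir" >&2
  echo "docker run --rm -itd $(non_root_run_args "$dir") --name=acme.sh neilpang/acme.sh daemon"
}
[ "${0##*/}" = "nonroot.sh" ] && main
```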

2. Then you can use docker exec to run any acme.sh command.

docker exec acme.sh --help
docker exec acme.sh --issue -d example.com --standalone

Yes, again, you can use any command that acme.sh supports here.