This is a apache2 docker image with letsencrypt implemented.
Before starting the apache2 daemon, this image will check if certificates for
the hostname domain exist.
If certificates exists, it will do a certbot renew
command to check if
the certificates needs a renewal and renew it if needed.
In the case that certifacates do not exist, it will create it for the domains
in the environment variable LETS_ENCRYPT_DOMAINS
with the email in the LETS_ENCRYPT_EMAIL
variable as the Let's Encrypt
registration and recovery contact.
The environment variable LETS_ENCRYPT_DOMAINS
can be a comma separated list
of domains that should be in the certificate.
You can specify the variables
docker run -d -v /etc/letsencrypt -v /var/lib/letsencrypt --name letsencryptstore busybox
docker run -d --volumes-from letsencryptstore --restart always \
-e LETS_ENCRYPT_EMAIL="your@email.com" \
-e LETS_ENCRYPT_DOMAINS="yourserver.com,site2.yourserver.com" \
-p "80:80" -p "443:443" \
--name apache2 enoniccloud/apache2-letsencrypt
There are multiple ways of setting up with docker-compose, here is an example of how to set it up with custom configuration.
- Add the following code to your docker-compose setup:
apache2:
build: apache2
hostname: www.yourserver.com
restart: always
volumes_from:
- letsencryptstore
ports:
- "80:80"
- "443:443"
environment:
LETS_ENCRYPT_EMAIL: "your@email.com"
LETS_ENCRYPT_DOMAINS: "yourserver.com,site2.yourserver.com"
labels:
io.enonic.backup.data: "/etc/letsencrypt,/var/lib/letsencrypt"
letsencryptstore:
image: busybox
volumes:
- "/etc/letsencrypt"
- "/var/lib/letsencrypt"
- Create the folder
apache2
in your docker-compose setup - Add a vhost config file like this.
<VirtualHost *:80>
ServerName your.host.com
DocumentRoot /var/www/html/
#RewriteEngine on
#RewriteRule ^/(.*) https://your.host.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:443>
ServerName your.host.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
RequestHeader set X-Forwarded-Proto "https"
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
- And add a
Dockerfile
that Uses theenoniccloud/apache2-letsencrypt
image, adds the vhost file you made and other modifications to your setup.
FROM enoniccloud/apache2-letsencrypt
COPY myvhost.conf /etc/apache2/sites-enabled/myvhost.conf
RUN a2enmod headers
The most common problem happens when this is run the first time and the user makes a configuration mistake (like wrong domain name etc.), and an invalid certificate is generated. And then fixing the config error will not necessarily remove the old certificate with mistakes in it. Just delete everything in /etc/letsencrypt/ or delete the letsencryptstore (while apache is stopped)
docker-compose stop apache2
docker-compose rm letsencryptstore apache2
docker-compose up -d --no-deps apache2