let's encrypt
About 1 min
let's encrypt
references
- https://letsencrypt.org/getting-started/
- https://github.com/acmesh-official/acme.sh/wiki/dnsapi#11-use-aliyun-domain-api-to-automatically-issue-cert
- https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker
prerequisites
- prepare RAM access policy to your aliyun account
- create policy
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "alidns:AddDomainRecord", "alidns:DeleteDomainRecord" ], "Resource": "acs:alidns:*:*:domain/geekcity.tech" }, { "Effect": "Allow", "Action": [ "alidns:DescribeDomains", "alidns:DescribeDomainRecords" ], "Resource": "acs:alidns:*:*:domain/*" } ] }
- create policy
- assuming we have an account with
AccessKey
andAccessSecret
Ali_Key=your_aliyun_key Ali_Secret=your_aliyun_secret
- add policy to your account
issue a certificate
- assuming we have a domain
geekcity.tech
- issue a certificate by letsencrypt
mkdir -p output podman run --rm \ -v "$(pwd)/output":/acme.sh \ -e Ali_Key=$Ali_Key \ -e Ali_Secret=$Ali_Secret \ docker.io/neilpang/acme.sh:3.1.0 --issue --dns dns_ali -d test.letsencrypt.geekcity.tech --server letsencrypt
- the outputs will be in the
output
directory
tests
- install the certificate into haproxy
mkdir -p haproxy/pem CERTIFICATE_PATH=$(pwd)/output/test.letsencrypt.geekcity.tech_ecc HA_PROXY_CERTIFICATE_PATH=$(pwd)/haproxy/pem cat $CERTIFICATE_PATH/fullchain.cer $CERTIFICATE_PATH/test.letsencrypt.geekcity.tech.key > $HA_PROXY_CERTIFICATE_PATH/test.letsencrypt.geekcity.tech.pem
- run the haproxy
cat <<EOF > haproxy/haproxy.cfg global log /dev/log local0 log /dev/log local1 notice defaults log global mode tcp timeout connect 5000 timeout client 50000 timeout server 50000 frontend http bind *:80 bind *:443 ssl crt /usr/local/etc/haproxy/certs/ mode http redirect scheme https code 301 if !{ ssl_fc } acl ACL_nginx ssl_fc_sni -i test.letsencrypt.geekcity.tech use_backend nginx if ACL_nginx default_backend nodes backend nginx mode http server nginxServer host.containers.internal:8080 backend nodes mode http balance roundrobin server defaultNginx host.containers.internal:8888 EOF
podman run --rm -p 1443:443 -p 1080:80 \ -v $(pwd)/haproxy/pem:/usr/local/etc/haproxy/certs/:ro \ -v $(pwd)/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \ -d docker.io/library/haproxy:2.2.14
- setup nginx to test
mkdir -p nginx # prepare default.conf cat << EOF > $(pwd)/nginx/default.conf server { listen 80; location / { root /usr/share/nginx/html; autoindex on; } } EOF
mkdir $(pwd)/nginx/data podman run --rm -p 8080:80 \ -v $(pwd)/nginx/data:/usr/share/nginx/html:ro \ -v $(pwd)/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro \ -d docker.io/library/nginx:1.19.9-alpine echo 'this is a test' > $(pwd)/nginx/data/some-data.txt
- point
127.0.0.1
totest.letsencrypt.geekcity.tech
echo '127.0.0.1 test.letsencrypt.geekcity.tech' >> /etc/hosts
- visit with curl
curl -v https://test.letsencrypt.geekcity.tech:1443