All Projects → nginx-proxy → acme-companion

nginx-proxy / acme-companion

Licence: MIT License
Automated ACME SSL certificate generation for nginx-proxy

Programming Languages

shell
77523 projects
Dockerfile
14818 projects

Projects that are alternatives of or similar to acme-companion

Docker Letsencrypt Nginx Proxy Companion
Automated ACME SSL certificate generation for nginx-proxy
Stars: ✭ 6,350 (-1.31%)
Mutual labels:  letsencrypt, ssl, acme, nginx-proxy, acme-protocol, zerossl, acme-v2, buypass
Acme.sh
A pure Unix shell script implementing ACME client protocol
Stars: ✭ 24,723 (+284.26%)
Mutual labels:  letsencrypt, acme, acme-protocol, zerossl, buypass
ACMECert
PHP client library for Let's Encrypt (ACME v2 - RFC 8555)
Stars: ✭ 83 (-98.71%)
Mutual labels:  letsencrypt, ssl, acme, acme-v2
Certificaat
General-purpose ACME client
Stars: ✭ 88 (-98.63%)
Mutual labels:  letsencrypt, ssl, acme
docker-nginx-certbot
Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.
Stars: ✭ 367 (-94.3%)
Mutual labels:  letsencrypt, ssl, acme
Acme client
Java ACME Client application
Stars: ✭ 77 (-98.8%)
Mutual labels:  letsencrypt, ssl, acme
Terraform Provider Acme Old
ACME (Let's Encrypt) Support for Terraform
Stars: ✭ 211 (-96.72%)
Mutual labels:  letsencrypt, ssl, acme
Acmetool
🔒 acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)
Stars: ✭ 1,882 (-70.75%)
Mutual labels:  letsencrypt, ssl, acme
kong-plugin-acme
Let's Encrypt and ACMEv2 integration with Kong - this plugin has been moved into https://github.com/Kong/kong, please open issues and PRs in that repo
Stars: ✭ 36 (-99.44%)
Mutual labels:  letsencrypt, acme, acme-v2
freshcerts
ACME certificate protocol (Let's Encrypt) proxy client with a dashboard and monitoring
Stars: ✭ 59 (-99.08%)
Mutual labels:  letsencrypt, ssl, acme
AzureWebAppSSLManager
Acquires and manages free SSL certificates for Azure Web App and Azure Functions applications.
Stars: ✭ 70 (-98.91%)
Mutual labels:  letsencrypt, ssl, acme
LetsEncrypt
C# layer for generation of wildcard Let's Encrypt SSL certificates
Stars: ✭ 67 (-98.96%)
Mutual labels:  letsencrypt, acme-protocol, acme-v2
acme-dns-01-cloudflare
Cloudflare DNS for Let's Encrypt / ACME dns-01 challenges with Greenlock.js and ACME.js
Stars: ✭ 13 (-99.8%)
Mutual labels:  letsencrypt, acme, acme-v2
Certify
SSL Certificate Manager UI for Windows, powered by Let's Encrypt. Download from certifytheweb.com
Stars: ✭ 1,075 (-83.29%)
Mutual labels:  letsencrypt, ssl, acme
ght-acme.sh
Shell script to sign certificate by the letsencrypt CA
Stars: ✭ 31 (-99.52%)
Mutual labels:  letsencrypt, acme, acme-v2
Greenlock
Automatic SSL renewal for NodeJS
Stars: ✭ 30 (-99.53%)
Mutual labels:  letsencrypt, ssl, acme
Manuale
A fully manual Let's Encrypt/ACME client
Stars: ✭ 201 (-96.88%)
Mutual labels:  letsencrypt, ssl, acme
Win Acme
A simple ACME client for Windows (for use with Let's Encrypt et al.)
Stars: ✭ 4,305 (-33.09%)
Mutual labels:  letsencrypt, acme, acme-v2
qiniu-auto-cert
七牛 CDN 证书自动化工具
Stars: ✭ 20 (-99.69%)
Mutual labels:  letsencrypt, ssl, acme
acme
Go client library implementation for ACME v2 (RFC8555)
Stars: ✭ 77 (-98.8%)
Mutual labels:  letsencrypt, acme, zerossl

Tests GitHub release Docker Image Size Docker stars Docker pulls

acme-companion is a lightweight companion container for nginx-proxy.

It handles the automated creation, renewal and use of SSL certificates for proxied Docker containers through the ACME protocol.

Required read if you use the latest version : the v2.0.0 release of this project mark the switch of the ACME client used by the Docker image from simp.le to acme.sh. This switch result in some backward incompatible changes, so please read this issue and the updated docs for more details before updating your image. The single most important change is that the container now requires a volume mounted to /etc/acme.sh in order to persist ACME account keys and SSL certificates. The last tagged version that uses simp_le is v1.13.1.

Features:

  • Automated creation/renewal of Let's Encrypt (or other ACME CAs) certificates using acme.sh.
  • Let's Encrypt / ACME domain validation through http-01 challenge only.
  • Automated update and reload of nginx config on certificate creation/renewal.
  • Support creation of Multi-Domain (SAN) Certificates.
  • Creation of a strong RFC7919 Diffie-Hellman Group at startup.
  • Work with all versions of docker.

Requirements:

  • Your host must be publicly reachable on both port 80 and 443.
  • Check your firewall rules and do not attempt to block port 80 as that will prevent http-01 challenges from completing.
  • For the same reason, you can't use nginx-proxy's HTTPS_METHOD=nohttp.
  • The (sub)domains you want to issue certificates for must correctly resolve to the host.
  • Your DNS provider must answer correctly to CAA record requests.
  • If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port 80 and 443.

schema

Basic usage (with the nginx-proxy container)

Three writable volumes must be declared on the nginx-proxy container so that they can be shared with the acme-companion container:

  • /etc/nginx/certs to store certificates and private keys (readonly for the nginx-proxy container).
  • /etc/nginx/vhost.d to change the configuration of vhosts (required so the CA may access http-01 challenge files).
  • /usr/share/nginx/html to write http-01 challenge files.

Additionally, a fourth volume must be declared on the acme-companion container to store acme.sh configuration and state: /etc/acme.sh.

Please also read the doc about data persistence.

Example of use:

Step 1 - nginx-proxy

Start nginx-proxy with the three additional volumes declared:

$ docker run --detach \
    --name nginx-proxy \
    --publish 80:80 \
    --publish 443:443 \
    --volume certs:/etc/nginx/certs \
    --volume vhost:/etc/nginx/vhost.d \
    --volume html:/usr/share/nginx/html \
    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
    nginxproxy/nginx-proxy

Binding the host docker socket (/var/run/docker.sock) inside the container to /tmp/docker.sock is a requirement of nginx-proxy.

Step 2 - acme-companion

Start the acme-companion container, getting the volumes from nginx-proxy with --volumes-from:

$ docker run --detach \
    --name nginx-proxy-acme \
    --volumes-from nginx-proxy \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --volume acme:/etc/acme.sh \
    --env "[email protected]" \
    nginxproxy/acme-companion

The host docker socket has to be bound inside this container too, this time to /var/run/docker.sock.

Albeit optional, it is recommended to provide a valid default email address through the DEFAULT_EMAIL environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.

Step 3 - proxied container(s)

Once both nginx-proxy and acme-companion containers are up and running, start any container you want proxied with environment variables VIRTUAL_HOST and LETSENCRYPT_HOST both set to the domain(s) your proxied container is going to use.

VIRTUAL_HOST control proxying by nginx-proxy and LETSENCRYPT_HOST control certificate creation and SSL enabling by acme-companion.

Certificates will only be issued for containers that have both VIRTUAL_HOST and LETSENCRYPT_HOST variables set to domain(s) that correctly resolve to the host, provided the host is publicly reachable.

$ docker run --detach \
    --name your-proxied-app \
    --env "VIRTUAL_HOST=subdomain.yourdomain.tld" \
    --env "LETSENCRYPT_HOST=subdomain.yourdomain.tld" \
    nginx

The containers being proxied must expose the port to be proxied, either by using the EXPOSE directive in their Dockerfile or by using the --expose flag to docker run or docker create.

If the proxied container listen on and expose another port than the default 80, you can force nginx-proxy to use this port with the VIRTUAL_PORT environment variable.

Example using Grafana (expose and listen on port 3000):

$ docker run --detach \
    --name grafana \
    --env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \
    --env "VIRTUAL_PORT=3000" \
    --env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \
    --env "[email protected]" \
    grafana/grafana

Repeat Step 3 for any other container you want to proxy.

Additional documentation

Please check the docs section.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].