Jan Christian Grünhage
feat: more powerful config generation
config generation is now done with jinja2 instead of sed. also added a way to do the dns challenge without fiddling with more than env vars. BREAKING CHANGE: a lot of env vars and volumes changed.
|1 year ago|
|examples||1 year ago|
|root||1 year ago|
|.drone.yml||1 year ago|
|Dockerfile||1 year ago|
|README.md||1 year ago|
|dns-01.md||1 year ago|
|http-01.md||1 year ago|
This is a docker container that wraps around dehydrated.
We have short tutorials for two different modi operandi: The
Both are fairly easy to use. The
dns-01 challenge requires less effort if your DNS provider
is supported by lexicon, the
http-01 challenge otherwise.
By default the container will attempt to generate a config as
with the default values for all the environment variables.
The defaults are explicitly meant to not work. Things you need to change:
DEHYDRATED_ACCEPT_TERMSto yes, after reading letsencrypts ToS
DEHYDRATED_EMAILto an email address you own
DEHYDRATED_CAto a production ACME CA, for example letsencrypt’s ACME v2 endpoint, “https://acme-v02.api.letsencrypt.org/directory”
DEHYDRATED_CA: This controls which ACME endpoint dehydrated contacts. The most common value for production environments is “https://acme-v02.api.letsencrypt.org/directory”, while you should use “https://acme-staging-v02.api.letsencrypt.org/directory” for experiments.
DEHYDRATED_CHALLENGE: You can either put
http-01here, depending on how you want letsencrypt to verify that you are allowed to obtain this certificate.
DEHYDRATED_KEYSIZE: This defaults to
4096, but you could also put
3072here, if you want less secure but slightly faster keys. This only makes sense if your host or your clients are very slow.
DEHYDRATED_HOOK: If you use the
dns-01challenge, you need to supply a hook script, which dehydrated will use to set dns records. The container ships with lexicon installed and a lexicon hook in
/usr/local/bin/lexicon-hook. Apart from the
dns-01challenge, you can also use hooks to deploy newly created certificates. For more info see dehydrated’s project page.
DEHYDRATED_RENEW_DAYS: When dehydrated runs, it will check if any certificates need renewal and renew those. All certificates which expire in the next
ndays will be renewed, where
nis the number you set here. Default is 30
DEHYDRATED_KEY_RENEW: Set this to yes to make dehydrated renew keys too when renewing certificates, or to no to keep the keys.
DEHYDRATED_ACCEPT_TERMS: For the first run this needs to be set to yes, else dehydrated will not work. Read the terms of service of letsencrypt before setting this to yes.
DEHYDRATED_EMAIL: Set your email address here.
DEHYDRATED_GENERATE_CONFIG: Set to yes by default. If you want to use a config supplied by you, change this to no and put your own config in
GID: You can set the UID and GID of the things run in the docker container here.s