NGINX-Certbot 自動跟Let'sEncrytp取得憑證

#🐳

睡睡念

前人很強，很厲害，喜歡自己動手，
所以他當初造的自動取得Let's Encrypt的程式，都是自己寫一整套來用。
然後，交接了整套，但程式沒人知道在幹嘛，只有每次出問題時，
會去翻API看是要先call哪個，再call哪個，然後再重開某些image
才能正確取得，身爲一個懶人，跟腦細胞容量過小的我，實在記不住阿，
只好改了。

正文

這個只適合Docker，k8s請改用cert-manage

使用說明

我這邊是掛載user_conf.d 到 /etc/nginx/user_conf.d ，
user_conf.d就是設定檔存放的位置。

docker-compose.yaml

version: '3'

services:
  nginx:
    image: jonasal/nginx-certbot:latest
    container_name: nginx
    restart: unless-stopped
    networks:
      - cicd_net
    env_file:
      - ./nginx-certbot.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

# 跟drone servere掛在同一層
networks:
  cicd_net:
    name: cicd_net
    driver: bridge

記得更改email，不然啓動會失敗
nginx-certbot.env

# Required
CERTBOT_EMAIL=<email>

# Optional (Defaults)
DHPARAM_SIZE=2048
ELLIPTIC_CURVE=secp256r1
RENEWAL_INTERVAL=8d
RSA_KEY_SIZE=2048
STAGING=0
USE_ECDSA=1

# Advanced (Defaults)
CERTBOT_AUTHENTICATOR=webroot
CERTBOT_DNS_PROPAGATION_SECONDS=""
DEBUG=0
USE_LOCAL_CA=0

user_conf.d資料夾內的檔案名稱

server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Domain names this server should respond to.
    server_name otpat.domain.com;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/otpat-domain-com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/otpat-domain-com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/otpat-domain-com/chain.pem;

    ssl_protocols             TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve            X25519:secp521r1:secp384r1;
    ssl_ciphers               TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache         shared:TLS:2m;
    ssl_buffer_size           4k;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare

   # return 200 'Let\'s Encrypt certificate successfully installed!';
   # add_header Content-Type text/plain;

   location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;

        proxy_pass http://totp-auth:9987;

        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_buffering off;

        chunked_transfer_encoding off;
    }

}

完成品，因為要將proxy_pass導到服務上面，最好是設成同一個network，這邊設為 cicd_net
157-fig.1.jpg

如果啓動失敗的話，
可以查一下nginx裏面的錯誤訊息，上面通常寫的很清楚。

建議可以先看看這兩篇
ref.
- D15 - NGINX-Certbot Image
- github_good_to_know