Hello lovely people of r/docker.
I have created an SSL/TLS certificate server that can generate certificates with Certbot/Let's Encrypt and also serve certs from third parties.
I started it last year but decided to finish it off these last couple months during lockdown downtime.
It's called [CertCache](https://github.com/93million/certcache)
These are its main features:
* Securely share TLS certificates between a number of client instances
* Generate certificates dynamically using Let's Encrypt
* Avoid Let's Encrypt usage limits by serving certificates from a cache
* Share manually downloaded TLS certificates from third parties such as Verisign
* Declaratively define certificates within config - either in a JSON config file or in `docker-compose.yml` (as demoed above)
* Generate wildcard domain certificates using DNS-01 challenges even if your DNS provider isn't supported by a Certbot plugin
To give you a taster of the operator experience - you can specify certificates in docker-compose.yml - eg. like this:
```yaml
services:
  …
  certcache:
    container_name: certcache
    image: 93million/certcache
    volumes:
      - ./certcache/certs/:/certcache/certs/
    environment:
      CERTCACHE_CERTS: |
        - domains:
            - example.com
            - '*.example.com'
            - '*.test.example.com'
          certName: web
```
To access the certs from a container like Nginx, you would do this:
```yaml
services:
  …
  nginx:
    container_name: nginx
    image: nginx
    volumes:
      - ./certcache/certs/:/etc/certcache/certs/
```
Certs and keys would be made available in the Nginx container at `/etc/certcache/certs/web/fullchain.pem` and `/etc/certcache/certs/web/privkey.pem`.
Certs are fetched and installed on `docker-compose up` - and kept up to date.
Usage steps are in the README - https://github.com/93million/certcache/blob/master/README.md
Docker Hub: https://hub.docker.com/r/93million/certcache
GitHub: https://github.com/93million/certcache
Currently it only supports generation using Certbot but I can add support for acme.sh if there is demand.
Happy Friday everyone!
Pommy
Edit: thank you for the gold kind Redditor
(also edit yaml syntax)
If I had gold to give you I would. Fighting the good fight!
I like caching the certs locally — if you need to scale up an application you won’t want to find at that moment in time that LE is down and you can’t scale.
It looks so cool, man!
I said so because I had just spent 1 – 2 days dealing with certbot and nginx using the HTTP challenge. There is another docker compose app on the same server so ports 80 and 443 are used. But the HTTP challenge must use port 80. It was so annoying.
Some redditors suggested using traefik to do a reverse proxy. But I don’t know how to deal with it now.
I was referring to a tutorial suggesting to use an init script. But it’s still not convenient.
This looks sick. Thanks for sharing!
This is cool. I have used OpenResty with Lua plugins to create and serve SSL certificates upon request. Thanks for sharing
How is this different from cert-manager from Jetstack?
This is really cool. Having a DNS provider without an API, it’s been a real pain to renew my certs every 3 months, and now that I have this setup, it’s so much easier.
The only thing I wish is that it could provide some capability for concatenating fullchain.pem and privkey.pem (as that’s how haproxy needs them)
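One way to produce the combined file HAProxy expects from the per-cert directories the post describes, as an added example that is neither CertCache's own code nor from anyone in this thread; the `<dir>/<certName>/fullchain.pem` and `privkey.pem` layout is taken from the post, while the output directory and the function name are assumptions:

```shell
#!/bin/sh
# Added example (not part of CertCache): build HAProxy-style combined PEM files
# from CertCache's per-cert directories (<certs_dir>/<certName>/fullchain.pem and
# <certs_dir>/<certName>/privkey.pem). Output location is an assumption.
set -eu

# build_haproxy_pems <certs_dir> <out_dir>
# Writes <out_dir>/<certName>.pem = fullchain.pem + privkey.pem for every
# complete cert directory and prints how many files were (re)written.
build_haproxy_pems() {
  certs_dir=$1
  out_dir=$2
  # The result contains a private key: create files as 0600 and restore umask after
  old_umask=$(umask)
  umask 077
  mkdir -p "$out_dir"
  count=0
  for cert_dir in "$certs_dir"/*/; do
    [ -d "$cert_dir" ] || continue
    name=$(basename "$cert_dir")
    chain="$cert_dir/fullchain.pem"
    key="$cert_dir/privkey.pem"
    # Skip directories that do not (yet) hold a complete cert/key pair
    [ -f "$chain" ] && [ -f "$key" ] || continue
    tmp="$out_dir/.$name.pem.tmp"
    # HAProxy wants the certificate chain first, then the private key
    cat "$chain" "$key" > "$tmp"
    if [ -f "$out_dir/$name.pem" ] && cmp -s "$tmp" "$out_dir/$name.pem"; then
      # Unchanged: keep the live file (and its mtime) so reload hooks stay quiet
      rm -f "$tmp"
    else
      # Atomic replace, so HAProxy never reads a half-written file
      mv -f "$tmp" "$out_dir/$name.pem"
      count=$((count + 1))
    fi
  done
  umask "$old_umask"
  echo "$count"
}
```

Run it after `docker-compose up` (or from a renewal hook) and reload HAProxy only when the printed count is non-zero.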