Auto-renewing Let's Encrypt SSL certificates in a Docker environment

Write a script that deletes the old certificate

#!/bin/bash

# Check one domain's certificate directories and delete them once they are older than a given age (in minutes)
delete_if_old() {
    local domain_name="$1"
    local age_minutes="$2"
    local live_dir="/etc/letsencrypt/live/$domain_name"
    local archive_dir="/etc/letsencrypt/archive/$domain_name"

    # Delete only if the directory under /etc/letsencrypt/live/ exists and was last modified more than age_minutes ago
    if [ -d "$live_dir" ] && [ -n "$(find "$live_dir" -maxdepth 0 -mmin "+$age_minutes")" ]; then
        echo "Deleting $live_dir ..."
        rm -rf "$live_dir"
        echo "Deleting $archive_dir ..."
        rm -rf "$archive_dir"
    else
        echo "$live_dir does not exist or is not old enough."
    fi
}

# Call the function with the age threshold in minutes: 1440 is one day, 43200 would be 30 days
delete_if_old blog.example.com 1440

nginx configuration for the domain

server {
    listen       80;
    listen  [::]:80;
    listen  443 ssl;
    server_name  blog.example.com;

    ssl_certificate   /etc/letsencrypt/cert/blog.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/cert/blog.example.com/privkey.pem;

    location ~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location = /xmlrpc.php {
        return 403;
    }

    location / {
        # $block_ip must be set by a geo or map block in the http context (not shown here)
        if ($block_ip) {
            return 403;  # 403 Forbidden for blocked client addresses
        }

        #limit_req zone=mylimit burst=4 nodelay;
        #limit_req_status 598;

        proxy_pass http://wordpress/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Set up the cron jobs

0 7 * * 6 docker cp /data/app/delete_old_cert_blog.sh nginx:/delete_old_cert_blog.sh
1 7 * * 6 docker exec nginx /bin/bash -c '/delete_old_cert_blog.sh'
2 7 * * 6 docker run --rm --volumes-from nginx certbot/certbot certonly --force-renewal --webroot --non-interactive --agree-tos --webroot-path=/usr/share/nginx/html -m [email protected] -d blog.example.com
3 7 * * 6 docker exec nginx bash -c 'cp -rfL /etc/letsencrypt/live/* /etc/letsencrypt/cert'
4 7 * * 6 docker exec nginx bash -c 'nginx -s reload'

There are three points to watch out for here

1. Interactive invocations such as docker exec -it cannot be used in crontab; if you use them the job simply will not run, because cron provides no TTY.

2. /etc/letsencrypt/live/ is not used as nginx's certificate directory, because the script's deletion of the old files there would take the site down; instead, the files generated under live are copied to /etc/letsencrypt/cert, and that is the directory nginx reads its certificate from.

3. --webroot-path=/usr/share/nginx/html must correspond to the root path of this nginx location block:

location ~ /.well-known/acme-challenge/ {
    root /usr/share/nginx/html;
}

If you have several domains and renew them at different times, this path does not need to change; if they are renewed at the same time, it is best to change this path.
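An added example, not the post's own script: the cron entries above collapsed into one chained script, so certbot, the live-to-cert copy and the nginx reload each run only if the previous step succeeded, and the copied cert/key pair is swapped in atomically (the reason note 2 keeps nginx off live/). It assumes the nginx container's /etc/letsencrypt volume is visible on the host at LE_ROOT, uses a placeholder certbot e-mail you must replace, keeps the post's --force-renewal flag, and leaves out the delete-old-lineage step.

```shell
#!/bin/bash
# Weekly renewal for one domain as a single chained script: each step runs only
# if the previous one succeeded, instead of five cron entries one minute apart.
set -eu

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"   # assumed: host path of the volume mounted at /etc/letsencrypt in nginx
WEBROOT="/usr/share/nginx/html"          # must match the root of the acme-challenge location in nginx
CERTBOT_EMAIL="${CERTBOT_EMAIL:-admin@example.com}"   # placeholder, set your own

# Copy live/<domain>/*.pem into cert/<domain> as plain files (cp -L follows the
# live -> archive symlinks). The new directory is built first and swapped in
# with mv, so nginx never sees a half-written cert/key pair. Returns 1 and
# leaves the existing cert/ untouched if fullchain.pem or privkey.pem is missing.
stage_cert() {
    local domain="$1"
    local live="$LE_ROOT/live/$domain"
    local cert="$LE_ROOT/cert/$domain"
    local f tmp
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "stage_cert: missing $live/$f" >&2
            return 1
        fi
    done
    mkdir -p "$LE_ROOT/cert"
    tmp="$(mktemp -d "$LE_ROOT/cert/.$domain.XXXXXX")"
    cp -fL "$live"/*.pem "$tmp"/
    chmod 755 "$tmp"
    chmod 600 "$tmp/privkey.pem"          # only root (the nginx master) needs the key
    rm -rf "$cert.old"
    if [ -d "$cert" ]; then mv "$cert" "$cert.old"; fi
    mv "$tmp" "$cert"
    rm -rf "$cert.old"
}

# Pipeline for the host crontab, e.g. "0 7 * * 6 /data/app/renew_cert.sh":
# certbot (flags as in the post), then stage, then reload only if the config still parses.
renew_domain() {
    local domain="$1"
    docker run --rm --volumes-from nginx certbot/certbot certonly --force-renewal \
        --webroot --webroot-path="$WEBROOT" --non-interactive --agree-tos \
        -m "$CERTBOT_EMAIL" -d "$domain"
    stage_cert "$domain"
    docker exec nginx nginx -t            # refuse to reload a broken configuration
    docker exec nginx nginx -s reload
}
```

Install it with `renew_domain blog.example.com` as its last line and schedule that one file from the host crontab.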

With those three points taken care of, the certificate keeps renewing; the script above has been running stably for two years, while the BaoTa (宝塔) panel's certificate renewal still has bugs.
