We first create an include file that we'll share between all the domains, in /etc/nginx/conf.d/acme:

    # Allow access to the ACME Challenge for Let's Encrypt
    location ^~ /.well-known/acme-challenge {
        allow all;
        alias /usr/share/nginx/html/.well-known/acme-challenge;
    }
Next we include this config in the server block for each domain:

    server {
        listen 80;
        listen [::]:80;
        server_name example.com;
        location / {
            return 301 https://example.com$request_uri;
        }
        include conf.d/acme;
    }
Install podman using dnf install podman.

Then create a service for the certbot container in /etc/containers/systemd/certbot.container:

# Documentation: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
[Unit]
Description=Runs certbot
[Service]
Type=oneshot
RemainAfterExit=true
ExecStopPost=/usr/bin/systemctl reload nginx
[Container]
Image=docker.io/certbot/certbot
Exec=renew
Volume=/etc/letsencrypt:/etc/letsencrypt
Volume=/var/lib/letsencrypt:/var/lib/letsencrypt
SecurityLabelDisable=true

Running systemctl daemon-reload will now automatically generate the corresponding certbot.service.

Create a timer that runs monthly by running systemctl edit --full certbot.timer and adding the following config:

    [Unit]
    Description=Renew certs monthly
    [Timer]
    OnCalendar=monthly
    Persistent=true
    [Install]
    WantedBy=timers.target

Finally, enable the timer using systemctl enable certbot.timer.
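To check a host against the files above before the timer first fires, here is an added shell example (not from the original post) that audits the quadlet unit and the shared ACME snippet for the settings the renewal depends on; the sample files it writes are constructed copies of the ones shown, placed in a temporary directory rather than under /etc.

```shell
# Added example: audit a certbot .container unit and the nginx ACME snippet
# for the settings the post relies on. Paths are arguments so it can be run
# against constructed samples as well as the real files under /etc.
audit_certbot_setup() {
    quadlet="$1"; snippet="$2"; rc=0
    # Lines the .container unit must carry, matched as whole lines.
    for want in 'Type=oneshot' 'Exec=renew' \
                'Volume=/etc/letsencrypt:/etc/letsencrypt' \
                'Volume=/var/lib/letsencrypt:/var/lib/letsencrypt' \
                'ExecStopPost=/usr/bin/systemctl reload nginx'; do
        grep -qxF "$want" "$quadlet" || { echo "missing in $quadlet: $want"; rc=1; }
    done
    # The snippet must open the challenge path to everyone (the CA's
    # validation requests are unauthenticated) and map it to a directory.
    grep -qE '^[[:space:]]*location \^~ /\.well-known/acme-challenge' "$snippet" \
        || { echo "no acme-challenge location in $snippet"; rc=1; }
    grep -qE '^[[:space:]]*allow all;' "$snippet" \
        || { echo "acme-challenge location is not 'allow all' in $snippet"; rc=1; }
    grep -qE '^[[:space:]]*alias /.*acme-challenge;' "$snippet" \
        || { echo "no alias for the challenge directory in $snippet"; rc=1; }
    return "$rc"
}

# Constructed samples mirroring the post's files; written under $1.
write_samples() {
    cat > "$1/certbot.container" <<'EOF'
[Unit]
Description=Runs certbot
[Service]
Type=oneshot
RemainAfterExit=true
ExecStopPost=/usr/bin/systemctl reload nginx
[Container]
Image=docker.io/certbot/certbot
Exec=renew
Volume=/etc/letsencrypt:/etc/letsencrypt
Volume=/var/lib/letsencrypt:/var/lib/letsencrypt
SecurityLabelDisable=true
EOF
    cat > "$1/acme" <<'EOF'
location ^~ /.well-known/acme-challenge {
    allow all;
    alias /usr/share/nginx/html/.well-known/acme-challenge;
}
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_certbot_setup "$tmp/certbot.container" "$tmp/acme" && echo "setup looks complete"
```

Run it against the real files with `audit_certbot_setup /etc/containers/systemd/certbot.container /etc/nginx/conf.d/acme`; a non-zero exit lists each missing setting.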