-
-
Save u1i/1ec704b5c099b407875128fe0b864735 to your computer and use it in GitHub Desktop.
| #!/usr/bin/env bash | |
| # install docker | |
| # https://docs.docker.com/engine/installation/linux/ubuntulinux/ | |
| # install docker-compose | |
| # https://docs.docker.com/compose/install/ | |
| # install letsencrypt | |
| # https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 | |
| # Generate SSL certificate for domain | |
| /opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --standalone -d domain.example.com --email info@example.com | |
| # Setup letsencrypt certificates renewing | |
| line="30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log" | |
| (crontab -u root -l; echo "$line" ) | crontab -u root - | |
| # Rename SSL certificates | |
| # https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348 | |
| cd /etc/letsencrypt/live/domain.example.com/ | |
| cp privkey.pem domain.key | |
| cat cert.pem chain.pem > domain.crt | |
| chmod 777 domain.crt | |
| chmod 777 domain.key | |
| # Generate Password for Basic Auth | |
| mkdir auth | |
| docker run \ | |
| --entrypoint htpasswd \ | |
| registry:2 -Bbn testuser testpassword > auth/htpasswd | |
| # https://docs.docker.com/registry/deploying/ | |
| docker run -d -p 443:5000 --restart=always --name registry \ | |
| -v /etc/letsencrypt/live/domain.example.com:/certs \ | |
| -v /opt/docker-registry:/var/lib/registry \ | |
| -v `pwd`/auth:/auth \ | |
| -e "REGISTRY_AUTH=htpasswd" \ | |
| -e "REGISTRY_AUTH_HTPASSWD_REALM=Axway Docker Registry" \ | |
| -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ | |
| -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ | |
| -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ | |
| registry:2 | |
| # List images | |
| # https://domain.example.com/v2/_catalog |
I'm not sure, but I feel that this solution will work for only 3 months until Letsencrypt certificate is valid. Because after certification renovation the registry web server will continue to use old certificate.
Line 16 adds a cron job to auto renew. Is that not working?
I'm not sure, but I feel that this solution will work for only 3 months until Letsencrypt certificate is valid. Because after certification renovation the registry web server will continue to use old certificate.
Line 16 adds a cron job to auto renew. Is that not working?
-
Look at the script on the lines between 21 and 25. This code is executed only once. It must be executed automatically each time the Letsencrypt runs the renewal of certificate (in cronjob, or by using Letsencrypt hooks). Otherwise these generated files will remain unchanged.
-
Even if the certificate file will be renewed (and the problem above will be fixed), I doubt that the https server (registry:2) knows that the certificate is has been changed. So probably, the https server will continue to use the old certificate until restart.
Sorry for my bad English.
Oh, good point.
As there is a volume in use, destroy and rebuild is probably the simple fix, but yeah doing the cert name shuffle in cron would be better.
Thanks
I'm not sure, but I feel that this solution will work for only 3 months until Letsencrypt certificate is valid.
Because after certification renovation the registry web server will continue to use old certificate.