@williamdes
Forked from Dreamacro/ACMESH.md
Last active January 4, 2024 10:51
acme.sh using docker-compose

How to use

$ docker compose -f acmesh.yaml up -d

.env

ACME_HOME_DIR=./acme.sh

# CloudFlare
#CF_API_EMAIL
#CF_API_KEY

# DNSPod
#DP_ID
#DP_KEY

# CloudXNS
#CX_KEY
#CX_SECRET

acme.sh-docker.sh

#!/bin/sh
# https://hub.docker.com/r/neilpang/acme.sh/dockerfile

# No account.conf yet: treat this as the first start on a fresh volume
if [ ! -f /acme.sh/account.conf ]; then
    echo 'First startup'
    acme.sh --update-account --accountemail "${ACME_SH_EMAIL}"
    echo 'Asking for certificates'
    # Request the apex and the wildcard name through the DNS API hook
    acme.sh --issue \
        -d "${DOMAIN_NAME}" -d "*.${DOMAIN_NAME}" \
        --dns "${DNS_API}"
fi

echo 'Listing certs'
acme.sh --list

# Keep the container running
# /entry.sh daemon
# New method
crond -n -s -m off

acmesh.yaml

version: '2'
services:
  acme:
    image: neilpang/acme.sh:latest
    volumes:
      - ./acme.sh-docker.sh:/acme.sh-docker.sh:ro
      - ${ACME_HOME_DIR:-./acme.sh}:/acme.sh
    environment:
      # CloudFlare
      CF_Key: ${CF_API_KEY}
      CF_Email: ${CF_API_EMAIL}
      # From: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
      DNS_API: "dns_cf"
      DOMAIN_NAME: "example.com"
      ACME_SH_EMAIL: "tech@example.com"
    command: sh ./acme.sh-docker.sh
    container_name: acme
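
A preflight check that could run before the first acme.sh call in acme.sh-docker.sh, written here as an added example and not part of the gist. `preflight` is a hypothetical helper; `CF_Token` is the scoped-token variable of acme.sh's dns_cf hook, which the compose file above does not pass and would need adding to its environment block.

```sh
#!/bin/sh
# Added example (not part of the gist). preflight is a hypothetical helper:
# it prints one line per finding and returns non-zero when the environment
# should not be handed to acme.sh.
preflight() {
    rc=0

    # The three variables acme.sh-docker.sh expands on first startup.
    for name in DOMAIN_NAME DNS_API ACME_SH_EMAIL; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing: $name"
            rc=1
        fi
    done

    # The script adds the wildcard itself (-d "*.${DOMAIN_NAME}"), so only a
    # bare hostname is accepted here. Empty was already reported above.
    case "${DOMAIN_NAME:-}" in
        '') ;;
        .*|-*|*.|*..*|*[!A-Za-z0-9.-]*) echo "invalid: DOMAIN_NAME"; rc=1 ;;
    esac

    # DNS_API must look like a hook name from the acme.sh dnsapi list.
    case "${DNS_API:-}" in
        *[!A-Za-z0-9_]*) echo "invalid: DNS_API"; rc=1 ;;
        ''|dns_?*) ;;
        *) echo "invalid: DNS_API"; rc=1 ;;
    esac

    # Cloudflare: accept a scoped CF_Token, or the CF_Key/CF_Email pair the
    # compose file passes. The global key is allowed but flagged.
    if [ "${DNS_API:-}" = dns_cf ]; then
        if [ -n "${CF_Token:-}" ]; then
            :
        elif [ -n "${CF_Key:-}" ] && [ -n "${CF_Email:-}" ]; then
            echo "warn: CF_Key grants account-wide access; prefer a scoped CF_Token"
        else
            echo "missing: CF_Token, or CF_Key with CF_Email"
            rc=1
        fi
    fi

    return "$rc"
}

# Intended use at the top of acme.sh-docker.sh:
#   preflight || exit 1
```
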
@choicedraught

choicedraught commented Jun 4, 2022

Thanks for sharing your code, it has been really useful to me. Just a note - in [acme.sh-docker.sh] line 10 - I think you can use your environment variable for DNS_API so it would become: --dns ${DNS_API}

Thanks again :)

@williamdes
Author

> Thanks for sharing your code, it has been really useful to me. Just a note - in [acme.sh-docker.sh] line 10 - I think you can use your environment variable for DNS_API so it would become: --dns ${DNS_API}
>
> Thanks again :)

Indeed, thank you
Fixed now 🎉

@psychowood

Thanks for sharing, works quite well with gandi.
Any way to run it as non-root?

I tried setting the 'user' attribute in docker compose but I get 'Permission denied' when running acme.sh in acme.sh-docker.sh ...

@williamdes
Author

Hi @psychowood

> Any way to run it as non-root?

You should check that the base image supports running as non root

> I tried setting the 'user' attribute in docker compose but I get 'Permission denied' when running acme.sh in acme.sh-docker.sh ...

Probably the scripts do not have the right permissions. Try a chmod +x on them

@cellulosa

cellulosa commented Apr 16, 2023

heya thanks for the gist!

When I try and deploy the cert with acme.sh --deploy -d example.com --deploy-hook docker I get this error:

[Sun Apr 16 21:36:21 UTC 2023] The domain 'example.com' seems to have a ECC cert already, lets use ecc cert.
[Sun Apr 16 21:36:21 UTC 2023] /var/run/docker.sock is not available
[Sun Apr 16 21:36:21 UTC 2023] Error deploy for domain:example.com
[Sun Apr 16 21:36:21 UTC 2023] Deploy error.

Solved, I was missing the additional values, as per instructions. Many thanks again!

So this is what I'm using now:

if [ ! -f /acme.sh/account.conf ]; then
    echo 'First startup'
    echo 'Registering account with email address'
    acme.sh --register-account -m "${ACME_SH_EMAIL}" --server zerossl
    echo 'Issuing certificates'
    acme.sh --server zerossl --issue -d "${DOMAIN_NAME}" -d "*.${DOMAIN_NAME}" --dns "${DNS_API}"
    echo 'Deploying certificates'
    # -d selects the issued certificate by domain name
    acme.sh --deploy -d "${DOMAIN_NAME}" --deploy-hook docker
fi

@cougz

cougz commented Jan 4, 2024

Wouldn't the correct export variable be CF_Token instead of CF_Key? At least that did it for me after changing to Let's Encrypt.

@williamdes
Author

williamdes commented Jan 4, 2024

> Wouldn't the correct export variable be CF_Token instead of CF_Key? At least that did it for me after changing to Let's Encrypt.

I am using zerossl but do not have this issue, how did you configure CloudFlare?
A scoped token?

I pushed some updates to the gist today.
See my working source: https://github.com/wdes/mails.wdes.eu/tree/fc4c71397977cf1958a3eef1783828363732c4a7/scripts
And the docker compose part: https://github.com/wdes/mails.wdes.eu/blob/fc4c71397977cf1958a3eef1783828363732c4a7/docker-compose.yml#L283-L321
