1. Install and configure Docker

yum install docker
# SELinux: switch to permissive mode and set the dockerroot user's primary group to root
setenforce 0
usermod -g root dockerroot
# Configure the image mirror source and log rotation
vi /etc/docker/daemon.json
{
  "registry-mirrors": ["<mirror image source address>"],
  "log-driver": "json-file",
  "log-opts": {"max-size": "100m", "max-file": "2"}
}
systemctl daemon-reload
systemctl restart docker

You must run the setenforce and usermod commands; otherwise a permission error is reported when you apply for the certificate. Note that setenforce 0 only lasts until the next reboot.

2. Write Dockerfile

# VERSION 1.0
# Author:
# Base image assumed here; the original omits the FROM line
FROM python:3
MAINTAINER XXXX <[email protected]>
RUN pip install --upgrade pip \
    && pip install certbot-apache certbot-dns-aliyun \
    && mkdir -p /project/conf/aliyun

3. Build docker image

Run docker build -t aliyun-certbot:v1.0 . in the directory that contains the Dockerfile. "Successfully built" in the output indicates that the image was built; run docker images to check that aliyun-certbot:v1.0 is listed.

4. Apply for and configure an Aliyun DNS access key

Go to ram.console.aliyun.com to apply for a subaccount and configure AliyunDNSFullAccess. Then configure the AccessKey for the subaccount and record it.

5. Create the credentials.ini configuration file for certbot-dns-aliyun

cat > /opt/aliyun-dns/credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = <AccessKey obtained in the previous step>
certbot_dns_aliyun:dns_aliyun_access_key_secret = <AccessSecret obtained in the previous step>
EOF

6. Apply for a certificate

docker run -it --rm -v /opt/testdomain:/etc/letsencrypt \
                -v /opt/testdomain:/var/log/letsencrypt \
                -v /opt/aliyun-dns:/project/conf/aliyun \
                aliyun-certbot:v1.0 certonly \
                -v \
                -a certbot-dns-aliyun:dns-aliyun \
                --certbot-dns-aliyun:dns-aliyun-credentials /project/conf/aliyun/credentials.ini \
                --register-unsafely-without-email \
                -d *.tomcat.test.abc.com

/opt/testdomain is the host directory where the certificate and the certbot logs are stored; /opt/aliyun-dns is the host directory that holds the Aliyun DNS credentials file.

For example, suppose your host name is 8100.tomcat.test.abc.com. If you apply for a *.abc.com certificate, the browser reports a certificate problem after the configuration, because a wildcard only matches a single DNS label. You should apply for a *.tomcat.test.abc.com certificate instead.

7. Configure Apache HTTPD

Create the common_conf/ssl_common.conf file in /etc/httpd. The content of the file is as follows:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile "/etc/letsencrypt/live/tomcat.test.abc.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/tomcat.test.abc.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/tomcat.test.abc.com/fullchain.pem"
# reverse proxy configuration
SSLProxyEngine On
ProxyRequests off
ProxyPreserveHost On
<Proxy *>
    Order allow,deny
    allow from all
</Proxy>

Because step 6 mounted /opt/testdomain as the container's /etc/letsencrypt, the certificate files are at /opt/testdomain/live/tomcat.test.abc.com/ on the host; if httpd runs on the host, adjust the three paths above or symlink /opt/testdomain to /etc/letsencrypt. The cipher string still permits 3DES and the protocol line still permits TLS 1.0 and 1.1; remove 3DES and add -TLSv1 -TLSv1.1 to SSLProtocol if all your clients support TLS 1.2.

Configure the HTTPS virtual host

<VirtualHost *:443>
    # your domain name
    ServerName tomcat.test.abc.com
    Include common_conf/ssl_common.conf
    ProxyPass / http://localhost:xxxx/
    ProxyPassReverse / http://localhost:xxxx/
    CustomLog logs/abcsss_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Restart the HTTPD service

systemctl restart httpd.service

8. Write the automatic renewal script

#!/bin/bash
# Runs from cron, where no TTY exists, so the container is started without -t.
# /opt/testdomain is mounted at /etc/letsencrypt, exactly as in step 6, so that
# certbot finds the renewal configuration it wrote there.
docker run --rm -v /opt/testdomain:/etc/letsencrypt \
    -v /opt/testdomain:/var/log/letsencrypt \
    -v /opt/aliyun-dns:/project/conf/aliyun \
    aliyun-certbot:v1.0 renew \
    -v \
    -a certbot-dns-aliyun:dns-aliyun \
    --certbot-dns-aliyun:dns-aliyun-credentials /project/conf/aliyun/credentials.ini \
    --register-unsafely-without-email \
&& echo "SSL renewal successful" | mail -s "`date +%Y%m%d` SSL renewal" [email protected]

Add a scheduled task that runs the script at 1:00 a.m. every night:

crontab -e

0 1 * * * /opt/certbot/renew.sh > /opt/certbot/renew.log 2>&1
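The wildcard-scope rule from step 6 and the cron-driven renewal from step 8, as an added shell example that is not part of the original tutorial: wildcard_covers implements the one-label wildcard match, credentials_private refuses to proceed with a group- or world-readable credentials.ini, and renew_and_reload reloads httpd only when certbot actually replaced the certificate. The function names are my own; the paths, image name and plugin options are the tutorial's; openssl, docker, systemctl and GNU or BSD stat are assumed to be on PATH.

```shell
#!/bin/bash
# Added example, not part of the original tutorial. Function names are mine;
# paths, image name and plugin options come from the tutorial above.
# Assumes: openssl, docker, systemctl and GNU or BSD stat on the host.

# A wildcard certificate matches exactly one leftmost DNS label, so *.abc.com
# does not cover 8100.tomcat.test.abc.com but *.tomcat.test.abc.com does.
# Returns 0 when the certificate name PATTERN covers HOST.
wildcard_covers() {
    pattern=$1 host=$2
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*.}
            prefix=${host%".$suffix"}
            # host must end in ".suffix" and the remainder must be a single label
            [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
            ;;
        *)  [ "$pattern" = "$host" ] ;;
    esac
}

# credentials.ini holds the AccessKey secret: refuse to proceed if it is
# readable by group or others (certbot's credential loader warns about this).
credentials_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$1: mode $mode is too open, run chmod 600" >&2; return 1 ;;
    esac
}

# Cron job body: no TTY under cron, so no -t; httpd is reloaded only when the
# certificate fingerprint changed, i.e. certbot really renewed it.
renew_and_reload() {
    cert=/opt/testdomain/live/tomcat.test.abc.com/fullchain.pem
    credentials_private /opt/aliyun-dns/credentials.ini || return 1
    before=$(openssl x509 -noout -fingerprint -sha256 -in "$cert" 2>/dev/null)
    docker run --rm -v /opt/testdomain:/etc/letsencrypt \
        -v /opt/testdomain:/var/log/letsencrypt \
        -v /opt/aliyun-dns:/project/conf/aliyun \
        aliyun-certbot:v1.0 renew -a certbot-dns-aliyun:dns-aliyun \
        --certbot-dns-aliyun:dns-aliyun-credentials /project/conf/aliyun/credentials.ini \
        || { echo "certbot renew failed" >&2; return 1; }
    after=$(openssl x509 -noout -fingerprint -sha256 -in "$cert" 2>/dev/null)
    [ "$before" = "$after" ] || systemctl reload httpd.service
}
```

Call renew_and_reload from the cron entry above in place of the bare docker run; a non-zero exit ends up in renew.log.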