I am working on this django docker project template with this certbot setup, Dockerfile
FROM certbot/certbot:v1.27.0
COPY certify-init.sh /opt/
RUN chmod +x /opt/certify-init.sh
ENTRYPOINT ["/opt/certify-init.sh"]
entrypoint
#!/bin/sh
set -e
echo "Getting certificate..."
certbot certonly \
--webroot \
--webroot-path "/vol/www/" \
-d "$DOMAIN" \
--email $EMAIL \
--rsa-key-size 4096 \
--agree-tos \
--noninteractive
if [ $? -ne 0 ]; then
echo "Certbot encountered an error. Exiting."
exit 1
fi
#for copying the certificate and configuration to the volume
if [ -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
echo "SSL cert exists, enabling HTTPS..."
envsubst '${DOMAIN}' < /etc/nginx/nginx.prod.conf > /etc/nginx/conf.d/default.conf
echo "Reloading Nginx configuration..."
nginx -s reload
else
echo "Certbot unable to get SSL cert,server HTTP only..."
fi
echo "Setting up auto-renewal..."
apk add --no-cache dcron
echo "0 12 * * * /usr/bin/certbot renew --quiet" | crontab -
crond -b
problem with this setup is,certbot exits after initial run of getting the certificate and when it’s renew time it require manual intervention.
Now There are two choices
-
set
restart: unless-stoppedin docker compose file so it keeps restarting the container and with cron job to renew the certificate when required. -
Set cron job in host machine to restart the container.
Are there any other/more option to tackle this situation.
I have heard great things for Traefik because it integrates nicely with containers. Which webserver are you using, is there Nginx on top of Gunicorn? I’d google if youe webserver has integrations to certbot… Perhaps you need to approach from a different perspective
I second this, it is easy to set up Traefik as a reverse proxy with automatic certificate renewal.
you are right.