Apache Certbot Docker


It is a chicken-and-egg problem. I need https, but I cannot start Apache when I have no certificates (the 443 vhost references certificate files that do not exist yet). So I have to proceed step by step and cannot do the whole deploy in one go.


1. Step one: Apache starts without https


Dockerfile

FROM php:8.2-apache

ENV DEBIAN_FRONTEND=noninteractive
ENV TZ=Europe/Prague
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

# update and install in the same layer so a cached "update" layer never leaves the
# install step working from a stale package index; drop the lists afterwards
RUN apt-get update \
 && apt-get install -y vim certbot net-tools python3-certbot-apache cron \
 && rm -rf /var/lib/apt/lists/*

# HTTP-only vhost for the bootstrap phase, installed as the default site
COPY ./000-default-prod.conf /etc/apache2/sites-available/000-default.conf

RUN a2ensite 000-default.conf

WORKDIR /var/www/html
COPY index.html .


Default web server

ServerName must be set; certbot validates the certificate request against that hostname.

The other important part is the path to the "public_html" directory where certbot stores the validation token. The Alias below maps /.well-known/acme-challenge to it, so the token is reachable over plain HTTP.

<VirtualHost *:80>
  ServerName xxx.inited.cz
  ServerAdmin info@inited.cz
  DocumentRoot /var/www/html

  LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log vhost

  # HTTP-01 validation: Let's Encrypt fetches /.well-known/acme-challenge/<token>,
  # which "certbot --webroot" writes below /etc/letsencrypt/public_html
  Alias "/.well-known/acme-challenge" "/etc/letsencrypt/public_html/.well-known/acme-challenge"
  <Directory "/etc/letsencrypt/public_html">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
  </Directory>

</VirtualHost>
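Before running certbot it is worth confirming that the Alias above really serves files from the webroot, because a wrong path only shows up as a failed validation later. The following pre-flight script is an added example and not part of the original page: it drops a throwaway token into the acme-challenge directory, fetches it over plain HTTP the way the Let's Encrypt validator would, and compares the body. The WEBROOT default matches the Alias target on the page; the hostname is passed as the first argument, and the fetch is isolated in its own function so it can be swapped out when no server is running.

```shell
#!/bin/sh
# Added example: pre-flight check for the HTTP-01 webroot. Not from the original page.
# Assumes the Alias/Directory block above and that curl is available in the container.
set -eu

WEBROOT="${WEBROOT:-/etc/letsencrypt/public_html}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Body that must come back for a given token name.
expected_body() {
  printf 'ok-%s' "$1"
}

# Write a uniquely named token file into the challenge directory; prints the token name.
place_token() {
  dir="$1"
  mkdir -p "$dir"
  token="preflight-$(date +%s)-$$"
  printf '%s' "$(expected_body "$token")" > "$dir/$token"
  printf '%s' "$token"
}

# Fetch a URL over HTTP. Kept separate so it can be replaced for offline runs.
fetch_body() {
  curl -fsS --max-time 10 "$1"
}

# Succeeds only if the server returns exactly the body written for this token.
verify_challenge() {
  host="$1"
  token="$2"
  body="$(fetch_body "http://$host/.well-known/acme-challenge/$token")" || return 1
  [ "$body" = "$(expected_body "$token")" ]
}

# Remove the throwaway token so it never lingers in the webroot.
cleanup_token() {
  rm -f "$2/$1"
}

# Usage inside the container:  sh acme-preflight.sh xxx.inited.cz
if [ "${1:-}" != "" ]; then
  tok="$(place_token "$CHALLENGE_DIR")"
  if verify_challenge "$1" "$tok"; then
    echo "OK: $1 serves /.well-known/acme-challenge/ from $CHALLENGE_DIR"
  else
    echo "FAIL: token not served; check the Alias/Directory block and DNS for $1" >&2
  fi
  cleanup_token "$tok" "$CHALLENGE_DIR"
fi
```

A passing run here means the only thing certbot's dry run still has to prove is that the public DNS name resolves to this container; a failing run points at the Apache config instead.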


2. I generate the certificates manually


I connect to the container:

$ docker compose exec web bash


# mkdir /etc/letsencrypt/public_html

# certbot certonly --dry-run --webroot --webroot-path=/etc/letsencrypt/public_html --logs-dir /etc/letsencrypt/logs --email info@inited.cz --agree-tos --no-eff-email -d xxx.inited.cz


Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
Account registered.
Simulating a certificate request for xxx.inited.cz
The dry run was successful.

# certbot certonly --webroot --webroot-path=/etc/letsencrypt/public_html --logs-dir /etc/letsencrypt/logs --email info@inited.cz --agree-tos --no-eff-email -d xxx.inited.cz
Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
Requesting a certificate for xxx.inited.cz

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxx.inited.cz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xxx.inited.cz/privkey.pem
This certificate expires on 2025-05-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@1e7387764e59:/var/www/html# 



3. I create the virtual host configuration for the web server

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName xxx.inited.cz
  ServerAdmin info@inited.cz
  DocumentRoot /var/www/html

  LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log vhost

  # paths written by certbot in step 2; Apache refuses to start if either file is missing,
  # which is why this vhost can only be enabled after the certificate exists
  SSLCertificateFile /etc/letsencrypt/live/xxx.inited.cz/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/xxx.inited.cz/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


and I add it to the Dockerfile:


COPY ./000-default.conf /etc/apache2/sites-available/000-default.conf
COPY ./xxx.inited.cz.conf /etc/apache2/sites-available/xxx.inited.cz.conf

...

RUN a2enmod ssl
RUN a2ensite 000-default.conf
RUN a2ensite xxx.inited.cz.conf
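The step-by-step deploy is needed because `a2ensite xxx.inited.cz.conf` bakes the 443 vhost into the image, and Apache will not start while its certificate files are missing. One way to make a single image work both before and after step 2 is to decide at container start which sites to enable. The entrypoint below is an added example and not part of the original page: it enables the HTTPS vhost only when certbot has already written both files the vhost references, otherwise it keeps only the HTTP site, and then starts Apache. DOMAIN and LIVE_DIR default to the values used on this page; the file name entrypoint.sh and the "start" argument are assumptions.

```shell
#!/bin/sh
# Added example: start-time selection of the Apache sites. Not from the original page.
# Assumes the site files from the Dockerfile above and the certbot paths from step 2.
set -eu

DOMAIN="${DOMAIN:-xxx.inited.cz}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# True when both files the SSL vhost references exist and are non-empty.
certs_present() {
  live="$1/$2"
  [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ]
}

# Prints the site files to enable, space separated.
sites_for() {
  if certs_present "$1" "$2"; then
    printf '000-default.conf %s.conf' "$2"
  else
    printf '000-default.conf'
  fi
}

# Prints the site file to disable (empty when the certificate is present).
sites_to_disable() {
  if certs_present "$1" "$2"; then
    printf ''
  else
    printf '%s.conf' "$2"
  fi
}

# Usage: CMD ["sh", "/usr/local/bin/entrypoint.sh", "start"] in the Dockerfile.
if [ "${1:-}" = "start" ]; then
  for site in $(sites_for "$LIVE_DIR" "$DOMAIN"); do
    a2ensite -q "$site"
  done
  off="$(sites_to_disable "$LIVE_DIR" "$DOMAIN")"
  # a2dissite fails when the site was never enabled; that is fine here
  [ -z "$off" ] || a2dissite -q "$off" >/dev/null 2>&1 || true
  exec apache2-foreground
fi
```

With this in place the first start serves HTTP only, step 2 is run as described, and a plain container restart brings up the 443 vhost without rebuilding the image. The Dockerfile installs cron but the page does not configure renewal; a renewal job should call `certbot renew --deploy-hook "apachectl graceful"` so that Apache reloads the new files, otherwise it keeps serving the expired certificate from memory.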