参考地址

https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E
https://github.com/acmesh-official/acme.sh/wiki/deploy-to-docker-containers

创建所需文件夹及文件

  1. mkdir -p /data/nginx && mkdir -p /data/nginx/conf.d && touch /data/nginx/nginx.conf

编辑 nginx.conf 文件

  2. user  nginx;
  3. worker_processes  1;
  5. error_log  /var/log/nginx/error.log warn;
  6. pid        /var/run/nginx.pid;
  9. events {
  10.     worker_connections  1024;
  11. }
  14. http {
  15.     include       /etc/nginx/mime.types;
  16.     default_type  application/octet-stream;
  18.     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  19.                       '$status $body_bytes_sent "$http_referer" '
  20.                       '"$http_user_agent" "$http_x_forwarded_for"';
  22.     access_log  /var/log/nginx/access.log  main;
  24.     sendfile        on;
  25.     #tcp_nopush     on;
  27.     keepalive_timeout  65;
  29.     #gzip  on;
  31.     include /etc/nginx/conf.d/*.conf;
  32. }

编辑域名文件

vim /data/nginx/conf.d/test1.example.com.conf

  1. server {
  2.     listen       80;
  3.         #listen      443  ssl;
  4.     server_name  test1.example.com;
  5.     charset utf-8;
  7.     access_log  /var/log/nginx/test1.example.com.access.log  main;
  9.         root   /usr/share/nginx/html/test1.example.com;
  10.     index  index.html index.htm;
  11.         # 此处ssl 配置需要在申请证书文件后打开
  12.         #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  13.     #ssl_prefer_server_ciphers on;
  14.     #ssl_ciphers               "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
  16.     # config ssl certificate
  17.     #ssl_certificate           /etc/nginx/ssl/test1.example.com/fullchain.cer;
  18.     #ssl_certificate_key       /etc/nginx/ssl/test1.example.com/test1.example.com.key;
  21.     #申请证书使用
  22.     location ^~/.well-known/acme-challenge {
  23.         allow all;
  24.     }
  27.     # 这里配置使用HTTP访问的请求
  28.     location / {
  29.         proxy_set_header Host                   $http_addr;
  30.         proxy_set_header X-Real-IP              $remote_addr;
  31.         proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
  32.         proxy_pass http://127.0.0.1:8080;
  33.     }
  35.     #error_page  404              /404.html;
  37.     # redirect server error pages to the static page /50x.html
  38.     #
  39.     error_log  /var/log/nginx/test1.example.com.error.log;
  40.     error_page   500 502 503 504  /50x.html;
  41.     location = /50x.html {
  42.         root   /usr/share/nginx/html;
  43.     }
  45. }

vim /data/nginx/conf.d/test2.example.com.conf

  1. server {
  2.     listen       80;
  3.      #listen      443  ssl;
  5.     server_name  test2.example.com;
  6.     charset utf-8;
  8.     access_log  /var/log/nginx/test2.example.com.access.log  main;
  9.     root   /usr/share/nginx/html/test2.example.com/;
  10.     index  index.html index.htm;
  12.     # 此处ssl 配置需要在申请证书文件后打开
  13.     #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  14.     #ssl_prefer_server_ciphers on;
  15.     #ssl_ciphers               "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
  17.     # config ssl certificate
  18.     #ssl_certificate           /etc/nginx/ssl/test2.example.com/fullchain.cer;
  19.     #ssl_certificate_key       /etc/nginx/ssl/test2.example.com/test2.example.com.key;
  22.     #申请证书使用
  23.     location ~ /.well-known/acme-challenge {
  24.         allow all;
  25.     #    root /usr/share/nginx/html;
  26.     }
  29.     # 这里配置使用HTTP访问的请求
  30.     location / {
  31.         root   /usr/share/nginx/html/test2.example.com/;
  32.         index  index.html index.htm;
  33.     }
  37.     #error_page  404              /404.html;
  39.     # redirect server error pages to the static page /50x.html
  40.     #
  41.     error_log  /var/log/nginx/test2.example.com.error.log;
  42.     error_page   500 502 503 504  /50x.html;
  43.     location = /50x.html {
  44.         root   /usr/share/nginx/html;
  45.     }
  47. }

启动nginx,准备生成ssl证书

  1. docker run -d --name nginx --network host --restart always --privileged=true -v /data/nginx/html:/usr/share/nginx/html  -v /data/nginx/nginx.conf:/etc/nginx/nginx.conf  -v /data/nginx/ssl:/etc/nginx/ssl -v /data/nginx/logs:/var/log/nginx -v /data/nginx/conf.d:/etc/nginx/conf.d nginx

使用acme.sh生成证书文件

运行acme容器服务

  1. docker run --rm  -itd --privileged=true   -v /data/nginx/ssl:/acme.sh -v /data/nginx/html:/html    --net=host   --name=acme.sh   neilpang/acme.sh daemon
  1. docker exec acme.sh  --issue  -d test1.example.com --webroot /html/test1.example.com/ 
  2. docker exec acme.sh  --issue  -d test2.example.com --webroot /html/test2.example.com/

成功生成文件后,将 test1.example.com.conf 和 test2.example.com.conf 的ssl配置打开验证。

自动续期(未试验)

acme申请的证90天后会过期,需要定时去更新,acme默认60天更新
删除上面的容器,新建 /data/nginx/nginx_proxy.yml文件

  1. version: '3.4'
  2. services:
  3.   web:
  4.     image: nginx
  5.     container_name: nginx
  6.     ports:
  7.       - "80:80"
  8.       - "443:443"
  9.     privileged: true
  10.     volumes:
  11.       - "/data/nginx/html:/usr/share/nginx/html:z"
  12.       - "/data/nginx/nginx.conf:/etc/nginx/nginx.conf:z"
  13.       - "/data/nginx/ssl:/etc/nginx/ssl:z"
  14.       - "/data/nginx/logs:/var/log/nginx:z"
  15.       - "/data/nginx/conf.d:/etc/nginx/conf.d:z"
  16.     environment:
  17.       - ENV=production
  19.   acme.sh:
  20.     image: neilpang/acme.sh
  21.     container_name: acme.sh    
  22.     command: daemon
  23.     privileged: true
  24.     volumes:
  25.       - "/data/nginx/ssl:/acme.sh:z"
  26.       - /var/run/docker.sock:/var/run/docker.sock