@@ -1,11 +1,16 @@
#jinja2: lstrip_blocks: "True"
#!/bin/bash
# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
# Certificates renewal allows both HTTP or DNS challenges based on renewal configuration
# generated when certificates have been issued using `certonly` command.
#
# For renewal relying on HTTP challenge to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
# need to forward requests for `/.well-known/acme-challenge` to the certbot container.
#
# This can happen inside the container network by proxying to `http://matrix-certbot:8080`
# or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.
#
# For renewal relying on DNS challenge to work, certbot docker image must have the associated DNS plugins configured.
docker run \
--rm \
@@ -13,20 +18,20 @@ docker run \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network="{{ matrix_docker_network }}" \
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
-- publish 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \
{% if (matrix_ssl_lets_encrypt_dns_config is defined) and (matrix_ssl_lets_encrypt_dns_config|length > 0) %}
--mount type=bind,src={{ matrix_ssl_dns_config_dir_path }},dst=/etc/letsencrypt-dns-config,readonly \
{% endif %}
--mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \
{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
renew \
--non-interactive \
--work-dir=/tmp \
--http-01-port 8080 \
{% if matrix_ssl_lets_encrypt_staging %}
--staging \
{% endif %}
--key-type {{ matrix_ssl_lets_encrypt_key_type }} \
--standalone \
--preferred-challenges http \
--agree-tos \
--email={{ matrix_ssl_lets_encrypt_support_email }} \
--no-random-sleep-on-renew
ZzMzaw
3 лет назад