How to auto-renew LetsEncrypt Certs with a Dockerized Instance of Apache?

Question

We have some dockerized PHP applications with custom docker images so that the PHP mail() function actually works.

When we build the images, we are COPYing the certs into the image at build time. This works great... for 90 days.

In order to renew, we are having to shut down the web-app, renew LetsEncrypt manually, then re-build, and re-deploy a new image with the new certs.

I feel like I should be able to do this with named containers so that the renewal is automatic, but I can't wrap my brain around it.

Does anyone have a working playbook for this?

Answer 1

The answer ended up being: use named volumes, and add a script to copy certs into the volumes on the local disk from the docker host. It works like this:

1. Create a named volume that is mounted at /certs.
2. Make sure Apache uses the certs that are located here in your site config files.
3. Setup cert-bot to auto-renew from the host, and use the pre-hooks to shutdown your docker instance.
4. After cert-bot renews the cert, use post-hooks to run a script to copy the newly minted / renewed certs from /etc/letsencrypt/live/foosite.com/ (or similar) to the volume location - overwriting what's there.

This last step requires a little bit of effort. After creating the named volume the first time, you have to use docker volume ls and docker volume inspect to find out where that volume is maintained on the host file system. It will be somewhere under /var/lib/docker, usually.

Your post-hook script from step #4 above simply copiest the certs from the live directory to this docker volume directly, and THEN restarts the containers.