Versão avaliada: Debian 10 + HAProxy + Docker-CE 20.10.5
Criar os diretórios que servirão de repositório
# Leading '#' is the root shell prompt, not a comment. Creates the HAProxy
# certificate directory and the directory certbot will use as its state store.
# mkdir -p /home/suporte/haproxy/certs /home/suporte/letsencrypt
Configurar o frontend HTTP (porta 80) no HAProxy e disponibilizar a configuração no caminho /home/suporte/haproxy
# Root prompt. ~/haproxy resolves to /home/suporte/haproxy only when the shell
# belongs to the suporte user -- presumably the case here; confirm before editing.
# vi ~/haproxy/haproxy.cfg
# Bootstrap configuration used before any certificate exists: the ACME challenge
# path goes to the certbot container, everything else for the Portainer host is
# served over plain HTTP. This is transitional -- Portainer (including its login)
# stays in cleartext until the HTTPS configuration further down replaces it.
frontend HTTP
bind *:80
http-request add-header X-Forwarded-Proto http
# ACME HTTP-01 challenge path; listed first so it wins over the host rule below
acl LTSNCRYPTHTTP path_beg -i /.well-known/acme-challenge/
use_backend LTSNCRYPTHTTP if LTSNCRYPTHTTP
acl PRTNR hdr(host) -i portainer.domain.com.br
use_backend PRTNR if PRTNR
# IP_SERVER is a placeholder for the Docker host address (presumably Portainer
# listens on :9000). Port 8083 is where certbot --standalone --http-01-port=8083
# answers challenges; no health check because that container only exists
# while a certificate is being issued.
backend PRTNR
server PRTNR1 IP_SERVER:9000 check
backend LTSNCRYPTHTTP
server LTSNCRYPT1 IP_SERVER:8083
Executar o Certbot manualmente para evitar qualquer contratempo. Use o parâmetro --staging para testar a criação do certificado sem consumir a cota de tentativas de emissão. O Let's Encrypt libera 10 criações de certificados a cada 3 horas.
# Leading '#' is the root shell prompt. One-shot issuance: certbot --standalone
# serves the HTTP-01 challenge itself on 8083, which HAProxy forwards from
# /.well-known/acme-challenge/ (backend LTSNCRYPTHTTP).
# -p 8083:8083 publishes the port on every host interface; HAProxy runs in its
# own container and reaches certbot via IP_SERVER, so a loopback-only bind
# would presumably not work here.
# certbot/certbot:latest is a floating tag; pinning a version tag or digest
# makes issuance and the cron-driven renewals reproducible and auditable.
# docker run --name Certbot \
-p 8083:8083 \
-v /home/suporte/letsencrypt:/etc/letsencrypt \
-v /home/suporte/letsencrypt/log:/var/log/letsencrypt \
certbot/certbot:latest \
certonly --standalone --agree-tos --non-interactive --http-01-port=8083 --email suporte@domain.com.br -d portainer.domain.com.br
Opcional:
--staging <- Testar
--force-renewal <- Forçar atualização
Remover o container após o uso
# Root prompt. Removes the one-shot container and its image. The && chain stops
# at the first failure, so if the container was never created the image stays.
# docker stop Certbot && docker rm Certbot && docker rmi certbot/certbot:latest
Criar o arquivo .PEM
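# Root prompt. HAProxy expects chain and key in one PEM. Because the result
# embeds the private key, create it under a restrictive umask instead of
# inheriting the default (typically 0644, i.e. readable by every local user).
# If the HAProxy container runs as a non-root user (recent official images do),
# chown the file to that user so the bind can still load it.
# ( umask 077; /bin/cat /home/suporte/letsencrypt/live/portainer.domain.com.br/fullchain.pem /home/suporte/letsencrypt/live/portainer.domain.com.br/privkey.pem > /home/suporte/haproxy/certs/certificado.pem )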
Obs.: O Let's Encrypt cria as pastas e os arquivos com permissão de root; portanto, para executar o comando acima, alterne o console para root. Quando o certificado é renovado, as permissões são ajustadas para root novamente.
Configurar as entradas HTTPS no HAProxy apontando para o arquivo /haproxy/certs/certificado.pem
# Root prompt. Edit the same HAProxy config created above (~/haproxy is
# /home/suporte/haproxy only for the suporte user -- confirm).
# vi ~/haproxy/haproxy.cfg
### // HTTP ###################################
# Port 80 now only (a) redirects the Portainer host to HTTPS and (b) hands the
# ACME challenge path to certbot. Hosts not named in the redirect (e.g. a bare
# IP) are still answered in cleartext by whatever rules follow.
frontend HTTP
bind *:80
http-request add-header X-Forwarded-Proto http
# Redirect to the https site.
# `!{ ssl_fc }` is always true on this non-TLS bind, so it is redundant here.
# `redirect` rules are evaluated before `use_backend`, so ACME requests for this
# host are redirected to HTTPS as well; that is why the HTTPS frontend below
# repeats the ACME routing (Let's Encrypt's HTTP-01 validation follows redirects).
redirect scheme https if { hdr(host) -i portainer.domain.com.br } !{ ssl_fc }
acl LTSNCRYPTHTTP path_beg -i /.well-known/acme-challenge/
use_backend LTSNCRYPTHTTP if LTSNCRYPTHTTP
backend LTSNCRYPTHTTP
server LTSNCRYPT1 IP_SERVER:8083
### // HTTPS ##################################
# The crt path is inside the HAProxy container while the tutorial writes the
# file to /home/suporte/haproxy/certs/certificado.pem on the host, so a volume
# mapping that directory to /etc/ssl/private is assumed -- TODO confirm.
# The PEM contains the private key: it must be readable by the HAProxy process
# and by nobody else.
# Hardening not shown on this page: `ssl-default-bind-options ssl-min-ver TLSv1.2`
# in the global section and a Strict-Transport-Security response header here.
frontend HTTPS
bind *:443 ssl crt /etc/ssl/private/certificado.pem
http-request add-header X-Forwarded-Proto https
acl LTSNCRYPTHTTPS path_beg -i /.well-known/acme-challenge/
use_backend LTSNCRYPTHTTPS if LTSNCRYPTHTTPS
# portainer.local.domain is accepted as a host name but is not a SAN of the
# certificate issued for portainer.domain.com.br, so clients using it get a
# certificate warning.
acl PRTNR hdr(host) -i portainer.local.domain portainer.domain.com.br
use_backend PRTNR if PRTNR
backend PRTNR
server PRTNR1 IP_SERVER:9000 check
backend LTSNCRYPTHTTPS
server LTSNCRYPT1 IP_SERVER:8083
Reinicie o serviço HAProxy para efetivar o certificado
# '$' is an unprivileged prompt here, unlike the root prompts elsewhere on the
# page; docker access implies root-equivalent rights on the host either way.
# A restart drops in-flight connections; HAProxy can also reload on SIGHUP.
$ docker restart HAProxy
# Root prompt. Manual renewal with the same port/volume layout as issuance.
# `renew` only acts on certificates approaching expiry; otherwise it exits
# without changing anything (use --force-renewal to override, see below).
# docker run --name Certbot \
-p 8083:8083 \
-v /home/suporte/letsencrypt:/etc/letsencrypt \
-v /home/suporte/letsencrypt/log:/var/log/letsencrypt \
certbot/certbot:latest \
renew
Opcional:
--force-renewal
Atualizar o arquivo .PEM
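# Root prompt. Rebuild the combined PEM after renewal. The redirect reuses the
# existing file's permissions, so chmod keeps the (renewed) private key readable
# by root only. If the HAProxy container runs as a non-root user, chown the
# file to that user instead of widening the mode.
# /bin/cat /home/suporte/letsencrypt/live/portainer.domain.com.br/fullchain.pem /home/suporte/letsencrypt/live/portainer.domain.com.br/privkey.pem > /home/suporte/haproxy/certs/certificado.pem && chmod 600 /home/suporte/haproxy/certs/certificado.pem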
Reinicie o serviço HAProxy para efetivar o certificado
# Root prompt. HAProxy loads the PEM at startup, so a restart (or reload) is
# needed for the renewed certificate to be served.
# docker restart HAProxy
# Interim configuration while adding the nuvem host: it is routed on port 80
# only, so nuvem traffic is cleartext until the HTTPS section is extended
# (next configuration). The redirect still covers only the Portainer host.
frontend HTTP
bind *:80
http-request add-header X-Forwarded-Proto http
# Redirect to the https site (Portainer host only)
redirect scheme https if { hdr(host) -i portainer.domain.com.br } !{ ssl_fc }
acl LTSNCRYPTHTTP path_beg -i /.well-known/acme-challenge/
use_backend LTSNCRYPTHTTP if LTSNCRYPTHTTP
# nuvem.local.domain is an internal name and is not part of the certificate
# requested below (only nuvem.domain.com.br is).
acl NVM hdr(host) -i nuvem.local.domain nuvem.domain.com.br
use_backend NVM if NVM
backend NVM
server NVM1 IP_SERVER:8082 check
backend LTSNCRYPTHTTP
server LTSNCRYPT1 IP_SERVER:8083
# Expands the existing certificate to a second name. --expand replaces the
# lineage named after the first -d (portainer.domain.com.br), which is why the
# PEM is still assembled from live/portainer.domain.com.br/ below. Every name
# must resolve to this host and reach port 80 for the HTTP-01 challenge.
docker run --name Certbot \
-p 8083:8083 \
-v /home/suporte/letsencrypt:/etc/letsencrypt \
-v /home/suporte/letsencrypt/log:/var/log/letsencrypt \
certbot/certbot:latest \
certonly --expand --standalone --agree-tos --non-interactive --http-01-port=8083 --email suporte@domain.com.br -d portainer.domain.com.br -d nuvem.domain.com.br
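# Rebuild the combined PEM from the expanded lineage. chmod keeps the private
# key readable by root only (the redirect alone would keep whatever mode the
# file already had, typically 0644). If the HAProxy container runs as a
# non-root user, chown the file to that user rather than widening the mode.
/bin/cat /home/suporte/letsencrypt/live/portainer.domain.com.br/fullchain.pem /home/suporte/letsencrypt/live/portainer.domain.com.br/privkey.pem > /home/suporte/haproxy/certs/certificado.pem && chmod 600 /home/suporte/haproxy/certs/certificado.pem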
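### // HTTP ###################################
# Final configuration: both public hosts are forced to HTTPS and the ACME
# challenge path is forwarded to certbot. Fixed here: the original spelled the
# nuvem host "doamin" in the redirect and the Portainer internal name "doamin"
# in the HTTPS ACL, so neither rule could ever match (nuvem would have stayed
# in cleartext without any error being reported).
frontend HTTP
bind *:80
http-request add-header X-Forwarded-Proto http
# Redirect to the https site. `!{ ssl_fc }` is always true on a non-TLS bind.
# `redirect` runs before `use_backend`, so ACME requests for these hosts reach
# certbot via the HTTPS frontend below (HTTP-01 validation follows redirects).
redirect scheme https if { hdr(host) -i portainer.domain.com.br } !{ ssl_fc }
redirect scheme https if { hdr(host) -i nuvem.domain.com.br } !{ ssl_fc }
acl LTSNCRYPTHTTP path_beg -i /.well-known/acme-challenge/
use_backend LTSNCRYPTHTTP if LTSNCRYPTHTTP
### OTHER ACLs BELOW
# IP_LOCAL is used here where the earlier snippets used IP_SERVER; both are
# placeholders for the Docker host address -- keep them consistent.
backend LTSNCRYPTHTTP
server LTSNCRYPT1 IP_LOCAL:8083
### // HTTPS ##################################
# The crt path is inside the HAProxy container; a volume mapping the host's
# haproxy/certs directory to /etc/ssl/private is assumed -- TODO confirm.
# The PEM includes the private key and must be readable only by HAProxy.
# Hardening not shown on this page: `ssl-default-bind-options ssl-min-ver TLSv1.2`
# in the global section and a Strict-Transport-Security response header here.
frontend HTTPS
bind *:443 ssl crt /etc/ssl/private/certificado.pem
http-request add-header X-Forwarded-Proto https
acl LTSNCRYPTHTTPS path_beg -i /.well-known/acme-challenge/
use_backend LTSNCRYPTHTTPS if LTSNCRYPTHTTPS
# The *.local.domain names are not SANs of the issued certificate; clients
# using them will get a certificate warning.
acl PRTNR hdr(host) -i portainer.local.domain portainer.domain.com.br
use_backend PRTNR if PRTNR
acl NVM hdr(host) -i nuvem.local.domain nuvem.domain.com.br
use_backend NVM if NVM
backend NVM
server NVM1 IP_SERVER:8082 check
backend PRTNR
server PRTNR1 IP_SERVER:9000 check
backend LTSNCRYPTHTTPS
server LTSNCRYPT1 IP_LOCAL:8083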
# Restart so HAProxy loads the expanded certificate (in-flight connections drop).
docker restart HAProxy
Criar o script para expansão e renovação
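#!/usr/bin/env bash
# deploy_certbot.sh -- issues (-new), expands (-exp) or renews (-renew) a
# Let's Encrypt certificate with the certbot container and publishes the
# combined PEM (chain + private key) for HAProxy, then restarts HAProxy.
# Edit the variables below for the installation before use.
# No `set -e`: the cleanup steps are deliberately best-effort.

# Host paths: certbot state, certbot logs, and the HAProxy certificate directory.
readonly PATHLETS="/mnt/resource/CONTAINER/letsencrypt"
readonly PATHLETSLOG="/mnt/resource/CONTAINER/letsencrypt/log"
readonly PATHCERTS="/mnt/resource/CONTAINER/haproxy/certs"

# Resolve tools once. `command -v` replaces the non-portable `which`, and
# $(...) replaces the deprecated backtick form.
DOCKER=$(command -v docker)
CAT=$(command -v cat)
readonly DOCKER CAT

# Certbot options. These strings hold several options each and are expanded
# unquoted by the functions below on purpose, so keep them free of spaces
# inside a single option. Port 8083 must match the HAProxy ACME backend.
readonly CERTPARAM="--standalone --agree-tos --non-interactive --http-01-port=8083"
readonly CERTEMAIL="--email suporte@domain.com.br"
# Primary name; certbot's live/ directory is named after it.
readonly CERTDOMAIN="domain.com"
# --expand adds names to the existing lineage instead of creating a new one.
readonly CERTPARAMEXP="--expand --standalone --agree-tos --non-interactive --http-01-port=8083"
readonly CERTDOMAINEXP="-d www.domain.com -d servicedesk.domain.com"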
######################################
### FUNCOES ######################
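criar_certificado(){
  # Issues the certificate for $CERTDOMAIN. certbot --standalone answers the
  # HTTP-01 challenge itself on 8083, which HAProxy forwards from
  # /.well-known/acme-challenge/.
  # Globals (read): DOCKER PATHLETS PATHLETSLOG CERTPARAM CERTEMAIL CERTDOMAIN
  # Returns: docker's exit status.
  echo ""
  echo "### Deploy Certbot ######################################"
  # CERTPARAM/CERTEMAIL hold several options in one string and must stay
  # unquoted to word-split; paths are quoted so spaces cannot break -v.
  # -p 8083:8083 publishes the port on all interfaces because HAProxy (another
  # container) reaches certbot through the host address.
  # shellcheck disable=SC2086
  "$DOCKER" run --name Certbot \
    -p 8083:8083 \
    -v "$PATHLETS:/etc/letsencrypt" \
    -v "$PATHLETSLOG:/var/log/letsencrypt" \
    certbot/certbot:latest \
    certonly $CERTPARAM $CERTEMAIL -d "$CERTDOMAIN"
}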
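expandir_certificado(){
  # Re-issues the $CERTDOMAIN lineage with the extra names in $CERTDOMAINEXP
  # (--expand keeps the same live/ directory, so gerar_pem keeps working).
  # Globals (read): DOCKER PATHLETS PATHLETSLOG CERTPARAMEXP CERTEMAIL
  #                 CERTDOMAIN CERTDOMAINEXP
  # Returns: docker's exit status.
  echo ""
  echo "Novas expansões: $CERTDOMAINEXP"
  echo ""
  echo "### Deploy Certbot ######################################"
  # Option strings are left unquoted on purpose so they word-split; paths are
  # quoted. Add --force-renewal to CERTPARAMEXP to re-issue before expiry.
  # shellcheck disable=SC2086
  "$DOCKER" run --name Certbot \
    -p 8083:8083 \
    -v "$PATHLETS:/etc/letsencrypt" \
    -v "$PATHLETSLOG:/var/log/letsencrypt" \
    certbot/certbot:latest \
    certonly $CERTPARAMEXP $CERTEMAIL -d "$CERTDOMAIN" $CERTDOMAINEXP
}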
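renovar_certificado(){
  # Runs `certbot renew` against the stored lineages. certbot only renews
  # certificates close to expiry, so this is safe to run daily from cron;
  # add --force-renewal after `renew` to override that check.
  # Globals (read): DOCKER PATHLETS PATHLETSLOG
  # Returns: docker's exit status.
  echo ""
  echo "### Deploy Certbot ######################################"
  "$DOCKER" run --name Certbot \
    -p 8083:8083 \
    -v "$PATHLETS:/etc/letsencrypt" \
    -v "$PATHLETSLOG:/var/log/letsencrypt" \
    certbot/certbot:latest \
    renew
}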
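remover_container(){
  # Stops and removes the one-shot Certbot container and its image so the next
  # `docker run --name Certbot` does not fail on a name clash. Fixes the
  # original `$DOCKER/bin/docker rmi`, which appended /bin/docker to the
  # already-resolved binary path and so never ran (the error was hidden by
  # the redirect to /dev/null).
  # Globals (read): DOCKER
  echo ""
  echo "### Removendo container Certbot #########################"
  # Output is discarded on purpose: the container or image may already be gone.
  # The steps are independent so a missing container does not leave the image
  # behind. Note that removing the image means `:latest` is re-pulled on every
  # run; pinning a tag or digest would make renewals reproducible.
  "$DOCKER" stop Certbot > /dev/null 2>&1
  "$DOCKER" rm Certbot > /dev/null 2>&1
  "$DOCKER" rmi certbot/certbot:latest > /dev/null 2>&1
}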
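gerar_pem(){
  # Builds the combined PEM HAProxy expects (full chain followed by the private
  # key) from certbot's live/ directory into $PATHCERTS/certificado.pem.
  # Globals (read): CAT PATHLETS PATHCERTS CERTDOMAIN
  #                 PEMMODE (optional, default 600) -- mode applied to the PEM
  # Returns: 1 if an input is unreadable or the write fails, else cat's status.
  echo ""
  echo "### Atualiza o arquivo .PEM #############################"
  local live="$PATHLETS/live/$CERTDOMAIN"
  local target="$PATHCERTS/certificado.pem"
  # Check both inputs first: the original truncated the target before cat
  # could fail, leaving HAProxy with an empty certificate file.
  if [[ ! -r "$live/fullchain.pem" || ! -r "$live/privkey.pem" ]]; then
    echo "gerar_pem: $live/fullchain.pem or privkey.pem not readable" >&2
    return 1
  fi
  # The file embeds the private key. umask 077 makes a new file 0600 instead
  # of the default (typically 0644, readable by every local user); chmod covers
  # an existing file, whose mode a redirect leaves untouched. The target is
  # rewritten in place (same inode) so a file bind-mount into the HAProxy
  # container keeps working. If HAProxy runs as a non-root user, chown the
  # file to that user or set PEMMODE accordingly rather than widening to 644.
  ( umask 077; "${CAT:-cat}" "$live/fullchain.pem" "$live/privkey.pem" > "$target" ) \
    && chmod "${PEMMODE:-600}" "$target"
}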
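reiniciar_haproxy(){
  # Restarts the HAProxy container so it loads the new certificado.pem.
  # A full restart drops in-flight connections; HAProxy can also be told to
  # reload its configuration with SIGHUP if that matters for this deployment.
  # Globals (read): DOCKER
  # Returns: docker's exit status (its output is discarded).
  echo ""
  echo "### Reiniciando o HAProxy ##############################"
  echo ""
  "$DOCKER" restart HAProxy > /dev/null 2>&1
}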
######################################
### CRIACAO ######################
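######################################
### DISPATCH #####################
# One mode per invocation: -new, -exp or -renew. The three modes share the
# same tail (cleanup, PEM, HAProxy restart), so it is written once below.
# An unknown or missing argument now prints usage and exits 2 instead of
# silently exiting 0.
case "${1-}" in
  -new)
    # First run only prepares the storage directories and stops; a second
    # run with -new then issues the certificate.
    if [[ -d "$PATHLETS" && -d "$PATHCERTS" ]]; then
      echo ""
      echo "### Diretorio existente #################################"
    else
      mkdir -p -- "$PATHLETS" "$PATHCERTS"
      echo ""
      echo "### Diretorio criado ####################################"
      exit 0
    fi
    criar_certificado
    ;;
  -exp)
    expandir_certificado
    ;;
  -renew)
    renovar_certificado
    ;;
  *)
    echo "Uso: ${0##*/} -new | -exp | -renew" >&2
    exit 2
    ;;
esac

remover_container
# A failed PEM build must not be silent: cron only sees the exit status, and
# restarting HAProxy without a valid file would not help.
if ! gerar_pem; then
  echo "Falha ao gerar o arquivo .PEM" >&2
  exit 1
fi
reiniciar_haproxy
exit 0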
Altere as variáveis e execute
# Root prompt. Only stdout is redirected; errors from docker/cat still go to
# the terminal (append 2>&1 to keep them in the log file too).
# ./deploy_certbot.sh -renew > /var/log/RENOCAOCERTIFICADO
Ajuste o crontab para renovar o certificado
# Root prompt. The job runs as root because certbot's live/ files and the
# docker socket are root-owned.
# crontab -e -u root
# Daily at 00:01. `certbot renew` is a no-op until the certificate nears
# expiry, so the frequency is fine. Only stdout is captured -- add 2>&1 to keep
# errors in the log rather than in cron mail -- and the script's exit status is
# not checked here, so pair it with monitoring of the log or of certificate
# expiry. Note the path spells RENOCAO where the section header says RENOVACAO.
1 0 * * * /home/suporte/deploy_certbot.sh -renew > /var/log/RENOCAOCERTIFICADO