acme-dns
Certificates issuer and periodical renewer
7.8K
Container images based on the official acme.sh script, wrapping certificates initial issuance and periodical renewal in DNS mode.
Sources are available on GitHub.
x.y.z-acmeshA.B.C tags the x.y.z container image version, embedded with
the acme.sh A.B.C version.edge-acmeshA.B.C tags the container image built from the last repository
commit, embedded with the acme.sh A.B.C version.Tags aliases :
x.y-acmeshA.B.C aliases the latest patch version of the container image x.y
major+minor version, embedded with the acme.sh A.B.C version;x-acmeshA.B.C aliases the latest minor+patch version of the container image
x major version, embedded with the acme.sh A.B.C version;x.y.z aliases the x.y.z container image version embedded with the latest
acme.sh version (Note: only the latest container image version gets updated);x.y aliases the latest patch version of the container image x.y major+minor
version, embedded with the latest acme.sh release (Note: only the latest container
image major+minor version gets updated);x aliases the latest minor+patch version of the container image x major
version, embedded with the latest acme.sh version (Note: only the latest container
image major version gets updated);acmeshA.B aliases the latest container image version, embedded with the latest
patch version of the acme.sh A.B major+minor version;acmeshA aliases the latest container image version, embedded with the latest
minor+patch version of the acme.sh A major version;latest aliases the latest x.y.z-acmeshA.B.C tag;edge-acmeshA.B aliases the container image built from the last repository
commit, embedded with the latest patch version of the acme.sh A.B major+minor
version;edge-acmeshA aliases the container image built from the last repository
commit, embedded with the latest minor+patch version of the acme.sh A major
version.edge aliases the latest edge-acmeshA.B.C tag;The container issues a certificate on first start, then renews it automatically via an internal cron job.
The certificate, full-chain, and private key are written to the paths defined by ACME_DNS_CERT_FILE, ACME_DNS_CERT_FULLCHAIN_FILE, and ACME_DNS_CERT_KEY_FILE (all inside the /cert directory by default). Mount a host directory or a named volume there to retrieve them.
services:
acme-dns:
image: ghcr.io/anthochamp/container-acme-dns:latest
restart: unless-stopped
volumes:
- acme-state:/var/lib/acme
- ./certs:/cert
environment:
ACME_DNS_ACME_SERVER: letsencrypt
ACME_DNS_ACME_ACCOUNT: [email protected]
ACME_DNS_PROVIDER: dns_cf # any acme.sh DNS provider
ACME_DNS_PROVIDER_ENV_PREFIX: CF_ # load CF_* vars through __FILE support
ACME_DNS_CERT_DOMAINS: example.com *.example.com
CF_Token__FILE: /run/secrets/cf_token
secrets:
- cf_token
volumes:
acme-state:
secrets:
cf_token:
file: ./secrets/cf_token.txt
/var/lib/acme/ stores acme.sh state (eg. account key)As an alternative to passing sensitive information via environment variables, __FILE may be appended to any of the listed environment variables below, causing the initialization script to load the values for those variables from files present in the container.
In particular, this can be used to load values from Docker secrets stored in /run/secrets/<secret_name> files. For example : ACME_DNS_ACME_ACCOUNT__FILE=/run/secrets/acme_account.
Default: letsencrypt
Refer to the acme.sh official documentation for the possible values.
Default: empty (optional)
Default: empty
Refer to acme.sh official documentation for the possible values.
Default: empty
When you need to pass additional environment variables to acme.sh and want to get support for the __FILE feature on those, you can pass the environment variables prefix here. This is especially useful for DNS credentials.
Default: 2048
| Value | Algorithm |
|---|---|
ec-256 | prime256v1 |
ec-384 | secp384r1 |
ec-521 | secp521r1 |
2048 | RSA 2048 |
3072 | RSA 3072 |
4096 | RSA 4096 |
Default: empty
List of space-separated domains (common name and SANs).
For example, with ACME_DNS_CERT_DOMAINS="foo.com *.foo.com bar.net *.bar.net", the common name will be foo.com with three SANs *.foo.com, bar.net and *.bar.net
Default: /cert/cert.pem
Default: /cert/fullchain.pem
Default: /cert/key.pem
Default: 0
Set to 1 to pass --insecure to acme.sh, disabling TLS certificate verification when communicating with the ACME server. Useful when pointing ACME_DNS_ACME_SERVER at a local test CA (e.g. Pebble).
Default: empty (acme.sh default)
Override the DNS propagation wait time (in seconds) passed to acme.sh via --dnssleep. Leave unset to use acme.sh's built-in DNS check loop.
Default: empty (optional)
Select an alternative certificate chain by specifying the issuer CN in the chain. Passed to acme.sh as --preferred-chain. Example: ISRG Root X1.
Refer to acme.sh documentation for details.
Default: empty (optional)
Delegate DNS-01 challenge records to a different domain. Passed to acme.sh as --challenge-alias. Useful when the domain's DNS provider has no API support but a second zone (e.g. _acme-challenge.acme.example.com) does.
Refer to acme.sh DNS alias mode documentation for details.
Default: 26 12 * * *
Cron expression controlling when acme.sh --cron runs to renew certificates. The default fires once a day at 12:26 UTC (matching the acme.sh upstream default). Adjust if you need a different renewal window.
Content type
Image
Digest
sha256:f60a9597c…
Size
33.2 MB
Last updated
1 day ago
docker pull anthochamp/acme-dns:edge