LE's rate limiting and certificate caching

Hi. I’m building Docker containers that use acme.sh’s TLS-ALPN-01 to generate certificates for that specific host. The certificates are issued at runtime, the first time the Docker container starts. After that, it’s the cron job set up by acme.sh that takes care of renewal. For development I’m using LE’s staging, so that’s all working fine.

However, when development is done we switch to production, and when using the Docker builds it might happen that some config was missing for docker run (instead of committing, it happens that the container is simply re-created from the image). Whatever the reason, the point is that from then on, each time the container is freshly created a new certificate is issued, but with a rate limit of 5 per week there is not much room for “error”.

So the thing is that 5 is not much, and it could happen rather quickly that a small mistake results in losing the last generated certificates (as the Docker container is removed without having been committed after the first start), meaning it is no longer possible to get an LE certificate for the next week for that host.

So my question is: am I using this the correct way? Is there maybe some kind of caching/proxy service that we should be using?

Keep the acme.sh data/state in a storage volume that persists throughout the container lifecycle (creation/destruction). The Docker documentation for acme.sh does exactly that.

If you are using a more sophisticated container orchestration system like Kubernetes, all of this has been solved for you through the use of e.g. cert-manager which would automatically issue certificates for your ingress controller of choice (nginx, Traefik, etc), which in turn deals with routing traffic for each of your deployed applications.

Edit: it looks like acme.sh even has an nginx-proxy project which will do a similar thing. Using that would allow you to easily centralize your HTTP[S] traffic, certificate management and avoid rate limit issues without a complicated orchestration system.
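An entrypoint wrapper along the lines of the advice above, added here as an example and not code from the thread or from acme.sh itself. It assumes the acme.sh home directory sits on a persisted volume at ACME_HOME, that CERT_DOMAIN names the host, and that ACME_ENV selects staging (the default) or production; it issues only when the persisted volume holds no certificate yet, so a re-created container reuses the existing one instead of spending another issuance against the rate limit.

```shell
#!/bin/sh
# Constructed example entrypoint; not acme.sh's own code.
# Assumed environment (not from the thread): ACME_HOME is a named volume or
# bind mount that survives container re-creation, CERT_DOMAIN is the host's
# name, ACME_ENV is "staging" (default) or "production".
ACME_HOME="${ACME_HOME:-/acme.sh}"
CERT_DOMAIN="${CERT_DOMAIN:-example.com}"
ACME_ENV="${ACME_ENV:-staging}"

# Returns 0 when the persisted acme.sh home already holds a certificate for
# the domain (ECC or RSA layout), so a fresh container must not issue again.
cert_present() {
  home="$1"; domain="$2"
  for d in "$home/${domain}_ecc" "$home/$domain"; do
    [ -s "$d/fullchain.cer" ] && return 0
  done
  return 1
}

# Builds the acme.sh issue arguments for the selected environment.
# Anything other than "production" is sent to the Let's Encrypt staging CA,
# which has no meaningful rate limit for development runs.
issue_args() {
  env="$1"; domain="$2"
  if [ "$env" = "production" ]; then
    printf '%s' "--issue --alpn -d $domain --server letsencrypt"
  else
    printf '%s' "--issue --alpn -d $domain --server letsencrypt --staging"
  fi
}

main() {
  if cert_present "$ACME_HOME" "$CERT_DOMAIN"; then
    echo "certificate for $CERT_DOMAIN already in $ACME_HOME; not issuing"
  else
    # Word splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    acme.sh --home "$ACME_HOME" $(issue_args "$ACME_ENV" "$CERT_DOMAIN")
  fi
  # Renewal cron job is installed against the same persisted home.
  acme.sh --home "$ACME_HOME" --install-cronjob
}

# Run the entrypoint logic only when invoked as "entrypoint.sh run", so the
# functions above can be sourced and checked without touching acme.sh.
case "${1:-}" in
  run) main ;;
esac
```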
