Self-contained dockerized Certbot installation

My domain is: DNS not yet configured. I am setting up a new server, there will be many domain names.

I am looking for a clean, dockerized setup to install and renew the Let's Encrypt certificates. I have several http servers, each in their own container, and their virtual host files and configuration are saved on shared volumes.

My goal would be to create a Dockerfile that downloads and installs Certbot and provides certbot as the entry point. Something like this, but up-to-date, because that Dockerfile is no longer valid for the current state of the repository.

This would let me contain all the Certbot-related stuff in a container, and run that container with appropriate parameters whenever I need to create new certificates or renew existing ones.

When I tried to install the python-certbot-apache package, it failed to run because port 80 is blocked on the host, as it is taken by one of the http server containers.

Installing Certbot on the http server containers would go against the idea that the containers are as lean as possible, without too much service software. That would also mean that I have to install it on every http server container, which doesn't feel right. I hope to find a solution where Certbot can be run in a dedicated container only when certificate creation or renewal is required.

I understand that Certbot needs access to site root, to plant a temporary file there, and also that it needs access to the site’s Apache virtual host configuration file. Both things can be granted via shared docker volumes.

The host's operating system is Ubuntu Server 18.04 LTS. But that shouldn't matter, as everything needs to be containerized.

The official docker image for certbot does that, but it doesn't reload containers on autorenew. You can use --webroot sharing the appropriate directory or --standalone.

You can have certbot not listening externally as long as the "port 80" container proxies /.well-known/acme-challenge to it.

You could try uacme, my lightweight client which only depends on gnutls and libcurl. There is also third party Docker integration here.

Please explain why the certificates can't be renewed using the image? Can't I run this container on a regular basis, with proper parameters, using a host-level cronjob, for instance? Of course, there can't be automated tasks on a non-running container.

Regarding the port 80 exposure: I don't completely understand the flow of the certificate acquisition, so I don't know why and when Certbot wants to listen on ports 80 and 443. Would it be fine if I introduce an nginx container that accepts all incoming http/https traffic, and takes care of proper redirection — /.well-known/acme-challenge to the Certbot container, all other requests to their respective http server containers?
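As an added example (not posted by anyone in this thread), this is an nginx configuration for the front "port 80" container discussed above, using the --webroot approach rather than a proxy: the challenge directory is a volume shared with the certbot container, so certbot never has to bind a port itself and the port 80 conflict disappears. The backend container name (app1), the domain example.com, and the /var/www/certbot path are assumptions.

```nginx
# Assumed layout: the volume mounted at /var/www/certbot here is also mounted
# in the certbot container, which is run on demand (e.g. from a host cronjob) as
#   certbot certonly --webroot -w /var/www/certbot -d example.com -d www.example.com
# /etc/letsencrypt is a second shared volume so nginx can read the issued chain.

# Backend container (name assumed; resolved through Docker's embedded DNS).
upstream app1 {
    server app1:8080;
}

server {
    listen 80;
    server_name example.com www.example.com;

    # Serve ACME HTTP-01 challenge tokens straight from the shared webroot.
    # Only this exact prefix is answered over plain HTTP; anything else is
    # redirected to HTTPS so no application traffic stays unencrypted.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Paths written by certbot into the shared /etc/letsencrypt volume.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://app1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

nginx refuses to start while the certificate files referenced in the 443 block do not exist yet, so issue the first certificate with only the port 80 block active, then add the TLS block. Because the official certbot image does not reload other containers, the renewal cronjob should finish with `docker exec <nginx-container> nginx -s reload` so the new chain is actually served.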