ACME Issue & Renew (acme) is a service container to issue and renew
Let's Encrypt TLS certificates using @PhrozenByte's
acme management scripts and acme-tiny.
This container is basically just an Alpine-based installation of these
scripts. All certs and their associated files are stored in /var/local/acme,
the configuration is stored in /etc/acme. Both directories are expected to be
volumes. Please refer to the scripts' README.md for information about
these directories and the required config.
On the container's first run the entrypoint script will create the necessary
files and directories; this also includes /etc/acme/config.env. The config
file is populated with values of the env variables ACME_ACCOUNT_KEY_FILE,
ACME_ACCOUNT_CONTACT, ACME_DIRECTORY_URL, TLS_KEY_GROUP, and
FP_REVOCATION_LIST. FQDN_GROUPS isn't supported at the moment.
The container runs crond by default. It runs two cronjobs, acme-renew --all
to renew all certificates once per month, and acme-check --all daily to check
validity of all certificates (especially whether they might have been revoked).
The cronjobs will choose a random execution time automatically; an algorithm
ensures that the execution times don't change unless you add/remove domains.
You can pass the CRON_RENEW and CRON_CHECK environment variables to
adjust the schedule (e.g. pass CRON_RENEW='23 4 3 * *' to run acme-renew
on the 3rd day of the month at 04:23).
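
The following shell functions are an added example, not the container's own algorithm (which this page does not show). They show one way a schedule can look random yet stay fixed until domains are added or removed: hash the sorted domain set and map the result to a minute, hour and day. The function names and the use of cksum are assumptions made for this example.

```shell
#!/bin/sh
# Illustration only: derive a stable, pseudo-random monthly cron schedule
# from the set of managed domains. Function names are hypothetical.

# Print a numeric seed for the domain set. Lower-casing, sorting and
# de-duplicating first makes the seed independent of argument order.
domain_seed() {
    printf '%s\n' "$@" | tr 'A-Z' 'a-z' | LC_ALL=C sort -u | cksum | cut -d ' ' -f 1
}

# Print a five-field cron expression ("min hour day * *") for the domain set.
stable_monthly_schedule() {
    [ "$#" -gt 0 ] || { echo "usage: stable_monthly_schedule DOMAIN..." >&2; return 1; }
    seed=$(domain_seed "$@")
    minute=$(( seed % 60 ))
    hour=$(( (seed / 60) % 24 ))
    # Days 1-28 exist in every month, so the job is never skipped.
    day=$(( (seed / 1440) % 28 + 1 ))
    printf '%d %d %d * *\n' "$minute" "$hour" "$day"
}

# Constructed sample input: both calls print the same schedule.
stable_monthly_schedule example.com www.example.com
stable_monthly_schedule www.example.com example.com
```

The printed value has the same five-field form that CRON_RENEW expects.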
To issue new certs, renew existing ones, or to check certs manually, call
acme-issue, acme-renew, or acme-check inside the container, e.g.:

    podman exec -it --user acme acme acme-issue --force example.com www.example.com
    podman exec -it --user acme acme acme-renew example.com
    podman exec -it --user acme acme acme-check --all