moving to certbot v0.31.0 to support tls-alpn-01 challenge
ebarault committed Mar 5, 2019
1 parent a1aa949 commit ad7179d
Showing 3 changed files with 6 additions and 4 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM certbot/certbot:v0.18.2
FROM certbot/certbot:v0.31.0
MAINTAINER Eric Barault (@ebarault)

VOLUME /certs
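Review bot: the new `FROM certbot/certbot:v0.31.0` line pins the base image by tag only, and a tag can be re-pointed after this commit lands. Since this image handles the private keys written to /certs, consider pinning by digest as well (`certbot/certbot:v0.31.0@sha256:<digest>`, where `<digest>` is a placeholder for the value you verify at build time) so rebuilds are reproducible.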
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -35,6 +35,7 @@ The following volumes of interest can be mounted on the docker host or as docker

#### Environment variables:
- **WEBROOT** : (optional) path to the host's web server root. If provided, letsencrypt will use the given existing web server to request and validate the certificates. If not provided, letsencrypt will launch it's own web server for this purpose
- **PREFERRED_CHALLENGES** : (optional) A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (eg. "dns" or "tls-alpn-01,http,dns")
- **LOGFILE** : (optional) path of a file where to write the logs from the certificate request/renewal script. When not provided both stdout/stderr are directed to console which is convenient when using a docker log driver
- **DEBUG** : (optional) whether to run letsencrypt in debug mode, refer to certbot [documentation] (https://certbot.eff.org/docs/using.html#certbot-command-line-options)
- **STAGING** : (optional) whether to run letsencrypt in staging mode, refer to certbot [documentation] (https://certbot.eff.org/docs/using.html#certbot-command-line-options)
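Review bot: the new **PREFERRED_CHALLENGES** entry does not say that the variable is only read when WEBROOT is unset, nor that it defaults to `http-01`; both follow from the scripts/run_certbot.sh change in this commit and should be documented here. The example also mixes naming styles (`tls-alpn-01` next to the short forms `http` and `dns`) while the script's default is written `http-01`, so pick one form and use it in both places.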
7 changes: 4 additions & 3 deletions scripts/run_certbot.sh
Expand Up @@ -117,14 +117,15 @@ CERTBOT_ARGS=""
# see https://certbot.eff.org/docs/using.html#webroot
#
# `standlone` plugin runs a built-in “standalone” web server to obtain the certificate
# --preferred-challenges tls-sni` option is set to use port 443
# this mode is triggered when $WEBROOT is not set
# The current implementation supports the http-01, dns-01 and tls-alpn-01 challenges and
# defaults to http-01 since tls-sni-01 has been deprecated
# This mode is triggered when $WEBROOT is not set
# see https://certbot.eff.org/docs/using.html#standalone
#
if [ $WEBROOT ]; then
CERTBOT_ARGS=" --webroot -w $WEBROOT"
else
CERTBOT_ARGS=" --standalone --preferred-challenges tls-sni"
CERTBOT_ARGS=" --standalone --preferred-challenges ${PREFERRED_CHALLENGES:-http-01}"
fi

# activate debug mode
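Review bot: `${PREFERRED_CHALLENGES:-http-01}` is spliced into CERTBOT_ARGS without validation, so any whitespace in the variable turns into extra certbot arguments if CERTBOT_ARGS is later expanded unquoted. Check the value against the challenge names the comment lists (http-01, dns-01, tls-alpn-01, comma separated) and exit with an error on anything else. The default also moves from the port 443 challenge described in the removed comment to http-01, which is validated over port 80, so the README should tell existing standalone users to publish that port or set the variable explicitly.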