serversideup · Jan 9, 2025 · Jan 9, 2025 · Jan 11, 2025 · Jan 15, 2025 · Jan 22, 2025
Showing with 78 additions and 43 deletions.

BIN .github/workflows/header.png

+43 −25 README.md

+3 −0 src/Dockerfile

+32 −18 src/entrypoint.sh
diff --git a/.github/workflows/header.png b/.github/workflows/header.png
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
-<p style="text-align: center">
+<p align="center">
 		<img src="https://raw.githubusercontent.com/serversideup/docker-certbot-dns-cloudflare/main/.github/header.png" width="1200" alt="Docker Images Logo">
 </p>
-<p style="text-align: center">
-	<a href="https://actions-badge.atrox.dev/serversideup/docker-certbot-dns-cloudflare/goto?ref=main"><img alt="Build Status" src="https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fserversideup%2Fdocker-proftpd%2Fbadge%3Fref%3Dmain&style=flat" /></a>
+<p align="center">
+	<a href="https://github.com/serversideup/docker-certbot-dns-cloudflare/actions/workflows/publish_docker-images-production.yml"><img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/serversideup/docker-certbot-dns-cloudflare/.github%2Fworkflows%2Fpublish_docker-images-production.yml" /></a>
 	<a href="https://github.com/serversideup/docker-certbot-dns-cloudflare/blob/main/LICENSE" target="_blank"><img src="https://badgen.net/github/license/serversideup/docker-certbot-dns-cloudflare" alt="License"></a>
 	<a href="https://github.com/sponsors/serversideup"><img src="https://badgen.net/badge/icon/Support%20Us?label=GitHub%20Sponsors&color=orange" alt="Support us"></a>
 	<a href="https://community.serversideup.net"><img alt="Discourse users" src="https://img.shields.io/discourse/users?color=blue&server=https%3A%2F%2Fcommunity.serversideup.net"></a>
@@ -31,6 +31,25 @@ The image is based on `certbot/dns-cloudflare:latest`, providing a stable and up
 - Windows support (set `REPLACE_SYMLINKS` to `true`)
 - Native Docker health checks to ensure the server is running
 
+### Works great for orchestrated deployments
+
+We designed this image to work great in orchestrated deployments like Kubernetes, Docker Swarm, or even in Github Actions. Look how simple the syntax is:
+
+```yaml
+  certbot:
+    image: serversideup/certbot-dns-cloudflare
+    volumes:
+      - certbot_data:/etc/letsencrypt
+    environment:
+      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
+      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
+      CERTBOT_DOMAINS: "${CERTBOT_DOMAINS}"
+      CERTBOT_KEY_TYPE: "rsa"
+
+  volumes:
+    certbot_data:
+```
+
 ## Environment Variables
 
 The following environment variables can be used to customize the Certbot container:
@@ -40,13 +59,29 @@ The following environment variables can be used to customize the Certbot contain
 | `CERTBOT_DOMAINS`      | Comma-separated list of domains for which to obtain the certificate | - |
 | `CERTBOT_EMAIL`        | Email address for Let's Encrypt notifications                       | - |
 | `CERTBOT_KEY_TYPE`     | Type of private key to generate                                     | `ecdsa` |
-| `CLOUDFLARE_API_TOKEN` | Cloudflare API token for DNS authentication                         | - |
+| `CERTBOT_SERVER`       | The ACME server URL                                                 | `https://acme-v02.api.letsencrypt.org/directory` |
+| `CLOUDFLARE_API_TOKEN` | Cloudflare API token for DNS authentication (see below how to create one)                         | - |
+| `CLOUDFLARE_CREDENTIALS_FILE` | Path to the Cloudflare credentials file. | `/cloudflare.ini` |
+| `CLOUDFLARE_PROPAGATION_SECONDS` | Wait time (in seconds) after setting DNS TXT records before validation. Useful if DNS propagation is slow. | `10` |
 | `DEBUG`                | Enable debug mode (prints more information to the console)            | `false`                    |
 | `PUID`                 | The user ID to run certbot as                                       | `0`                    |
 | `PGID`                 | The group ID to run certbot as                                        | `0`                    |
-| `RENEWAL_INTERVAL`     | Interval between certificate renewal checks                         | 43200 seconds (12 hours) |
+| `RENEWAL_INTERVAL`     | Interval between certificate renewal checks. Set to `0` to disable renewals and only run once.                         | 43200 seconds (12 hours) |
 | `REPLACE_SYMLINKS`     | Replaces symlinks with direct copies of the files they reference (required for Windows) | `false`                    |
 
+### Creating a Cloudflare API Token
+
+> [!WARNING]  
+> Treat this token like a password. It will grant access to your Cloudflare account and can be used to modify DNS records.
+
+1. Go to the [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens) page.
+2. Click on "Create Token".
+3. Click "Use template" for the "Edit Zone DNS" template.
+4. Change the token name (optional)
+5. Set a specific zone under "Zone Resources" (optional)
+6. Click on "Continue to summary".
+7. Click on "Create Token".
+
 ## Usage
 
 1. Pull the Docker image:
@@ -67,28 +102,11 @@ The following environment variables can be used to customize the Certbot contain
     -v /path/to/your/certs:/etc/letsencrypt \
    serversideup/certbot-dns-cloudflare:latest
    ```
+> [!TIP]
+> For Wildcard Certificates, use the following order for the Docker instance health check: `domain.name, *.domain.name`
 
 3. The container will automatically generate and renew the certificate.
 
-### Works great for orchestrated deployments
-
-We designed this image to work great in orchestrated deployments like Kubernetes, Docker Swarm, or even in Github Actions. Look how simple the syntax is:
-
-```yaml
-  certbot:
-    image: serversideup/certbot-dns-cloudflare
-    volumes:
-      - certbot_data:/etc/letsencrypt
-    environment:
-      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
-      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
-      CERTBOT_DOMAINS: "${CERTBOT_DOMAINS}"
-      CERTBOT_KEY_TYPE: "rsa"
-
-  volumes:
-    certbot_data:
-```
-
 ## Resources
 
 - **[Discord](https://serversideup.net/discord)** for friendly support from the community and the team.
@@ -155,4 +173,4 @@ If you appreciate this project, be sure to check out our other projects.
 ### 🌍 Open Source
 - **[AmplitudeJS](https://521dimensions.com/open-source/amplitudejs)**: Open-source HTML5 & JavaScript Web Audio Library.
 - **[Spin](https://serversideup.net/open-source/spin/)**: Laravel Sail alternative for running Docker from development → production.
-- **[Financial Freedom](https://github.com/serversideup/financial-freedom)**: Open source alternative to Mint, YNAB, & Monarch Money.
+- **[Financial Freedom](https://github.com/serversideup/financial-freedom)**: Open source alternative to Mint, YNAB, & Monarch Money.
diff --git a/src/Dockerfile b/src/Dockerfile
@@ -10,7 +10,10 @@ ARG CERTBOT_GID=9999
 ENV CERTBOT_DOMAINS="" \
     CERTBOT_EMAIL="" \
     CERTBOT_KEY_TYPE="ecdsa" \
+    CERTBOT_SERVER="https://acme-v02.api.letsencrypt.org/directory" \
     CLOUDFLARE_API_TOKEN="" \
+    CLOUDFLARE_CREDENTIALS_FILE="/cloudflare.ini" \
+    CLOUDFLARE_PROPAGATION_SECONDS="10" \
     DEBUG=false \
     PUID=0 \
     PGID=0 \

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
@@ -26,7 +26,7 @@ debug_print() {
 
 configure_uid_and_gid() {
     debug_print "Preparing environment for $PUID:$PGID..."
-    
+
     # Handle existing user with the same UID
     if id -u "${PUID}" >/dev/null 2>&1; then
         old_user=$(id -nu "${PUID}")
@@ -107,10 +107,12 @@ run_certbot() {
 
     $certbot_cmd $debug_flag certonly \
         --dns-cloudflare \
-        --dns-cloudflare-credentials /cloudflare.ini \
+        --dns-cloudflare-credentials "$CLOUDFLARE_CREDENTIALS_FILE" \
+        --dns-cloudflare-propagation-seconds "$CLOUDFLARE_PROPAGATION_SECONDS" \
         -d "$CERTBOT_DOMAINS" \
         --key-type "$CERTBOT_KEY_TYPE" \
         --email "$CERTBOT_EMAIL" \
+        --server "$CERTBOT_SERVER" \
         --agree-tos \
         --non-interactive \
         --strict-permissions
@@ -121,13 +123,13 @@ run_certbot() {
     fi
 
     if [ "$REPLACE_SYMLINKS" = "true" ]; then
-      replace_symlinks "/etc/letsencrypt/live";
+        replace_symlinks "/etc/letsencrypt/live"
     fi
 }
 
 validate_environment_variables() {
     # Validate required environment variables
-    for var in CLOUDFLARE_API_TOKEN CERTBOT_DOMAINS CERTBOT_EMAIL CERTBOT_KEY_TYPE; do
+    for var in CLOUDFLARE_API_TOKEN CERTBOT_DOMAINS CERTBOT_EMAIL CERTBOT_KEY_TYPE CERTBOT_SERVER CLOUDFLARE_CREDENTIALS_FILE CLOUDFLARE_PROPAGATION_SECONDS; do
         if [ -z "$(eval echo \$$var)" ]; then
             echo "Error: $var environment variable is not set"
             exit 1
@@ -141,6 +143,11 @@ validate_environment_variables() {
 
 trap cleanup TERM INT
 
+# Ensure backwards compatibility with the old CERTBOT_DOMAIN environment variable
+if [ -n "$CERTBOT_DOMAIN" ] && [ -z "$CERTBOT_DOMAINS" ]; then
+    CERTBOT_DOMAINS=$CERTBOT_DOMAIN
+fi
+
 validate_environment_variables
 
 if ! is_default_privileges; then
@@ -151,12 +158,7 @@ if [ "$REPLACE_SYMLINKS" = "true" ]; then
     configure_windows_file_permissions
 fi
 
-# Ensure backwards compatibility with the old CERTBOT_DOMAIN environment variable
-if [ -n "$CERTBOT_DOMAIN" ] && [ -z "$CERTBOT_DOMAINS" ]; then
-  CERTBOT_DOMAINS=$CERTBOT_DOMAIN
-fi
-
-cat << "EOF"
+cat <<"EOF"
  ____________________
 < Certbot, activate! >
  --------------------
@@ -170,16 +172,22 @@ EOF
 echo "🚀 Let's Get Encrypted! 🚀"
 echo "🌐 Domain(s): $CERTBOT_DOMAINS"
 echo "📧 Email: $CERTBOT_EMAIL"
+echo "🌐 Certbot Server: $CERTBOT_SERVER"
 echo "🔑 Key Type: $CERTBOT_KEY_TYPE"
 echo "⏰ Renewal Interval: $RENEWAL_INTERVAL seconds"
+echo "🕒 DNS Propagation Wait: $CLOUDFLARE_PROPAGATION_SECONDS seconds"
 echo "Let's Encrypt, shall we?"
 echo "-----------------------------------------------------------"
 
 # Create Cloudflare configuration file
-echo "dns_cloudflare_api_token = $CLOUDFLARE_API_TOKEN" > /cloudflare.ini
-chmod 600 /cloudflare.ini
-if ! is_default_privileges; then
-    chown "${PUID}:${PGID}" /cloudflare.ini
+if [ -f "$CLOUDFLARE_CREDENTIALS_FILE" ]; then
+    echo "Using existing Cloudflare credentials file: $CLOUDFLARE_CREDENTIALS_FILE"
+else
+    echo "dns_cloudflare_api_token = $CLOUDFLARE_API_TOKEN" > "$CLOUDFLARE_CREDENTIALS_FILE"
+    chmod 600 "$CLOUDFLARE_CREDENTIALS_FILE"
+    if ! is_default_privileges; then
+        chown "${PUID}:${PGID}" "$CLOUDFLARE_CREDENTIALS_FILE"
+    fi
 fi
 
 # Check if a command was passed to the container
@@ -193,6 +201,12 @@ else
     # Run certbot initially to get the certificates
     run_certbot
 
+    # If RENEWAL_INTERVAL is set to 0, do not attempt to renew certificates and exit immediately
+    if [ "$RENEWAL_INTERVAL" = "0" ]; then
+        echo "Let's Encrypt Renewals are disabled because RENEWAL_INTERVAL=0. Running once and exiting..."
+        cleanup
+    fi
+
     # Infinite loop to keep the container running and periodically check for renewals
     while true; do
         # POSIX-compliant way to show next run time
@@ -202,20 +216,20 @@ else
         echo "Next certificate renewal check will be at ${next_run}"
 
         # Store PID of sleep process and wait for it
-        sleep "$RENEWAL_INTERVAL" & 
+        sleep "$RENEWAL_INTERVAL" &
         sleep_pid=$!
         wait $sleep_pid
         wait_status=$?
 
         # Check if we received a signal (more portable check)
         case $wait_status in
-            0) : ;; # Normal exit
-            *) cleanup ;;
+        0) : ;; # Normal exit
+        *) cleanup ;;
         esac
 
         if ! run_certbot; then
             echo "Error: Certificate renewal failed. Exiting."
             exit 1
         fi
     done
-fi
+fi