| Field | Value |
|---|---|
| date | 2000-01-01 00:00:00 +0000 |
| title | Certificates |
| author | bradrydzewski |
| weight | 20 |
| separator | true |
| description | Configure server security. |

Drone supports native SSL configuration by mounting certificates into the server container. If your server is public, you should consider using Let's Encrypt.

- Mount your certificate and key into the server container:

  ```
  $ docker run \
    -v /etc/certs/drone.company.com/server.crt:/etc/certs/drone.company.com/server.crt \
    -v /etc/certs/drone.company.com/server.key:/etc/certs/drone.company.com/server.key
  ```

- Configure the path to your certificate and key:

  ```
  $ docker run \
    -e DRONE_TLS_CERT=/etc/certs/drone.company.com/server.crt \
    -e DRONE_TLS_KEY=/etc/certs/drone.company.com/server.key
  ```

- Expose the standard http and https ports:

  ```
  $ docker run \
    -p 80:80 \
    -p 443:443
  ```

Drone supports automated SSL configuration and updates using Let's Encrypt. You can enable Let's Encrypt as follows:

- Enable Let's Encrypt with the following parameter:

  ```
  DRONE_TLS_AUTOCERT=true
  ```

- Ensure the desired hostname is configured:

  ```
  DRONE_SERVER_HOST=domain.com
  DRONE_SERVER_PROTO=https
  ```

- Expose the standard http and https ports:

  ```
  docker run \
    -p 80:80 \
    -p 443:443
  ```

- Mount the certificate cache to the host:

  ```
  docker run \
    -v /var/lib/drone:/data
  ```

Drone caches generated certificates on disk at /data/golang-autocert. This prevents the system from re-requesting certificates on restart. It is best practice to bind mount the /data directory to the host.
Drone uses the official Go acme library, which will handle certificate upgrades. There should be no additional configuration or management required.
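
The steps of both procedures above can be checked mechanically before a deployment. The linter below is an added example, not part of the Drone documentation or code base; the function name `lint_drone_tls`, the finding messages and the `IMAGE` placeholder are assumptions made for illustration, and it only understands the short `-e`, `-v` and `-p` flags used on this page.

```python
import shlex
# Constructed sample: the key path is configured but never mounted, and port 80 is missing.
SAMPLE = r"""docker run \
  -v /etc/certs/drone.company.com/server.crt:/etc/certs/drone.company.com/server.crt \
  -e DRONE_TLS_CERT=/etc/certs/drone.company.com/server.crt \
  -e DRONE_TLS_KEY=/etc/certs/drone.company.com/server.key \
  -p 443:443 IMAGE"""  # IMAGE is a placeholder, not a real image name

def lint_drone_tls(command):
    """Return findings for a `docker run` command line; an empty list means OK."""
    args = shlex.split(command.replace("\\\n", " "))
    env, mounts, ports = {}, [], set()
    for flag, value in zip(args, args[1:]):
        if flag == "-e":
            name, _, val = value.partition("=")
            env[name] = val
        elif flag == "-v":
            parts = value.split(":")
            mounts.append(parts[1] if len(parts) > 1 else parts[0])  # container path
        elif flag == "-p":
            ports.add(value.split(":")[-1].split("/")[0])  # container-side port

    def mounted(path):
        return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)

    cert, key = env.get("DRONE_TLS_CERT"), env.get("DRONE_TLS_KEY")
    autocert = env.get("DRONE_TLS_AUTOCERT") == "true"
    if not (cert or key or autocert):
        return ["no TLS settings found"]
    findings = []
    if bool(cert) != bool(key):
        findings.append("DRONE_TLS_CERT and DRONE_TLS_KEY must be set together")
    for name, path in (("DRONE_TLS_CERT", cert), ("DRONE_TLS_KEY", key)):
        if path and not mounted(path):
            findings.append(f"{name}={path} is not covered by a -v mount")
    if autocert:
        if not env.get("DRONE_SERVER_HOST"):
            findings.append("DRONE_SERVER_HOST is not set")
        if env.get("DRONE_SERVER_PROTO") != "https":
            findings.append("DRONE_SERVER_PROTO is not https")
        if not mounted("/data/golang-autocert"):
            findings.append("/data is not mounted; the certificate cache is lost on restart")
    for port in ("80", "443"):
        if port not in ports:
            findings.append(f"container port {port} is not published")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_drone_tls(SAMPLE)) or "OK")
```

A path counts as mounted when a `-v` target is the path itself or one of its parent directories, so bind mounting `/data` satisfies the check for `/data/golang-autocert`.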