Run lego on a schedule rootless, distroless and secure by default!
Let's Encrypt client and ACME library written in Go.
What can I do with this? Run 11notes/distroless:lego rootless and distroless on a schedule to automatically renew all your certificates from a single yml config.
- /lego/etc - Directory of your Let's Encrypt accounts
- /lego/var - Directory of your Let's Encrypt certificates
name: "letsencrypt"
services:
lego:
image: "11notes/lego:4.30.1"
dns:
- "8.8.8.8"
- "9.9.9.9"
read_only: true
environment:
TZ: "Europe/Zurich"
LEGO_CONFIG: |-
domains:
- name: "domain.com"
fqdns:
- "*.domain.com"
- "domain.com"
commands:
- "--dns"
- "rfc2136"
- name: "porkbun.com"
fqdns:
- "*.porkbun.com"
- "porkbun.com"
commands:
- "--dns"
- "porkbun"
global:
LEGO_EMAIL: "info@domain.com"
RFC2136_NAMESERVER: "ns.domain.com"
RFC2136_TSIG_ALGORITHM: "hmac-sha512"
RFC2136_TSIG_KEY: "lego"
RFC2136_TSIG_SECRET: ${RFC2136_TSIG_SECRET}
PORKBUN_SECRET_API_KEY: ${PORKBUN_SECRET_API_KEY}
PORKBUN_API_KEY: ${PORKBUN_API_KEY}
volumes:
- "lego.etc:/lego/etc"
- "lego.var:/lego/var"
networks:
frontend:
restart: "always"
volumes:
lego.etc:
lego.var:
networks:
frontend:To find out how you can change the default UID/GID of this container image, consult the RTFM.
| Parameter | Value | Description |
|---|---|---|
user |
docker | user name |
uid |
1000 | user identifier |
gid |
1000 | group identifier |
home |
/lego | home directory of user docker |
| Parameter | Value | Default |
|---|---|---|
TZ |
Time Zone | |
DEBUG |
Will activate debug option for container image and app (if available) | |
LEGO_CONFIG |
Your config for all your domains, either as a file or inline |
These are the main tags for the image. There is also a tag for each commit and its shorthand sha256 value.
It is my opinion that the :latest tag is a bad habbit and should not be used at all. Many developers introduce breaking changes in new releases. This would messed up everything for people who use :latest. If you don’t want to change the tag to the latest semver, simply use the short versions of semver. Instead of using :4.30.1 you can use :4 or :4.30. Since on each new version these tags are updated to the latest version of the software, using them is identical to using :latest but at least fixed to a major or minor version. Which in theory should not introduce breaking changes.
If you still insist on having the bleeding edge release of this app, simply use the :rolling tag, but be warned! You will get the latest version of the app instantly, regardless of breaking changes or security issues or what so ever. You do this at your own risk!
docker pull 11notes/lego:4.30.1
docker pull ghcr.io/11notes/lego:4.30.1
docker pull quay.io/11notes/lego:4.30.1
Important
This image is not based on another image but uses scratch as the starting layer. The image consists of the following distroless layers that were added:
- 11notes/distroless - contains users, timezones and Root CA certificates, nothing else
- 11notes/distroless:lego
Tip
- Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS and to protect your endpoints
- Use Let’s Encrypt DNS-01 challenge to obtain valid SSL certificates for your services
This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the releases for breaking changes. If you have any problems with using this image simply raise an issue, thanks. If you have a question or inputs please create a new discussion instead of an issue. You can find all my other repositories on github.
created 17.12.2025, 06:34:13 (CET)