Automatically generates Let's Encrypt certificates using a lightweight Docker container without requiring any ports to be exposed for DNS challenges.

• DUCKDNS_TOKEN: Duck DNS account token (obtained from Duck DNS) (required)
• DUCKDNS_DOMAIN: Full Duck DNS domain (e.g. test.duckdns.org) (required)
• LETSENCRYPT_DOMAIN: Domain to generate SSL cert for. By default the SSL certificate is generated for DUCKDNS_DOMAIN (optional)
• LETSENCRYPT_WILDCARD: true or false, indicating whether the SSL certificate should be for subdomains only of LETSENCRYPT_DOMAIN (i.e. *.test.duckdns.org), or for the main domain only (i.e. test.duckdns.org) (optional, default: false)
• LETSENCRYPT_EMAIL: Email used for certificate renewal notifications (optional)
• TESTING: true or false, indicating whether a staging SSL certificate should be generated or not (optional, default: false)
• UID: User ID to apply to Let's Encrypt files generated (optional, recommended, default: 0 - root)
• GID: Group ID to apply to Let's Encrypt files generated (optional, recommended, default: 0 - root)

• The DUCKDNS_DOMAIN should already be pointing to the server with a dynamic IP. The maksimstojkovic/duckdns image can be used to automatically update the IP address.
• The format of DUCKDNS_DOMAIN should be <subdomain>.duckdns.org, regardless of the value of LETSENCRYPT_WILDCARD.
• To use LETSENCRYPT_DOMAIN feature, the following DNS records need to be created for ACME authentication (records should not be proxied):

• <certs>:/etc/letsencrypt: A named or host volume which allows SSL certificates to persist and be accessed by other containers

Note: To use the <certs> host volume in another container, mount it as read-only for those containers. The <certs> host volume should be read-write enabled for the Letsencrypt container.