This is an answer to https://twitter.com/developius/status/892470102632923136 about his SSL with Docker Swarm, Let's Encrypt and Nginx blog post and a way to not kill Nginx for certificate generation/renewal.
(from what I read in the blog post)
- Docker hosts have a
/etc/letsencrypt
directory so that certificates are on the host and not on the container. - Docker hosts have a
/var/lib/letsencrypt
shared copy of the and a (docker run certbot
could also re-use containers'/var/lib/letsencrypt
volumes.
I use /var/lib/letsencrypt/webroot/
as a place for the certbot
Webroot plugin (--webroot
) to store ACME Challenges, which are
then served by Nginx server for "/.well-known/acme-challenge/xxxxxxxxx" HTTP requests only.
Because, certbot
's Webroot plugin only need an HTTP (not HTTPS) server to chat with about ACME Challenges, for new domains, I
first start Nginx with only the HTTP (port 80) server
: the HTTPS (port 443) server
block is commented, then run the
certbot certonly --webroot
command.
Once first certificate has been issued, I can enable the HTTPS (port 443) server
and reload Nginx.
Future certificate renewal (certbot renew --webroot
) part is untouched (same as blog post).
how to add load balancing using upstream ?