
@KostyaEsmukov
Last active December 10, 2017 07:29
A recipe for getting Let's Encrypt running in Docker together with nginx.

Let's Encrypt in docker with nginx

Replace myproject and domain.com in the commands below with your own values.

# This folder will hold the actual certificates, private keys and account data
mkdir -p /etc/myproject/letsencrypt/

# This folder will hold the challenge files created by certbot's webroot plugin
mkdir -p /var/myproject/letsencrypt/

# One webroot subfolder per domain
mkdir -p /var/myproject/letsencrypt/domain.com/

Add these volumes to your nginx docker container:

  • -v /etc/myproject/letsencrypt/:/etc/letsencrypt/:ro
  • -v /var/myproject/letsencrypt/:/var/www/certbot/:ro

Add the /.well-known/acme-challenge location to the server block for domain.com (see the attached a sites-enabled.d domain.com.conf file below).

Reload nginx: docker kill -s HUP nginx
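Before requesting a certificate it is worth confirming that nginx really serves files from the mounted webroot, since a wrong root or a missing volume is the usual reason the webroot challenge fails. The following pre-flight check is an added example and not part of the original gist; it assumes the gist's host layout, where /var/myproject/letsencrypt/<domain>/ is what nginx sees as /var/www/certbot/<domain>/, and the ACME_FETCH hook is a hypothetical name used so the fetcher can be swapped for testing.

```shell
#!/bin/sh
# Added pre-flight check for the webroot challenge path (not from the gist).
# Assumes the gist's layout: host /var/myproject/letsencrypt/<domain>/ is served
# by nginx as /var/www/certbot/<domain>/ under /.well-known/acme-challenge.
set -eu

# Command used to fetch the challenge URL; overridable (hypothetical hook name)
# so the check can run without network access.
ACME_FETCH="${ACME_FETCH:-acme_fetch_curl}"

acme_fetch_curl() {
    # -f: non-2xx is a failure, -sS: quiet but report errors, never hang forever
    curl -fsS --max-time 10 "$1"
}

# Drop a throwaway token file exactly where certbot's webroot plugin would.
# Prints the token name. Args: host_webroot domain
acme_place_token() {
    host_webroot=$1; domain=$2
    dir="$host_webroot/$domain/.well-known/acme-challenge"
    mkdir -p "$dir"
    # Random hex token; the file body is the token itself so the HTTP reply
    # can be compared byte for byte.
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s' "$token" > "$dir/$token"
    printf '%s' "$token"
}

# Fetch http://<domain>/.well-known/acme-challenge/<token> and compare it with
# the file we wrote. Returns 0 when nginx serves the file verbatim, 1 otherwise.
# The token file is removed either way. Args: host_webroot domain
acme_preflight() {
    host_webroot=$1; domain=$2
    token=$(acme_place_token "$host_webroot" "$domain")
    path="$host_webroot/$domain/.well-known/acme-challenge/$token"
    url="http://$domain/.well-known/acme-challenge/$token"
    got=$("$ACME_FETCH" "$url" 2>/dev/null || true)
    rm -f "$path"
    if [ "$got" = "$token" ]; then
        printf 'OK: %s served the challenge token\n' "$url"
        return 0
    fi
    printf 'FAIL: %s did not return the token (got: %s)\n' "$url" "${got:-<empty>}" >&2
    return 1
}

# Usage, after nginx has been reloaded with the acme-challenge location:
# acme_preflight /var/myproject/letsencrypt domain.com
```

Run it once per domain you intend to pass with `-d`; a FAIL here means certbot's `certonly --webroot` will fail the same way, and the mounted volume, the `root` directive or DNS is the place to look before retrying (Let's Encrypt rate-limits repeated failed orders).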

Retrieve certificate:

docker run \
    -it --rm \
    -v /etc/myproject/letsencrypt/:/etc/letsencrypt/ \
    -v /var/myproject/letsencrypt/:/var/www/certbot/ \
    certbot/certbot \
    certonly --webroot -w /var/www/certbot/domain.com -d domain.com -d www.domain.com

Back up /etc/myproject/letsencrypt as certbot suggests; it holds your certificates, private keys and account data. More information on why you need to back it up is here.

Add keys to nginx config (see the attached b sites-enabled.d domain.com.conf file below).

Reload nginx: docker kill -s HUP nginx

Now you should be able to reach domain.com via HTTPS.

One thing is left: you need to set up automatic certificate renewal. Here we go:

docker run \
    -d --restart=always \
    --name certbot_renew \
    --log-driver=syslog --log-opt syslog-facility=local5 -v /dev/log:/dev/log \
    -v /etc/myproject/letsencrypt/:/etc/letsencrypt/ \
    -v /var/myproject/letsencrypt/:/var/www/certbot/ \
    --entrypoint sh \
    certbot/certbot \
    -c 'while true; do certbot renew --non-interactive || exit 1; sleep 43200; done'

Update (17-10-16)

Make sure that your nginx server reloads occasionally so that it picks up the fresh certificates generated by certbot. For example, you may add the following entry to your root crontab:

crontab -e
# Reload latest certbot certificates weekly
0 4 * * 1 docker kill -s HUP nginx
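A weekly blind reload works, but it can leave a renewed certificate unused for up to a week and reloads nginx even when nothing changed. The script below, an added example that is not part of the gist, fingerprints the live fullchain.pem and only sends the HUP when the file differs from the last recorded fingerprint. It assumes the gist's host path /etc/myproject/letsencrypt/ and uses a hypothetical state-file location, /etc/myproject/fullchain.cksum.

```shell
#!/bin/sh
# Added example (not from the gist): reload nginx only when the certificate on
# disk actually changed. Assumes the gist's /etc/myproject/letsencrypt/ layout;
# the state-file path below is an assumption, pick any root-owned location.
set -eu

# Fingerprint of a file. cksum is POSIX, so this also works in busybox/alpine.
# Reading via stdin follows the live/ -> archive/ symlink certbot maintains.
cert_fingerprint() {
    cksum < "$1" | cut -d' ' -f1-2
}

# Compare the current fingerprint with the one recorded in the state file.
# Returns 0 (changed) when they differ or no record exists yet, 1 (unchanged)
# otherwise; records the new fingerprint on change. Args: cert_path state_file
cert_changed() {
    cert=$1; state=$2
    now=$(cert_fingerprint "$cert")
    prev=""
    if [ -f "$state" ]; then
        prev=$(cat "$state")
    fi
    if [ "$now" = "$prev" ]; then
        return 1
    fi
    printf '%s\n' "$now" > "$state"
    return 0
}

# Run the reload command only when the certificate changed. Returns the reload
# command's status when it ran, 0 when there was nothing to do.
# Args: cert_path state_file reload_command [args...]
reload_if_renewed() {
    cert=$1; state=$2; shift 2
    if cert_changed "$cert" "$state"; then
        printf 'certificate changed, reloading\n'
        "$@"
        return $?
    fi
    printf 'certificate unchanged, nothing to do\n'
    return 0
}

# Example invocation for the gist's setup (run daily from root's crontab, e.g.
# "30 4 * * * /usr/local/bin/reload-on-renew.sh"):
# reload_if_renewed /etc/myproject/letsencrypt/live/domain.com/fullchain.pem \
#     /etc/myproject/fullchain.cksum docker kill -s HUP nginx
```

Because the state file is written only after a change is detected, a reload that fails (non-zero exit from `docker kill`) still leaves the new fingerprint recorded; if you want a retry on the next run, move the `printf` into the reload path so the state updates only after a successful HUP.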

Update (09-08-17)

certbot/certbot is now the official Docker image, replacing the old quay.io/letsencrypt/letsencrypt:latest. See here: https://certbot.eff.org/docs/install.html#running-with-docker

# a sites-enabled.d domain.com.conf
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    location /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/certbot/domain.com;
    }

    # ... the rest of your config
}

# b sites-enabled.d domain.com.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com www.domain.com;

    # This configuration assumes that you've configured ssl (ciphers, OCSP stapling, session reuse) in the `http` block: https://gist.github.com/KostyaEsmukov/3f1e80db9154887e34b16fbc34b39b84#file-nginx-conf
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # ... the rest of your config
}