https://phoenixnap.com/kb/letsencrypt-docker
You can take a look at my repo here: https://github.com/dobleuber/live-bootcamp-project
events {
    worker_connections 1024;
}

http {
    # Single plain-HTTP virtual host. It carries no server_name, so as the only
    # server on :80 it is the default and answers for any Host header.
    server {
        listen 80;

        # Application traffic. The original Host header and the client address
        # are forwarded so the upstream sees where the request came from.
        location / {
            proxy_pass http://app-service:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # The trailing slash on proxy_pass makes nginx replace the matched
        # /auth/ prefix, so /auth/login reaches auth-service as /login.
        location /auth/ {
            proxy_pass http://auth-service:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
# Reverse proxy in front of the two application services.
nginx:
  # NOTE(review): `latest` is a moving target; pin a specific tag or digest so
  # deploys are reproducible and an upstream image change cannot land silently.
  image: nginx:latest
  ports:
    - "80:80"
    - "443:443"
  volumes:
    # Config comes from the nginx-conf directory copied to the droplet; read-only.
    - ./nginx-conf/nginx.conf:/etc/nginx/nginx.conf:ro
  # depends_on only orders container start; it does not wait for the
  # services to be ready to accept connections.
  depends_on:
    - app-service
    - auth-service
- Modify the file
prod.yml
to copy the nginx configuration
- name: Copy compose.yml and nginx config to droplet
  # NOTE(review): StrictHostKeyChecking=no turns off host-key verification, so a
  # hijacked route or DNS answer for DROPLET_IP would go unnoticed. Ship the
  # droplet's known_hosts entry from a secret (placeholder:
  # secrets.<DROPLET_HOST_KEY>) into ~/.ssh/known_hosts and drop the option.
  # NOTE(review): the root password is passed with -p on the command line
  # (visible in the process list) and -v enables sshpass debug output in the
  # job log. Prefer key-based auth; at minimum use `sshpass -e` with the
  # password in the SSHPASS environment variable and remove -v.
  run: |
    sshpass -v -p ${{ secrets.DROPLET_PASSWORD }} scp -o StrictHostKeyChecking=no compose.yml root@${{ vars.DROPLET_IP }}:~
    sshpass -v -p ${{ secrets.DROPLET_PASSWORD }} scp -r -o StrictHostKeyChecking=no nginx-conf root@${{ vars.DROPLET_IP }}:~
- Add a new location to
nginx
# ACME HTTP-01 challenge files written by certbot in webroot mode. The root
# must be the same directory that compose.yml mounts at /var/www/certbot in
# both the nginx and certbot services.
location /.well-known/acme-challenge/ {
    root /var/www/certbot;
}
- Update the
compose.yml
...
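# Reverse proxy; now also terminates TLS with the certificate certbot obtains.
nginx:
  # NOTE(review): `latest` is a moving target; pin a specific tag or digest so
  # deploys are reproducible and an upstream image change cannot land silently.
  image: nginx:latest
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - ./nginx-conf/nginx.conf:/etc/nginx/nginx.conf:ro
    # nginx only reads the certificates and the challenge files; the certbot
    # service is the sole writer, so both mounts are read-only here
    # (least privilege — a compromised nginx cannot tamper with the key material).
    - ./letsencrypt:/etc/letsencrypt:ro
    - ./certbot-etc:/var/www/certbot:ro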
...
# One-shot ACME client, run on demand with `docker compose run --rm certbot`;
# it is not a long-running service.
certbot:
  # NOTE(review): unpinned tag; pin a specific version or digest.
  image: certbot/certbot
  volumes:
    # Shared with nginx: certbot writes certificates and challenge files here,
    # nginx reads them.
    - ./letsencrypt:/etc/letsencrypt
    - ./certbot-etc:/var/www/certbot
- Deploy these changes.
- Create the folders
certbot-etc
and letsencrypt
before running the next command.
- Create the folders
- Open your droplet by using ssh and run:
# One-off certificate issuance. nginx must be up and serving
# /.well-known/acme-challenge/ from the same directory given as
# --webroot-path (the certbot-etc volume mounted at /var/www/certbot).
docker compose run --rm certbot certonly --webroot --webroot-path=/var/www/certbot -d dobleuber.lat
6. Update the `nginx.conf`
```nginx
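# Plain-HTTP entry point. Once the certificate exists it only answers the ACME
# challenge and redirects everything else to the TLS listener below, so no
# application traffic is proxied in the clear.
server {
    listen 80;
    server_name dobleuber.lat;

    # certbot (webroot mode) writes challenge files here; must match the
    # certbot-etc volume mounted at /var/www/certbot in compose.yml.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect to the configured server_name rather than the client-supplied
    # Host header, so an arbitrary Host cannot steer the redirect elsewhere.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name dobleuber.lat;

    ssl_certificate /etc/letsencrypt/live/dobleuber.lat/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dobleuber.lat/privkey.pem;
    # Disable legacy TLS 1.0/1.1; modern clients negotiate 1.2 or 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): consider adding a Strict-Transport-Security header once the
    # TLS setup has been stable for a while; it is a long-lived commitment.

    # Upstreams receive the original Host, the client address chain and the
    # scheme the client used, so they can tell the request arrived over HTTPS
    # (needed for secure cookies and absolute URLs behind a TLS terminator).
    location / {
        proxy_pass http://app-service:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The trailing slash on proxy_pass strips the /auth/ prefix before forwarding.
    location /auth/ {
        proxy_pass http://auth-service:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}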
- Automate the generation and renewal of the certificates
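# Runs on the droplet after compose.yml and nginx-conf have been copied there.
# NOTE(review): `@master` is a mutable ref — pin to a release tag or a full
# commit SHA (placeholder: <SSH_ACTION_COMMIT_SHA>) so an upstream change to the
# action cannot alter what executes with root access to the host.
name: Deploy and setup SSL
uses: appleboy/ssh-action@master
with:
  host: ${{ vars.DROPLET_IP }}
  # NOTE(review): password login as root; prefer a dedicated, key-based deploy
  # user with only the rights needed to run `docker compose`.
  username: root
  password: ${{ secrets.DROPLET_PASSWORD }}
  script: |
    cd ~
    export AUTH_SERVICE_IP=${{ vars.DROPLET_IP }}
    # Create dirs if they don't exist
    mkdir -p certbot-etc letsencrypt
    # Stop services
    docker compose down
    # Initialize certbot if certificates don't exist
    # NOTE(review): webroot mode needs a server answering on :80, but the
    # stack is down at this point, and the nginx 443 block references cert
    # files that do not exist yet on a fresh host — the first issuance is
    # expected to come from the manual certonly step; confirm before relying
    # on this branch for bootstrap.
    if [ ! -d "/root/letsencrypt/live/dobleuber.lat" ]; then
    docker compose run --rm certbot certonly --webroot -w /var/www/certbot --force-renewal --email [email protected] -d dobleuber.lat --agree-tos
    fi
    # start services first: renewal uses the webroot challenge, which nginx
    # must be running to serve (previously renew ran while the stack was down)
    docker compose pull
    docker compose up -d
    # renew certificates (no-op unless a cert is due), then reload nginx so a
    # renewed certificate is picked up without a restart
    docker compose run --rm certbot renew
    docker compose exec nginx nginx -s reload
    # configure crontab to renew certificates; replace any previous copy of the
    # entry so repeated deploys do not accumulate duplicate jobs
    CRON_JOB="0 12 * * * /usr/bin/docker compose run --rm certbot renew --quiet && /usr/bin/docker compose exec nginx nginx -s reload"
    (crontab -l 2>/dev/null | grep -v -F "certbot renew --quiet"; echo "$CRON_JOB") | crontab -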