Sample config files to demonstrate a setup that creates and updates free SSL certificates from Let's Encrypt, given that the domains are maintained at the CloudFlare service.

Certbot verifies domain ownership by calling the CloudFlare API to add temporary TXT DNS records. To enable this you must provide your CloudFlare API token. More details are in the documentation for the dns-cloudflare Certbot plugin.

Certbot saves the created certificates in the Docker volume `certbot_etc`. Pay attention to the output of the certbot run: it mentions the path to the created certificates.
- Set up docker, docker-compose, domains and nginx: make your website work via plain HTTP.
- Run `docker-compose run certbot` to create the certificates. It will wait for 60 seconds in the middle. Note the output of the command: it will contain the actual paths to the certificates.
- Update `nginx.conf` to use the right paths to the certificates.
- `ssl-dhparams.pem` (Diffie-Hellman parameters) is like a cryptographic "salt", required by some algorithms. Copy that file from somewhere or generate one with the command `openssl dhparam -out ssl-dhparams.pem 2048` (that will take some minutes). Copy the file into the `certbot_etc` volume with a command similar to `docker cp ./ssl-dhparams.pem my_app_nginx_1:/etc/letsencrypt/ssl-dhparams.pem`, supposing the running NGINX container name is "my_app_nginx_1" (check with `docker ps`).
- Test if the NGINX config is OK: `docker-compose exec nginx nginx -t`
- Make NGINX reload the updated config: `docker-compose exec nginx nginx -s reload`
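The steps above, together with the credentials-file caveat for the dns-cloudflare plugin, as an added shell helper that is not part of the gist. It checks that the Cloudflare token file is private before certbot is run, extracts the certificate paths from certbot's output instead of copying them by hand, and writes them into the `ssl_*` directives of an nginx config. The container steps are kept in a function the reader runs explicitly. The certbot output and the nginx config snippet are constructed sample input; the container name `my_app_nginx_1` and the path `/etc/letsencrypt/ssl-dhparams.pem` are taken from the gist, and the function names are this example's own.

```shell
#!/bin/sh
# Added helper script (not part of the gist). It does three things the gist
# asks the reader to do by hand: check the Cloudflare credentials file is
# private, pull the certificate paths out of certbot's output, and write
# them into nginx's ssl_* directives. The docker steps are kept in a
# function that is only run when the reader calls it explicitly.
set -eu

# The dns-cloudflare plugin reads the API token from an ini file
# (dns_cloudflare_api_token = ...). That file should be mode 600 so other
# users on the host cannot read the token; certbot warns if it is wider.
# Returns 0 when only the owner can read it.
credentials_mode_ok() {
    # $1 = path to cloudflare.ini
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ] || [ "$mode" = "r--------" ]
}

# Extract one path from certbot's output. Certbot prints lines of the form
# "... saved at: <path>"; only that phrase and the file name are relied on,
# because the wording before it differs between certbot versions.
cert_path_from_output() {
    # $1 = certbot output text, $2 = file name (fullchain.pem or privkey.pem)
    printf '%s\n' "$1" | grep -i 'saved at:' | grep "/$2" | head -n 1 \
        | sed -e 's/.*saved at:[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Rewrite the ssl_certificate, ssl_certificate_key and ssl_dhparam directives
# of an nginx config (passed as text) to point at the given files.
render_nginx_ssl() {
    # $1 = nginx.conf text, $2 = fullchain path, $3 = privkey path, $4 = dhparam path
    printf '%s\n' "$1" | sed \
        -e "s|^\([[:space:]]*ssl_certificate[[:space:]][[:space:]]*\).*;|\1$2;|" \
        -e "s|^\([[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\).*;|\1$3;|" \
        -e "s|^\([[:space:]]*ssl_dhparam[[:space:]][[:space:]]*\).*;|\1$4;|"
}

# The gist's container steps in order. Not called below; run it on the host
# once nginx.conf has been updated. $1 = nginx container name (see docker ps),
# $2 = local ssl-dhparams.pem, generated here if missing (takes minutes).
apply_to_containers() {
    [ -f "$2" ] || openssl dhparam -out "$2" 2048
    docker cp "$2" "$1:/etc/letsencrypt/ssl-dhparams.pem"
    docker-compose exec nginx nginx -t          # validate before reloading
    docker-compose exec nginx nginx -s reload
}

# Constructed sample input, shaped like certbot's output and the gist's nginx.conf.
sample_certbot_output='Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2099-01-01.'

sample_nginx_conf='server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/CHANGEME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/CHANGEME/privkey.pem;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
}'

# Offline demonstration: resolve the paths and print the updated config.
fullchain=$(cert_path_from_output "$sample_certbot_output" fullchain.pem)
privkey=$(cert_path_from_output "$sample_certbot_output" privkey.pem)
render_nginx_ssl "$sample_nginx_conf" "$fullchain" "$privkey" /etc/letsencrypt/ssl-dhparams.pem
```

In real use, capture the certbot run with `docker-compose run certbot 2>&1 | tee certbot.log`, feed the log to `cert_path_from_output`, write the rendered config back to `nginx.conf`, and only then call `apply_to_containers my_app_nginx_1 ./ssl-dhparams.pem`. Running `credentials_mode_ok` on the ini file before the certbot step keeps the API token from being readable by other accounts on the host.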
@red-avtovo You are welcome. This gist is quite outdated by now.
CloudFlare has introduced API Tokens to replace the less secure global API Key. It is better to create a token using the `Zone:DNS:Edit` template. The NGINX config file is not required at all in the certbot container. Thanks for spotting! Will remove.