- docker with docker-compose
- working AWS ECR access
- working Gitlab Container registry access
The dev-setup/ directory contains the development setup. Start it with docker compose:
cd dev-setup/
docker compose up
Assume that you're going to ask for a primary domain dev.example.org with an optional alias www.dev.example.org:
- check that everything works with a --dry-run test (the staging flow runs end to end but no certificate is written):
./certbot.sh certonly -n -d dev.example.org,www.dev.example.org --dry-run
- request the certificate:
./certbot.sh certonly -n -d dev.example.org,www.dev.example.org
This results in the following new files being generated:
conf/live/dev.example.org/cert.pem
conf/live/dev.example.org/chain.pem
conf/live/dev.example.org/fullchain.pem
conf/live/dev.example.org/privkey.pem
These files are now accessible to the nginx frontend as the /etc/letsencrypt/live/dev.example.org folder.
Full certbot commands behind the wrapper script:
- check that everything works with a --dry-run test:
docker compose run certbot certonly \
--agree-tos \
--email info@example.org \
--webroot \
-w /var/www/certbot \
-n \
--dry-run \
-d dev.example.org,www.dev.example.org
- request the certificate:
docker compose run certbot certonly \
--agree-tos \
--email info@example.org \
--webroot \
-w /var/www/certbot \
-n \
-d dev.example.org,www.dev.example.org
[+] Building 0.0s (0/0) docker:default
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for dev.example.org and www.dev.example.org
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dev.example.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/dev.example.org/privkey.pem
This certificate expires on 2024-01-28.
These files will be updated when the certificate renews.
For each new site that has its own certificate and serves HTTPS, also generate a dhparam file. It is only used for DHE key exchange (modern clients normally negotiate ECDHE), but the server block below references it, so nginx refuses to start if the file is missing. Simplified command:
./certbot-dhparam.sh dev.example.org
Full command (the certbot image is reused with its entrypoint overridden, so openssl runs inside the container and writes next to the certificate):
docker compose run --entrypoint= certbot \
openssl \
dhparam \
-out /etc/letsencrypt/live/dev.example.org/dhparam.pem \
2048
The steps above yield the final TLS-enabled server block for the site:
server {
    include "extra/listening-port-https.conf";
    server_name dev.example.org www.dev.example.org
                dev.example.lan.local www.dev.example.lan.local;
    ##################################################
    # SSL/TLS
    include "extra/tls-common.conf";
    ssl_certificate "/etc/letsencrypt/live/dev.example.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/dev.example.org/privkey.pem";
    # chain used to verify the stapled OCSP response
    ssl_trusted_certificate "/etc/letsencrypt/live/dev.example.org/chain.pem";
    ssl_dhparam "/etc/letsencrypt/live/dev.example.org/dhparam.pem";
    # ocsp stapling
    include "extra/tls-ocsp-stapling.conf";
    # hsts
    include "extra/tls-hsts.conf";
    ##################################################
}
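A sanity check to run against conf/live/dev.example.org/ before reloading nginx, as an added example that is not part of the dev-setup repository: it confirms that every file the server block references exists, that privkey.pem is readable by its owner only, that fullchain.pem and privkey.pem belong to each other, that every public server_name is covered by the certificate's Subject Alternative Name, and that the certificate is not already inside certbot's 30-day renewal window. The conf/ mount path is taken from the file list above; the script name check-cert.sh and the CONF_DIR variable are assumptions.

```shell
#!/bin/sh
# check-cert.sh - sanity-check a certbot "live" directory before reloading nginx.
# Added example, not part of the dev-setup repository. Assumes the certbot volume is
# mounted at conf/ as shown on this page (conf/live/<domain>/ == /etc/letsencrypt/live/<domain>/).

CONF_DIR="${CONF_DIR:-conf}"

# check_layout DIR: every file the nginx server block references must exist and be
# non-empty, and privkey.pem must be readable by its owner only. Returns 0 if clean.
check_layout() {
  dir="$1"
  rc=0
  for f in cert.pem chain.pem fullchain.pem privkey.pem dhparam.pem; do
    [ -s "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
  done
  if [ -f "$dir/privkey.pem" ]; then
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$dir/privkey.pem" 2>/dev/null || stat -f '%Lp' "$dir/privkey.pem")
    case "$mode" in
      600|400) ;;
      *) echo "INSECURE: $dir/privkey.pem has mode $mode, expected 600"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# check_keypair DIR: the public key inside fullchain.pem must equal the public key
# derived from privkey.pem, otherwise nginx rejects the pair at startup.
check_keypair() {
  dir="$1"
  cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_san DIR NAME...: each name must appear as a DNS entry in the certificate's
# Subject Alternative Name. nginx serves a name mismatch happily; browsers do not.
check_san() {
  dir="$1"
  shift
  rc=0
  # trailing comma so the last entry matches the same "DNS:name," pattern
  san="$(openssl x509 -in "$dir/fullchain.pem" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | tail -n 1),"
  for name in "$@"; do
    case "$san" in
      *"DNS:$name,"*) ;;
      *) echo "NOT IN SAN: $name"; rc=1 ;;
    esac
  done
  return "$rc"
}

# check_not_expiring DIR DAYS: 0 if the certificate is still valid DAYS from now.
# Let's Encrypt certificates live 90 days and certbot renews at 30, so a failure
# with DAYS=30 means renewal is overdue.
check_not_expiring() {
  openssl x509 -in "$1/fullchain.pem" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_site DOMAIN [ALIAS...]: run all checks for one site, e.g.
#   ./check-cert.sh dev.example.org www.dev.example.org
check_site() {
  dir="$CONF_DIR/live/$1"
  status=0
  check_layout "$dir" || status=1
  check_keypair "$dir" || { echo "KEY MISMATCH: $dir/fullchain.pem vs privkey.pem"; status=1; }
  check_san "$dir" "$@" || status=1
  check_not_expiring "$dir" 30 || { echo "EXPIRING: $dir/fullchain.pem within 30 days"; status=1; }
  return "$status"
}

if [ "$#" -gt 0 ]; then
  check_site "$@"
fi
```

Only the public names are passed to the check. The .lan.local aliases in the server block are not in the Let's Encrypt certificate (a public CA will not issue for them), so clients reaching the site under those names get a certificate name mismatch until a locally trusted certificate covers them.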
TODO
- mkcert :: tool for easy creation of trusted development certificates
- mkcert usage example