This repo is a tutorial on how to set up Let's Encrypt certificates on an nginx container.

docker-compose.yaml

```yaml
version: "3"
services:
  nginx:
    image: nginx
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/azure/tests/site-files:/usr/share/nginx/html
      - /home/azure/tests/nginx/default.conf:/etc/nginx/conf.d/default.conf
      - /home/azure/tests/nginx/ssl-params.conf:/etc/ssl/ssl-params.conf
      - /home/azure/tests/nginx/dhparam.pem:/etc/ssl/certs/dhparam.pem
      - /home/azure/tests/letsencrypt/etc:/etc/letsencrypt
```
volumes

- /home/azure/tests/site-files:/usr/share/nginx/html
  Website files are stored here.
- /home/azure/tests/nginx/default.conf:/etc/nginx/conf.d/default.conf
  This is the nginx configuration file.
- /home/azure/tests/nginx/ssl-params.conf:/etc/ssl/ssl-params.conf
  These are the SSL settings.
- /home/azure/tests/nginx/dhparam.pem:/etc/ssl/certs/dhparam.pem
  This is a file containing Diffie-Hellman parameters used in the SSL/TLS handshake. The contents have been redacted.
- /home/azure/tests/letsencrypt/etc:/etc/letsencrypt
  Let's Encrypt will store certificates and logs here.
All instances of example.com need to be replaced with your domain name.

Use the command below to create a certificate in Let's Encrypt's staging environment, to avoid rate limits while testing. The webroot challenge works here because the host directory /home/azure/tests/site-files is mounted both as the nginx document root and as certbot's webroot, so nginx serves the validation files certbot writes under /.well-known/acme-challenge/.
```shell
docker run -it --rm \
  -v "/home/azure/tests/letsencrypt/etc:/etc/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/lib:/var/lib/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/log:/var/log/letsencrypt" \
  -v "/home/azure/tests/site-files:/data/letsencrypt" \
  certbot/certbot \
  certonly --webroot \
  --register-unsafely-without-email --agree-tos --no-eff-email \
  --webroot-path=/data/letsencrypt \
  --staging \
  -d example.com -d www.example.com
```
Once you are done testing, use this command to issue the production certificate.
```shell
docker run -it --rm \
  -v "/home/azure/tests/letsencrypt/etc:/etc/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/lib:/var/lib/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/log:/var/log/letsencrypt" \
  -v "/home/azure/tests/site-files:/data/letsencrypt" \
  certbot/certbot \
  certonly --webroot \
  --email test@gmail.com --agree-tos --no-eff-email \
  -d example.com -d www.example.com
```
Set up a cron job that runs this command to automate renewals. Note that nginx reads certificate files only at start-up or on reload, so after a renewal the nginx container must be reloaded before the new certificate is served.
```shell
docker run --rm \
  --name certbot \
  -v "/home/azure/tests/letsencrypt/etc:/etc/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/lib:/var/lib/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/log:/var/log/letsencrypt" \
  -v "/home/azure/tests/site-files:/data/letsencrypt" \
  certbot/certbot renew --webroot -w /data/letsencrypt
```
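A cron-friendly wrapper for the renewal step above, added here as an example and not part of the original repo: it fingerprints the live certificate before and after `certbot renew`, and reloads nginx only when the file actually changed. It assumes the host paths from docker-compose.yaml (with the compose file in /home/azure/tests), a compose service named `nginx`, `docker compose` v2, and example.com as the primary domain; all of these are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not the repo's own script): cron-friendly renewal that reloads nginx only
# when certbot actually replaced the certificate. Assumes the host paths of docker-compose.yaml
# above (in /home/azure/tests), a compose service named "nginx", and primary domain example.com.
set -e
LE_ROOT="${LE_ROOT:-/home/azure/tests/letsencrypt}"
WEBROOT="${WEBROOT:-/home/azure/tests/site-files}"
COMPOSE_DIR="${COMPOSE_DIR:-/home/azure/tests}"
DOMAIN="${DOMAIN:-example.com}"

# SHA-256 of a certificate file; prints nothing if the file does not exist yet.
cert_fingerprint() {
  if [ -f "$1" ]; then
    sha256sum "$1" | cut -d ' ' -f 1
  fi
}

# True (exit 0) when the fingerprints differ, i.e. certbot wrote a new certificate.
cert_changed() {
  [ "$1" != "$2" ]
}

# Days until the certificate expires (needs openssl and GNU date); a post-renewal check.
days_until_expiry() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d '=' -f 2)
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

renew_and_reload() {
  live="$LE_ROOT/etc/live/$DOMAIN/fullchain.pem"
  before=$(cert_fingerprint "$live")
  docker run --rm --name certbot \
    -v "$LE_ROOT/etc:/etc/letsencrypt" -v "$LE_ROOT/lib:/var/lib/letsencrypt" \
    -v "$LE_ROOT/log:/var/log/letsencrypt" -v "$WEBROOT:/data/letsencrypt" \
    certbot/certbot renew --webroot -w /data/letsencrypt
  after=$(cert_fingerprint "$live")
  if cert_changed "$before" "$after"; then
    # nginx reads certificate files only at start or reload, so the renewed
    # certificate is not served until the container reloads its configuration.
    (cd "$COMPOSE_DIR" && docker compose exec nginx nginx -s reload)
    echo "renewed and reloaded; $(days_until_expiry "$live") days until expiry"
  else
    echo "certificate unchanged"
  fi
}
# Renew only when invoked as "renew.sh renew" (e.g. from cron); sourcing just defines functions.
if [ "${1:-}" = "renew" ]; then
  renew_and_reload
fi
```

A crontab entry such as `0 3 * * * /home/azure/tests/renew.sh renew` runs it nightly; certbot itself only replaces the certificate when it is close to expiry, so the reload happens roughly once every two months.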
To set up a wildcard cert, we have to use the DNS challenge. With the --manual flag, certbot prints the TXT record it expects and waits for you to create it by hand, so this certificate cannot be renewed automatically: we have to run the command below again when we want to renew.
staging

```shell
docker run -it --rm \
  -v "/home/azure/tests/letsencrypt/etc:/etc/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/lib:/var/lib/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/log:/var/log/letsencrypt" \
  certbot/certbot \
  certonly \
  --manual \
  --preferred-challenges=dns \
  --register-unsafely-without-email --agree-tos --no-eff-email \
  --staging \
  -d '*.example.com'
```
prod

```shell
docker run -it --rm \
  -v "/home/azure/tests/letsencrypt/etc:/etc/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/lib:/var/lib/letsencrypt" \
  -v "/home/azure/tests/letsencrypt/log:/var/log/letsencrypt" \
  certbot/certbot \
  certonly \
  --manual \
  --preferred-challenges=dns \
  --email test@gmail.com --agree-tos --no-eff-email \
  -d '*.example.com'
```
Follow this if you are using wildcard certificates on Azure and would like the DNS challenge to be performed automatically. Run the script below to add the required TXT record in Route 53 (R53) automatically; the certbot-dns-route53 plugin needs AWS credentials with permission to change records in the domain's hosted zone.
```shell
# Set up a virtual environment and install certbot together with the Route 53 plugin
apt install python3.8-venv -y
python3 -m venv venv
source venv/bin/activate
pip install certbot certbot-dns-route53

# Request a certificate using DNS validation. The needed TXT record is created
# automatically in R53 using the AWS credentials available to the shell
# (e.g. ~/.aws/credentials or the AWS_* environment variables).
certbot certonly --dns-route53 \
  --email admin@example.com --agree-tos --no-eff-email \
  -d '*.example.com'
```