NGINX and HTTPS With Let’s Encrypt, Certbot, and Cron: Dockerization in Production
Automatically create and renew website SSL certificates using Let's Encrypt and its client, Certbot. Nginx server dockerization and crontab configuration.
Docker is a popular open-source containerization platform that lets you build your applications the same way in development and in production. In this post, I'm going to walk you through how to build a production-grade, HTTPS-secured Nginx server with Docker, Docker Compose, and Let’s Encrypt (through its client, Certbot). Let’s Encrypt certificates last 90 days and have to be renewed regularly, so I will also show how to script the renewal with crontab inside the Docker container.
1. Basic Example
In development, we need a basic Nginx container without HTTPS so we can set up a local test environment quickly. I use the official Nginx Docker image and wrap everything up with docker-compose.
I choose to use nginx.conf together with a conf.d folder to manage the configuration: nginx.conf holds the generic configuration, while the conf.d folder holds the site-specific configuration, as below.
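The layout described above, written out as an added example (these are not the article's own files): a generic nginx.conf that includes everything under conf.d/, one plain-HTTP site file for local testing, and a docker-compose.yml that mounts all of it read-only into the official image. The host port 8080, the `html/` directory and the `nginx:stable` tag are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code: scaffold the development layout
# (nginx.conf + conf.d/ + docker-compose.yml). Paths and ports are assumptions.
set -eu

write_dev_scaffold() {
  root="$1"
  mkdir -p "$root/conf.d" "$root/html"

  # Generic settings live in nginx.conf; everything under conf.d/ is per-site.
  cat > "$root/nginx.conf" <<'EOF'
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events { worker_connections 1024; }

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;                 # do not advertise the nginx version
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    include /etc/nginx/conf.d/*.conf;  # site-specific configuration
}
EOF

  # A plain HTTP site for local testing; no TLS yet.
  cat > "$root/conf.d/default.conf" <<'EOF'
server {
    listen 80;
    server_name localhost;
    root /usr/share/nginx/html;
    location / { try_files $uri $uri/ =404; }
}
EOF

  printf '<h1>it works</h1>\n' > "$root/html/index.html"

  # Read-only mounts: a compromised container cannot rewrite its own config.
  cat > "$root/docker-compose.yml" <<'EOF'
version: "3"
services:
  nginx:
    image: nginx:stable
    ports:
      - "8080:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./conf.d:/etc/nginx/conf.d:ro
      - ./html:/usr/share/nginx/html:ro
    restart: unless-stopped
EOF
}

# Check the files exist and, when docker is available, let nginx parse them
# (nginx -t) before anything is started.
check_dev_scaffold() {
  root="$1"
  [ -f "$root/nginx.conf" ] && [ -f "$root/conf.d/default.conf" ] \
    && [ -f "$root/docker-compose.yml" ] || return 1
  if command -v docker >/dev/null 2>&1; then
    docker run --rm -v "$root/nginx.conf:/etc/nginx/nginx.conf:ro" \
      -v "$root/conf.d:/etc/nginx/conf.d:ro" nginx:stable nginx -t
  fi
}

# usage: ./dev_scaffold.sh scaffold ./nginx-dev && (cd nginx-dev && docker-compose up)
if [ "${1:-}" = "scaffold" ]; then
  write_dev_scaffold "${2:-./nginx-dev}"
  check_dev_scaffold "${2:-./nginx-dev}"
fi
```

The `nginx -t` pass in `check_dev_scaffold` is worth keeping in the workflow: a syntax error in a conf.d file otherwise only shows up as a container that restarts in a loop.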
2. Configure HTTPS
2.1 Let’s Encrypt
To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a free, automated, and open certificate authority (CA). In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.
The Certbot documentation recommends using certbot-auto, which automates the process of installing Certbot on your system. The certbot-auto wrapper script installs Certbot, obtaining some dependencies from your web server's OS and putting others in a Python virtual environment. You can download and run it as follows. In addition, Certbot needs port 80, so the host firewall should allow incoming traffic on port 80 (HTTP) from anywhere.
```shell
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
```
2.3 Set Up NGINX
We need to configure ports, domain names, certificates, and reverse-proxy mappings for the servers. Here is a quick example taken from my project. It contains two server blocks: one for HTTPS and one for HTTP that redirects to HTTPS.
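An added example of such a site file (not the one from the article's project): a function that writes the two server blocks for a domain into conf.d, plus a few static checks. The HTTP server keeps `/.well-known/acme-challenge/` reachable so that later renewals can be validated through the running nginx instead of needing port 80 free, and everything else is redirected. The certificate paths are where Certbot stores issued certificates; the domain `example.com`, the upstream `http://app:3000` and the `/var/www/certbot` webroot are assumptions.

```shell
#!/bin/sh
# Added example, not the article's configuration: generate conf.d/<domain>.conf
# with an HTTPS server and an HTTP server that answers ACME challenges and
# redirects everything else. Domain, upstream and webroot are assumptions.
set -eu

write_site_conf() {
  domain="$1"     # e.g. example.com
  upstream="$2"   # e.g. http://app:3000 (the reverse-proxied application)
  out="$3"        # e.g. conf.d/example.com.conf

  # Unquoted heredoc: ${domain}/${upstream} expand, \$host etc. stay for nginx.
  cat > "$out" <<EOF
# HTTP: serve ACME HTTP-01 challenges for renewals, redirect everything else.
server {
    listen 80;
    server_name ${domain} www.${domain};

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

# HTTPS: terminate TLS here and reverse-proxy to the application.
server {
    listen 443 ssl http2;
    server_name ${domain} www.${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    # Modern TLS only: no SSLv3, TLS 1.0 or 1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Browsers will use HTTPS only for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass ${upstream};
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Static checks for the mistakes that usually bite: missing key path, no ACME
# location (renewals fail once everything redirects), legacy TLS, no HSTS.
check_site_conf() {
  f="$1"
  grep -q 'ssl_certificate_key /etc/letsencrypt/live/' "$f" || return 1
  grep -q 'acme-challenge' "$f" || return 1
  grep -q 'ssl_protocols TLSv1.2 TLSv1.3;' "$f" || return 1
  grep -q 'Strict-Transport-Security' "$f" || return 1
}

# usage: ./site_conf.sh gen example.com http://app:3000 conf.d/example.com.conf
if [ "${1:-}" = "gen" ]; then
  write_site_conf "$2" "$3" "$4"
  check_site_conf "$4"
fi
```

The ACME location is the piece most often lost when a site is switched to redirect-everything: Certbot's HTTP-01 validation requests `http://<domain>/.well-known/acme-challenge/<token>`, and a 301 to HTTPS on that path is followed by Let's Encrypt but breaks as soon as the HTTPS certificate is the one that has expired.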
2.4 Automatically Renew Certificates
We just need to add the following script to crontab; it runs monthly to check and renew the certificate.
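An added renewal job for cron, not the article's script. `certbot renew` is idempotent and only renews certificates within 30 days of expiry, so the wrapper's real work is to reload nginx after a renewal and to fail loudly when the certificate is still close to expiry afterwards; a renewal that keeps failing silently is how a site ends up serving an expired certificate. The `certbot` binary name (certbot-auto accepts the same sub-commands), the `/var/www/certbot` webroot and the 14-day alert threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script: cron job that renews the site
# certificate, reloads nginx, and exits non-zero if the certificate is still
# close to expiry afterwards. Paths and thresholds are assumptions.
set -eu

CERTBOT="${CERTBOT:-certbot}"              # certbot-auto takes the same sub-commands
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WEBROOT="${WEBROOT:-/var/www/certbot}"     # served by nginx under /.well-known/acme-challenge/
ALERT_DAYS="${ALERT_DAYS:-14}"

# Days until the certificate file $1 expires, from openssl's notAfter field.
# Uses GNU "date -d"; on BSD/macOS substitute "date -j -f".
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  exp=$(date -u -d "$not_after" +%s)
  now=$(date -u +%s)
  echo $(( (exp - now) / 86400 ))
}

# Returns 0 (alert) when fewer than $2 days remain, 1 otherwise.
should_alert() {
  [ "$1" -lt "$2" ]
}

renew_and_check() {
  domain="$1"
  cert="$LIVE_DIR/$domain/fullchain.pem"
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  echo "$stamp $domain: $(days_until_expiry "$cert") days left before renew"

  # Validate HTTP-01 through the running nginx so port 80 need not be free;
  # --deploy-hook runs only when a certificate was actually renewed.
  "$CERTBOT" renew --non-interactive --quiet \
    --webroot -w "$WEBROOT" \
    --deploy-hook "nginx -s reload"

  days=$(days_until_expiry "$cert")
  echo "$stamp $domain: $days days left after renew"
  if should_alert "$days" "$ALERT_DAYS"; then
    echo "$stamp $domain: renewal is not taking effect, investigate" >&2
    return 1      # non-zero exit makes cron report the failure
  fi
}

# crontab entry (daily is cheap: certbot renew is a no-op until the cert is
# within 30 days of expiry):
#   0 3 * * * /usr/local/bin/renew.sh run example.com >> /var/log/certbot-renew.log 2>&1
if [ "${1:-}" = "run" ]; then
  renew_and_check "${2:?domain required}"
fi
```

With the article's monthly schedule the window is tight: a certificate that has 31 days left at one run is not renewed (Certbot's default is 30 days) and has expired by the next, so either run the job daily as in the comment above, or keep the monthly cadence and pass `--force-renewal`, which is rate-limited and not recommended by Let's Encrypt.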
2.5 Wrap It All in Docker
We will need a Dockerfile and docker-compose.yml.
We use network mode host at docker build time so that the build can share the host network. This is quite tricky because the port mappings (80, 443) are not in place yet during the build phase; without host networking, running certbot-auto fails because HTTP port 80 is not reachable.
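An added set of production files (not the article's Dockerfile and docker-compose.yml), with one deliberate difference from the article's approach: the certificate is requested when the container first starts rather than during `docker build`, so the private key lives in a named volume and never in an image layer that ends up in a registry. Host networking still does the job the article describes, giving Certbot a reachable port 80 before any port mapping exists. It assumes the nginx.conf/conf.d layout from section 1, a `renew.sh` in the build context that accepts `run <domain>` (hypothetical), and the `example.com` domain and e-mail placeholders.

```shell
#!/bin/sh
# Added example, not the article's files: write Dockerfile, entrypoint.sh and
# docker-compose.yml for the production container. Certificates are obtained
# at first start, not at build time. Domain/e-mail are placeholders.
set -eu

write_prod_files() {
  root="$1"
  mkdir -p "$root"

  cat > "$root/Dockerfile" <<'EOF'
FROM nginx:stable
# certbot for issuance and renewal, cron to schedule the renewal job
RUN apt-get update \
 && apt-get install -y --no-install-recommends certbot cron \
 && rm -rf /var/lib/apt/lists/* \
 && mkdir -p /var/www/certbot
COPY nginx.conf /etc/nginx/nginx.conf
COPY conf.d/ /etc/nginx/conf.d/
COPY renew.sh entrypoint.sh /usr/local/bin/
RUN chmod 0755 /usr/local/bin/renew.sh /usr/local/bin/entrypoint.sh
EXPOSE 80 443
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
EOF

  cat > "$root/entrypoint.sh" <<'EOF'
#!/bin/sh
# First start: obtain the certificate. nginx is not up yet, so certbot's
# standalone listener can bind port 80, which host networking exposes.
set -eu
DOMAIN="${DOMAIN:?DOMAIN is required}"
EMAIL="${EMAIL:?EMAIL is required}"
if [ ! -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
  certbot certonly --standalone --non-interactive --agree-tos \
    -m "$EMAIL" -d "$DOMAIN" -d "www.$DOMAIN"
fi
# Daily renewal check; output is sent to the container's stdout via PID 1.
echo "0 3 * * * root /usr/local/bin/renew.sh run $DOMAIN >> /proc/1/fd/1 2>&1" \
  > /etc/cron.d/certbot-renew
chmod 0644 /etc/cron.d/certbot-renew
cron
exec nginx -g 'daemon off;'
EOF
  chmod 0755 "$root/entrypoint.sh"

  cat > "$root/docker-compose.yml" <<'EOF'
version: "3"
services:
  nginx:
    build: .
    network_mode: host            # binds host ports 80/443 directly, no port mapping
    environment:
      DOMAIN: example.com         # placeholder: your domain
      EMAIL: admin@example.com    # placeholder: expiry notices go here
    volumes:
      - letsencrypt:/etc/letsencrypt   # keys and certs persist here, not in the image
      - certbot-www:/var/www/certbot   # ACME challenge files for renewals
    restart: unless-stopped
volumes:
  letsencrypt:
  certbot-www:
EOF
}

# usage: ./prod_scaffold.sh scaffold . && docker-compose up --build -d
if [ "${1:-}" = "scaffold" ]; then
  write_prod_files "${2:-.}"
fi
```

Because the `letsencrypt` volume outlives the container, rebuilding the image or restarting the service does not re-trigger issuance, which keeps you clear of Let's Encrypt's duplicate-certificate rate limits; `docker volume rm` is the only thing that does.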
That's it. You're good to go. Contact me if you need the whole source code.
Published at DZone with permission of Kunkka Li. See the original article here.