Who needs all those paid certificate providers when we have such a brilliant project as Let's Encrypt? It lets a domain owner obtain a valid certificate for their domain in a matter of seconds, without the boring stuff like generating a CSR by hand or sending documents to the certificate authority: the client proves control of the domain automatically (here, by serving a challenge file over plain HTTP). The catch is lifetime. Paid certificates most often have a lifetime of a year; free Let's Encrypt certificates are valid for only 90 days. That is not a problem, though, if the renewal process is automated. And here is how.
Let's assume we are trying to obtain a certificate for awesome-domain.com, with nginx running in the project_nginx_1 container (newer Docker Compose releases name it project-nginx-1; adjust the container name throughout if that is what you see in docker ps).
To keep nginx running while Let's Encrypt verifies the domain, we serve the verification files with nginx itself. The ACME HTTP-01 challenge is fetched from http://awesome-domain.com/.well-known/acme-challenge/<token>, so add the following lines to the port-80 server block for the domain in the nginx config. They must come before any redirect to HTTPS, otherwise the challenge request is redirected and validation fails:
location /.well-known/acme-challenge/ {
    root /var/www/awesome-domain.com;
}
Because root appends the request URI, nginx looks for /var/www/awesome-domain.com/.well-known/acme-challenge/<token>, which is exactly where certbot writes the token when given --webroot-path /var/www/awesome-domain.com.
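A complete pair of server blocks showing where the challenge location sits relative to the HTTPS redirect, and how the HTTPS server references the issued files. This is an added example, not the config from the original post; the upstream name backend and its port 8000 are assumptions (the tutorial only shows a "backend" service in the compose file), and the certificate paths are the ones certbot produces for this domain:

```nginx
# Port 80: answer ACME challenges from the webroot, redirect everything else to HTTPS
server {
    listen 80;
    server_name awesome-domain.com;

    # Must precede the redirect: certbot writes the token here via --webroot-path
    location /.well-known/acme-challenge/ {
        root /var/www/awesome-domain.com;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: serve the site with the Let's Encrypt certificate
server {
    listen 443 ssl;
    server_name awesome-domain.com;

    # live/ contains symlinks into archive/, so the whole /etc/letsencrypt tree must be mounted
    ssl_certificate     /etc/letsencrypt/live/awesome-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/awesome-domain.com/privkey.pem;
    # TLSv1.3 is only enabled when the nginx/OpenSSL build supports it
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # hypothetical upstream: the "backend" service from the compose file, port assumed
        proxy_pass http://backend:8000;
    }
}
```

On the very first run the certificate files do not exist yet and nginx refuses to start with the 443 block in place; keep only the port-80 server until the first certonly run has succeeded, then add the HTTPS server and reload. After that, renewals replace the files behind the symlinks and a reload is all that is needed.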
To obtain the certificate, and later to renew it, use the following command. Comments cannot be placed between backslash-continued lines (the shell would treat everything after the comment as separate commands), so they go above the command; -it is left out so the same command works unattended from cron:
mkdir -p /var/www/awesome-domain.com
docker pull certbot/certbot
# /etc/letsencrypt holds the certificates and renewal config, /var/lib/letsencrypt the working data;
# --volumes-from shares the nginx container's /var/www so the challenge files land where nginx serves them
docker run --rm --name letsencrypt \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    --volumes-from project_nginx_1 \
    certbot/certbot \
    certonly \
    --webroot \
    --webroot-path /var/www/awesome-domain.com \
    --non-interactive \
    --agree-tos \
    --keep-until-expiring \
    -d awesome-domain.com \
    --email support@awesome-domain.com
# SIGHUP makes the nginx master process reload its config and pick up the new certificate files;
# the container keeps running, nothing is restarted
docker kill --signal=HUP project_nginx_1
Note the --keep-until-expiring flag: certbot then only requests a new certificate when the existing one is close to expiry (within 30 days by default) and exits quietly otherwise, so the command is safe to run from a daily cron job. The --renew-by-default flag often seen in older guides is a deprecated alias of --force-renewal and makes certbot request a fresh certificate on every run, which quickly hits the Let's Encrypt rate limit on duplicate certificates (5 per week).
Make sure nginx has access to the required directories. In docker-compose.yml:
nginx:
  restart: unless-stopped
  image: nginx:1.13-alpine
  depends_on:
    - backend
  volumes:
    - /var/www:/var/www
    - /etc/letsencrypt:/etc/letsencrypt
    - ./nginx.conf:/etc/nginx/conf.d/default.conf
  ports:
    - '0.0.0.0:80:80'
    - '0.0.0.0:443:443'
That's it! Now you can point nginx directly at /etc/letsencrypt/live/awesome-domain.com/fullchain.pem and privkey.pem. The live/ directory holds symlinks into archive/, which is why the whole /etc/letsencrypt directory is mounted into nginx rather than just live/. Put the renewal command into a cron job that runs daily (certbot itself decides whether renewal is due) and enjoy your secure experience.
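A cron-ready version of the renewal step, as an added example rather than a script from the original post. It uses the domain, container name and paths from the tutorial; the idea of fingerprinting fullchain.pem before and after certbot runs so that nginx is only reloaded when the certificate actually changed, and validating the nginx config with nginx -t before sending SIGHUP, are this example's own additions:

```shell
#!/bin/sh
# renew-cert.sh: unattended certificate renewal for awesome-domain.com.
# Runs certbot non-interactively and reloads nginx only if the certificate changed.
set -eu

DOMAIN="awesome-domain.com"
NGINX_CONTAINER="project_nginx_1"
WEBROOT="/var/www/$DOMAIN"
LIVE_CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Print a fingerprint of a file (POSIX cksum: CRC and byte count), or "missing" if absent.
# The live/ path is a symlink; -f follows it, so a renewed archive/ file changes the result.
fingerprint() {
    if [ -f "$1" ]; then
        cksum < "$1"
    else
        echo "missing"
    fi
}

# True (exit 0) when the fingerprints taken before and after certbot differ.
cert_changed() {
    [ "$1" != "$2" ]
}

# Same certbot invocation as in the tutorial; --keep-until-expiring makes it a no-op
# unless the certificate is close to expiry, so daily cron runs stay within rate limits.
run_certbot() {
    mkdir -p "$WEBROOT"
    docker run --rm --name letsencrypt \
        -v "/etc/letsencrypt:/etc/letsencrypt" \
        -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
        --volumes-from "$NGINX_CONTAINER" \
        certbot/certbot \
        certonly --webroot --webroot-path "$WEBROOT" \
        --non-interactive --agree-tos --keep-until-expiring \
        -d "$DOMAIN" --email "support@$DOMAIN"
}

# Reload nginx in place with SIGHUP, but only after it has validated the config:
# a reload with a broken config would otherwise fail silently and keep serving the old cert.
reload_nginx() {
    docker exec "$NGINX_CONTAINER" nginx -t
    docker kill --signal=HUP "$NGINX_CONTAINER"
}

main() {
    before=$(fingerprint "$LIVE_CERT")
    run_certbot
    after=$(fingerprint "$LIVE_CERT")
    if cert_changed "$before" "$after"; then
        echo "certificate for $DOMAIN was renewed, reloading nginx"
        reload_nginx
    else
        echo "certificate for $DOMAIN unchanged, nothing to do"
    fi
}

# Run the renewal only when this file is executed as renew-cert.sh (e.g. from cron);
# when it is sourced under another name, only the functions are defined.
case "${0##*/}" in
    renew-cert.sh) main ;;
esac
```

Install it as /usr/local/bin/renew-cert.sh and add a crontab entry such as 0 3 * * * /usr/local/bin/renew-cert.sh >> /var/log/renew-cert.log 2>&1. Because set -e is in effect, a failed certbot run or a failed nginx -t aborts the script with a non-zero exit status, so cron's mail or the log file shows the problem instead of nginx being reloaded into a broken state.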