This example compose stack creates and auto-renews Let's Encrypt SSL certificates for nginx without any manual intervention.

- Add the domain in your DNS provider. Most of the time your instance/LB IP is already mapped to the domain.
- Clone this repo.
- Update your domain name in the `.env` file variable `NGINX_HOST`.
- Update your email address in the `.env` file variable `LETSENCRYPT_ALERT_MAIL`.
- Run `./init-letsencrypt.sh` if it is the first time you are creating certs for the domain.
- Then make sure everything is running: `docker-compose ps`
- Now access the httpbin service with the Let's Encrypt certificate: https://myapp.example.com
The following versions are used in this stack:

- Nginx 1.21.1
- Certbot 1.18.0
The key points are:

- The certs volume is shared between nginx and certbot.
- Nginx routes HTTP challenge traffic to the certbot container.
- Nginx routes HTTPS traffic to the upstream service.
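The two server blocks below are an added illustration of those key points, not the config shipped in this repo. They assume the certbot service is reachable as `certbot` on the compose network and answers HTTP-01 challenges in standalone mode on port 80, the upstream is `httpbin:80`, and the shared certs volume is mounted at `/etc/letsencrypt` (the `live/<domain>/` layout is certbot's standard one).

```nginx
# Added example, not the repo's own nginx config.
# Assumed names: service "certbot" (standalone HTTP-01 listener), upstream "httpbin:80",
# shared certs volume mounted at /etc/letsencrypt.

server {
    listen 80;
    server_name myapp.example.com;

    # Only the ACME HTTP-01 path is handed to the certbot container; it listens
    # there just while a certificate is being issued or renewed.
    location /.well-known/acme-challenge/ {
        proxy_pass http://certbot:80;
        proxy_set_header Host $host;
    }

    # Everything else on port 80 is redirected; no app traffic is served in plaintext.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name myapp.example.com;

    # These files live in the volume shared with certbot. The init script first
    # places a self-signed pair here so nginx can start, then certbot replaces it.
    ssl_certificate     /etc/letsencrypt/live/myapp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HTTPS traffic goes to the upstream service.
    location / {
        proxy_pass http://httpbin:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After a renewal the new `fullchain.pem`/`privkey.pem` appear at the same paths, so a reload (or the container restart from the post-renew hook) is all nginx needs to pick them up.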
In `./init-letsencrypt.sh`:

- Nginx first starts with a self-signed certificate.
- Certbot then creates a new certificate from Let's Encrypt.
- Nginx is reloaded.
This certbot setup has a post-renew hook script that restarts the nginx container after the certificate has been renewed.

- You don't get the host machine's docker sock in production, so reload nginx via the certbot renew post-hook.
- If you are on Kubernetes, the init script will not be useful.
- Open port 80 only for Let's Encrypt, not to the entire world.

The idea of the init script comes from https://github.com/wmnnd/nginx-certbot/ . We can say this repo is an improvised version of that.
Author