How to Set Up letsencrypt with Nginx on Docker

Introduction

Let's Encrypt is a certificate authority that provides users with a simple way to obtain SSL/TLS certificates for their domain free of charge. Using Let's Encrypt to secure an Nginx installation in Docker allows you to utilize the benefits of a containerized server deployment and simplify certificate management.

This article shows how to use Certbot to set up Let's Encrypt on a Nginx server running in Docker.

Prerequisites

• Docker installed.
• Docker Compose installed.
• Administrative access to the system.

Setting up Nginx Webserver with letsencrypt on Docker

Installation of Let's Encrypt certificates on a dockerized Nginx deployment involves:

• Creating a Docker Compose file.
• Adjusting the Nginx server configuration.
• Running the Certbot client.

The steps below describe the most straightforward method to obtain Let's Encrypt certificates.

Step 1: Create Directory

Create a project directory in which to store the Docker Compose file. Use the cd command to navigate to the newly created directory. Execute both commands on a single line:

sudo mkdir letsencrypt && cd letsencrypt

Step 2: Create Docker Compose File

Docker Compose is a tool for creating and running multi-container Docker applications. The docker-compose.yml file defines and configures the containers participating in the deployment.

Create the file with a text editor such as Nano:

nano docker-compose.yml

Next, paste the following code into the file:

version: '3'

services:
  webserver:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./certbot/www/:/var/www/certbot/:ro
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw

Save the file and exit.

The code defines two containers (webserver and certbot) and connects them by mapping them to the /var/www/certbot/ directory. It also provides read and write permissions for the certbot container to allow Certbot to create certificates.

Step 3: Create Configuration File

Before applying the Docker Compose file, configure the Nginx server to allow Certbot to access the files it needs. To achieve this, create a configuration file:

sudo nano /etc/nginx/conf.d/app.conf

Copy and paste the code below, replacing [domain-name] with your actual domain name:

server {
    listen 80;
    listen [::]:80;

    server_name [domain-name] www.[domain-name];
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://[domain-name]$request_uri;
    }
}

Save the file and exit.

The first location block serves the files necessary for Certbot to authenticate the server and create the certificate. The second location block sends the rest of the port 80 HTTP traffic to HTTPS.

Step 4: Run Certbot

With the necessary configuration in place, apply the Docker Compose file with the docker-compose run command. Since Let's Encrypt limits the amount of available free certificates per month, test the command in a dry run first:

docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d [domain-name]

When prompted, enter your email for notices from Let's Encrypt. This step is optional, and you can skip it by typing c and pressing Enter.

Agree to the Terms of Service by typing y and pressing Enter.

Wait for the procedure to finish. If Docker reports no errors, run the command without the --dry-run flag:

docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d [domain-name]

Step 5: Add HTTPS to Nginx Configuration File

Once Certbot authenticates the server, add an HTTPS server block to the configuration file you created earlier. Follow the steps below to edit your Nginx deployment:

1. Open the configuration file:

sudo nano /etc/nginx/conf.d/app.conf

2. Add the following server block to the end of the file. Replace [domain-name] with your actual domain name.

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name [domain-name];

    ssl_certificate /etc/nginx/ssl/live/[domain-name]/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/[domain-name]/privkey.pem;
    
    location / {
    	proxy_pass http://[domain-name];
    }
}

The entire file should look like in the example below.

3. Reload Nginx:

docker-compose restart

Alternatively, if you cannot afford the downtime the command above causes, execute the command below:

docker-compose exec webserver nginx -s reload

Step 6: Renew Certificates

Let's Encrypt certificates last for three months, after which it is necessary to renew them. To renew certificates, execute the following command:

docker-compose run --rm certbot renew

Conclusion

After reading this article, you should know how to set up your dockerized Nginx server to get certified with free Let's Encrypt certificates. The certificates allow you to secure your website or app with an HTTPS connection.

For more tips on how to create a secure website, read our Simple Guide to Website Security.