Docker, Nginx and HTTPS

To set up https in a docker-nginx-service, follow this tutorial.

To use it, enter our email address and domain name. If NGINX is running in a container other than the one called "nginx", start that container instead of "nginx" wherever needed.

The script mentioned there can be used as-is, as it doesn't do anything harmful. Explanation of the script:

#!/bin/bash

Shebang: tells the system to run the file with bash. Only needed when running it as a script (rather than typing the commands directly into a console)

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

Checks whether docker-compose is installed. Not needed

domains=(example.org www.example.org)
rsa_key_size=4096
data_path="./data/certbot"
email="" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

Sets variables for later use. Important

    • domains = our domain(s)
    • rsa_key_size = size of the RSA key (in general: the larger, the safer, but a larger key also costs more computing time; 2048 would also work)
    • data_path = path to certbot's data; it should be the path declared in docker-compose.yml
    • email = our email address
    • staging: the validation server limits how many certificates may be requested, etc. 0 is the default here. Setting it to 1 can be useful when playing around and expecting to call the server multiple times, since the thresholds are higher in some cases

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

Asks for permission to delete existing certificates and exits if it is not granted. Not needed

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

Checks whether TLS configuration files for nginx already exist; if not, downloads the recommended parameters from the certbot GitHub repository. Not 100% needed, but handy

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1 \
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

Creates a dummy certificate so that nginx can start; the actual certificate is retrieved afterwards. Important

    • docker-compose run runs a service (certbot) once only (so not the whole setup, just this one container)
    • --rm removes the container when it stops
    • --entrypoint specifies the command to execute once the container is up. Here the command is given in quotes right after the flag
    • openssl req -x509 generates a self-signed certificate (here for CN=localhost, valid for one day)

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

Simply starts the nginx container. Important

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

Deletes the intermediate (dummy) certificate again. To do so, the certbot container is run once more as above, with an entrypoint that removes all the certificate files. Important

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

Now the actual certificate is requested. This needs some preparation: first, the domain_args variable is built so that each domain can be appended to the certbot command later as `-d domain`. Not 100% necessary, since we only have one domain

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

Checks whether an email address was given and picks the matching certbot argument. Not needed

# Enable staging mode if needed
if [ "$staging" != "0" ]; then staging_arg="--staging"; fi

Enables staging mode as explained above. Not needed

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

docker-compose command for getting the actual certificate. Important

    • certbot certonly runs certbot so that it only obtains the certificate, without installing it anywhere
    • --webroot makes it possible to obtain the certificate while the server is running (? this one is a little unclear to me)
    • next, all the variables are written into the command
      • --agree-tos agrees to the terms of service
      • --force-renewal renews the certificate even if it has not expired yet (Not sure why it is done, but also not harmful)

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

Reloads nginx. Important
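Once the script has finished, the one thing worth checking is whether nginx is still serving the one-day bootstrap certificate from the dummy step (which happens whenever the certbot request fails). The following check is an added example, not part of the original script or the nginx-certbot project; it assumes openssl is available on the host and the ./data/certbot layout used above.

```shell
#!/bin/bash
# Added check (not part of init-letsencrypt.sh): after the script has run,
# confirm that the certificate under $data_path is a real one and not the
# one-day self-signed '/CN=localhost' dummy created to let nginx start.
# Assumes openssl on the host and the script's ./data/certbot layout.

# Subject or issuer of a PEM certificate, with whitespace removed so that
# old and new openssl versions yield the same form, e.g. "CN=localhost".
cert_name() {  # $1 = PEM file, $2 = subject | issuer
  local out
  out=$(openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253) || return 2
  printf '%s\n' "$out" | tr -d ' ' | sed "s/^$2=//"
}

# 0 if the certificate looks like the script's dummy: issued to CN=localhost
# or self-signed (issuer equals subject). 2 if the file cannot be parsed.
cert_is_dummy() {
  local subject issuer
  subject=$(cert_name "$1" subject) || return 2
  issuer=$(cert_name "$1" issuer)   || return 2
  case "$subject" in *CN=localhost*) return 0 ;; esac
  [ "$subject" = "$issuer" ]
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Inspect the certificate the script leaves for one domain. Prints a verdict
# and returns non-zero when nginx would be serving the dummy or a
# certificate that the renewal container should already have replaced.
check_live_cert() {  # $1 = data_path, $2 = domain
  local pem="$1/conf/live/$2/fullchain.pem"
  [ -f "$pem" ] || { echo "MISSING  $2: no $pem"; return 1; }
  if cert_is_dummy "$pem"; then
    echo "DUMMY    $2: still the bootstrap certificate, certbot did not succeed"
    return 1
  fi
  if ! cert_valid_for_days "$pem" 30; then
    echo "EXPIRING $2: fewer than 30 days left, check the certbot renewal loop"
    return 1
  fi
  echo "OK       $2: issued by $(cert_name "$pem" issuer)"
}

# Example: check_live_cert ./data/certbot example.org
```

Run it with the same data_path and domain as in the script; a "DUMMY" verdict means the certbot step above should be repeated (with staging=1 while debugging).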