Let's encrypt with Nginx

In this article, I will share the way of using nginx, let’s encrypt and docker/docker-compose to deploy ssl with automatically cert-renew.

Let’s Encrypt + Nginx + Docker

is a web server that I used to replace . Since I have to deploy my application which will provide SSL connection through the internet, I utilize Let’s Encrypt, a that provides free for (TLS) encryption.

Apart from that, docker and docker-compose will be used to setup my environment which is really really convenient tools for deployment. I guess you should already know what this items are so I am not going to explain how to use these tools here.

Given the directory structure like this:

/
|- certs
|- certs-data
|- conf.d
|- log
    |- renew
    |- nginx
|- www

Nginx

Create a docker-compose.yml file under root directory.

version: '3'
services:
  nginx:
    container_name: nginx
    image: nginx:latest
    restart: always
    volumes:
      - ./www:/usr/share/nginx/html
      - ./conf.d:/etc/nginx/conf.d
      - ./log:/var/log/nginx
      - ./certs:/etc/letsencrypt
      - ./certs-data:/var/lib/letsencrypt
    environment:
    TZ: Asia/Hong_Kong
    ports:
      - 80:80
      - 443:443

Configure files for Nginx

Create and configure Nginx configure in cond.d directory.

You can apply proxy_pass in location if you need.

Configure 1

normal.conf

server {
    listen       80;
    server_name  <url>;

    #charset koi8-r;
    access_log  /var/log/nginx/host.access.log  main;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root     /data/letsencrypt;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Configure 2

ssl.conf

server {
    listen      443           ssl http2;
    listen [::]:443           ssl http2;
    server_name               <url>;

    ssl                       on;

    add_header                Strict-Transport-Security "max-age=31536000" always;

    ssl_session_cache         shared:SSL:20m;
    ssl_session_timeout       10m;

    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";

    ssl_stapling              on;
    ssl_stapling_verify       on;
    resolver                  8.8.8.8 8.8.4.4;

    ssl_certificate           /etc/letsencrypt/live/<url>/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/<url>/privkey.pem;
    ssl_trusted_certificate   /etc/letsencrypt/live/<url>/chain.pem;

    access_log                /dev/stdout;
    error_log                 /dev/stderr info;

    # other configs
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

}

Let's Encrypt

Sign Cert

Navigate to the root directory and run the following command to sign the certificate from Let’s Encrypt.

sudo docker run -it --rm \
    -v $PWD/certs:/etc/letsencrypt \
    -v $PWD/certs-data:/var/lib/letsencrypt deliverous/certbot certonly\
    --webroot --webroot-path=/var/lib/letsencrypt -d <domain>

Note! You have to use full path in Volume Mirror

Renew

If you want to automatically renew the cert, you can use crontab to do the schedule job. You can use contab -e to do the job but this will only apply in the user-level. I would recommend you to do this in system-level — edit the config directly in /etc/crontab.

You can use following script to schedule the task. it will run every 15 days.

Note! Cert can only be renewed within last 30 days.

0 0 */15 * * docker run -it --rm -v /root/nginx/certs:/etc/letsencrypt -v /root/nginx/certs-data:/var/lib/letsencrypt -v /root/nginx/letsencryptlog:/var/log/letsencrypt deliverous/certbot renew --webroot --webroot-path=/var/lib/letsencrypt >> renew_log.log &&  docker kill -s HUP nginx >/dev/null 2>&1

References

PreviousReverse SSH NextMiniconda

Last updated 5 years ago