From 037a352095aad333551fa54913c6bd8eff0c7f63 Mon Sep 17 00:00:00 2001 From: Alvie Rahman Date: Wed, 4 Aug 2021 21:12:06 +0100 Subject: [PATCH] Create notes on docker + nginx + let's encrypt --- docker_nginx_lets_encrypt.md | 109 +++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100755 docker_nginx_lets_encrypt.md diff --git a/docker_nginx_lets_encrypt.md b/docker_nginx_lets_encrypt.md new file mode 100755 index 0000000..fb7596a --- /dev/null +++ b/docker_nginx_lets_encrypt.md @@ -0,0 +1,109 @@ +--- +author: Alvie Rahman +date: \today +title: Setting Up Nginx and Let's Encrypt in Docker +--- + +# Setting Up Nginx and Let's Encrypt in Docker + +This turned out to be way harder than I thought it would be. +I tried to follow +[this](https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71) +post here but the `init-letsencrypt.sh` script didn't work for me. + +Most of the content here is from that post. + +## Create the Necessary Files + +### `docker-compose.yaml` + +Notice how `certbot`'s `entrypoint` field is commented out? +Yeah, that's one of the things that tripped me up. +When the autorenew entrypoint is specified, you can't perform one of the future steps. + +```yaml +version: '3' + +services: + nginx: + image: nginx:1.15-alpine + ports: + - "80:80" + - "443:443" + volumes: + - ./data/nginx:/etc/nginx/conf.d + - ./data/certbot/conf:/etc/letsencrypt + - ./data/certbot/www:/var/www/certbot + certbot: + image: certbot/certbot + # entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" + volumes: + - ./data/certbot/conf:/etc/letsencrypt + - ./data/certbot/www:/var/www/certbot +``` + +### `data/nginx/app.conf` + +Again, things are commented out in this file. +The SSL section is commented out as Nginx cannot start an SSL server without first having SSL +certificates but certbot won't give us SSL certificates unless we have a webserver (the certbot +Docker image supports hosting a standalone server for this purpose but that would mean changing +around the ports in `docker-compose.yaml`). + +Also the 301 redirect in the port 80 section is commented out as we don't want to immediately +redirect certbot to a https URL we aren't listening for. + +``` +server { + listen 80; + server_name DOMAIN.NAME; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + #return 301 https://$host$request_uri; + proxy_pass http://example.com; + } +} + +# server { +# listen 443 ssl; +# server_name DOMAIN.NAME; +# +# location / { +# # anything you want can go in here, of course +# proxy_pass http://example.com; +# } +# ssl_certificate /etc/letsencrypt/live/DOMAIN.NAME/fullchain.pem; +# ssl_certificate_key /etc/letsencrypt/live/DOMAIN.NAME/privkey.pem; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +# } +``` + +## Set Your Domain + +Run the following command, replacing `REPLACEME` with your domain name: + +``` +sed -i 's/DOMAIN.NAME/REPLACEME/g data/nginx/app.conf' +``` + +## Get Your First Certificates + +Run the following commands: + + docker-compose up -d nginx + docker-compose run certbot certonly --webroot /var/www/certbot + +Enter the information your are prompted for. + +## Enable HTTPS on Nginx and Auto Renew Certificates + +1. Uncomment the commented out server block in `data/nginx/app.conf`. +2. Remove the `proxy_pass` line in the port 80 server block. +3. Uncomment the line starting with `return 301` +4. Restart Nginx (`docker-compose restart nginx`) +5. Uncomment line beginning with `entrypoint` in `docker-compose.yaml`