Implement a valid SSL certificate on an NGINX server running in a Docker container
INTRODUCTION
Securing communication on the world wide web is essential. The purpose of this article is to show you how to deploy free certificates, valid for 90 days and issued by a recognised certificate authority (Let's Encrypt). To do this, we will use Docker, Certbot and Nginx on a Linux server.
I had to deal with this problem when setting up my site ngconsulting.io: I needed a valid SSL certificate to be able to deploy it properly.
Prerequisites
- Point the DNS record of the domain name to be secured at the server. In this article, we will use www.ngconsulting.io as the example.
- Install Docker.
- Install Nginx.
- Make sure that no process is listening on ports 80 or 443 while Certbot runs: in the standalone mode used below, Certbot binds those ports itself, so stop Nginx (for example with systemctl stop nginx) before issuing the certificate and start it again afterwards.
STEP 1 - RECOVER THE CERTIFICATE
We will first use the official Certbot Docker image to obtain a TLS certificate for the subdomain to be secured:
docker run -it --rm --name certbot -p 80:80 -p 443:443 -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly --standalone --email "ntounga@gmail.com" -d "www.ngconsulting.io"
This command launches a container from the Certbot image. Let's go through the parameters, starting with those passed to Docker:
-it tells Docker to attach a terminal so that you can interact with the application. The first time you use it, Certbot asks you to accept the Let's Encrypt terms of service (you can pass --agree-tos to skip that prompt).
--rm deletes the container once its work is finished; the certificates survive because they are written to the mounted directories below.
-p 80:80 -p 443:443 publishes the container's HTTP (80) and HTTPS (443) ports so that Let's Encrypt can reach it and verify that you control the domain. Strictly, only port 80 is required: Certbot's standalone mode only implements the HTTP-01 challenge, which is answered on port 80, so the 443 mapping is harmless but unnecessary.
-v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" bind-mounts into the container the host directories in which Certbot stores certificates, private keys and renewal configuration. Without these parameters, everything Certbot generates would be destroyed along with the container at the end of the run.
certbot/certbot tells Docker which image to run, here the official Certbot image.
The following parameters are those passed directly to Certbot:
certonly tells Certbot that we just want to retrieve a certificate.
--standalone runs the application in standalone mode, i.e. with its own temporary web server (hence the need to publish the HTTP(S) ports of the container, as seen above).
--email allows Let’s Encrypt to have a contact point with the certificate holder and thus send them an email when the certificate expiration date approaches.
-d finally indicates the domain name or subdomain covered by the certificate. Note that you can pass several "-d domain_name" options here if you want a single certificate covering several names; the certificate's directory is then named after the first domain given.
Once the command has completed successfully, you will find the certificate under /etc/letsencrypt/live/www.ngconsulting.io/: fullchain.pem (the certificate followed by the intermediate chain), privkey.pem (the private key), plus cert.pem and chain.pem. These are symlinks to the current versions kept in /etc/letsencrypt/archive, which is what lets renewal swap them in place.
Note that you can also obtain a wildcard certificate covering all the subdomains of a domain by passing "*.ngconsulting.io" to the "-d" option (quote it, or the shell will try to expand the asterisk). Two caveats: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, in which you prove control by publishing a TXT record at _acme-challenge.ngconsulting.io, so the --standalone mode shown above cannot obtain one; use --manual --preferred-challenges dns or one of the certbot/dns-<provider> images that automate the DNS record for your provider. And a wildcard does not cover the bare domain, so add -d "ngconsulting.io" as well if you need it.
STEP 2 - RENEW CERTIFICATES
This step is very simple, just pass the “renew” instruction to Certbot:
docker run -it --rm --name certbot -p 80:80 -p 443:443 -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot renew
This command closely mirrors the previous one; the only change is the "renew" subcommand, which checks every certificate stored under /etc/letsencrypt and renews those whose expiry is approaching, meaning less than 30 days away by default. Two practical points: drop -it when running this from cron, since there is no terminal there; and because --standalone needs port 80, Nginx must be stopped while a renewal actually runs and started (or reloaded) afterwards so that it picks up the new files. Note that --pre-hook and --post-hook commands execute inside the Certbot container, not on the host, so they cannot stop or reload a host-installed Nginx.
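As an added example that is not part of the original article (nor of Certbot), the following Bash script ties STEP 1 and STEP 2 together: it checks that the files Certbot left under /etc/letsencrypt/live actually belong together and how long they remain valid, and it wraps the Docker renew command so that Nginx is stopped only when a renewal is really due (Certbot's 30-day default) and started again afterwards. It assumes Nginx runs on the host as a systemd service and that the script runs as root; the directory layout, the command variables and the self-signed certificate built by self_check are assumptions or constructed test data, not something the article provides.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: sanity checks on a certificate
# issued in STEP 1 and a renewal wrapper around the Docker "certbot renew" call.
# Assumptions (hypothetical): certificates live under /etc/letsencrypt/live/<domain>,
# Nginx runs on the host under systemd, and this script runs as root.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
# Certbot's own default: a certificate is renewed once fewer than 30 days remain.
RENEW_THRESHOLD_DAYS="${RENEW_THRESHOLD_DAYS:-30}"
# No -it here: this is meant to run from cron, where there is no TTY.
# Port 443 is not mapped: the HTTP-01 challenge used by --standalone only needs port 80.
DEFAULT_RENEW_CMD="docker run --rm --name certbot -p 80:80"
DEFAULT_RENEW_CMD="$DEFAULT_RENEW_CMD -v /etc/letsencrypt:/etc/letsencrypt"
DEFAULT_RENEW_CMD="$DEFAULT_RENEW_CMD -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/certbot renew"
RENEW_CMD="${RENEW_CMD:-$DEFAULT_RENEW_CMD}"
NGINX_STOP_CMD="${NGINX_STOP_CMD:-systemctl stop nginx}"
NGINX_START_CMD="${NGINX_START_CMD:-systemctl start nginx}"

# Exit 0 when the certificate expires within $2 days, i.e. renewal is due.
# openssl's -checkend returns 0 only if the cert is still valid after N seconds.
needs_renewal() {
    local cert="$1" days="$2"
    ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Exit 0 when the private key really belongs to the certificate, by comparing the
# public key derived from each. A mismatch makes Nginx refuse to start.
cert_matches_key() {
    local cert="$1" key="$2"
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Print subject, SANs and validity dates for a quick eyeball check.
show_cert() {
    openssl x509 -in "$1" -noout -subject -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}

# Stop Nginx only when a renewal is actually due, run certbot renew, start Nginx
# again. --pre-hook/--post-hook would execute inside the Certbot container, where
# the host's Nginx is not reachable, so the stop/start is done here on the host.
renew_if_due() {
    local domain="$1"
    local cert="$LIVE_DIR/$domain/fullchain.pem"
    if ! needs_renewal "$cert" "$RENEW_THRESHOLD_DAYS"; then
        echo "$domain: more than $RENEW_THRESHOLD_DAYS days left, nothing to do"
        return 0
    fi
    $NGINX_STOP_CMD || return 1
    $RENEW_CMD
    local rc=$?
    $NGINX_START_CMD    # always bring Nginx back, even if the renewal failed
    if [ "$rc" -eq 0 ] && cert_matches_key "$cert" "$LIVE_DIR/$domain/privkey.pem"; then
        return 0
    fi
    return 1
}

# Offline self-test: builds a throwaway self-signed certificate (constructed
# sample data, not a real Let's Encrypt certificate) and exercises the checks.
self_check() {
    local tmp; tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=www.ngconsulting.io" \
        -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" >/dev/null 2>&1 || return 1
    cert_matches_key "$tmp/fullchain.pem" "$tmp/privkey.pem" || return 1
    needs_renewal "$tmp/fullchain.pem" 30 && return 1    # 90 days left: not due
    needs_renewal "$tmp/fullchain.pem" 91 || return 1    # expires within 91 days: due
    rm -rf "$tmp"
}

# Usage: ./certbot-renew.sh www.ngconsulting.io   (for example daily from cron)
if [ "$#" -gt 0 ]; then
    show_cert "$LIVE_DIR/$1/fullchain.pem"
    renew_if_due "$1"
fi
```

Run it daily from cron with the domain as its only argument. certbot renew itself exits quickly when nothing is due, so the openssl pre-check exists purely to avoid stopping Nginx on the days when nothing changes; the key-match check after renewal catches the case where Nginx would refuse to come back up because ssl_certificate and ssl_certificate_key no longer agree.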
STEP 3 - USE OF THE CERTIFICATE WITH NGINX
Now that our certificate is issued, here is what to configure in Nginx to serve HTTPS. The certificate paths must point at the live/ directory created in step 1 (named after the first -d domain), and Nginx reads these files only at startup, so reload it (nginx -s reload) after every renewal. If Nginx itself runs in a Docker container, bind-mount /etc/letsencrypt into that container, since the paths below are resolved inside it.
server {
    listen 443 ssl; # HTTPS port
    server_name www.ngconsulting.io;
    # Use the live/ directory created in step 1, named after the first -d domain
    ssl_certificate /etc/letsencrypt/live/www.ngconsulting.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ngconsulting.io/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3; # do not offer the obsolete TLS 1.0/1.1
    # Your root/location or proxy_pass directives go here, as in the plain HTTP server they replace
}
server {
    listen 80; # HTTP port
    server_name www.ngconsulting.io;
    return 301 https://$host$request_uri; # Automatic redirect to HTTPS
}
CONCLUSION
This article showed how to set up HTTPS with Docker, Certbot and Nginx; the whole process is straightforward once the certificate paths and the renewal cycle are in place.
```
server {
listen 80; # HTTP port
server_name www.ngconsulting.io;
return 301 https://$host$request_uri; # Automatic redirect to HTTPS
}
```
3rd line - the variable is "server_name", and on the 4th line, instead of $host, may it be better to use server_name?
I am stuck, I am getting 404 when I enable SSL! It works fine over http.