Securing web services with Let's Encrypt (Docker and Bitnami)
Since I spent some time getting this to work, I am writing my steps down as a personal knowledge base.
One of the most useful Docker containers out there is jwilder's nginx-proxy. There is a companion container for Let's Encrypt which works fine... if you know how to use it. The documentation was (for me) not clear at all, so I am writing the important steps down here.
- Start nginx-proxy, just as documented, but don't forget the network your web services will join (`nginx_default` here). Remember to adjust /path/to/certs: this volume has to point to an existing (empty) directory on the host. It is mounted read-only here because only the companion writes into it. Note that bind-mounting the Docker socket hands the container control of the Docker daemon (effectively root on the host); the `:ro` only makes the socket file itself read-only, it does not restrict what can be sent through it.

```bash
docker run -d -p 80:80 -p 443:443 \
    --name nginx-proxy \
    --net nginx_default \
    -v /path/to/certs:/etc/nginx/certs:ro \
    -v /etc/nginx/vhost.d \
    -v /usr/share/nginx/html \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \
    jwilder/nginx-proxy
```
- Start letsencrypt-nginx-proxy-companion, again just as documented. Adjust /path/to/certs here as well, pointing to the same directory as above, this time read-write, since this is the container that obtains and writes the certificates.

```bash
docker run -d \
    -v /path/to/certs:/etc/nginx/certs:rw \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --volumes-from nginx-proxy \
    --name letsencrypt-nginx-proxy-companion \
    jrcs/letsencrypt-nginx-proxy-companion
```
- Start your web service, setting the correct environment variables and connecting it to the same network (Apache, in this example). In general, VIRTUAL_HOST and LETSENCRYPT_HOST should match. Certificates will only be generated automatically if both are set. Of course, the nginx-proxy started above has to be reachable from the internet under the given host name on port 80 (if not, Let's Encrypt will not be able to verify the domain).

```bash
docker run -d \
    --name example-app \
    --net nginx_default \
    -e "VIRTUAL_HOST=my.domain.tld" \
    -e "LETSENCRYPT_HOST=my.domain.tld" \
    -e "LETSENCRYPT_EMAIL=email@example.com" \
    tutum/apache-php
```
That's the short version. For more detailed documentation, read https://github.com/jwilder/nginx-proxy and https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion.
Of course, this works together in a docker-compose file as well:

```yaml
version: '2'
services:
  your-web-app:
    ...
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    restart: always
    ports:
      - 443:443
      - 80:80
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/certs:/etc/nginx/certs:ro
      - /etc/nginx/vhost.d
      - /usr/share/nginx/html
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-nginx-proxy-companion
    restart: always
    volumes:
      - /path/to/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    volumes_from:
      - nginx-proxy
```
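Most failures with this setup are silent: a host without a certificate, a companion that cannot write into the certs directory, or an `-e` argument with a dropped `=` that Docker accepts without complaint. The following script is an added example, not code from the original post or from either project. It lints the contract described in the steps above (shared certs directory, proxy label, matching VIRTUAL_HOST/LETSENCRYPT_HOST, LETSENCRYPT_EMAIL set, a network shared with the proxy) for both the `docker run` and the docker-compose form, before anything is started. Service definitions are assumed to be dicts shaped like docker-compose services, and the sample data is constructed to mirror the three commands above.

```python
"""Consistency lint for the nginx-proxy + letsencrypt-companion setup above.

Added example, not code from the original post or either project. It checks the
contract the post states over dicts shaped like docker-compose services; the
sample data below is constructed to mirror the post's three `docker run` commands."""
import copy
import re

LABEL = "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
CERT_DIR = "/etc/nginx/certs"
DOCKER_SOCK = "/var/run/docker.sock"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_env(env):
    """Parse docker-style ["KEY=VALUE", ...] into (values, malformed). Entries
    without '=' are malformed: docker accepts them as oddly named empty variables."""
    values, malformed = {}, []
    for item in env:
        key, sep, value = item.partition("=")
        if sep:
            values[key] = value
        else:
            malformed.append(item)
    return values, malformed

def parse_volume(spec):
    """'host:container[:mode]' -> (host, container, mode); a bare path is an
    anonymous volume, and the mode defaults to rw as with docker itself."""
    parts = spec.split(":") + ["rw"]
    return ("", parts[0], "rw") if len(parts) == 2 else tuple(parts[:3])

def find_volume(service, host="", container=""):
    """(host_path, mode) of the first volume matching the host or container path."""
    for h, c, m in map(parse_volume, service.get("volumes", [])):
        if (host and h == host) or (container and c == container):
            return h, m
    return "", ""

def hosts(value):
    """VIRTUAL_HOST and LETSENCRYPT_HOST both accept a comma-separated list."""
    return [h.strip() for h in value.split(",") if h.strip()]

def lint(services, proxy, companion):
    """Return human-readable findings; an empty list means the setup is consistent."""
    out, p, c = [], services[proxy], services[companion]
    # One certs directory for both: the proxy only reads it, the companion writes it.
    p_path, p_mode = find_volume(p, container=CERT_DIR)
    c_path, c_mode = find_volume(c, container=CERT_DIR)
    if not p_path or p_path != c_path:
        out.append("certs: proxy (%s) and companion (%s) must bind-mount the same host "
                   "directory at %s" % (p_path or "none", c_path or "none", CERT_DIR))
    for who, mode, want in (("proxy", p_mode, "ro"), ("companion", c_mode, "rw")):
        if mode and mode != want:
            out.append("certs: %s mount must be :%s, got :%s" % (who, want, mode))
    # The companion finds the proxy by label and writes HTTP-01 challenge files
    # into the proxy's vhost.d/html volumes, hence volumes_from.
    if LABEL not in p.get("labels", {}):
        out.append("proxy: missing label %s" % LABEL)
    if proxy not in c.get("volumes_from", []):
        out.append("companion: volumes_from must include %s" % proxy)
    # Both need the docker socket; :ro protects the socket file, not the daemon API.
    for name, svc in ((proxy, p), (companion, c)):
        if find_volume(svc, host=DOCKER_SOCK)[1] != "ro":
            out.append("%s: docker socket must be bind-mounted :ro" % name)
    # Each application container: env contract plus a network shared with the proxy.
    proxy_nets = set(p.get("networks", []))
    for name, svc in services.items():
        if name in (proxy, companion):
            continue
        env, malformed = parse_env(svc.get("environment", []))
        out += ["%s: malformed environment entry %r (no '=')" % (name, m) for m in malformed]
        vh, lh = hosts(env.get("VIRTUAL_HOST", "")), hosts(env.get("LETSENCRYPT_HOST", ""))
        out += ["%s: %s unset" % (name, var) for var, val in
                (("VIRTUAL_HOST", vh), ("LETSENCRYPT_HOST", lh)) if not val]
        out += ["%s: LETSENCRYPT_HOST %s is not in VIRTUAL_HOST" % (name, h) for h in lh if h not in vh]
        if not EMAIL_RE.match(env.get("LETSENCRYPT_EMAIL", "")):
            out.append("%s: LETSENCRYPT_EMAIL unset or not an address" % name)
        if proxy_nets and not proxy_nets & set(svc.get("networks", [])):
            out.append("%s: shares no network with %s" % (name, proxy))
    return out

# Constructed sample mirroring the post's three `docker run` commands.
GOOD = {
    "nginx-proxy": {"networks": ["nginx_default"], "labels": {LABEL: ""},
                    "volumes": ["/path/to/certs:/etc/nginx/certs:ro", "/etc/nginx/vhost.d",
                                "/usr/share/nginx/html", "/var/run/docker.sock:/tmp/docker.sock:ro"]},
    "letsencrypt-nginx-proxy-companion": {"volumes_from": ["nginx-proxy"], "volumes": [
        "/path/to/certs:/etc/nginx/certs:rw", "/var/run/docker.sock:/var/run/docker.sock:ro"]},
    "example-app": {"networks": ["nginx_default"], "environment": [
        "VIRTUAL_HOST=my.domain.tld", "LETSENCRYPT_HOST=my.domain.tld", "LETSENCRYPT_EMAIL=email@example.com"]},
}
# Same setup with a dropped '=', a host not in VIRTUAL_HOST and a read-only companion mount.
BROKEN = copy.deepcopy(GOOD)
BROKEN["example-app"]["environment"] = ["VIRTUAL_HOST=my.domain.tld", "LETSENCRYPT_HOST=www.domain.tld",
                                        "LETSENCRYPT_EMAILemail@example.com"]
BROKEN["letsencrypt-nginx-proxy-companion"]["volumes"][0] = "/path/to/certs:/etc/nginx/certs:ro"

if __name__ == "__main__":
    for tag, cfg in (("good", GOOD), ("broken", BROKEN)):
        print(tag + ":", lint(cfg, "nginx-proxy", "letsencrypt-nginx-proxy-companion") or "OK")
```

Run it as-is and the `good` configuration reports OK while `broken` lists four findings; to lint a real deployment, build the dicts from your compose file (for instance with a YAML loader) and pass the names of your proxy and companion services.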
The Bitnami stack worked without any problems. Just follow the description given here: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/
It is not as automated as the Docker nginx solution, but it works fine and is quite easy to set up.
I had some problems convincing Apache to redirect automatically from HTTP to HTTPS. Eventually this link helped: https://community.bitnami.com/t/http-https-redirect-not-working/46642/2