Securing web services with Let's Encrypt (Docker and Bitnami)

As I spent some time trying to get this to work, I am writing my steps down here as a personal knowledge base.

Docker

One of the most useful Docker containers out there is jwilder's nginx-proxy. There is a companion container for Let's Encrypt which works fine... if you know how to use it. The documentation was (for me) not clear at all, so I'll try to write the important steps down here.

  1. Start nginx-proxy, just as documented, but don't forget the network your web services will join. Remember to adjust /path/to/certs, this volume has to point to an existing (empty) directory.
docker run -d -p 80:80 -p 443:443 \
    --name nginx-proxy \
    --net nginx_default \
    -v /path/to/certs:/etc/nginx/certs:ro \
    -v /etc/nginx/vhost.d \
    -v /usr/share/nginx/html \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \
    jwilder/nginx-proxy
  2. Start letsencrypt-nginx-proxy-companion, also just as documented there. Adjust /path/to/certs here as well, pointing to the same directory as above.
docker run -d \
    -v /path/to/certs:/etc/nginx/certs:rw \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --volumes-from nginx-proxy \
    --name letsencrypt-nginx-proxy-companion \
    jrcs/letsencrypt-nginx-proxy-companion
  3. Start your web service, setting the correct environment variables and connecting it to the same network (Apache, in this example). In general, VIRTUAL_HOST and LETSENCRYPT_HOST should match. Certificates will only be generated automatically if both LETSENCRYPT_HOST and LETSENCRYPT_EMAIL are set.
    Of course, the nginx-proxy started above has to be reachable under the given hostname (if not, Let's Encrypt will not be able to verify the domain).
docker run -d \
    --name example-app \
    --net nginx_default \
    -e "VIRTUAL_HOST=my.domain.tld" \
    -e "LETSENCRYPT_HOST=my.domain.tld" \
    -e "LETSENCRYPT_EMAIL=my@valid.email" \
    tutum/apache-php

That's the short version. For more detailed documentation, read https://github.com/jwilder/nginx-proxy and https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion.

Of course, this works in a docker-compose file as well.

version: '2'
services:
  your-web-app:
    ...
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    restart: always
    ports:
    - 443:443
    - 80:80
    volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /path/to/certs:/etc/nginx/certs:ro
    - /etc/nginx/vhost.d
    - /usr/share/nginx/html
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-nginx-proxy-companion
    restart: always
    volumes:
    - /path/to/certs:/etc/nginx/certs:rw
    - /var/run/docker.sock:/var/run/docker.sock:ro
    volumes_from:
    - nginx-proxy
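A few sanity checks for the setup above (both the docker run and the docker-compose form), as an added example: this is not part of the original post and not code from the nginx-proxy or companion projects. It assumes the host path you mount at /etc/nginx/certs is passed as the first argument, that the companion places <host>.crt and <host>.key there (as symlinks) once a certificate has been issued, and that the simple case from the post applies where VIRTUAL_HOST and LETSENCRYPT_HOST hold one identical hostname. The docker inspect wrapper at the end needs a running Docker daemon; everything else works on any POSIX shell.

```shell
#!/bin/sh
# Added example: preflight and post-issuance checks for the nginx-proxy +
# letsencrypt-nginx-proxy-companion setup. Not code from either project.
#
# Usage:
#   check_certs_dir /path/to/certs                       # before starting nginx-proxy
#   check_le_env "$VIRTUAL_HOST" "$LETSENCRYPT_HOST" "$LETSENCRYPT_EMAIL"
#   check_container_env example-app                      # same, read from a running container
#   check_issued_cert /path/to/certs my.domain.tld       # after the companion has run

# Returns 0 when the values are consistent with what the companion needs:
# LETSENCRYPT_HOST and LETSENCRYPT_EMAIL both set, and LETSENCRYPT_HOST equal
# to VIRTUAL_HOST (assumption: single hostname, no comma-separated lists).
check_le_env() {
    vhost=$1; lehost=$2; email=$3
    if [ -z "$lehost" ] || [ -z "$email" ]; then
        echo "LETSENCRYPT_HOST and LETSENCRYPT_EMAIL must both be set" >&2
        return 1
    fi
    if [ "$vhost" != "$lehost" ]; then
        echo "VIRTUAL_HOST ($vhost) and LETSENCRYPT_HOST ($lehost) differ" >&2
        return 1
    fi
    return 0
}

# Returns 0 if the certs directory exists. nginx-proxy mounts it read-only,
# so it cannot create it for you; create it (empty) before the first start.
check_certs_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir does not exist; create it first" >&2; return 1; }
    return 0
}

# Returns 0 when certificate and key for the host are present and the private
# key is not readable by group or others. ls -L follows the companion's symlinks
# so the mode of the real key file is checked, not that of the link.
check_issued_cert() {
    dir=$1; host=$2
    crt="$dir/$host.crt"; key="$dir/$host.key"
    [ -f "$crt" ] || { echo "missing $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
    perms=$(ls -lL "$key" | cut -c1-10)      # e.g. -rw-------
    case "$(printf '%s' "$perms" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$key is readable by group/others (mode $perms)" >&2; return 1 ;;
    esac
}

# Reads the three variables from a running container and feeds them to
# check_le_env (requires the docker CLI and access to the daemon).
check_container_env() {
    name=$1
    env=$(docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "$name")
    check_le_env "$(printf '%s\n' "$env" | sed -n 's/^VIRTUAL_HOST=//p')" \
                 "$(printf '%s\n' "$env" | sed -n 's/^LETSENCRYPT_HOST=//p')" \
                 "$(printf '%s\n' "$env" | sed -n 's/^LETSENCRYPT_EMAIL=//p')"
}
```

Run check_certs_dir and check_le_env before the first docker run (or docker-compose up), and check_issued_cert a minute or two after the companion starts; if the key check fails, fix the permissions on the host directory rather than loosening them, since nginx-proxy only needs read access.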

Bitnami

This worked without any problems. Just follow the description given here: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

It is not as automated as the Docker nginx solution, but it works fine and is quite easy to set up.

I had some problems convincing Apache to redirect automatically from HTTP to HTTPS. Eventually this link helped: https://community.bitnami.com/t/http-https-redirect-not-working/46642/2
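For the HTTP-to-HTTPS redirect, here is an added example of my own; it is not the configuration from the Bitnami documentation or from the linked forum post. render_http_redirect_vhost prints a plain Apache 2.4 port-80 VirtualHost that uses mod_alias's Redirect directive (assumption: the HTTPS vhost for the same ServerName already exists, and where the snippet belongs in the Bitnami layout is installation-specific). response_is_https_redirect checks a captured response header block, such as `curl -sI` returns, for a redirect to the HTTPS version of the domain; the domain name and the sample response are constructed values.

```shell
#!/bin/sh
# Added example: generate an HTTP-only redirect vhost for Apache 2.4 and verify
# from the outside that a deployed host really redirects to HTTPS.
# Not the Bitnami project's configuration.

# Print a port-80 VirtualHost whose only job is a permanent redirect to HTTPS.
# Requires mod_alias (enabled by default in Apache 2.4).
render_http_redirect_vhost() {
    domain=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    # Every plain-HTTP request is answered with a 301 to the same path on HTTPS.
    Redirect permanent "/" "https://$domain/"
</VirtualHost>
EOF
}

# Returns 0 when the given response headers (first argument: domain, second:
# header block as returned by `curl -sI http://domain/`) are a 301/302/307/308
# whose Location points at https://<domain>/..., otherwise returns 1.
response_is_https_redirect() {
    domain=$1; response=$2
    status=$(printf '%s\n' "$response" | head -n 1 | tr -d '\r' | awk '{print $2}')
    case "$status" in
        301|302|307|308) ;;
        *) echo "status '$status' is not a redirect" >&2; return 1 ;;
    esac
    location=$(printf '%s\n' "$response" | tr -d '\r' \
               | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$location" in
        "https://$domain/"*|"https://$domain") return 0 ;;
        *) echo "Location is '$location', expected https://$domain/..." >&2; return 1 ;;
    esac
}

# Live check against a deployed host (needs curl and network access).
check_live_redirect() {
    response_is_https_redirect "$1" "$(curl -sI --max-time 10 "http://$1/")"
}
```

Test with `check_live_redirect my.domain.tld` from a machine outside the server. While experimenting with the vhost it is worth using `Redirect temp` (302) first: browsers cache a 301, so a wrong permanent redirect keeps being followed even after the config has been fixed.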