
I am using nginx as a proxy and for SSL termination for a site hosted on Docker. Both the app and nginx are in Docker. I have installed a Let's Encrypt SSL certificate using Certbot directly on the Ubuntu server, and I am now using the certificate installed on the Ubuntu server inside Docker by mapping it with a volume in docker-compose.

I noticed that the Certbot cron job to renew the certificate is failing because ports 80 and 443 are in use by the Docker nginx instance.

To renew, I need to stop Docker and then run the certbot renew command, which works fine.

What is the best way to have automated renewal without stopping the Docker container that runs nginx?

Krunal

2 Answers


One of the obvious answers is to not use certbot. There are many other ACME-compatible clients, some of which can use the DNS-01 challenge.

Or you could use a different proxy that has certificate renewal built in. One popular choice is Traefik, which works nicely as a proxy and can automatically get certs using either HTTP or DNS challenges, depending on what you configure.

If you really want to stick with certbot, look at switching over to DNS validation if you can. Using DNS validation doesn't require opening any ports, but it does require that you be able to automatically publish a DNS record.

Zoredache
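The answer above leaves open what "automatically publish a DNS record" looks like in practice. The following is an added example (editor's, not the answerer's) of certbot's DNS-01 path using the built-in manual authenticator with auth and cleanup hooks that push the TXT record over RFC 2136 dynamic DNS with nsupdate. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to those hooks; everything else here (the nameserver ns1.example.com, the TSIG key path, the propagation delay, the hook script path) is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: DNS-01 with certbot's manual
# plugin, publishing the challenge TXT record via nsupdate (RFC 2136).
# DNS_SERVER, TSIG_KEY and PROPAGATION_SECONDS are assumptions for this example.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.com}"         # authoritative server that accepts signed updates
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"   # TSIG key file passed to nsupdate -k
PROPAGATION_SECONDS="${PROPAGATION_SECONDS:-30}"    # wait before certbot tells Let's Encrypt to query

# The ACME DNS-01 record lives at _acme-challenge.<domain> as a TXT record.
acme_record_name() {
  printf '_acme-challenge.%s.' "$1"
}

# Build the nsupdate batch. $1 = add|delete, $2 = domain, $3 = validation token.
# Kept as a pure text generator so it can be inspected (or tested) without
# touching DNS; auth_hook/cleanup_hook pipe its output into nsupdate.
nsupdate_script() {
  record_name=$(acme_record_name "$2")
  case "$1" in
    add)    printf 'server %s\nupdate add %s 60 TXT "%s"\nsend\n' "$DNS_SERVER" "$record_name" "$3" ;;
    delete) printf 'server %s\nupdate delete %s TXT\nsend\n' "$DNS_SERVER" "$record_name" ;;
    *)      echo "usage: nsupdate_script add|delete domain validation" >&2; return 2 ;;
  esac
}

# certbot runs the auth hook once per domain with CERTBOT_DOMAIN and
# CERTBOT_VALIDATION set, then asks Let's Encrypt to look the record up.
auth_hook() {
  nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
  sleep "$PROPAGATION_SECONDS"
}

# The cleanup hook runs after validation, whether it succeeded or not.
cleanup_hook() {
  nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
}

# Install this file as e.g. /usr/local/bin/acme-dns-hook.sh (assumed path) and
# switch the existing certificate over once; certbot stores the authenticator
# and both hooks in /etc/letsencrypt/renewal/<domain>.conf, so the cron job
# stays a plain "certbot renew" and never needs port 80 or 443:
#
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    '/usr/local/bin/acme-dns-hook.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-dns-hook.sh cleanup' \
#     -d example.com
#
case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
  *)       : ;;   # no argument: only define the functions
esac
```

The TSIG key should be scoped (via the nameserver's update policy) to TXT records under _acme-challenge names only, so a compromise of the host that runs certbot cannot rewrite the rest of the zone. Validate the switch with certbot renew --dry-run before relying on the cron job.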

Options that I see using certbot:

  • Let nginx serve the HTTP-01 response. While I imagine that the nginx plugin wouldn't play nice in your containerized scenario, the webroot plugin ought to be fine if you just map the .well-known/acme-challenge/ directory as necessary.
  • Have certbot use DNS-01 instead, then nginx is entirely taken out of the picture of the challenge handling.
Håkan Lindqvist
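The webroot option in the answer above is the smallest change to the asker's setup (certbot stays on the Ubuntu host, nginx stays in Docker). The following is an added example (editor's, not the answerer's) of the three pieces it needs: the nginx location that serves /.well-known/acme-challenge/ from a directory shared with the host, the docker-compose volume mounts, and the one-off certbot command that switches the existing certificate from the standalone authenticator to webroot and stores a reload hook. The webroot path /var/www/certbot, the container name nginx and the domain example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: HTTP-01 via certbot's webroot
# plugin on the host, with the dockerized nginx serving the challenge files.
# WEBROOT, NGINX_CONTAINER and DOMAIN are assumptions; adjust to your setup.
set -eu

WEBROOT="${WEBROOT:-/var/www/certbot}"        # host dir certbot writes into; mounted read-only in nginx
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx}"   # name of the running nginx container
DOMAIN="${DOMAIN:-example.com}"               # placeholder domain

# Port-80 server block: serve the challenge files from the mounted webroot and
# redirect everything else to HTTPS. The ^~ prefix match ensures no regex
# location (or the redirect) captures the challenge path first.
acme_nginx_snippet() {
  cat <<EOF
server {
    listen 80;
    server_name ${DOMAIN};

    location ^~ /.well-known/acme-challenge/ {
        root ${WEBROOT};
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# docker-compose volumes for the nginx service. Mount all of /etc/letsencrypt,
# not only live/: the files under live/ are symlinks into archive/ and dangle
# if live/ is mounted alone. Both mounts are read-only; only certbot on the
# host writes to them.
compose_volume_snippet() {
  cat <<EOF
services:
  nginx:
    container_name: ${NGINX_CONTAINER}
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - ${WEBROOT}:${WEBROOT}:ro
EOF
}

# One-off command to re-issue the existing certificate with the webroot
# authenticator (no port binding by certbot) and record a deploy hook that
# reloads nginx inside the container after a successful renewal. certbot
# saves both in /etc/letsencrypt/renewal/<domain>.conf, so the existing cron
# job can remain a plain "certbot renew".
certbot_switch_command() {
  printf '%s' "certbot certonly --webroot -w ${WEBROOT} -d ${DOMAIN} --deploy-hook 'docker exec ${NGINX_CONTAINER} nginx -s reload'"
}

# Emit the pieces to copy into place; nothing below modifies the system.
acme_nginx_snippet
echo
compose_volume_snippet
echo
certbot_switch_command
echo
```

After copying the snippets in and recreating the container, run certbot renew --dry-run on the host to confirm the challenge is served by the container before the real cron run. The deploy hook only fires when a certificate actually changed, so nginx is not reloaded on the daily runs where nothing is due.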