7

I know how to configure Let's Encrypt for nginx. I'm having a hard time configuring Let's Encrypt with nginx inside a Docker image. Let's Encrypt certificates are symlinked in the /etc/letsencrypt/live folder and I don't have permission to view the real certificate files inside /etc/letsencrypt/archive.

Can someone suggest a way out?

Penkey Suresh

3 Answers

5

I'll add my mistake. Maybe someone will find it useful.

I mounted the /live directory of letsencrypt and not the whole letsencrypt directory tree.

The problem with this:
The /live folder just holds symlinks to the /archive folder, which is not mounted into the Docker container with my approach. (In fact I even mounted a /certs folder that symlinked to the live folder because I had that certs folder in the development environment; same problem: the real (symlinked) files were not mounted.)

All problems went away when I mounted /etc/letsencrypt instead of /live.

A part of my docker-compose.yml

  services:
    ngx:
      image: nginx
      container_name: ngx
      ports:
        - 80:80
        - 443:443
      links:
        - php-fpm
      volumes:
        - ../../com/website:/var/www/html/website
        - ./nginx.conf:/etc/nginx/nginx.conf
        - ./nginx_conf.d/:/etc/nginx/conf.d/
        - ./nginx_logs/:/var/log/nginx/
        - ../whereever/you/haveit/etc/letsencrypt/:/etc/letsencrypt

The last line in that config is the important one. Changed it from

- ./certs/:/etc/nginx/certs/

And /certs was a symlink to /etc/letsencrypt/live in my case. This cannot work, as I described above.

andymel
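An added check (my own shell script, not code from this answer or the next one) for the point both make: a mounted live/ directory is only usable if each symlink in it resolves to its archive/ target, which is what the whole-/etc/letsencrypt mount guarantees. The live path argument and the two-domain tree built by demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers above. Verifies that every
# certificate symlink under a letsencrypt live/ directory resolves, which
# is what fails when only live/ (or a symlink to it) is mounted into the
# container and the archive/ targets stay behind on the host.
# Run it inside the container (e.g. docker exec ngx sh /tmp/check.sh) or on
# the host against the directory you are about to mount; the path is an
# assumption, adjust it to your layout.

check_live_dir() {
    live_dir="$1"
    bad=0
    for dom in "$live_dir"/*/; do          # one directory per certificate lineage
        [ -d "$dom" ] || continue
        for name in cert.pem chain.pem fullchain.pem privkey.pem; do
            link="$dom$name"
            if [ ! -L "$link" ]; then
                echo "MISSING: $link is not a symlink" >&2
                bad=1
            elif [ ! -r "$link" ]; then
                # -r follows the link: target absent (not mounted) or unreadable
                echo "BROKEN: $link -> $(readlink "$link")" >&2
                bad=1
            fi
        done
    done
    return "$bad"
}

# Constructed demo tree: good.example has its archive/ alongside live/, the
# way certbot lays it out; broken.example's archive/ was "not mounted".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/archive/good.example" "$tmp/live/good.example" "$tmp/live/broken.example"
    for name in cert chain fullchain privkey; do
        printf 'dummy\n' > "$tmp/archive/good.example/${name}1.pem"
        ln -s "../../archive/good.example/${name}1.pem" "$tmp/live/good.example/$name.pem"
        ln -s "../../archive/broken.example/${name}1.pem" "$tmp/live/broken.example/$name.pem"
    done
    check_live_dir "$tmp/live"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "broken.example reported as expected; fix: mount all of /etc/letsencrypt"
```

A non-zero exit from check_live_dir before starting nginx is the early warning that the container will fail to load its certificates.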
4

If anyone is having this problem, I've solved it by mounting the folders into the Docker container.

  • I've mounted both the /etc/letsencrypt and /etc/ssl folders into Docker.
  • Docker has the -v flag to mount volumes. Don't forget to open port 443 for the container.

Based on how you mount it, it's possible to enable HTTPS in the Docker container without changing nginx paths.

docker run -d -p 80:80 -p 443:443 -v /etc/letsencrypt/:/etc/letsencrypt/ -v /etc/ssl/:/etc/ssl/ <image name>

Penkey Suresh
  • So you had the letsencrypt (certbot) client on your host machine? The problem I'm having is that the nginx container needs to be running in order to obtain and install the certificates. Then, you must change the nginx configuration to include those certificates. Did you come across this problem without attaching to the container and manually running these commands? – adam-beck Nov 16 '16 at 05:41
  • @adam-beck yes. I have certbot and nginx installed on the host machine. Once I generated the certificates and dhparam group, I stopped the nginx on the host and mounted the folder on to the container. This is not a very clear-cut way, as I'll have to stop the container and start the host nginx to renew the certificates at the end of 3 months. – Penkey Suresh Nov 16 '16 at 05:49
  • @adam-beck I explained the process more clearly here: http://stackoverflow.com/a/40202586/2538729 Do let me know if you could find an easier way. – Penkey Suresh Nov 16 '16 at 05:51
  • Thank you soooo much for mentioning I should open port 443. – Desprit Mar 24 '17 at 10:56
0

If you are using nginx, Docker and Let's Encrypt you might like the following GitHub project: https-portal.

It automates a lot of manual actions and makes it easy to manage your configuration using docker-compose. From the README:

Features

  • Test Locally
  • Redirections
  • Automatic Container Discovery
  • Hybrid Setup with Non-Dockerized Apps
  • Multiple Domains
  • Serving Static Sites
  • Share Certificates with Other Apps
  • HTTP Basic Auth

How it works

  • obtains an SSL certificate for each of your subdomains from Let's Encrypt.
  • configures Nginx to use HTTPS (and force HTTPS by redirecting HTTP to HTTPS).
  • sets up a cron job that checks your certificates every week, and renews them if they expire within 30 days.

For some background, the project was also discussed on Hacker News: HTTPS-Portal: Automated HTTPS server powered by Nginx, Let's Encrypt and Docker

(Disclaimer: I have no affiliation to the project, just a user)

Arnold Schrijver