
I have an Nginx server running in Docker on an Ubuntu host and I wanted to integrate Let's Encrypt certificates into it. As I had the Nginx image already created with all the conf set up, after reading different articles I decided to install Let's Encrypt on the host and mount the /etc/letsencrypt/ folder as a shared volume in the Nginx container. The problem I had is that the symlinks belong to the host file system itself and cannot be resolved by the container, which makes sense.

My question is then: what would be the best way to approach this? Should I add all the Let's Encrypt setup inside my custom Nginx Dockerfile to get it up and running? Is it possible, though, to create a separate container which only has Let's Encrypt and share a volume from there? Or is it possible somehow to resolve this via changes to my current solution?

Note that at the moment I'm creating a copy of the certificates and pasting them into the volume, which is fine, but I want to automate the renewal (using certbot renew --dry-run).

Any help is much appreciated!

Carlos Torrecillas
  • I don't understand the negative rating. I'm not looking for a detailed solution but the pattern to follow – Carlos Torrecillas Dec 13 '17 at 12:13
  • No need to install an SSL service in Docker; only use the old generated certificates and copy them into the container via the Dockerfile. The other option is to bind them at run time, as in https://medium.com/@mvuksano/using-tls-certificates-with-nginx-docker-container-74c6769a26db – dom Dec 13 '17 at 13:13

2 Answers


The symlinks within the letsencrypt folder will resolve within a Docker container as long as the entire /etc/letsencrypt directory is mounted as the volume. Or rather, as long as both the live and archive directories for the site of interest are mounted. What I mean is, one of the symlinks for a Let's Encrypt domain cert looks like this:

/etc/letsencrypt/live/example.com/cert.pem --> ../../archive/example.com/cert1.pem

To be able to reference the "live" cert name from within my Docker container, I created the following volume, mounting the whole letsencrypt etc directory:

-v /etc/letsencrypt:/certs

Since the full /etc/letsencrypt is mounted, the volume gets both live and also archive, so the ../../archive symlink resolves as long as I'm referencing the absolute path to the file I want. In my server config file:

ssl_certificate /certs/live/example.com/cert.pem;

This works!

Now the really ugly part of this is that I just made all of my Let's Encrypt certs available to just this one container. But it works for my use case right now, where I only have one domain I'm using Let's Encrypt for on this server. I have used letsencrypt-nginx-proxy-companion before and I prefer that by far, when I can do it.

Edit: I thought of a way to share only the certs needed for the site. Two volume entries:

  • /etc/letsencrypt/live/example.com:/etc/letsencrypt/live/example.com
  • /etc/letsencrypt/archive/example.com:/etc/letsencrypt/archive/example.com
deargle
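The two-volume layout above only works if every symlink in live/example.com points at a file that lives under archive/example.com. The following pre-flight check, added here as an example and not code from the answer above, walks live/<domain>, resolves each symlink the way the kernel will inside the container, and reports any link that dangles or escapes the domain's archive directory. LE_ROOT and DOMAIN are parameters; make_demo_tree builds a constructed sample of certbot's layout so it can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the answer above: verify that every symlink in
# Let's Encrypt's live/<domain> resolves to a file under archive/<domain>, so
# mounting just those two directories gives the container everything it needs.
# LE_ROOT/DOMAIN are parameters; make_demo_tree builds constructed demo data.

# check_live_symlinks LE_ROOT DOMAIN: returns 0 if all live/*.pem links resolve
# inside archive/DOMAIN, 1 otherwise (problems are reported on stderr).
check_live_symlinks() {
    le_root=$1; domain=$2
    live="$le_root/live/$domain"
    # Physical path of the archive dir, so comparisons ignore symlinked parents.
    archive=$(cd "$le_root/archive/$domain" 2>/dev/null && pwd -P) \
        || { echo "missing archive dir for $domain" >&2; return 1; }
    [ -d "$live" ] || { echo "missing $live" >&2; return 1; }
    status=0
    for link in "$live"/*.pem; do
        [ -L "$link" ] || { echo "not a symlink: $link" >&2; status=1; continue; }
        target=$(readlink "$link")
        # Resolve relative targets against the link's own directory, which is
        # exactly what the kernel does inside the container (host paths unseen).
        case "$target" in
            /*) dir=$(dirname "$target") ;;
            *)  dir="$live/$(dirname "$target")" ;;
        esac
        resolved=$(cd "$dir" 2>/dev/null && printf '%s/%s' "$(pwd -P)" "$(basename "$target")") \
            || resolved=""
        if [ -z "$resolved" ] || [ ! -f "$resolved" ]; then
            echo "dangling: $link -> $target" >&2; status=1; continue
        fi
        case "$resolved" in
            "$archive"/*) ;;  # inside the mounted archive dir: fine
            *) echo "outside archive/$domain: $link -> $target" >&2; status=1 ;;
        esac
    done
    return $status
}

# make_demo_tree DIR: constructed sample of certbot's layout (demo data only).
make_demo_tree() {
    root=$1
    mkdir -p "$root/live/example.com" "$root/archive/example.com"
    for f in cert chain fullchain privkey; do
        echo "demo $f" > "$root/archive/example.com/${f}1.pem"
        ln -s "../../archive/example.com/${f}1.pem" "$root/live/example.com/$f.pem"
    done
}

# Usage on a real host: check_live_symlinks /etc/letsencrypt example.com
```

Run it on the host before starting the container; a non-zero exit means a link would break once only live/<domain> and archive/<domain> are mounted.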

Instead of running Let's Encrypt on the host, you should do everything inside Docker. And best of all, there is already a solution for that: https://hub.docker.com/r/nginxproxy/acme-companion

This enables the proxy to automatically obtain and renew certificates.

Jonas Heinisch