Using certbot to apply for a Let's Encrypt certificate
In order to use the NGINX module, certbot needs either to use its own NGINX server or to modify the NGINX configuration.
Steps
Preparation
- Shut down the application that is listening on port 80 and port 443
docker stop nginx
- Install the software if it is not installed yet
Note: skip this step if the packages are already installed
apt install certbot
apt install python3-certbot-nginx
- Request the certificate
Note: there is no need to start the nginx service; certbot will start it automatically
certbot certonly --nginx -d <domain1> -d <domain2> -d <domain3>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/<domain1>.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for <domain1> and <domain2>
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain1>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/<domain1>/privkey.pem
This certificate expires on 2023-05-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for <domain1> to /etc/nginx/sites-enabled/default
Successfully deployed certificate for <domain2> to /etc/nginx/sites-enabled/default
Your existing certificate has been successfully renewed, and the new certificate has been installed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Certificate location
The certificate can be found in the following directory
ls /etc/letsencrypt/live/<domain1>/
- Stop the nginx instance started by certbot
systemctl stop nginx
systemctl disable nginx
- Set up the docker certificates
Copy privkey.pem and fullchain.pem into the docker configuration directory.
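One way to carry out the copy step above, as an added example that is not part of the original notes. The function names deploy_certs and key_matches_cert and the destination directory are assumptions; the script checks that the key belongs to the certificate, copies the real files rather than the symlinks in live/, and keeps the private key readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the original notes): copy a certbot-issued key pair
# into the directory that is mounted into the nginx container.
# deploy_certs, key_matches_cert and DEST_DIR are hypothetical names.

# Succeeds only if the private key ($2) belongs to the leaf certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: deploy_certs LIVE_DIR DEST_DIR
deploy_certs() {
    live_dir=$1
    dest_dir=$2
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "missing or empty: $live_dir/$f" >&2
            return 1
        fi
    done
    if ! key_matches_cert "$live_dir/fullchain.pem" "$live_dir/privkey.pem"; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    # Stage in a private temp directory (mktemp -d creates it with mode 0700)
    # so the key is never exposed with loose permissions while being copied.
    stage=$(mktemp -d "$dest_dir/.stage.XXXXXX") || return 1
    # live/ holds symlinks into ../../archive; -L copies the file contents,
    # because the link targets would not exist inside the container.
    if ! cp -L "$live_dir/fullchain.pem" "$live_dir/privkey.pem" "$stage/"; then
        rm -rf "$stage"
        return 1
    fi
    chmod 644 "$stage/fullchain.pem"
    chmod 600 "$stage/privkey.pem"   # private key: owner read/write only
    if ! mv -f "$stage/privkey.pem" "$stage/fullchain.pem" "$dest_dir/"; then
        rm -rf "$stage"
        return 1
    fi
    rmdir "$stage"
}
```

Call it as deploy_certs /etc/letsencrypt/live/<domain1> followed by the docker configuration directory, and repeat it after each renewal, since the copied files do not follow the symlinks that certbot updates.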
Troubleshooting
All domains on the command line must resolve to the host certbot is running on, for both port 80 and port 443; otherwise the certificate cannot be created.
Another way
Running certbot in docker could be better, as no additional packages need to be installed and the certbot service can be stopped with a docker command.