How to Manage and Renew SSL Certificates Using Docker Compose
Software Engineer
Docker
Securing your website with TLS certificates (still commonly called SSL certificates) is essential to protect data transmitted between the server and the client. Obtaining and renewing certificates can be a cumbersome task, but running Certbot in a container keeps the tooling off the host and makes the renewal a repeatable, scriptable step. In this blog post, we will demonstrate how to manage and renew SSL certificates using Docker Compose.
Introduction
Let's Encrypt
Let's Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates to enable HTTPS on websites. Its mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Certificates issued by Let's Encrypt are valid for 90 days, after which they must be renewed.
Certbot
Certbot is a tool developed by the Electronic Frontier Foundation (EFF) to automate the process of obtaining and renewing Let's Encrypt SSL certificates. It simplifies the certificate issuance and renewal process, making it accessible even to those with limited technical knowledge.
Prerequisites
Before you start, ensure you have:
- Docker installed on your system. Follow the official installation guide if necessary.
- Docker Compose installed. Follow the installation guide if needed.
- Basic understanding of Docker and Docker Compose.
Step 1: Create a Docker Compose File
Create a file named docker-compose-cert.yml with the following content:
```yaml
version: "3.9"
services:
  letsencrypt:
    container_name: "certbot-service"
    image: certbot/certbot
    # Clear the image entrypoint so the command below is exactly what runs.
    entrypoint: ""
    # --webroot: prove control of the domain by serving a file from /tmp/acme_challenge
    # --keep-until-expiring: only request a new certificate when the current one is close to expiry
    # --email: replace with the address that should receive expiry notices
    command: sh -c "certbot certonly --webroot -w /tmp/acme_challenge -d your-app.com --text --agree-tos --email admin@your-app.com --rsa-key-size 4096 --verbose --keep-until-expiring --preferred-challenges=http"
    volumes:
      # account key, private keys and issued certificates; keep this directory root-only on the host
      - /etc/letsencrypt:/etc/letsencrypt
      # challenge files; the same directory must be readable by your web server
      - /tmp/acme_challenge:/tmp/acme_challenge
    environment:
      - TERM=xterm
```
Step 2: Configure Your Web Server
Ensure that your web server serves the /.well-known/acme-challenge/ directory from the /tmp/acme_challenge path. This is necessary for the webroot method used by Certbot: during validation, Certbot writes a token file into /tmp/acme_challenge/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP on port 80. The web server process therefore needs read access to that directory, and if NGINX itself runs in a container, the same host directory must be mounted into it. Note that /tmp is world-writable and is often emptied on reboot; for a production setup, a dedicated directory such as /var/www/certbot (used consistently in both the Compose file and the NGINX configuration) is a safer choice.
If you use NGINX, add the following location block to your NGINX configuration:
```nginx
server {
    listen 80;
    server_name your-app.com;

    # Certbot writes tokens to /tmp/acme_challenge/.well-known/acme-challenge/<token>,
    # so "root" (not "alias") maps the request path onto the webroot directly.
    location /.well-known/acme-challenge/ {
        root /tmp/acme_challenge;
    }
}
```
Step 3: Run Docker Compose
Navigate to the directory containing your docker-compose-cert.yml file and run the following command:
```bash
docker-compose -f docker-compose-cert.yml up --build
```
Certbot runs once and exits; the issued certificate and private key are written under /etc/letsencrypt/live/your-app.com/ on the host (fullchain.pem and privkey.pem), which is where your HTTPS server block should point.
After renewing the certificates, you need to reload your web server to apply the changes, because NGINX reads the certificate files only at start-up or reload. If you use NGINX on the host, run the command below (if NGINX runs in a container, run it with docker exec inside that container instead):
```bash
nginx -t && nginx -s reload
```
The nginx -t check validates the configuration first, so a broken configuration does not take down the running server. You can verify the new certificate in your browser by opening the certificate details and checking the "valid until" date.
Step 4: Schedule Automatic Renewals
To keep your SSL certificates up-to-date, you should renew them periodically. Let's Encrypt certificates are valid for 90 days, and Certbot renews a certificate only when it is within 30 days of expiry (that is what the --keep-until-expiring option in the Compose file does; otherwise the run is a no-op). Because the renewal is skipped when it is not needed, the recommended practice is to run the renewal job frequently, for example daily, rather than trying to hit a single date near the end of the 90 days; a daily job also gives you several weeks of retries if Let's Encrypt or your DNS is temporarily unreachable. You can automate this process using a cron job.
Open the crontab editor by running:
```bash
crontab -e
```
Add a new line to schedule the renewal process. A step value in the day-of-month field (such as */80) does not mean "every 80 days": that field only ranges from 1 to 31, so */80 would fire on the 1st of every month. The following example runs the renewal check every day at 2 AM and lets Certbot decide whether a new certificate is actually needed:
```bash
0 2 * * * docker-compose -f /path/to/docker-compose-cert.yml run --rm letsencrypt && nginx -s reload
```
The --rm option is used when running a Docker container. It ensures that the container is automatically removed after it exits. This is useful for containers that are used for one-time tasks, such as renewing SSL certificates, to avoid cluttering your system with stopped containers.
Make sure to replace /path/to/docker-compose-cert.yml with the actual path to your Docker Compose file.
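The cron line above reloads NGINX on every run, even when Certbot did nothing, and gives you no signal when a renewal that was due did not happen. The script below is an added example (not part of the original post) of a wrapper a practitioner would put in cron instead: it snapshots the current fullchain.pem, checks with openssl x509 -checkend whether the certificate is inside the 30-day renewal window, runs the Compose service from the page, and reloads NGINX only if the certificate file actually changed. The compose file path, the domain your-app.com, the /etc/letsencrypt layout and an NGINX plus openssl on the host are assumptions; CERT_COMPOSE_FILE and DOMAIN can be overridden from the environment.

```shell
#!/bin/sh
# renew-cert.sh: cron wrapper around docker-compose-cert.yml.
# Added example, not part of the original post. Assumed: the compose file
# path and domain below, nginx and openssl installed on the host.
set -eu

CERT_COMPOSE_FILE="${CERT_COMPOSE_FILE:-/path/to/docker-compose-cert.yml}"
DOMAIN="${DOMAIN:-your-app.com}"
# certbot keeps the current certificate here ("live" holds symlinks to the newest version)
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
RENEW_WINDOW_DAYS=30   # matches certbot's default renewal window

# needs_renewal CERT DAYS: succeed (0) when CERT is missing or expires within
# DAYS days, fail (1) when it is still good for longer than that.
needs_renewal() {
  cert="$1"
  days="$2"
  [ -f "$cert" ] || return 0
  # -checkend exits 0 when the certificate outlives the given number of seconds
  if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert"; then
    return 1
  fi
  return 0
}

# cert_changed OLD NEW: succeed (0) when the PEM files differ, i.e. certbot
# issued a new certificate; fail (1) when they are byte-identical.
cert_changed() {
  old="$1"
  new="$2"
  [ -f "$old" ] || return 0
  ! cmp -s "$old" "$new"
}

main() {
  snapshot="$(mktemp)"
  trap 'rm -f "$snapshot"' EXIT
  if [ -f "$CERT" ]; then
    cp "$CERT" "$snapshot"
  fi

  if ! needs_renewal "$CERT" "$RENEW_WINDOW_DAYS"; then
    echo "$DOMAIN: certificate valid for more than $RENEW_WINDOW_DAYS days, nothing to do"
    return 0
  fi

  # One-shot container; --rm removes it once certbot exits.
  # Use "docker compose" instead on hosts that only have the v2 plugin.
  docker-compose -f "$CERT_COMPOSE_FILE" run --rm letsencrypt

  if cert_changed "$snapshot" "$CERT"; then
    nginx -t && nginx -s reload   # validate the config before touching the live server
    echo "$DOMAIN: new certificate installed, nginx reloaded"
  else
    # Renewal was due but nothing was issued: a non-zero exit makes cron mail the output.
    echo "$DOMAIN: certbot ran but the certificate did not change, nginx not reloaded" >&2
    return 1
  fi
}

# Only run the renewal when invoked with "renew", so the functions can be sourced or tested.
if [ "${1:-}" = "renew" ]; then
  main
fi
```

Install it as, for example, /usr/local/bin/renew-cert.sh and replace the cron command with `/usr/local/bin/renew-cert.sh renew`. Keeping the reload conditional on a real change means a daily schedule costs nothing on the 60 days when Certbot has nothing to do, and the non-zero exit on a due-but-missing renewal is the signal you want to see long before the certificate expires.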
Conclusion
By following these steps, you can efficiently manage and renew SSL certificates using Docker. This setup ensures that your SSL certificates are always up-to-date, enhancing the security and reliability of your website without requiring manual intervention.
Created at
2024-05-26 15:44:03 +0700