Table of contents
    blog cover

    How to Manage and Renew SSL Certificates Using Docker Compose

    Software Engineer
    Software Engineer
    Docker
    Docker
    Securing your website with SSL certificates is essential to protect data transmitted between the server and client. Managing and renewing SSL certificates can be a cumbersome task, but Docker simplifies this process. In this blog post, we will demonstrate how to manage and renew SSL certificates using Docker Compose.

    Introduction

    Let's Encrypt
    Let's Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates to enable HTTPS on websites. Its mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Certificates issued by Let's Encrypt are valid for 90 days, after which they must be renewed.

    Certbot
    Certbot is a tool developed by the Electronic Frontier Foundation (EFF) to automate the process of obtaining and renewing Let's Encrypt SSL certificates. It simplifies the certificate issuance and renewal process, making it accessible even to those with limited technical knowledge.

    Prerequisites
    Before you start, ensure you have:
    1. Docker installed on your system. Follow the official installation guide if necessary.
    2. Docker Compose installed. Follow the installation guide if needed.
    3. Basic understanding of Docker and Docker Compose.

    Step 1: Create a Docker Compose File

    Create a file named docker-compose-cert.yml with the following content:
    // language: yaml
    version: "3.9"
    services:
      letsencrypt:
        container_name: "certbot-service"
        image: certbot/certbot
        command: sh -c "certbot certonly --webroot -w /tmp/acme_challenge -d your-app.com --text --agree-tos --email [email protected] --rsa-key-size 4096 --verbose --keep-until-expiring --preferred-challenges=http"
        entrypoint: ""
        volumes:
          - /etc/letsencrypt:/etc/letsencrypt
          - /tmp/acme_challenge:/tmp/acme_challenge
        environment:
          - TERM=xterm
    Make sure to replace your-app.com with your domain and [email protected] with your email address.

    Step 2: Configure Your Web Server

    Ensure that your web server serves the /.well-known/acme-challenge/ directory from the /tmp/acme_challenge path. This is necessary for the webroot method used by Certbot to verify domain ownership.

    If you use NGINX, add the following location block to your Nginx configuration:
    // language: bash
    server {
        listen 80;
        server_name your-app.com;
    
        location /.well-known/acme-challenge/ {
            root /tmp/acme_challenge;
        }
    }

    Step 3: Run Docker Compose

    Navigate to the directory containing your docker-compose-cert.yml file and run the following command
    // language: bash
    docker-compose -f docker-compose-cert.yml up --build
    nginx -s reload

    After renewing the certificates, you need to reload your web server to apply the changes. If you use NGINX, run the below command
    // language: bash
    nginx -s reload

    You can verify the new certificate in your browser


    Step 4: Schedule Automatic Renewals

    To keep your SSL certificates up-to-date, you should renew them periodically. Since Let's Encrypt certificates are valid for 90 days, it's a good practice to renew them every ~80 days. You can automate this process using a cron job.

    Open the crontab editor by running:
    // language: bash
    crontab -e

    Add a new line to schedule the renewal process. The following example schedules the renewal to run every 80 days at 2 AM:
    // language: bash
    0 2 */80 * * docker-compose -f /path/to/docker-compose-cert.yml run --rm letsencrypt && nginx -s reload
    The --rm option is used when running a Docker container. It ensures that the container is automatically removed after it exits. This is useful for containers that are used for one-time tasks, such as renewing SSL certificates, to avoid cluttering your system with stopped containers.
    Make sure to replace /path/to/docker-compose-cert.yml with the actual path to your Docker Compose file.

    Conclusion

    By following these steps, you can efficiently manage and renew SSL certificates using Docker. This setup ensures that your SSL certificates are always up-to-date, enhancing the security and reliability of your website without requiring manual intervention.

    Created at 2024-05-26 15:44:03 +0700

    Related blogs