```
.
├── docker-compose.yml
├── nginx
│   └── conf
│       └── app.conf
├── certbot
│   ├── conf   # Certbot configuration will be stored here
│   └── www    # This folder serves the ACME challenge files
└── README.md
```
This repository provides a Dockerized setup for running Nginx secured with free SSL/TLS certificates from Let's Encrypt using Certbot.
- Docker installed.
- Docker Compose installed.
- A registered domain name pointing to your server.
- Administrative access to the system.
Clone this repository and change into the project directory:

```sh
git clone https://github.com/yourusername/yourrepo.git
cd yourrepo
```

Open `nginx/conf/app.conf` and replace `your-domain.com` with your actual domain name:
```nginx
server {
    listen 80;
    listen [::]:80;

    server_name your-domain.com www.your-domain.com;
    server_tokens off;

    # Served from the certbot/www volume; Let's Encrypt fetches the
    # challenge file from here over plain HTTP during issuance.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://your-domain.com$request_uri;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name your-domain.com;

    # Paths as seen inside the webserver container, where certbot/conf is
    # mounted read-only at /etc/nginx/ssl. Certbot creates these files;
    # Nginx will not start with this block until they exist.
    ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;

    location / {
        # Point this at your upstream application (for example another Compose
        # service); proxying to the public hostname loops back to this server.
        proxy_pass http://your-domain.com;
    }
}
```

First, perform a dry run to test certificate generation:
```sh
docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d your-domain.com
```

If the dry run succeeds, run the command without the `--dry-run` flag:
```sh
docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d your-domain.com
```

During this process, follow the prompts:

- Enter your email when asked.
- Agree to the Let's Encrypt Terms of Service.
Once the certificates are obtained, start the containers:

```sh
docker-compose up -d
```

If Nginx is already running and you need to reload the configuration without downtime:

```sh
docker-compose exec webserver nginx -s reload
```

Let's Encrypt certificates are valid for 90 days. To renew them, run:

```sh
docker-compose run --rm certbot renew
```

It is recommended to set up a cron job (or another scheduler) to run this command regularly.
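Two things a practitioner usually wants around the renewal step: `certbot renew` rewrites the files but never tells Nginx to reload them, and nothing checks that the private key Certbot wrote stays private. The script below is an added example, not part of this repository. It assumes the service names `webserver` and `certbot` and the host path `./certbot/conf` from the docker-compose.yml in this README, plus a placeholder domain that you supply. `renew_and_reload` chains the renewal with the reload command shown above, `check_cert_files` verifies that `certbot/conf/live/<domain>/` holds both PEM files and that `privkey.pem` is not readable by other users, and `cert_valid_for_days` uses `openssl x509 -checkend` to flag a certificate that expires within a given number of days.

```sh
#!/bin/sh
# certs.sh - renewal and sanity checks for the Nginx + Certbot Compose setup.
# Added example, not part of the original repository. It assumes the service
# names "webserver" and "certbot" and the host paths from docker-compose.yml.
set -eu

# Command that drives Compose; set COMPOSE=echo to print instead of run.
COMPOSE="${COMPOSE:-docker-compose}"
# Host directory that docker-compose.yml mounts as /etc/letsencrypt in certbot.
CERT_DIR="${CERT_DIR:-./certbot/conf}"

# Renew whatever is due, then reload Nginx. "certbot renew" only rewrites the
# files; without the reload Nginx keeps serving the old certificate until
# the next restart.
renew_and_reload() {
    $COMPOSE run --rm certbot renew
    $COMPOSE exec webserver nginx -s reload
}

# Verify Certbot's output for DOMAIN: both files exist and the private key is
# not readable by "others". Returns 0 if all is well, 1 otherwise, and
# reports each problem on stderr.
check_cert_files() {
    domain="$1"
    live="$CERT_DIR/live/$domain"
    status=0
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$live/$f" ]; then
            echo "missing: $live/$f" >&2
            status=1
        fi
    done
    if [ -f "$live/privkey.pem" ]; then
        # live/*.pem are symlinks into archive/, so follow them (-L) and read
        # the "other" permission triplet from the mode column of ls -l.
        others=$(ls -lL "$live/privkey.pem" | cut -c8-10)
        if [ "$others" != "---" ]; then
            echo "privkey.pem is readable by other users (other bits: $others)" >&2
            status=1
        fi
    fi
    return "$status"
}

# Returns 0 if DOMAIN's certificate is still valid for at least DAYS more days,
# non-zero if it expires sooner (openssl's -checkend does the date arithmetic).
cert_valid_for_days() {
    days="$1"
    pem="$CERT_DIR/live/$2/fullchain.pem"
    openssl x509 -noout -in "$pem" -checkend "$((days * 86400))" >/dev/null
}

# Subcommands; with no argument (e.g. when sourced) only the functions are defined.
case "${1:-}" in
    check) check_cert_files "${2:?domain required}" && cert_valid_for_days 30 "$2" ;;
    renew) renew_and_reload ;;
    "") ;;
    *) echo "usage: $0 check DOMAIN | renew" >&2; exit 2 ;;
esac
```

Run `./certs.sh check your-domain.com` after issuance and `./certs.sh renew` from the scheduler instead of the bare `certbot renew`, for example with a crontab line such as `0 3 * * * cd /path/to/repo && ./certs.sh renew >> /var/log/certbot-renew.log 2>&1` (path is a placeholder). Note that both the dry run and the real issuance use the webroot method, which only succeeds while Nginx is already running and serving port 80 for the domain, because Let's Encrypt fetches the challenge file through it.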
- Ports: Ensure ports 80 and 443 are open and accessible.
- DNS: Verify your domain's DNS records point to your server's IP.
- Logs: Check Docker logs for any errors with `docker-compose logs`.
This project is licensed under the MIT License.
```yaml
version: '3'

services:
  webserver:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./certbot/www/:/var/www/certbot/:ro
      # Read-only view of Certbot's output so app.conf can load
      # /etc/nginx/ssl/live/your-domain.com/{fullchain,privkey}.pem
      - ./certbot/conf/:/etc/nginx/ssl/:ro
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw
```
- Certificates Directory: The certificates generated by Certbot will be stored in the `certbot/conf/` directory on your host and mapped to `/etc/letsencrypt/` in the container.
- ACME Challenge: The directory `certbot/www/` is used to serve the ACME challenge files required by Let's Encrypt during the certificate issuance process.
- Customization: You can further customize the Nginx configuration or add more services as needed.