Requesting and configuring the CA certificate is done in two phases. The first phase is to request the certificate from ‘Let’s Encrypt’, and the second phase is to configure the web server (or reverse proxy) to use the issued certificate.
Request Certificate
To request a certificate we will need the following:
A web server that handles the HTTP requests from ‘Let’s Encrypt’
A handler for the ‘/.well-known/acme-challenge’ path
We will be using the tool provided by ‘Let’s Encrypt’, known as ‘Certbot’, to initiate the CA certificate request. This tool is available as a Docker container, which we will use in our example. Before initiating the certificate request, we will set up the needed files.
Once you have all the files set up, run the following command to start an Nginx Docker instance. This creates a web server configured to answer the ‘Let’s Encrypt’ certificate challenge. Check that the site is up using the curl command.
$ docker-compose up -d
After the Nginx web server is up, use the Certbot Docker container to initiate the CA domain certificate challenge. The certificate files generated as part of the challenge will be located in the ‘docker-volumes/etc/…’ directory.
Remove the --staging option when you are ready to request the production certificates; --staging obtains test certificates from the Let’s Encrypt staging environment, which browsers do not trust but which does not count against the production rate limits.
At this point, the Docker containers created in the “Request Certificate” phase are no longer needed and should be cleaned up. The certificates that were generated are what you want to retain.
Generate DH Param (optional)
This step is optional and serves to strengthen the TLS configuration of the web server by supplying your own Diffie-Hellman parameters. Note that if this step is skipped, the scripts and configuration below might need to be adjusted accordingly. To generate the (.pem) file, use ‘openssl’ and the command below.
The command generates a ‘dhparam-2048.pem’ file in the ‘dh-param’ directory.
Configure Nginx to use the certificate by adding the certificate settings to the web server configuration. In this example, we will be configuring Nginx as a reverse proxy web server.
Before starting up a Docker Nginx instance using the command below, prepare the following files in their relative locations. Note the locations of the ‘production.conf’ and ‘dhparam-2048.pem’ files.
docker-compose.yml file (xxx.xx.xxx.xxx points to the Docker host IP):
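As an added example (not the original post’s own ‘production.conf’), the Nginx configuration below covers both phases in one server definition: it keeps serving the ‘/.well-known/acme-challenge’ path over plain HTTP so Certbot renewals keep working, and it terminates TLS with the issued certificate and the optional ‘dhparam-2048.pem’ before proxying to the backend. The domain example.com, the backend address 10.0.0.5:8080, the webroot /var/www/certbot and the container mount paths are assumptions.

```nginx
# Added example; example.com, /var/www/certbot, /etc/letsencrypt and
# 10.0.0.5:8080 are assumed values, adjust them to your deployment.
server {
    listen 80;
    server_name example.com;

    # Certbot (run with the webroot plugin, -w /var/www/certbot) writes the
    # challenge token here; Let's Encrypt fetches it over plain HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type text/plain;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Files written by Certbot, mounted from docker-volumes/etc/letsencrypt.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # From the optional "Generate DH Param" step; remove if that step was skipped.
    ssl_dhparam /etc/nginx/dh-param/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Only enable HSTS once the production (non --staging) certificate is in place.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Reverse proxy to the application container.
    location / {
        proxy_pass http://10.0.0.5:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate the file with `nginx -t` inside the container before reloading; a wrong path to the certificate or dhparam file is reported there rather than at request time.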