The request and configuration of the CA certificate can be done in two phases. The first phase is to request the certificate from 'Let's Encrypt', and the second phase is to configure the web server (or reverse proxy) to use the issued certificate.
To request a certificate we will need the following:
A web server that handles web requests from 'Let's Encrypt'
A handler for the '/.well-known/acme-challenge' path
We will be using the 'Certbot' tool provided by 'Let's Encrypt' to initiate a CA certificate request. This tool is available as a Docker container, which we will use in our example. Before initiating the certificate request, we will set up the needed files.
Once all the files are set up, run the following command to start an Nginx Docker instance. This creates a web server configured to answer the 'Let's Encrypt' certificate challenge. Check that the site is up using the curl command.
docker-compose up -d
After the Nginx web server is up, use the Docker Certbot image to initiate a CA domain certificate challenge. The certificate files generated as part of the challenge will be located in the 'docker-volumes/etc/...' directory.
Verify the certificates using the following command; if they are valid, you should see the relevant certificate details:
At this point, the container created in the "Request Certificate" phase is no longer needed and should be cleaned up. The generated certificates are what you want to retain.
Generate DH Param (optional)
This is optional and serves to enhance the security of the web server. Note that if this step is skipped, subsequent scripts below might need to be adjusted. To generate the (.pem) file, use 'openssl' and the command below.
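The following script is an added example and is not part of the original article. It generates the DH parameter file with openssl (the page names the tool but the command itself did not survive extraction) and then checks the result before it is referenced from the Nginx configuration. The output path and the 2048-bit default are assumptions; only safe-prime groups of at least 2048 bits are worth deploying.

```shell
#!/bin/sh
# Added example (not from the original article): generate a DH parameter
# file with openssl and verify it before pointing nginx at it.
# The output path is an assumption; adjust it to your docker-volumes layout.
set -eu

# Generate a safe-prime DH group of $2 bits (default 2048) into file $1.
# Generation of a 2048-bit group can take minutes; that is expected.
generate_dhparam() {
    out=$1
    bits=${2:-2048}
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Print the bit length of the prime stored in a DH parameter file.
# openssl prints a line such as "DH Parameters: (2048 bit)".
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 only if openssl's own sanity check passes and the group has at
# least $2 bits (default 2048); anything smaller should not be deployed.
dhparam_ok() {
    openssl dhparam -in "$1" -noout -check >/dev/null 2>&1 || return 1
    [ "$(dhparam_bits "$1")" -ge "${2:-2048}" ]
}

# Stand-alone demo; set RUN_DEMO=1 to actually generate a 2048-bit file.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    generate_dhparam ./docker-volumes/etc/nginx/dhparam.pem 2048
    dhparam_ok ./docker-volumes/etc/nginx/dhparam.pem && echo "dhparam ok"
fi
```

Once the file passes `dhparam_ok`, reference it from the TLS server block with `ssl_dhparam /etc/nginx/dhparam.pem;` (the in-container path is an assumption matching the volume mount you choose). If you skip this step, that directive must also be removed, which is the adjustment the text above warns about.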
docker kill --signal=HUP production-nginx-container
# Check for renewal errors in the Certbot logs
# Check that the dates on the certificate files have been updated by the Certbot renewal
ls -l /docker-volumes/etc/letsencrypt/renewal
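The script below is an added example, not the article's own code, and serves both the "verify the certificates" step of the request phase and the renewal checks listed above. Instead of reading the files by eye it checks, with `openssl x509`, that a certificate covers the expected domain and will not expire within a given number of days, and it checks whether Certbot has actually rewritten the files recently. The Let's Encrypt file names `fullchain.pem` and `privkey.pem` are real; the directory paths, the self-signed demo certificate and the sample log lines are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): post-issuance and
# post-renewal checks on Let's Encrypt certificate files using openssl.
set -eu

# Create a constructed self-signed certificate in $1 for domain $2 valid for
# $3 days, using the same file names Certbot writes (fullchain.pem/privkey.pem).
# This stands in for a real Let's Encrypt issuance so the checks can be tried.
make_demo_cert() {
    dir=$1; domain=$2; days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null
    # Constructed sample of a renewal log: one failed attempt, one success.
    printf '%s\n' \
        'renewal: attempting to renew cert (example.test)' \
        'ERROR: Attempting to renew cert (example.test) failed' \
        'renewal: Congratulations, all renewals succeeded' \
        > "$dir/letsencrypt.log"
}

# Exit 0 if the certificate $1 lists domain $2 in its Subject Alternative
# Name extension; a certificate for the wrong host is useless to the proxy.
cert_covers_domain() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# Exit 0 if certificate $1 stays valid for at least $2 more days.
# -checkend returns non-zero when the certificate expires within the window.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Exit 0 if file $1 was modified within the last $2 days, i.e. Certbot
# actually rewrote it during the renewal run.
renewed_within_days() {
    [ -n "$(find "$1" -mtime -"$2" -print)" ]
}

# Print how many lines in log $1 mention an error or failure.
count_renewal_errors() {
    grep -Eci 'error|failed' "$1" || true
}

# Stand-alone demo against a constructed certificate.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_demo_cert "$d" example.test 30
    cert_covers_domain "$d/fullchain.pem" example.test && echo "domain ok"
    cert_ok_for_days "$d/fullchain.pem" 7 && echo "valid for 7+ days"
    renewed_within_days "$d/fullchain.pem" 1 && echo "files freshly written"
    echo "renewal errors: $(count_renewal_errors "$d/letsencrypt.log")"
fi
```

In a real deployment point these functions at the live certificate directory under your 'docker-volumes/etc/letsencrypt' mount; a failing `cert_ok_for_days` with a 30-day window is the condition under which the HUP to the Nginx container above should have been triggered by a renewal.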
For more articles that cover Let's Encrypt:
source: Let's Encrypt container
source: Reverse proxy Nginx
source: Details on Docker, Nginx and 'Let's Encrypt'