18 Comments

What is the easiest way to generate an SSL cert in 2020?

I've been using this tutorial for a few years. I want to set up SSL for 2 subdomains with docker compose.

When I tried to edit init-letsencrypt.sh in one of the steps, it always went wrong.

Any better way comes out in 2020?

Updated 7/7/2020:
My production is hosting several WordPress blogs. When I tried to put my app on prod, ports 80 & 443 are used by the nginx installed on the host. My dockers simply can't pass the ACME HTTP challenge in order to get a cert. The ACME challenge requires port 80.

posted to Developers on July 6, 2020
  1. 4

    certbot generating Let's Encrypt certs as a cron job, placing the cert on Apache and other web servers' paths, has never failed me.

    1. 1

      Yes, I can generate certs with certbot if there is no docker / docker compose. When there is docker, it gets complicated.

      1. 1

        Sorry, I didn't pay attention to the context.
        If it's a docker image, then why not have RUN(s) that install certbot, with a config? This would then generate an image that has certbot configured as a cron job.

        I don't see anything a Dockerfile can't do :)

        1. 1

          Yes, I finally managed to generate the cert with the certbot docker image. But I missed the nginx conf folder in the docker compose yml file. It took me half a day to figure it out.

          Imo, SSL is a must-have for standard websites. The application process should be as easy as possible.

  2. 1

    All of my domains are connected to Cloudflare. They handle public facing certificates, and for Cloudflare to my server, I generate certificates using the cloudflare plugin. The whole process is automated and runs in a docker container. If you want it, let me know and I will share the script file.

    1. 1

      Yes, please share the script. Feel free to ping me on Twitter.

      1. 1

        One thing I feel like I need to clarify is that I export the certs to /etc/nginx-ssl, which is a directory mounted in both the certbot container and the nginx container. Add these two lines to nginx.conf and you should be good to go:

        ssl_certificate /etc/nginx-ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx-ssl/privkey.pem;
        

        You can also forward any http traffic to https:

        server {
            listen 80 default_server;
        
            server_name _;
        
            return 301 https://$host$request_uri;
        }

      2. 1
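Putting together the OP's update (the host nginx already owns ports 80/443, so the containers cannot answer the HTTP-01 challenge) and the cert paths and redirect in the comment above, here is an added example host nginx config that is not from the thread or the linked gist: the host nginx answers /.well-known/acme-challenge/ from a webroot bind-mounted into the certbot container, redirects everything else to HTTPS, and proxies to the app container. Assumed names: app.example.com, /var/www/certbot as the shared webroot, /etc/nginx-ssl for the issued cert, and 127.0.0.1:8080 as the port the container publishes.

```nginx
# Host nginx (the one already holding ports 80/443) acting as the
# TLS-terminating reverse proxy for one containerised app.
# Assumed paths: /var/www/certbot is a host directory bind-mounted into the
# certbot container as its --webroot-path; /etc/nginx-ssl holds the issued
# cert and key (the layout used in the comment above). app.example.com and
# 127.0.0.1:8080 are placeholders.

server {
    listen 80;
    server_name app.example.com;

    # HTTP-01 challenge: Let's Encrypt fetches
    # http://app.example.com/.well-known/acme-challenge/<token> on port 80,
    # so the host nginx must answer it on behalf of the certbot container.
    # certbot writes the token under /var/www/certbot/.well-known/acme-challenge/.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS (the same 301 redirect as above).
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx-ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx-ssl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The app container only publishes a loopback port, so it is reachable
    # through this proxy and never directly from the internet.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With the webroot mounted at the same path in the certbot container, certbot certonly --webroot -w /var/www/certbot -d app.example.com issues the cert without the container ever binding port 80; reload the host nginx after each renewal so it picks up the new files.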

        Here you go
        https://gist.github.com/nazmulpcc/de347b48e146bf8428efd6954543003b
        Please keep in mind that the Dockerfile may not work straight out of the box, as I just copy-pasted the related portions from my actual Dockerfile. You should pass some environment variables to the docker container; see the certbot.sh file for the variables you will need. If you need any more help, feel free to reach out at [email protected]

  3. 1

    I created my own UI for this, but it is not production ready yet. Where do you host docker in AWS? Maybe I should give you a test server to try out 😉

    1. 1

      I host my apps on DigitalOcean.

      1. 1

        Send me an email, I can explain more if you want to give it a try.

  4. 1

    If you are self hosting Docker I recommend using Traefik.

  5. 1

    I am using docker via Dokku. Add a cert with one line and configure auto-renew just once for all certs:
    dokku letsencrypt <domain>
    dokku letsencrypt:cron-job --add

  6. 1

    Try Traefik and it will auto-manage the certs.

  7. 1

    Kubernetes with nginx-ingress and cert-manager

  8. 1

    I think it depends on what your hosting strategy is. For example, if you're on Heroku, you just click the SSL box and you're done (of course, theoretically, if someone compromises Heroku, then they could intercept between the load balancer and your dyno).

    Similarly, on AWS, if your app is behind a Load Balancer, you can do SSL termination at the load balancer and lock down your VPC. At that point, you could run http between the LB and your host, or you could use a self-signed cert that doesn't need to go through the hoops of certbot (that would only be for intra-VPC traffic; you'd still have a real cert between the VPC and your customers). Most of the cloud providers should have a fairly straightforward way to do SSL termination at a load balancer and never have to deal with certbot inside the VPC.

  9. 1

    I've been using Cloudflare SSL on my root domain. It handles subdomains as well.

    1. 1

      I've read some tutorials. If you're using Cloudflare Flexible SSL, you can still be intercepted. This is because Cloudflare only encrypts the path between users and the Cloudflare CDN. The path between the CDN and your server is not encrypted.

      That's why people use certbot / Let's Encrypt to generate a cert.
