How to use Docker to generate wildcard SSL certificates for your website?
Google Chrome has started warning on non-SSL websites, so it is more important than ever to generate an SSL certificate for your website today!
When it comes to Docker, the idea is simple: you mount a volume to share certificates with other containers. Many Docker images ship with an 'in-built' SSL generator. However, if you want the setup to scale, that is a pretty bad way to do it. You would need to keep track of every subdomain, its certificate and the container that generated it, and the load balancer need not be pointing at the "right" container during validation. So the problems are many.
I am using adferrand/letsencrypt-dns for this; it can automatically restart a Docker container once a matching certificate has been renewed. It supports 50+ DNS managers, and I am sure yours is covered 😉. I am a fan of Linode; if you are serious about your business growth, give them a shot.
Docker Compose content:
version: '3.2'
services:
  letsencrypt-dns:
    image: adferrand/letsencrypt-dns
    restart: always
    volumes:
      - "/etc/passwd:/etc/passwd:ro"
      - "/etc/group:/etc/group:ro"
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/etc/letsencrypt"
    environment:
      - CERTS_USER_OWNER=
      - CERTS_GROUP_OWNER=
      - CERTS_DIRS_MODE=0755
      - CERTS_FILES_MODE=0644
      - LETSENCRYPT_USER_MAIL=@.com
      - LEXICON_SLEEP_TIME=1500
      - LEXICON_PROVIDER=linode
      - LEXICON_LINODE_TOKEN=
Explaining the docker-compose.yml
We mount passwd and group read-only so that the container can resolve the host user and group that will own the certificate files.
Mounting docker.sock lets the container restart the related Docker containers or execute a command inside the targeted container. If you don't mount it, the containers will keep using their old certificates even after a renewal, so it is very important that you mount it. Keep in mind that whoever controls this socket controls the Docker daemon on the host, so only mount it into containers you trust.
Since the DNS is hosted in Linode's DNS manager, we set the Lexicon provider to linode and supply its token. The sleep time is 1500 seconds, that is 25 minutes, so each domain is validated 25 minutes after the verification record has been added to DNS. If you are in the USA, it will probably work with a much shorter wait, such as 500 seconds.
Example content of domains.conf
webapplicationconsultant.com *.webapplicationconsultant.com autorestart-containers=nginx_nginx_1,nginx_nginx_2
varunbatra.com *.varunbatra.com autocmd-containers=varunbatra_static_1:service nginx reload
- webapplicationconsultant.com *.webapplicationconsultant.com autorestart-containers=nginx_nginx_1,nginx_nginx_2 will restart the containers named nginx_nginx_1 and nginx_nginx_2 once the certificates of webapplicationconsultant.com have been renewed.
- varunbatra.com *.varunbatra.com autocmd-containers=varunbatra_static_1:service nginx reload will execute the command service nginx reload inside varunbatra_static_1 once the certificates of varunbatra.com have been renewed.
Generated SSL locations
Now you can use these certificates in NGINX, Apache or 'whatever' 🙂. Just make sure that, whatever you do, you don't forget to add proper autorestart or autocmd lines for the respective containers.
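As an added example (not code from the original post nor from adferrand/letsencrypt-dns), here is a small linter for domains.conf lines in the format shown above: it parses the domain list and the autorestart-containers/autocmd-containers directives, and flags entries that would renew a certificate without ever reaching the container that serves it, plus wildcard entries that forget the apex name. It assumes the directive values are comma-separated and that commands contain no commas; the example.org/example.net lines in the sample are constructed.

```python
# Added example (not from the original post or from adferrand/letsencrypt-dns): a
# linter for domains.conf lines in the format shown above. It flags entries that
# would renew a certificate without reaching the container that serves it.
import re

SPLIT_AT_DIRECTIVE = re.compile(r"(?:^|\s+)(?=(?:autorestart|autocmd)-containers=)")

def parse_line(line: str) -> dict:
    """'<domain>... [autorestart-containers=a,b] [autocmd-containers=c:cmd]'"""
    head, *directives = SPLIT_AT_DIRECTIVE.split(line.strip())
    entry = {"domains": head.split(), "restart": [], "commands": {}}
    for directive in directives:
        key, _, value = directive.partition("=")
        if key == "autorestart-containers":   # containers to restart after renewal
            entry["restart"] += [c.strip() for c in value.split(",") if c.strip()]
        elif key == "autocmd-containers":     # container:command to exec after renewal
            for spec in value.split(","):     # assumption: commands contain no commas
                name, _, cmd = spec.partition(":")
                entry["commands"][name.strip()] = cmd.strip()
    return entry

def lint(conf: str) -> list:
    """Return warnings for risky entries; an empty list means the file is clean."""
    warnings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        e = parse_line(raw)
        if not e["domains"]:
            warnings.append(f"line {n}: directive without any domain")
        elif not e["restart"] and not e["commands"]:
            warnings.append(f"line {n}: {e['domains'][0]} has no autorestart/autocmd, "
                            "so the serving container keeps the old certificate")
        # A wildcard does not cover the apex name, so *.x without x is usually a mistake.
        for d in e["domains"]:
            if d.startswith("*.") and d[2:] not in e["domains"]:
                warnings.append(f"line {n}: {d} does not cover {d[2:]}; list it too")
    return warnings

# Constructed sample: the two lines from the post plus two deliberately faulty ones.
SAMPLE_CONF = """\
webapplicationconsultant.com *.webapplicationconsultant.com autorestart-containers=nginx_nginx_1,nginx_nginx_2
varunbatra.com *.varunbatra.com autocmd-containers=varunbatra_static_1:service nginx reload
example.org *.example.org
*.example.net autorestart-containers=web_1
"""

if __name__ == "__main__":
    print(*lint(SAMPLE_CONF), sep="\n")
```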