Letsencrypt with docker

Oct 20th 2016 (updated Apr 3rd 2023)

Setting up letsencrypt to replace the paid-for SSL certificates in your existing nginx or apache setup.

Running Letsencrypt

Create Data Container

First off, create a data container to hold the data created by letsencrypt (namely the certificates). Using a data container solely for the letsencrypt data means we can keep it isolated to only the containers that link to it with the --volumes-from option.

docker create -v /etc/letsencrypt -v /var/lib/letsencrypt --name letsencryptdata tianon/true /bin/true

The volumes we need to persist for letsencrypt are the /etc/letsencrypt and /var/lib/letsencrypt directories, which contain the certificates (in /etc/letsencrypt) and the other letsencrypt data.

Generate Certificates

To generate certificates we need to run the letsencrypt command. We can do this with the following docker command, which writes them into the volumes mounted from the letsencryptdata container.

docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt \
 --volumes-from letsencryptdata \
 quay.io/letsencrypt/letsencrypt:latest auth

Using the certificates

Recreate your nginx/apache containers with the '--volumes-from letsencryptdata' option and update their configuration like the examples below (replacing 'yourdomain.co.uk' with your own domain). The letsencrypt documentation page 'Where are my certificates?' describes the layout of the files under /etc/letsencrypt/live.

Apache

SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.co.uk/privkey.pem
# Apache < 2.4.8
SSLCertificateFile /etc/letsencrypt/live/yourdomain.co.uk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.co.uk/chain.pem
# Apache >= 2.4.8
SSLCertificateFile /etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem

Nginx

ssl_certificate    /etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem;
ssl_certificate_key    /etc/letsencrypt/live/yourdomain.co.uk/privkey.pem;
# nginx >= 1.3.7
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.co.uk/chain.pem;

Renewing Certificates

Letsencrypt certificates expire after 90 days, so you will need to create new ones. To do so, re-run letsencrypt with the 'renew' command from a temporary docker container linked to the same data container.

sudo docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt --volumes-from letsencryptdata quay.io/letsencrypt/letsencrypt:latest renew
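As an added example, not part of the original post, the following script wraps the renewal step so that the web server container is stopped while letsencrypt needs ports 80 and 443 (the standalone authenticator used above answers the challenge itself) and is started again afterwards, even if the renewal fails. Starting the web server again also makes it re-read the renewed files from the shared volume, which a running server does not do by itself. The container name letsencryptdata and the image come from the post; the web server container name nginx and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Renews the certificates held in
# the letsencryptdata container and makes sure the web server is brought back
# up (and therefore re-reads the renewed files) even when renewal fails.
# Assumptions: the web server container is called "nginx" (set WEB_CONTAINER to
# change it) and, as in the post, the standalone authenticator is used, so
# ports 80 and 443 must be free while letsencrypt runs.
set -eu

DATA_CONTAINER="${DATA_CONTAINER:-letsencryptdata}"
WEB_CONTAINER="${WEB_CONTAINER:-nginx}"   # assumed name of the nginx/apache container
LE_IMAGE="${LE_IMAGE:-quay.io/letsencrypt/letsencrypt:latest}"

# Stop the web server, run "renew" against the shared volumes, then start the
# web server again. Returns the exit status of the renew command.
renew_certs() {
    status=0
    # Free ports 80 and 443 for the standalone authenticator.
    docker stop "$WEB_CONTAINER"
    docker run --rm --name letsencrypt-renew -p 80:80 -p 443:443 \
        --volumes-from "$DATA_CONTAINER" "$LE_IMAGE" renew || status=$?
    # Always restart the web server; a renewed certificate is only served once
    # the server has re-read /etc/letsencrypt/live/<domain>/ from the volume.
    docker start "$WEB_CONTAINER"
    return "$status"
}

# Run only when invoked as "sh renew.sh renew", so the file can also be sourced.
case "${1:-}" in
    renew) renew_certs ;;
esac
```

Run it as `sh renew.sh renew` from cron; a non-zero exit status means the renewal itself failed, and the web server is still running on the old certificate.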

Backup & Restore

The following backup and restore commands link to the letsencryptdata container and create a tar in the current directory. Since this tar contains your private key, it is important to keep it safe and secure.

Backup

docker run --volumes-from letsencryptdata -v "$PWD:/backup" ubuntu bash -c "tar cvf /backup/letsencrypt.tar /etc/letsencrypt"

Restore

docker run --volumes-from letsencryptdata -v "$PWD:/backup" ubuntu bash -c "tar xvf /backup/letsencrypt.tar -C /"
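As an added example, not part of the original post, this script does the same backup and restore but creates the archive owner-only, checks that it really contains a private key, is not readable by others and holds only relative paths, and refuses to restore an archive that fails those checks. The data container name letsencryptdata and the ubuntu image come from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Backs up /etc/letsencrypt from
# the letsencryptdata container with owner-only permissions and verifies the
# archive before trusting it for a restore.
# Assumption: the data container is called letsencryptdata (as in the post).
set -eu

DATA_CONTAINER="${DATA_CONTAINER:-letsencryptdata}"

# Sanity-check an archive. Returns 1 with a message on stderr if the archive
# is readable by others, holds no privkey.pem, or contains absolute paths.
verify_backup() {
    archive=$1
    # Mode must be exactly 0600: the archive contains the private key.
    if [ -z "$(find "$archive" -prune -perm 600)" ]; then
        echo "$archive: permissions are not 0600" >&2
        return 1
    fi
    # A backup without a private key would not restore a working site.
    if ! tar -tf "$archive" | grep -q 'live/[^/]*/privkey\.pem$'; then
        echo "$archive: contains no live/<domain>/privkey.pem" >&2
        return 1
    fi
    # Members must be relative so a restore cannot write outside the target.
    if tar -tf "$archive" | grep -q '^/'; then
        echo "$archive: contains absolute paths" >&2
        return 1
    fi
    return 0
}

# Archive etc/letsencrypt from the data container into OUTDIR (default: cwd).
# umask 077 inside the container makes the tar file owner-only on creation.
backup_letsencrypt() {
    outdir=${1:-$PWD}
    docker run --rm --volumes-from "$DATA_CONTAINER" -v "$outdir:/backup" ubuntu \
        sh -c 'umask 077 && tar -C / -cf /backup/letsencrypt.tar etc/letsencrypt'
    verify_backup "$outdir/letsencrypt.tar"
}

# Restore an archive into the data container, only after it passed the checks.
restore_letsencrypt() {
    archive=$1
    verify_backup "$archive" || return 1
    docker run --rm --volumes-from "$DATA_CONTAINER" \
        -v "$(cd "$(dirname "$archive")" && pwd):/backup:ro" ubuntu \
        tar -C / -xf "/backup/$(basename "$archive")"
}

case "${1:-}" in
    backup)  backup_letsencrypt "${2:-$PWD}" ;;
    restore) restore_letsencrypt "${2:?archive path required}" ;;
esac
```

Usage: `sh lebackup.sh backup /srv/backups` and `sh lebackup.sh restore /srv/backups/letsencrypt.tar`. The archive is created by root inside the container, so on the host it is owned by root with mode 0600; keep it that way when copying it elsewhere.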