Let’s Encrypt is a Certificate Authority that is trusted by all major browsers and operating systems. It’s a free service that issues SSL/TLS certificates for your services through an automated process, and it’s kind of a big deal.
The main requirement for using it is that you need a valid, public domain name. Yes, that costs money, but not much (depending on the TLD you choose). I recommend Cloudflare and will be using it as an example.
This article will go into the following:
This article will show how to do both an HTTP01 Let’s Encrypt challenge and a DNS01 Let’s Encrypt challenge. You only need to choose one.
A DNS challenge is where you tell Let’s Encrypt, “I would like a certificate that covers my entire domain”. Let’s Encrypt replies, “Here’s a long text (TXT) record to publish in your DNS for us to read and validate your domain”. Once you publish it, and once they read it, they give you a certificate that covers your entire domain (referred to as a wildcard certificate) for 3 months.
A DNS challenge is really the best option if you have the right prerequisites. You don’t have to expose any services at all for it to work, which is especially important if you are stuck without a public IPv4 address. You also only need to request one certificate, and you can reuse that certificate for all of your services.
The first step is to create an API token with your DNS provider. For this guide we will be using Cloudflare.
This should generate a token (a long string) that Nginx Proxy Manager can use to interact with your Cloudflare account.
Request a certificate for *.<your-domain>.<tld>. Press “Use a DNS Challenge”. Provide your details and paste in the API token you just generated. Press Save.
This option is for when you can’t, for whatever reason, use DNS challenges. If you can, you can skip this section.
If you have a provider that is not compatible with certbot, you can still use a DNS challenge: register a free account with Cloudflare and point your domain’s nameservers at Cloudflare.
HTTP challenges only work for specific subdomains (like git.<your-domain>.<tld>, as opposed to *.<your-domain>.<tld>). Furthermore, you must:
HTTP01 challenges require you to expose your server to the internet to work. DNS challenges do not. Expose your docker services at your own risk.
Actually using an HTTP challenge is quite easy. If you’ve met the above caveats, you just need to:
Having a valid certificate isn’t very useful if you aren’t protecting your website with it. Luckily, this is easy:
Awesome! We now have all the tools and techniques to start setting up our permanent docker infrastructure. Let’s cover that next in Leveraging Reverse Proxying.