This repo will hopefully streamline deployment of Open Context. The repo started by forking: https://github.com/evgeniy-khist/letsencrypt-docker-compose
This example automatically obtains and renews Let's Encrypt TLS certificates and set up HTTPS in Nginx for multiple domain names using Docker Compose.
You can set up HTTPS in Nginx with Let's Encrypt TLS certificates for your domain names and get A+ rating at SSL Labs SSL Server Test by changing a few configuration parameters of this example.
Let's Encrypt is a certificate authority that provides free X.509 certificates for TLS encryption. The certificates are valid for 90 days and can be renewed. Both initial creation and renewal can be automated using Certbot.
When using Kubernetes Let's Encrypt TLS certificates can be easily obtained and installed using Cert Manager. For simple web sites and applications Kubernetes is too much overhead and Docker Compose is more suitable. But for Docker Compose there is no such popular and robust tool for TLS certificate management.
The example supports separate TLS certificates for multiple domain names, e.g. example.com, anotherdomain.net etc. For simplicity this example deals with the following domain names:
- test1.devcomanda.com
- test2.devcomanda.com
The idea is simple. There are 3 containers:
- Nginx
- Certbot - for obtaining and renewing certificates
- Cron - for triggering certificates renewal once a day
The sequence of actions:
- Nginx generates self-signed "dummy" certificates to pass ACME challenge for obtaining Let's Encrypt certificates
- Certbot waits for Nginx to become ready and obtains certificates
- Cron triggers Certbot to try to renew certificates and Nginx to reload configuration on a daily basis
The directories and files:
docker-compose.yml
.env
- specifiesCOMPOSE_PROJECT_NAME
to make container names independent from the base directory nameconfig.env
- specifies project configuration, e.g. domain names, emails etc.html/
- directory mounted asroot
for Nginxindex.html
nginx/
Dockerfile
nginx.sh
- entrypoint scripthsts.conf
- HTTP Strict Transport Security (HSTS) policydefault.conf
- Nginx configuration for all domains. Contains a configuration to get A+ rating at SSL Server Test
certbot/
Dockerfile
certbot.sh
- entrypoint script
cron/
Dockerfile
renew_certs.sh
- script executed on a daily basis to try to renew certificates
To adapt the example to your domain names you need to change only config.env
:
DOMAINS=test1.devcomanda.com test2.devcomanda.com
CERTBOT_EMAILS[email protected] [email protected]
CERTBOT_TEST_CERT=1
CERTBOT_RSA_KEY_SIZE=4096
Configuration parameters:
DOMAINS
- a space separated list of domains to manage certificates forCERTBOT_EMAILS
- a space separated list of email for corresponding domains. If not specified, certificates will be obtained with--register-unsafely-without-email
CERTBOT_TEST_CERT
- use Let's Encrypt staging server (--test-cert
)
Let's Encrypt has rate limits. So, while testing it's better to use staging server by setting CERTBOT_TEST_CERT=1
(default value).
When you are ready to use production Let's Encrypt server, set CERTBOT_TEST_CERT=0
.
- Docker and Docker Compose are installed
- You have a domain name
- You have a server with a publicly routable IP address
- You have cloned this repository
git clone https://github.com/opencontext/oc-docker.git
For all domain names configure DNS A records to point to a server where Docker containers will be running.
Specify you domain names and contact emails for these domains in the edit_dot_env
file and then save this file as .env
:
First make an .env
file
cp edit_dot_env .env
Now edit .env
file to change your settings.
nano .env
Here are properties to change based on your specific Web domain. Please note, for now this only supports one domain specified by the DOMAINS
variable (the plural is asperational..).
DOMAINS=prod.opencontext.org
CERTBOT_EMAILS[email protected]
docker volume create --name=logs_nginx
docker volume create --name=nginx_ssl
docker volume create --name=certbot_certs
docker volume create --name=oc_certbot
docker volume create --name=redisdata
This process assumes that you have a copy of the static javascript and css files that are NOT in version control with Open Context (yes, a pain.) Make sure the static directory and its contents have the appropriate permissions:
sudo chmod -R 755 static/
docker compose up --build
Step 5 - Switch to production Let's Encrypt server after verifying HTTPS works with test certificates
Stop the containers:
docker compose down
Configure to use production Let's Encrypt server in config.env
:
CERTBOT_TEST_CERT=0
Re-create the volume for Let's Encrypt certificates:
docker volume rm certbot_certs
docker volume create --name=certbot_certs
Start the containers:
docker compose up
You may run into weirdness permissions issues restarting the docker container. I solved it with:
sudo chmod 666 /var/run/docker.sock
One common need while the oc-docker compose is up and running would be to update the software in the Open Context container. To do so quickly, simply:
# This updates to the latest head of the staging branch:
docker exec -it oc git -C /open-context-py reset --hard origin/staging
# Now restart the container:
docker compose restart oc