SSL Certificates - Certbot
SSL Certificates
Certbot is a free solution for issuing SSL/TLS certificates via Let’s Encrypt, which enables a secure HTTPS connection for websites. Compared to paid providers, which often involve additional administrative work and recurring costs, Certbot offers an automated, free alternative that simplifies the management of certificates and handles ongoing renewals.
Setup
It is recommended to install Certbot natively on the host, obtain the certificates once via Certbot and mount them into the nginx container as a volume.
1. Install Certbot
Prerequisites:
→ ALMA / Rocky Linux as host
→ Docker installed according to instructions
→ Relution configured according to instructions
Certbot can be installed with the following commands:
sudo dnf install epel-release -y
sudo dnf install certbot -y
2. Stop Nginx
Nginx must be stopped temporarily because Certbot in --standalone mode briefly starts its own web server on port 80.
docker stop docker_nginx
3. Create a certificate
Start Certbot and follow the instructions in the wizard.
sudo certbot certonly --standalone -d example.com
4. Adjust the certificate path
In docker-compose.yml, the path to the created SSL certificates must be adjusted.
services:
  nginx:
    ...
    volumes:
      - '/etc/letsencrypt/live/<example.com>/fullchain.pem:/etc/nginx/server.pem'
      - '/etc/letsencrypt/live/<example.com>/privkey.pem:/etc/nginx/server.key'
Important: If Nginx is started with these volumes (the paths to the certificates) in docker-compose.yml while the certificates do not exist yet, Docker creates empty folders with those names instead of files. These folders must be deleted before Certbot runs, otherwise the certificate files cannot be created.
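A small pre-flight check for exactly this failure mode, as an added example that is not part of the Relution docs: it tells apart a missing certificate file from a folder that Docker created in its place, and can remove such stale folders. The live directory path follows the default Certbot layout; the script name is illustrative.

```shell
#!/bin/sh
# cert-preflight.sh (illustrative name): check the certificate bind mounts
# referenced in docker-compose.yml before running "docker compose up".
# Added example, not part of the Relution documentation.

# check_cert_path PATH -> 0 if PATH is a regular, non-empty file,
# 1 if it is missing or empty, 2 if Docker created a folder in its place.
check_cert_path() {
    path="$1"
    if [ -d "$path" ]; then
        echo "ERROR: $path is a folder (created by Docker before Certbot ran)" >&2
        return 2
    elif [ ! -s "$path" ]; then
        echo "ERROR: $path is missing or empty; run certbot first" >&2
        return 1
    fi
    return 0
}

# fix_stale_dirs LIVE_DIR -> removes the empty folders that occupy the
# certificate file names so that Certbot can write the real files.
fix_stale_dirs() {
    live_dir="$1"; rc=0
    for name in fullchain.pem privkey.pem; do
        if [ -d "$live_dir/$name" ]; then
            rmdir "$live_dir/$name" || rc=1
            echo "removed stale folder $live_dir/$name" >&2
        fi
    done
    return $rc
}

# preflight LIVE_DIR -> 0 only if both files mounted into nginx are present.
preflight() {
    live_dir="$1"; rc=0
    check_cert_path "$live_dir/fullchain.pem" || rc=1
    check_cert_path "$live_dir/privkey.pem" || rc=1
    return $rc
}

# Usage: sh cert-preflight.sh /etc/letsencrypt/live/example.com
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```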
5. Start Docker container
Once the certificates have been created successfully, all containers can be started and checked:
docker compose up --detach
docker ps
6. Pre- and post-hooks
For renewal, pre- and post-hooks can be configured in Certbot to stop and then restart the nginx container. The hooks are only executed if Certbot determines during renew that the certificates actually need to be replaced. Certbot is usually configured to run twice a day and checks whether a replacement is necessary. The certificates are valid for 90 days.
Depending on the host system, Certbot should already have set up an automatic renewal (e.g. as a systemd service + timer). The command there can then be extended with these hooks, e.g.
ExecStart=/usr/bin/certbot [--dry-run] -q renew --pre-hook "…" --post-hook "…"
Pre- and post-hooks would then be accordingly:
--pre-hook "/usr/bin/docker compose -f /opt/relution/docker-compose.yml down nginx"
--post-hook "/usr/bin/docker compose -f /opt/relution/docker-compose.yml up --detach nginx"
The hooks can also point to script files that contain the actual call, which is usually clearer.
Important: When trying this out for the first time, always use --dry-run, so that Let's Encrypt does not block the domain for several days because of too many failed attempts. In a production environment, this flag must of course be removed, otherwise no certificate will be issued.