Poly4's Blog
Securing Your Nginx Container with Let's Encrypt SSL Certificates

Securing Your Nginx Container with Let's Encrypt SSL Certificates

Alhazan Mubarak Olajuwon's photo
Alhazan Mubarak Olajuwon
·

8 min read

Introduction

In the modern web landscape, securing web applications with SSL has become a non-negotiable best practice. Secure Sockets Layer (SSL) encryption protects sensitive user data from being intercepted, enhances trust and improves search engine rankings.

Nginx is a popular choice for serving web traffic, especially in containerized environments. Running Nginx in a container allows for lightweight, scalable, and portable deployments, making it a go-to solution for many DevOps engineers and system administrators.

Let's Encrypt is a free, and automated SSL certificate authority. With Let's Encrypt, obtaining and renewing SSL certificates is streamlined, removing the financial and operational barriers that once deterred many from implementing robust encryption.

This article will guide you through securing an Nginx server running inside a Docker container using Let's Encrypt SSL certificates. By the end, you will have a solid understanding of how to:

  • Configure your Nginx container for SSL.

  • Obtain and install Let's Encrypt certificates.

  • Automate certificate renewal for uninterrupted security.

Prerequisites

Before diving into securing your Nginx container with Let's Encrypt SSL certificates, ensure you meet the following prerequisites:

  1. Familiarity with Docker and Nginx: You should have a basic understanding of Docker's containerization concepts and be comfortable working with Nginx as a web server.

  2. A Server with a Public Domain: You'll need access to a server with a public IP address and a registered domain name. Additionally, you must have permission to modify your domain's DNS records to point it to your server.

Setting Up The Environment

The first step in securing your Nginx container with Let's Encrypt SSL certificates is to prepare your environment. This involves installing Docker, setting up Nginx in a container, and configuring a directory structure for Let's Encrypt.

Step 1: Install Docker and Set Up Nginx in a Container

  1. Install Docker: Ensure Docker is installed on your server. If not, you can install it by following this official guide.

  2. Pull the Nginx Docker Image: Pull the latest Nginx image from Docker Hub

     docker pull nginx:latest

  3. Run the Nginx Container: Launch an Nginx container, exposing port 80 for HTTP traffic and 443 for HTTPS traffic:

     docker run --name nginx-container -d -p 80:80 -p 443:443 nginx

    Confirm the container is running:

     docker ps

Step 2: Create a Directory Structure for the Let's Encrypt Webroot

Let's Encrypt uses a webroot for the HTTP-01 challenge to verify domain ownership. Create a directory to act as the webroot:

sudo mkdir -p yourdirectory/certbot/webroot/.well-known/acme-challenge

This directory will hold the temporary files Let's Encrypt uses during the certificate issuance process.

Also, ensure that necessary permissions are granted to access the directory:

sudo chown -R $(whoami):$(whoami) yourdirectory/certbot/webroot  
sudo chmod -R 755 yourdirectory/certbot/webroot

Step 3: Mount the Webroot to the Nginx Container

To allow Let's Encrypt to place challenge files in your webroot, mount the directory into your Nginx container. Stop the running container, then rerun it with the volume mounted:

  1. Stop and remove the container:

     docker stop nginx-container
 docker rm nginx-container

  2. Run the container with the webroot mounted:

     docker run --name nginx-container -d -p 80:80 \
 -v yourdirectory/certbot/webroot:/var/www/certbot \
 nginx

  3. Test the setup by creating a test file in the webroot:

     echo "Let's Encrypt Webroot Test" > yourdirectory/certbot/webroot/test.html

    Access the file in your browser:

     http://<your-domain>/test.html

    Once you see the test file content in your browser, your environment is correctly set up for Let's Encrypt.

Configuring Nginx for SSL

Securing the Nginx server for Let's Encrypt SSL involves configuring a dedicated location block to handle ACME HTTP-01 challenges and ensuring the container reflects these changes.

Step 1: Add a Dedicated Location Block for ACME Challenges

Let's Encrypt uses the ACME HTTP-01 challenge to validate your domain ownership. For this to work, you'll need to configure a specific location block in your Nginx configuration to serve the challenges from the webroot.

 location /.well-known/acme-challenge/ {
     root /var/www/certbot;
 }

Step 2: Update the Nginx Configuration

To make the configuration process easily maintainable, you can create an nginx.conf file in your local directory. The updated configuration file should include the location block defined above.

Here’s an example of how your nginx.conf file might look:

events {}
http {
    # Include mime types
    include       mime.types;
    default_type  application/octet-stream;
    # Proxy settings
    sendfile        on;
    keepalive_timeout 65;

    #... other ngnix configuration

    # Server block for HTTPS
    server {  
        listen 443 ssl;  
        server_name yourdomain.com;  # Replace with your domain

        #... other server configuration
    }  

    # Server block for HTTP
    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }
}

Once the file is ready, stop and remove the container:

docker stop nginx-container
docker rm nginx-container

Then rerun the container with nginx.conf file mounted to it as a volume:

docker run --name nginx-container -d \
  -p 80:80 \
  -p 443:443 \
  -v yourdirectory/nginx.conf:/etc/nginx/nginx.conf \
  -v yourdirectory/certbot/webroot:/var/www/certbot \
  nginx

Installing and Using Certbot

Certbot is a widely used client for obtaining SSL certificates from Let's Encrypt. In this section, we’ll install Certbot, generate an initial certificate, and configure Nginx to use it for secure communication.

Step 1: Install Certbot on the Host Machine

Install Certbot using your Linux distribution’s package manager.

sudo apt update
sudo apt install certbot

You can also check the Certbot official documentation and select your operating system for tailored guidance.

Step 2: Obtain the Initial SSL Certificate

Run Certbot with the webroot plugin, pointing to the directory mounted as the webroot in your Nginx container:

sudo certbot certonly --webroot -w yourdirectory/certbot/webroot -d yourdomain.com

Once successful, Certbot will generate the certificate files, typically found in etc/letsencrypt/live/yourdomain.com/.

Step 3: Update the Nginx Configuration

Once the certificate has been issued, update the nginx.conf file to use SSL. Open the nginx.conf file in your local directory and update the HTTPS server block with the following:

# Server block for HTTPS
server {  
    listen 443 ssl;  
    server_name yourdomain.com;  # Replace with your domain  

    # SSL Certificates  
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;  
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;  

    # SSL Settings  
    ssl_protocols TLSv1.2 TLSv1.3;  
    ssl_prefer_server_ciphers on;  
    ssl_ciphers HIGH:!aNULL:!MD5;  

    # Other https server configuration...  
}

To ensure all HTTP traffic is redirected to HTTPS, update the HTTP server block in the same nginx.conf file:

# Server block for HTTP
server {  
    listen 80;  
    server_name yourdomain.com;  

    location /.well-known/acme-challenge/ {
            root /var/www/certbot;
    }

    # Redirect all HTTP traffic to HTTPS  
    location / {  
        return 301 https://$host$request_uri;  
    }  
}

After updating the configuration file, stop and remove the container:

docker stop nginx-container
docker rm nginx-container

Then rerun the container with an additional volume for the SSL certificates:

docker run -d --name nginx-container \
  -p 80:80 -p 443:443 \
  -v yourdirectory/nginx.conf:/etc/nginx/nginx.conf \
  -v /etc/letsencrypt:/etc/letsencrypt:ro \
  -v yourdirectory/certbot/webroot:/var/www/certbot \
  nginx

Step 4: Verify SSL is Working

  • Open your domain in a browser and ensure it loads over HTTPS.

  • Alternatively, use curl to test the connection:

      curl -I https://yourdomain.com

If everything is set up correctly, you should see a response with a status code of 200 and the protocol HTTPS.

Automating Certificate Renewal

SSL certificates issued by Let's Encrypt are valid for 90 days, so automating the renewal process ensures your web services remain secure without manual intervention. In this section, you’ll configure a cron job for certificate renewal, test it, and automate the Nginx container reload after a successful renewal.

Step 1: Set Up a Renewal Cron Job for Certbot

To ensure certificates are renewed before expiration, you can configure a cron job. Open the cron configuration for editing:

crontab -e

Add the following line to schedule a daily check for renewal:

0 0 * * * sudo certbot renew --webroot -w yourdirectory/certbot/webroot --quiet && docker exec nginx-container nginx -s reload

Here’s a breakdown of the command:

  • sudo certbot renew: Automatically renews certificates close to expiration.

  • --webroot -w yourdirectory/certbot/webroot: Specifies the webroot directory for the renewal challenge.

  • --quiet: Suppresses non-critical output for cleaner logs.

  • docker exec nginx-container-name nginx -s reload: Reload the Nginx container to apply the renewed certificate.

Step 2: Test the Cron Job Manually

Before relying on automation, test the command manually to ensure it works as expected:

sudo certbot renew --webroot -w yourdirectory/certbot/webroot --dry-run

The --dry-run flag simulates the renewal process without actually renewing the certificates. Check for a success message.

If successful, run the reload command manually to confirm Nginx applies the changes:

docker exec nginx-container nginx -s reload

If both commands are successful, you can be sure the Cron job will work effectively.

Conclusion

Securing your Nginx server with Let's Encrypt SSL certificates enhances your web services’ security and ensures compliance with modern web standards. By leveraging Docker for containerized deployment and Certbot for automated SSL certificate management, you can achieve a streamlined, scalable, and secure web environment.

The steps outlined in this guide—from setting up the environment to automating certificate renewals—are designed to simplify the process, even for those new to containerized web hosting. Implementing SSL through Let's Encrypt eliminates traditional barriers such as cost and complexity, making it accessible to developers and organizations of all sizes.

With your Nginx container now secured, you can focus on other aspects of application development and deployment, confident that your web traffic is encrypted and protected.

Thank You For Reading

You can follow me on LinkedIn and subscribe to my YouTube Channel, where I share more valuable content. Also, Let me know your thoughts in the comment section.

Happy Deploying 🚀

DockerSSLnginx