
Get SSL certificate for use in Docker container

(Desmondlim) #1

Hi there,

I’m very new to Docker and I need help.

I’ve created some Spring Boot applications and I’m going to dockerise them, but how do I secure them with SSL from Let’s Encrypt?

In Spring Boot, if I’m running it on a server, I just have to point my application.properties to the certificate file, but since I’m going to auto-deploy them on Amazon ECS, this method can’t work.

How can I go about securing my APIs with SSL from Let’s Encrypt?

Thanks.


(Cvgaviao) #2

Have you managed this challenge?

I also would like to do that…


(Archimedes Trajano) #3

My recommendation is: don’t. Leave Let’s Encrypt to nginx, which proxies to your Spring Boot app. If you really have to, simply use a self-signed certificate for each microservice behind nginx (it’s cheaper than a wildcard certificate).

Personally I gave up on the linuxserver/nginx-letsencrypt image, it was just too bulky for my needs.

My Dockerfile:

```dockerfile
FROM nginx:alpine
EXPOSE 443
# Keep the issued certificates and keys outside the image layers
VOLUME /etc/letsencrypt
RUN apk add py-urllib3 openssl certbot curl --no-cache \
    --repository http://dl-3.alpinelinux.org/alpine/v3.7/community/ \
    --repository http://dl-3.alpinelinux.org/alpine/v3.7/main/ \
  && rm -rf /var/cache/apk/*
COPY conf.d/* /etc/nginx/conf.d/
COPY bootstrap.sh /
RUN chmod 700 /bootstrap.sh
CMD [ "/bootstrap.sh" ]
```

bootstrap.sh (customize to your own needs):

```sh
#!/bin/sh -e
# Only obtain a certificate on first start; the /etc/letsencrypt volume keeps it afterwards.
# --standalone runs certbot's own web server for the challenge, so port 80 must be reachable.
if [ ! -e /etc/letsencrypt/live ]
then
  certbot -n -q certonly --standalone --email arch@trajano.net --agree-tos \
          --rsa-key-size 4096 -d trajano.net
  # Same file name that ssl.conf loads via ssl_dhparam
  openssl dhparam -out /etc/letsencrypt/dhparam.pem 4096 > /dev/null
fi
exec nginx -g "daemon off;"
```

conf.d/ssl.conf:

```nginx
server {
    listen unix:/var/run/nginx.sock ssl http2 default_server;
    # Note: ssl_* directives inside a server block apply to that block only;
    # move them to the http level if other server blocks should inherit them.
    ssl_certificate     /etc/letsencrypt/live/trajano.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/trajano.net/privkey.pem;
    ssl_dhparam         /etc/letsencrypt/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!AES256-GCM-SHA384:!AES128-GCM-SHA256;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

    # OCSP stapling; 127.0.0.11 is Docker's embedded DNS resolver
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.11;
}
```

Finally, conf.d/microservice.conf:

```nginx
server {
    server_name ms.trajano.net;
    listen 443 ssl http2;
    # This block needs ssl_certificate / ssl_certificate_key visible to it
    # (here or at the http level); the ones in ssl.conf are scoped to that server block.

    location / {
        # TLS terminates here; the microservice itself speaks plain HTTP
        proxy_pass http://192.168.1.113:3000;
    }
}
```
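The setup above has three files that must agree on paths: the bootstrap script decides what certbot and openssl write, and the nginx configs decide what is loaded. A mismatch (for example the dhparam file being written under one name and read under another) only shows up when nginx refuses to start on a fresh volume. Here is an added consistency check, not code from the thread, that parses both sides and lists every TLS file nginx references but the bootstrap never produces. The embedded bootstrap and config texts are constructed samples modelled on the poster's files, using example.com and a placeholder e-mail instead of the poster's values; the live-directory layout it assumes is certbot's default, `/etc/letsencrypt/live/<first -d domain>/`.

```python
"""Cross-check nginx ssl_* file references against what bootstrap.sh produces.
Added example; the two sample files below are constructed, not the poster's verbatim files."""
import re

LIVE_DIR = "/etc/letsencrypt/live"  # certbot's default lineage directory
CERTBOT_FILES = ("fullchain.pem", "privkey.pem", "cert.pem", "chain.pem")
SSL_DIRECTIVE = re.compile(
    r"^(ssl_certificate_key|ssl_certificate|ssl_dhparam|ssl_trusted_certificate)\s+(\S+?)\s*;"
)

# Constructed sample bootstrap, deliberately carrying the dhparams.pem / dhparam.pem mismatch
BOOTSTRAP_SH = r"""#!/bin/sh -e
if [ ! -e /etc/letsencrypt/live ]
then
  certbot -n -q certonly --standalone --email admin@example.com --agree-tos \
          --rsa-key-size 4096 -d example.com
  openssl dhparam -out /etc/letsencrypt/dhparams.pem 4096 > /dev/null
fi
exec nginx -g "daemon off;"
"""

# Constructed sample nginx config modelled on conf.d/ssl.conf
SSL_CONF = r"""server {
    listen unix:/var/run/nginx.sock ssl http2 default_server;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # full chain
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam         /etc/letsencrypt/dhparam.pem;
    ssl_protocols TLSv1.2;
}
"""


def nginx_ssl_paths(conf):
    """Map each file-loading ssl_* directive to the paths it references, ignoring comments."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SSL_DIRECTIVE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def bootstrap_outputs(script):
    """Files the bootstrap creates: certbot's live/<first -d domain>/*.pem plus openssl -out targets."""
    text = script.replace("\\\n", " ")  # join backslash-continued shell lines
    produced = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "certbot" in line and "certonly" in line:
            domains = re.findall(r"(?:^|\s)(?:-d|--domains?)\s+([^\s,]+)", line)
            if domains:  # certbot names the lineage directory after the first domain
                for name in CERTBOT_FILES:
                    produced.add(f"{LIVE_DIR}/{domains[0]}/{name}")
        if line.lstrip().startswith("openssl"):
            produced.update(re.findall(r"-out\s+(\S+)", line))
    return produced


def missing_tls_files(script, *confs):
    """Sorted list of paths nginx would load that the bootstrap never writes."""
    produced = bootstrap_outputs(script)
    referenced = set()
    for conf in confs:
        for paths in nginx_ssl_paths(conf).values():
            referenced.update(paths)
    return sorted(referenced - produced)


if __name__ == "__main__":
    for path in missing_tls_files(BOOTSTRAP_SH, SSL_CONF):
        print("nginx references a file the bootstrap does not create:", path)
```

Run against the sample files it reports `/etc/letsencrypt/dhparam.pem`; once the `-out` path in the bootstrap is renamed to match, it reports nothing. The same function can be pointed at real files by reading them in place of the embedded strings.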

(Archimedes Trajano) #4

To simplify this process for everyone I made https://hub.docker.com/r/trajano/nginx-letsencrypt/, which manages Let’s Encrypt but is quite a bit lighter weight than the more popular linuxserver/nginx-letsencrypt.