Setting up NGINX with a free Let’s Encrypt SSL certificate is a breeze using Docker and the container maintained by Linuxserver.io. The default setup offers a few different DNS validation options. If you use Cloudflare, make sure the dns-conf folder contains a cloudflare.ini file; if it does not, follow the directions below to set up the container and the Cloudflare configuration.

Setup Docker Compose
Below is an example of my docker-compose snippet for the Let’s Encrypt container (the service definition goes under the services: key of the compose file):
letsencrypt:
  container_name: letsencrypt
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=America/New_York
    - URL=<website.com>
    - SUBDOMAINS=wildcard
    - VALIDATION=dns
    - DNSPLUGIN=cloudflare
    - EMAIL=<email@gmail.com>
    - DHLEVEL=2048
    - ONLY_SUBDOMAINS=true
    - STAGING=false
  ports:
    - '443:443'
    - '80:80'
  volumes:
    - '<config location>:/config'
  restart: always
  image: linuxserver/letsencrypt
Setup Cloudflare DNS Credentials
The Cloudflare setup requires an API key, which can be found under My Profile on the API Tokens tab after logging into Cloudflare. The cloudflare.ini file takes the account email and that key:
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = <email@gmail.com>
dns_cloudflare_api_key = <api key>
Start Let’s Encrypt Container
Now start the Let’s Encrypt container by running “docker-compose up -d” in the folder where the docker-compose file is located. Then navigate to the “config” location set up as the volume in the docker-compose file and open the ‘dns-conf’ folder.
Setup Cloudflare DNS file
The cloudflare.ini file should be there; fill in the information taken from the Cloudflare website above and save the file. If using another DNS provider, fill in that provider’s file instead.
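Before recreating the container it is worth checking that the credentials file is actually filled in and is not readable by other users on the host, since it holds an account-wide Cloudflare API key and Certbot will refuse or warn about an over-permissive file. The script below is an added example, not part of the original post or the Linuxserver.io image; it assumes the file lives at <config location>/dns-conf/cloudflare.ini and that the two keys from the template above are the ones to check.

```shell
#!/bin/sh
# Added pre-flight check for the Certbot Cloudflare credentials file.
# Assumed path: <config location>/dns-conf/cloudflare.ini (passed as $1).

# check_cloudflare_ini FILE -> 0 when the file is present, complete and private
check_cloudflare_ini() {
    ini="$1"
    if [ ! -f "$ini" ]; then
        echo "$ini: not found (is the config volume path right?)" >&2
        return 1
    fi
    # both keys the Certbot Cloudflare plugin reads must be present and non-empty
    for key in dns_cloudflare_email dns_cloudflare_api_key; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$ini"; then
            echo "$ini: $key is missing or empty" >&2
            return 1
        fi
    done
    # angle-bracket placeholders mean the template was never filled in
    if grep -Eq '<[^>]*>' "$ini"; then
        echo "$ini: placeholder value (<...>) still present" >&2
        return 1
    fi
    # the file holds an account-wide API key: owner-only permissions, as Certbot expects
    mode=$(stat -c '%a' "$ini" 2>/dev/null || stat -f '%Lp' "$ini")
    case "$mode" in
        600|400) ;;
        *)
            echo "$ini: mode $mode is readable by others; run: chmod 600 $ini" >&2
            return 1 ;;
    esac
    echo "$ini: ok"
    return 0
}

# usage: ./check_cloudflare_ini.sh "<config location>/dns-conf/cloudflare.ini"
[ $# -eq 0 ] || check_cloudflare_ini "$1"
```

Run it once after saving the file and again after any edit; a non-zero exit means the container would start, fail DNS validation, and leave you with no certificate rather than a clear error.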
Restart Let’s Encrypt Container
Now restart the container so it picks up the updated DNS settings. The following command recreates the container and starts it in one step:
docker-compose up -d --force-recreate --no-deps --build letsencrypt
Validate the Container
Open a browser and enter ‘localhost’; it should load properly. Entering the URL set as an environment variable in the docker-compose file should also load. Pages should work over HTTPS; if not, check the container logs.
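A browser check tells you the page loads, but not whether the certificate really came from Let’s Encrypt’s production CA (with STAGING=true the container issues certificates that browsers do not trust) or how close it is to expiry. The script below is an added example and not part of the original post; it assumes openssl is installed on the host and that the hostname you pass is the one configured in URL (or one of its subdomains) in the compose file.

```shell
#!/bin/sh
# Added validation for the "Validate the Container" step: pull the certificate
# NGINX serves for a hostname, classify its issuer, and fail on staging, on a
# non-Let's Encrypt issuer (e.g. the container's placeholder self-signed cert),
# or on a certificate that expires within 30 days (renewal not working).
# Assumes openssl on the host; HOST is the URL from the compose file.

# classify_issuer ISSUER_LINE -> prints production | staging | other
# ISSUER_LINE is the output of `openssl x509 -noout -issuer`.
classify_issuer() {
    case "$1" in
        *STAGING*|*"Fake LE"*) echo staging ;;     # issuers used by STAGING=true
        *"Let's Encrypt"*)     echo production ;;
        *)                     echo other ;;       # self-signed default or another CA
    esac
}

# fetch_leaf_cert HOST [PORT] -> prints the PEM leaf certificate, SNI set to HOST
fetch_leaf_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# check_tls_endpoint HOST [PORT] -> 0 only for a production LE cert valid > 30 days
check_tls_endpoint() {
    host="$1"; port="${2:-443}"
    pem=$(fetch_leaf_cert "$host" "$port")
    if [ -z "$pem" ]; then
        echo "$host:$port: no certificate returned (is the container up on 443?)" >&2
        return 1
    fi
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    kind=$(classify_issuer "$issuer")
    echo "$host:$port: $issuer ($kind)"
    if [ "$kind" != production ]; then
        echo "$host:$port: not a production Let's Encrypt certificate; check STAGING and the container logs" >&2
        return 1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds (30 days)
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "$host:$port: certificate expires within 30 days; renewal is not working" >&2
        return 1
    fi
    return 0
}

# usage: ./check_tls.sh <website.com> [port]
[ $# -eq 0 ] || check_tls_endpoint "$@"
```

Running it against a subdomain rather than the bare domain also confirms the wildcard certificate is the one being served, since the -servername option sends SNI the same way a browser would.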

t
November 23, 2020 at 9:32 pm
If I had access to your web server’s IP address, I could still access all your services without knowing your domain. Docker exposes these ports by default. Is it possible to constrain access to these and only allow connections through the Cloudflare network?
Carl
November 25, 2020 at 1:09 am
Yes, Docker is exposing ports for whatever containers I have running but they are not accessible outside of the network due to the NGINX proxy only accepting connections on specific ports. At the router level only ports for the NGINX container are forwarded.