Docker

Setup NGINX with Let’s Encrypt SSL using Docker and Cloudflare

Published

June 3, 2020

Setting up NGINX with a free Let’s Encrypt SSL certificate is a breeze using Docker and the container maintained by Linuxserver.io. The default setup will have a few different DNS options available. If using Cloudflare make sure under the dns-conf folder there is a cloudflare.ini file. If not use the below directions to setup the container and Cloudflare config.

Table of Contents

Setup Docker Compose

Below is an example of my docker compose snippet for the Let’s Encrypt container:

    letsencrypt:
        container_name: letsencrypt
        cap_add:
            - NET_ADMIN        
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=America/New_York
            - URL=<website.com>
            - SUBDOMAINS=wildcard
            - VALIDATION=dns
            - DNSPLUGIN=cloudflare
            - EMAIL=<email@gmail.com>
            - DHLEVEL=2048
            - ONLY_SUBDOMAINS=true
            - STAGING=false
        ports:
            - '443:443'
            - '80:80'
        volumes:
            - '<config location>:/config'
        restart: always
        image: linuxserver/letsencrypt

Setup Cloudflare DNS Credentials

The Cloudflare setup requires an API key which can be found in My Profile and tab API tokens after logging into Cloudflare.

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = <email@gmail.com>
dns_cloudflare_api_key = <api key>

Start Let’s Encrypt Container

Now start up the Let’s Encrypt container by running the command “docker-compose up -d” in the folder where the docker-compose file is located. Now navigate to the “config” location setup in the docker compose volume and open folder ‘dns-conf’.

Setup Cloudflare DNS file

Cloudflare.ini file should be located and the above information taken from the Cloudflare website can be setup and saved. If using another DNS provider fill in the proper file.

Restart Let’s Encrypt Container

Now we can restart the container so it can use the updated DNS settings. The following command will recreate the container and start it up at the same time.

docker-compose up -d --force-recreate --no-deps --build letsencrypt

Validate the Container

Open a browser and enter ‘localhost’ and it should load properly. Entering in the URL entered as an environment variable in the docker compose file should also load. Pages should work in HTTPS if not check the container logs.

In this article:Docker

2 Comments

t
November 23, 2020 at 9:32 pm
If I would have access to your web-servers ip-address, I could still access all your services without knowing your domain. Docker is exposing these ports by default. Is it possible to constrain access to these and only allow connections through the cloudflare network?
Reply
- Carl
  November 25, 2020 at 1:09 am
  Yes, Docker is exposing ports for whatever containers I have running but they are not accessible outside of the network due to the NGINX proxy only accepting connections on specific ports. At the router level only ports for the NGINX container are forwarded.
  Reply