How to Install Nginx and Let’s Encrypt with Docker – Ubuntu 20.04. In this guide you are going to learn how to install and configure Nginx with Let’s Encrypt SSL using Docker and Docker Compose on Ubuntu 20.04.
In this tutorial we will use latest Nginx image and latest Certbot image and setup validation and finally configure SSL with a basic HTML site served using Nginx.
This installation and setup is tested on Google Cloud Compute Engine running Ubuntu 20.04 with Docker and Docker Compose. So this setup will work on other cloud service providers like AWS or Digital Ocean or Azure or any VPS or Dedicated servers.
Best Hosting for your Business
| Platform | Reviews | Pricing |
|---|---|---|
| Cloudways | ★★★★★ | $10 |
| Kinsta – Google Cloud | ★★★★★ | $30 |
Prerequisites
- Running Compute Engine, see the Setting up Compute Engine Instance.
- Follow this guide to Install Docker on Ubuntu 20.04.
- For managing containers install Docker Compose on your server.
- Configure DNS to point the domain to the server to install SSL.
Once you have all the prerequisites done you can proceed to make the setup and install SSL.
Create Docker Compose YML file
Now SSH inside your server or Virtual machine and create a directory to hold all the configurations by running the following command.
sudo mkdir ~/nginx-ssl
Move inside the directory and create a docker-compose.yml file that holds our configuration.
cd ~/nginx-ssl
sudo nano ~/nginx-ssl/docker-compose.yml
Paste the following configurations inside the file.
version: "3.8"
services:
web:
image: nginx:latest
restart: always
volumes:
- ./public:/var/www/html
- ./conf.d:/etc/nginx/conf.d
- ./certbot/conf:/etc/nginx/ssl
- ./certbot/data:/var/www/certbot
ports:
- 80:80
- 443:443
certbot:
image: certbot/certbot:latest
command: certonly --webroot --webroot-path=/var/www/certbot --email [email protected] --agree-tos --no-eff-email -d domain.com -d www.domain.com
volumes:
- ./certbot/conf:/etc/letsencrypt
- ./certbot/logs:/var/log/letsencrypt
- ./certbot/data:/var/www/certbot
Hit CTRL-X followed by Y and ENTER to save and exit the file.
Here are the configuration details.
- version: Compose file version which is compatible with the Docker Engine. You can check compatibility here.
- image: We use latest Nginx and Certbot images available in Docker hub.
- volumes:
public: we have configured this directory to be synced with the directory we wish to use as the web root inside the container.conf.d: here we will place the Nginx configuration file to be synced with the default Nginx conf.d folder inside the container.certbot/conf: this is where we will receive the SSL certificate and this will be synced with the folder we wish to inside the container.ports: configure the container to listen upon the listed ports.command: the command used to receive the SSL certificate.
Now you have your docker-compose.yml in place.
Configure Nginx
Now we need to configure Nginx for validation to obtain the Let’s Encrypt SSL certificate.
We will create a directory as mentioned in the docker-compose file as conf.d.
sudo mkdir ~/nginx-ssl/conf.d
Create a configuration file with the .conf extension.
sudo nano ~/nginx-ssl/conf.d/default.conf
Paste the following configuration inside the file.
server {
listen [::]:80;
listen 80;
server_name domain.com www.domain.com;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/certbot;
}
}
Hit CTRL-X followed by Y and ENTER to save and exit the file.
Now you have the Nginx configuration which gets synced to the /etc/nginx/conf.d folder which automatically gets loaded by Nginx.
Start Containers
Now it’s time to start the containers using the following command to receive the SSL certificates.
You need to pass the -d flag which starts the container in background and leaves them running.
docker-compose up -d
You will see an output similar to the one below.
Output
Creating network "nginx-ssl_default" with the default driver
Pulling web (nginx:latest)…
latest: Pulling from library/nginx
8559a31e96f4: Pull complete
8d69e59170f7: Pull complete
3f9f1ec1d262: Pull complete
d1f5ff4f210d: Pull complete
1e22bfa8652e: Pull complete
Digest: sha256:21f32f6c08406306d822a0e6e8b7dc81f53f336570e852e25fbe1e3e3d0d0133
Status: Downloaded newer image for nginx:latest
Pulling certbot (certbot/certbot:latest)…
latest: Pulling from certbot/certbot
cbdbe7a5bc2a: Pull complete
26ebcd19a4e3: Pull complete
a29d43ca1bb4: Pull complete
979dbbcf63e0: Pull complete
30beed04940c: Pull complete
48a1f8a4d505: Pull complete
4416e9b4bbe0: Pull complete
8173b4be7870: Pull complete
21c8dd124dab: Pull complete
c19b04e11dc7: Pull complete
1b560611cec1: Pull complete
Digest: sha256:568b8ebd95641a365a433da4437460e69fb279f6c9a159321988d413c6cde0ba
Status: Downloaded newer image for certbot/certbot:latest
Creating nginx-ssl_certbot_1 … done
Creating nginx-ssl_web_1 … done
This output indicates Nginx and Certbot images are pulled from Docker hub and the containers are created successfully.
To view the containers you can execute the following command.
docker-compose ps
Output
Name Command State Ports
nginx-ssl_certbot_1 certbot certonly --webroot … Exit 0
nginx-ssl_web_1 /docker-entrypoint.sh ngin … Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
The state Exit 0 indicates the setup is completed without any error.
Now when you check your work directory, there will be a new directory created as certbot inside which you will have the SSL certificate synced.
ls ~/nginx-ssl/certbot/conf/live/domain.com
Configure SSL with Nginx
As you have received the Let’s Encrypt SSL certificate you can configure HTTPS and setup redirection to HTTPS.
Edit the default.conf and make the following changes.
Your file should like the one below at the final stage.
server {
listen [::]:80;
listen 80;
server_name domain.com www.domain.com;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/certbot;
}
# redirect http to https www
return 301 https://www.domain.com$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name domain.com;
# SSL code
ssl_certificate /etc/nginx/ssl/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/domain.com/privkey.pem;
root /var/www/html;
location / {
index index.html;
}
return 301 https://www.domain.com$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name www.domain.com;
# SSL code
ssl_certificate /etc/nginx/ssl/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/domain.com/privkey.pem;
root /var/www/html/domain-name/public;
location / {
index index.html;
}
}
Hit CTRL-X followed by Y and ENTER to save and exit the file.
Create index.html file
Now you can create the index.html file inside the public directory which then syncs to the directory configured.
Create the public directory.
sudo mkdir ~/nginx-ssl/public
sudo nano ~/nginx-ssl/public/index.html
<html>
<body>
<h1>Docker setup with Nginx and Let's Encrypt SSL.</h1>
</body>
</html
Hit CTRL-X followed by Y and ENTER to save and exit the file.
Restart the containers
Now you can restart the containers to load the new configurations.
docker-compose restart
Once the containers are restarted you can check your domain name. You will get a redirection to HTTPS and your SSL.
Get your Professional Google Cloud Architect certificate with this easy to learn course now.
Conclusion
Now you have learned how to install and configure Nginx and Let’s Encrypt with Docker on Ubuntu 20.04.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.
12 Comments
Can you help me? I am getting this error and cannot continue with the process to upload the certificates.
10-listen-on-ipv6-by-default.sh: error: /etc/nginx/conf.d/default.conf differs from the packaged version
Could you help please? Everything works and redirects to ssl however, the index.html file is not rendering. I only get the nginx 404 page.
Probably you have already resolved it in the meantime but there is a mistake in the default.conf above.
Where it reads:
root /var/www/html/domain-name/public;
should actually be simply:
root /var/www/html;
This does not work, as Nginx will not be able to start up without at least some certificate/key (such as a placeholder, self signed cert) is available in /etc/nginx/ssl/… beforehand.
Maybe you can mention this important step above?
Certbot relies on nginx to answer the challenge, and nginx relies on cerbot to get the cert so it can start up in the first place.
nginx-ssl_certbot_1 certbot certonly –webroot … Exit 1
Does not work. Followed instructions to the letter, could not get initial certs created.
It should work, you must have missed something
Thanks for much for this tutorial. Got it working after a lot of heartache trying to do it myself.
How to deploy the same configuration in k8s cluster?
Thanks for the guide. Since I am on raspberry pi I had to use the “certbot/certbot:arm32v6-latest” docker image instead of the “certbot/certbot:latest” one in docker-compose.yml
It works, but at the beginning remove
” – 443:443 ” from nginx config
and latter add it
it really works.