```
sudo apt install certbot
```
```
certbot certonly \
  --manual \
  --agree-tos \
  -m firstname.lastname@example.org \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --preferred-challenges dns \
  -d example.com \
  -d '*.example.com'
```

Line #8 (`-d '*.example.com'`) is optional. With it, we ask for a wildcard certificate that covers all possible subdomains as well. Certbot then pauses and shows a dialog like this:

```
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
```
At this point, go to your domain provider's dashboard and, for the selected domain name, add a DNS TXT record as the instructions above describe.

Pay attention: in the "host" field type "_acme-challenge" only (do not append the domain name; the provider adds it for you).
Don't press Enter yet. Open a new terminal window and run

```
dig -t txt _acme-challenge.example.com
```

until the command returns the value you set for _acme-challenge.example.com in the DNS record. In my case it was:

```
;; ANSWER SECTION:
_acme-challenge.example.com. 6824 IN TXT "CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw"
```
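To avoid pressing Enter before the record is actually visible, here is a small POSIX shell script that repeats the dig query until the TXT record for the challenge name carries exactly the token certbot printed. This is an added example, not part of the original post; it assumes `dig` is installed, and the function names (`txt_present`, `wait_for_txt`) and the 10-second / 30-attempt defaults are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): poll DNS until the
# _acme-challenge TXT record carries the token certbot asked for, so that
# Enter is pressed only once the record can really be resolved.
# Assumes `dig` (from bind-utils / dnsutils) is installed.

# txt_present NAME TOKEN
# Reads `dig +noall +answer` output on stdin and succeeds only if a TXT
# record for NAME has exactly TOKEN as its value (owner name, class, type
# and value are all checked, so a record on a different name or a stale
# value from an earlier attempt does not count).
txt_present() {
    awk -v name="$1." -v want="\"$2\"" '
        $1 == name && $3 == "IN" && $4 == "TXT" && $5 == want { found = 1 }
        END { exit !found }'
}

# wait_for_txt NAME TOKEN [ATTEMPTS] [NAMESERVER]
# Queries NAME every 10 seconds, giving up after ATTEMPTS tries (default 30).
# Pass the zone's authoritative nameserver as NAMESERVER to bypass caching
# resolvers that may still hold a negative answer.
wait_for_txt() {
    name="$1"; token="$2"; attempts="${3:-30}"; ns="${4:-}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +noall +answer ${ns:+"@$ns"} -t txt "$name" | txt_present "$name" "$token"; then
            echo "TXT record for $name matches; safe to continue certbot."
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$attempts: record not visible yet, retrying in 10s" >&2
        sleep 10
    done
    echo "gave up: $name does not carry the expected token" >&2
    return 1
}

# Usage: sh wait_txt.sh _acme-challenge.example.com <token certbot printed>
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Passing the zone's authoritative nameserver (from `dig +short NS example.com`) as the fourth argument avoids waiting on a caching resolver; keep in mind that Let's Encrypt validates from its own vantage points, so what your local resolver returns is only an approximation of what the CA will see.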
Now you can press Enter in the terminal window where the "Press Enter to Continue" message popped up. You will see something like this:

```
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-06-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
```

As you can see, Certbot has created an SSL certificate that is valid for the next three months. Periodically we should run `certbot renew` to recreate it (just delegate this task to crontab). Note that a certificate obtained with `--manual` cannot be renewed unattended unless you also pass `--manual-auth-hook` (and usually `--manual-cleanup-hook`) scripts that create and remove the TXT record for you, or switch to a DNS plugin for your provider; without them, `certbot renew` stops and asks you to update the record by hand again.
The Traefik configuration (traefik.toml) defines the entry points, redirects HTTP to HTTPS, and points Traefik at the certificate and key files mounted into the container:

```
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/cert.crt"
      keyFile = "/key.key"
```

And in docker-compose.yaml I just added the 443 port and a couple of volume links:

```
services:
  traefik:
    image: traefik
    command: --docker
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/letsencrypt/live/example.com/fullchain.pem:/cert.crt
      - /etc/letsencrypt/live/example.com/privkey.pem:/key.key
      - ./.data/traefik/traefik.toml:/traefik.toml
```

Then I just restarted the Traefik container (with the rebuild option) and that is it.

Two things are worth knowing about this setup. Mounting /var/run/docker.sock gives the Traefik container full control over the Docker daemon, and therefore over the host, so treat that container as highly privileged; the certificate and key files, on the other hand, only need to be readable, so they can be mounted read-only (append `:ro`). Also, the files under /etc/letsencrypt/live/ are symlinks into /etc/letsencrypt/archive/ and a bind mount is resolved when the container starts, so after each `certbot renew` the container has to be restarted to pick up the new certificate (mounting the whole /etc/letsencrypt directory instead of the two files avoids the stale-symlink problem).