sudo apt install certbot
Next, run:
certbot certonly \
--manual \
--agree-tos \
-m your_email@gmail.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d example.com \
-d *.example.com
The last line (-d *.example.com) is optional. With it we request a wildcard certificate, i.e. one that also covers every subdomain of example.com. A wildcard can only be validated with the DNS-01 challenge, and only through the ACME v2 endpoint, which is why --preferred-challenges dns and the --server URL are given (recent certbot versions use the v2 endpoint by default).
Certbot then returns a dialog like this:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
At this point, go to your DNS provider's dashboard and add a TXT record for the selected domain according to the instructions above.
Pay attention: in the "host" field, type "_acme-challenge" only. Most dashboards append the domain name automatically, so typing the full name would create a record under the wrong name.
Don't press Enter yet. Open a new terminal window and run
dig -t txt _acme-challenge.example.com
until the command returns the value you set for _acme-challenge.example.com. Because the record is brand new, a caching resolver may keep answering with a stale or negative result for a while; if the value does not show up, ask one of the zone's authoritative name servers directly (the @server argument of dig).
In my case it was:
;; ANSWER SECTION:
_acme-challenge.example.com. 6824 IN TXT "CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw"
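Polling dig by hand works, but it is easy to press Enter too early. Below is an added example script (not part of the original post) that waits until the _acme-challenge TXT record is visible on the zone's own authoritative name servers, so resolver caching cannot fool it. It assumes dig is installed, that the record is named _acme-challenge.<domain> as certbot printed it, and that the second argument is the token from certbot's dialog. The same script can serve as the waiting half of a certbot --manual-auth-hook, which is what makes a --manual certificate renewable without typing (certbot exports the domain and token to hooks as CERTBOT_DOMAIN and CERTBOT_VALIDATION).

```shell
#!/bin/sh
# Added example (not from the original post): poll the zone's authoritative
# name servers for the _acme-challenge TXT record certbot asked for, so you
# only press Enter once the record is really published.
# Assumptions: dig is installed; ZONE is the registered domain (example.com);
# the record name is _acme-challenge.ZONE, as certbot printed it.
set -u

# authoritative_ns ZONE -> first NS host of the zone, empty if none is found
authoritative_ns() {
  dig +short NS "$1" | head -n 1
}

# lookup_txt FQDN ZONE -> TXT strings for FQDN, asked directly at the zone's
# authoritative server so a caching resolver cannot hand back a stale or
# negative answer; falls back to the system resolver if no NS is found
lookup_txt() {
  ns=$(authoritative_ns "$2")
  dig +short TXT "$1" ${ns:+@"$ns"}
}

# strip_quotes -> remove the double quotes dig prints around TXT strings
strip_quotes() {
  sed -e 's/^"//' -e 's/"$//'
}

# txt_matches FQDN ZONE EXPECTED -> 0 if EXPECTED is one of the TXT values
txt_matches() {
  lookup_txt "$1" "$2" | strip_quotes | grep -qxF -- "$3"
}

# wait_for_txt FQDN ZONE EXPECTED [TIMEOUT_SEC] [INTERVAL_SEC]
# -> 0 as soon as the record is visible, 1 when TIMEOUT_SEC has elapsed
wait_for_txt() {
  fqdn=$1; zone=$2; expected=$3
  timeout=${4:-600}; interval=${5:-10}; elapsed=0
  while ! txt_matches "$fqdn" "$zone" "$expected"; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timeout: $fqdn does not carry '$expected' after ${timeout}s" >&2
      return 1
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "$fqdn carries '$expected'; you can press Enter in the certbot window"
}

# Two ways to run it:
#  1. by hand, in the second terminal:  ./wait-acme-txt.sh example.com CZpNH8...
#  2. as (the tail of) a certbot --manual-auth-hook, after a provider-specific
#     step has created the record: certbot exports CERTBOT_DOMAIN and
#     CERTBOT_VALIDATION to the hook, and the hook must not return before
#     the record resolves, or validation fails.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
elif [ "$#" -ge 2 ]; then
  wait_for_txt "_acme-challenge.$1" "$1" "$2"
fi
```

Run it in the second terminal as ./wait-acme-txt.sh example.com CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw. When it is used as an auth hook, the provider-specific step that actually creates the record has to come before it; Let's Encrypt has no way of knowing your DNS provider, so that part cannot be generic.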
Now you can press Enter in the terminal window where "Press Enter to Continue" is waiting. You will see something like this:
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
As you can see, certbot has created an SSL certificate that is valid for the next three months (90 days). We should run certbot renew periodically to renew it, and the natural place for that is crontab. One caveat: a certificate obtained with --manual cannot be renewed non-interactively unless certbot is also given a --manual-auth-hook script (usually paired with --manual-cleanup-hook) that publishes the DNS record for it. Without such a hook, certbot renew fails for this certificate and the manual procedure above has to be repeated before it expires.
Next, Traefik. The traefik.toml looks like this:
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/cert.crt"
keyFile = "/key.key"
In docker-compose.yaml I just added port 443 and a couple of volume mounts:
services:
  traefik:
    # the traefik.toml above is Traefik v1 syntax, so pin a v1 image;
    # "traefik" without a tag now pulls v2+, which rejects this file
    image: traefik:1.7
    command: --docker
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # the Docker socket is what --docker needs, but it gives the container
      # (and anyone who compromises it) full control of the Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock
      # certificate, key and config are only read by Traefik, so mount them read-only
      - /etc/letsencrypt/live/example.com/fullchain.pem:/cert.crt:ro
      - /etc/letsencrypt/live/example.com/privkey.pem:/key.key:ro
      - ./.data/traefik/traefik.toml:/traefik.toml:ro
Then I just restarted the Traefik container (with the rebuild option) and that is it.
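What the page does not show is how to confirm that Traefik really serves the certificate certbot wrote, and how a renewal reaches the container: the compose file bind-mounts files behind /etc/letsencrypt/live symlinks, so after a renewal the running container keeps the old files until it is recreated. The script below is an added example (not from the original post and not Traefik's own code): it compares the SHA-256 fingerprint of the leaf certificate Traefik presents on port 443 with the one in fullchain.pem, and doubles as a certbot --deploy-hook that recreates the traefik service and then runs that comparison. It assumes openssl and the docker compose plugin are installed, the host name, service name and /etc/letsencrypt paths from the page, and a hypothetical COMPOSE_FILE location.

```shell
#!/bin/sh
# Added example (not from the original post): check that Traefik serves the
# certificate certbot wrote, and use the same check as a certbot deploy hook
# so every renewal recreates Traefik and is verified afterwards.
# Assumptions: openssl and the docker compose plugin are installed; HOST,
# CERT_PATH and the service name "traefik" come from the page; COMPOSE_FILE
# is a hypothetical location of the docker-compose.yaml above.
set -u

HOST=${HOST:-example.com}
CERT_PATH=${CERT_PATH:-/etc/letsencrypt/live/example.com/fullchain.pem}
COMPOSE_FILE=${COMPOSE_FILE:-/opt/stack/docker-compose.yaml}   # hypothetical path

# file_fingerprint PATH -> SHA-256 fingerprint of the leaf certificate in PATH
# (openssl x509 reads the first certificate of fullchain.pem, which is the leaf)
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_fingerprint HOST -> fingerprint of the leaf certificate presented on
# HOST:443 (SNI is set so the check also works behind virtual hosting)
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# normalize_fp -> strip colons and uppercase so fingerprints compare reliably
# regardless of which openssl version printed them
normalize_fp() {
  tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# cert_in_sync HOST PATH -> 0 when the served leaf equals the one on disk,
# 1 when they differ or nothing could be fetched (Traefik down, handshake
# failed, or a stale file still mounted from before the renewal)
cert_in_sync() {
  served=$(served_fingerprint "$1" | normalize_fp)
  disk=$(file_fingerprint "$2" | normalize_fp)
  [ -n "$served" ] && [ -n "$disk" ] && [ "$served" = "$disk" ]
}

# As a deploy hook:  certbot renew --deploy-hook /usr/local/bin/traefik-cert-check.sh
# certbot sets RENEWED_LINEAGE (the live/<name> directory) only when a
# certificate was actually renewed, so a daily cron'd "certbot renew" is cheap.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  # the container bind-mounts files behind live/ symlinks; recreating it makes
  # Docker set the mounts up again and pick up the new archive files
  docker compose -f "$COMPOSE_FILE" up -d --force-recreate traefik
  sleep 5   # give Traefik a moment to come back before probing it
  if cert_in_sync "$HOST" "$RENEWED_LINEAGE/fullchain.pem"; then
    echo "Traefik serves the renewed certificate for $HOST"
  else
    echo "Traefik is NOT serving the renewed certificate for $HOST" >&2
    exit 1
  fi
elif [ "$#" -ge 1 ]; then
  # By hand:  ./traefik-cert-check.sh example.com [/path/to/fullchain.pem]
  if cert_in_sync "$1" "${2:-$CERT_PATH}"; then
    echo "in sync"
  else
    echo "out of sync" >&2
    exit 1
  fi
fi
```

Run it by hand once right after the container restart to make sure the mounted files and the served certificate agree; as a deploy hook it turns the crontab entry from "hope the renewal reached Traefik" into a check that fails loudly when it did not.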