letsencrypt-nginx-proxy-companion is a lightweight companion container for nginx-proxy. It allows the automatic creation and renewal of Let's Encrypt certificates. See the Let's Encrypt section for configuration details.

- Automatic creation/renewal of Let's Encrypt certificates using the original nginx-proxy container.
- Support for creating Multi-Domain (SAN) certificates.
- Automatic creation of a strong Diffie-Hellman group (needed for an A+ rating on the Qualys SSL Server Test).
- Works with all versions of Docker.
To use it with the original nginx-proxy container you must declare three writable volumes on the nginx-proxy container:

- /etc/nginx/certs to create/renew Let's Encrypt certificates
- /etc/nginx/vhost.d to change the configuration of vhosts (needed by Let's Encrypt)
- /usr/share/nginx/html to write challenge files
Example of use:

- First, start nginx-proxy with the three volumes declared:

```sh
$ docker run -d -p 80:80 -p 443:443 \
    --name nginx-proxy \
    -v /path/to/certs:/etc/nginx/certs:ro \
    -v /etc/nginx/vhost.d \
    -v /usr/share/nginx/html \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    jwilder/nginx-proxy
```

- Second, start this container:

```sh
$ docker run -d \
    -v /path/to/certs:/etc/nginx/certs:rw \
    --volumes-from nginx-proxy \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    jrcs/letsencrypt-nginx-proxy-companion
```

Then start any containers you want proxied with the environment variable VIRTUAL_HOST=subdomain.yourdomain.com:

```sh
$ docker run -e VIRTUAL_HOST=foo.bar.com ...
```
The containers being proxied must expose the port to be proxied, either by using the EXPOSE directive in their Dockerfile or by using the --expose flag to docker run or docker create. See nginx-proxy for more information. To generate Let's Encrypt certificates automatically, see the next section.
To use the Let's Encrypt service to automatically create a valid certificate for your virtual host(s), set the following environment variables on the container being proxied:

- LETSENCRYPT_HOST
- LETSENCRYPT_EMAIL

The LETSENCRYPT_HOST variable most likely needs to be the same as the VIRTUAL_HOST variable and must contain publicly reachable domains. Specify multiple hosts with a comma delimiter.
For example:

```sh
$ docker run -d -p 80:80 \
    -e VIRTUAL_HOST="foo.bar.com,bar.com" \
    -e LETSENCRYPT_HOST="foo.bar.com,bar.com" \
    -e LETSENCRYPT_EMAIL="foo@bar.com" ...
```
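Two things in this README are easy to get wrong silently: the three volumes the companion needs from nginx-proxy, and the rule that every LETSENCRYPT_HOST entry must also be a publicly reachable name listed in VIRTUAL_HOST. The pre-flight script below is an added example, not code from the letsencrypt-nginx-proxy-companion project. It is plain POSIX sh and needs no Docker daemon: the mount list it checks is a constructed sample in the `Destination:Mode` shape that `docker inspect -f '{{range .Mounts}}{{.Destination}}:{{.Mode}}{{"\n"}}{{end}}' nginx-proxy` prints (assumed template), and the "publicly reachable" test is a local heuristic (bare names, localhost, .local/.internal suffixes and IPv4 literals are rejected), not a DNS lookup.

```sh
#!/bin/sh
# Added example, not part of the letsencrypt-nginx-proxy-companion project.
# Pre-flight checks for the nginx-proxy + companion setup described above.

# check_le_hosts VIRTUAL_HOST LETSENCRYPT_HOST
# Every LETSENCRYPT_HOST entry must also appear in VIRTUAL_HOST (otherwise
# nginx-proxy never routes the ACME challenge for it) and must look like a
# publicly resolvable name. The "public" test is a heuristic (assumption):
# it rejects bare names, localhost, .local/.internal suffixes and IPv4 literals.
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_le_hosts() {
    vhosts=",$(printf '%s' "$1" | tr -d ' '),"
    rc=0
    while IFS= read -r h; do
        [ -z "$h" ] && continue
        case "$h" in
            localhost|*.localhost|*.local|*.internal)
                echo "not publicly reachable: $h"; rc=1 ;;
            *.*) ;;                      # contains a dot: could be a public FQDN
            *)  echo "not a fully qualified name: $h"; rc=1 ;;
        esac
        case "$h" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*)
                echo "IPv4 literal is not a domain name: $h"; rc=1 ;;
        esac
        case "$vhosts" in
            *",$h,"*) ;;
            *) echo "LETSENCRYPT_HOST entry not in VIRTUAL_HOST: $h"; rc=1 ;;
        esac
    done <<EOF
$(printf '%s' "$2" | tr -d ' ' | tr ',' '\n')
EOF
    return $rc
}

# check_proxy_mounts MOUNT_LIST
# MOUNT_LIST holds one "Destination:Mode" entry per line (Mode is empty for
# anonymous volumes such as "-v /etc/nginx/vhost.d"). The companion attaches
# to these with --volumes-from, so all three must exist on nginx-proxy.
# Returns 0 when all three are present, 1 otherwise.
check_proxy_mounts() {
    rc=0
    for need in /etc/nginx/certs /etc/nginx/vhost.d /usr/share/nginx/html; do
        if ! printf '%s\n' "$1" | grep -q "^$need:"; then
            echo "nginx-proxy is missing volume $need"; rc=1
        fi
    done
    return $rc
}

# Constructed sample mount lists (not captured from a real host).
GOOD_MOUNTS="/etc/nginx/certs:ro
/etc/nginx/vhost.d:
/usr/share/nginx/html:
/tmp/docker.sock:ro"
BAD_MOUNTS="/etc/nginx/certs:ro
/tmp/docker.sock:ro"

# Demo run: the first call of each pair is clean, the second reports problems.
if check_le_hosts "foo.bar.com,bar.com" "foo.bar.com,bar.com"; then echo "hosts: ok"; fi
check_le_hosts "foo.bar.com" "foo.bar.com, bar.com,localhost" || echo "hosts: fix before starting"
if check_proxy_mounts "$GOOD_MOUNTS"; then echo "mounts: ok"; fi
check_proxy_mounts "$BAD_MOUNTS" || echo "mounts: fix before starting"
```

Run it before `docker run` of the proxied container: a non-zero return from `check_le_hosts` means the companion would request a certificate it cannot validate, and a non-zero return from `check_proxy_mounts` means `--volumes-from nginx-proxy` would not give the companion the certs, vhost.d and challenge directories it writes to.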
Optional letsencrypt-nginx-proxy-companion container environment variables for custom configuration:

- ACME_CA_URI - Directory URI for the CA ACME API endpoint (default: https://acme-v01.api.letsencrypt.org/directory)

For example:

```sh
$ docker run -d \
    -e ACME_CA_URI="https://acme-staging.api.letsencrypt.org/directory" \
    -v /path/to/certs:/etc/nginx/certs:rw \
    --volumes-from nginx-proxy \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    jrcs/letsencrypt-nginx-proxy-companion
```

- DEBUG - Set it to true to enable debugging of the entrypoint script, which can help you pinpoint any configuration issues.