This setup assumes everything runs in Docker containers; we use it on CoreOS, but any host that runs Docker will do. The quay.io/letsencrypt/letsencrypt image used below is the old name of what is now published as certbot/certbot; the commands are the same.
This setup is more involved than the minimum needed to get caramel running, but it is production ready: the CA's own HTTPS endpoint gets a publicly trusted LetsEncrypt certificate, caramel itself is never exposed directly on the host, and renewal is covered.
- set up a new host and point a DNS name at it
- set up an HTTP proxy on port 80 so LetsEncrypt can complete the webroot (HTTP-01) challenge and issue the cert
- set up LetsEncrypt for the public side (HTTPS to the CA server)
- set up the caramel server
Variables to replace below (the values shown are the ones we use; CA_MAIL is where LetsEncrypt sends expiry warnings):
CA_HOSTNAME=ca.kub.modio.se
CA_MAIL=spider@modio.se
copy nginx.http.conf => server (as /home/core/nginx.http.conf, the path bind-mounted below)
copy nginx.https.conf => server (as /home/core/nginx.https.conf)
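The two nginx configs copied above are not shown on this page. The script below is an added example, not the repository's own nginx.http.conf / nginx.https.conf: it renders illustrative versions that fit the container layout used by the docker commands on this page (the certs volume at /var/www/html and /etc/letsencrypt, caramel reachable as hostname "caramel" through --link). The port-80 config serves only the ACME challenge directory and redirects everything else to HTTPS; the port-443 config terminates TLS with the LetsEncrypt cert and proxies to caramel. The directive choices (TLS versions, forwarded headers) are my assumptions, not something the page specifies.

```sh
#!/bin/sh
# gen-nginx-confs.sh -- added example; illustrative configs, not the
# repository's own nginx.http.conf / nginx.https.conf. Assumes the layout on
# this page: the "certs" volume mounted at /var/www/html and /etc/letsencrypt,
# and the caramel container reachable as hostname "caramel" via --link.
set -eu

# Port 80: serve only the ACME HTTP-01 challenge directory from the shared
# webroot (the path certbot writes to with --webroot-path) and send every
# other request to HTTPS, so nothing from the CA is ever served in the clear.
render_http_conf() {  # $1 = CA_HOSTNAME
    cat <<EOF
events {}
http {
    server {
        listen 80;
        server_name $1;
        location /.well-known/acme-challenge/ {
            root /var/www/html;
        }
        location / {
            return 301 https://\$host\$request_uri;
        }
    }
}
EOF
}

# Port 443: terminate TLS with the LetsEncrypt cert from the certs volume and
# proxy everything to caramel. No filesystem locations on this listener.
render_https_conf() {  # $1 = CA_HOSTNAME
    cat <<EOF
events {}
http {
    server {
        listen 443 ssl;
        server_name $1;
        ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
        # Add TLSv1.3 here if your nginx image is new enough to accept it.
        ssl_protocols TLSv1.2;
        location / {
            proxy_pass http://caramel:80;
            proxy_set_header Host \$host;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
EOF
}

# Write both files into a directory (e.g. /home/core, the bind-mount source
# used by the docker run commands on this page).
write_confs() {  # $1 = CA_HOSTNAME, $2 = output directory
    render_http_conf "$1"  > "$2/nginx.http.conf"
    render_https_conf "$1" > "$2/nginx.https.conf"
}

# Usage: sh gen-nginx-confs.sh ca.kub.modio.se /home/core
if [ -n "${1:-}" ]; then
    write_confs "$1" "${2:-.}"
fi
```

Run it once with your CA_HOSTNAME before starting the nginx containers; the generated files are what the -v /home/core/nginx.*.conf:/etc/nginx/nginx.conf mounts below pick up. Keep the port-80 server limited to the challenge path: it is the only thing on this host that must answer plain HTTP.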
# Data-only container: never started, it just holds the ACME webroot and the
# LetsEncrypt state (account, keys, certs) that the other containers mount.
docker create --name certs \
-v /var/www/html \
-v /etc/letsencrypt \
quay.io/letsencrypt/letsencrypt
# Plain-HTTP proxy on port 80, serving the shared webroot so the challenge
# files certbot writes there are reachable from the Internet.
docker run -d \
-p 80:80 \
--name nginx-http \
--volumes-from certs \
-v /home/core/nginx.http.conf:/etc/nginx/nginx.conf \
nginx
# Obtain the certificate with the webroot challenge. This needs $CA_HOSTNAME to
# already resolve to this host and port 80 to be reachable from outside.
# There is no --rm here, so a stopped container named "letsencrypt" is left
# behind; it is safe to docker rm it afterwards.
docker run -it \
--name letsencrypt \
--volumes-from certs \
quay.io/letsencrypt/letsencrypt \
certonly \
--noninteractive \
--agree-tos \
--webroot \
--webroot-path /var/www/html \
-m $CA_MAIL \
-d $CA_HOSTNAME
This starts caramel. On first start it creates your CA, asks questions about the CA rules, and generates your CA cert; check `docker logs caramel` to follow it. All of caramel's persistent state, including the CA's own key material, lives in /srv/caramel on the host: back it up and protect it accordingly.
# caramel itself: only --expose 80, no -p, so it is reachable from linked
# containers (nginx-tls below) but never published on the host.
docker run -d \
--expose 80 \
--volume=/srv/caramel:/data:rw \
--name caramel \
modioab/caramel
# TLS front end: terminates HTTPS with the LetsEncrypt cert from the certs
# volume and proxies to caramel over the container link.
docker run -d \
-p 443:443 \
--name nginx-tls \
--link caramel \
--volumes-from certs \
-v /home/core/nginx.https.conf:/etc/nginx/nginx.conf \
nginx
# Renewal. Rehearse first: --dry-run goes against the staging CA and changes
# nothing in the certs volume.
docker run -it \
--rm=true \
--name certbot-renew \
--volumes-from certs \
quay.io/letsencrypt/letsencrypt \
renew --dry-run
# The real renewal. Run it regularly (certbot only renews a cert that is close
# to expiry). nginx reads the certificate files at (re)load only, so after a
# real renewal reload the TLS front end: docker exec nginx-tls nginx -s reload
docker run -it \
--rm=true \
--name certbot-renew \
--volumes-from certs \
quay.io/letsencrypt/letsencrypt \
renew
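For unattended renewal the following wrapper, an added example rather than a file from caramel or this setup, runs the real renew and reloads nginx-tls only when the certificate file in the certs volume actually changed. It assumes the container names from this page (certs, nginx-tls), CA_HOSTNAME in the environment (defaulting to the value above), and that the certbot image's entrypoint can be overridden to run sha256sum (true for the Debian-based letsencrypt/certbot images). The change check is a digest of fullchain.pem rather than certbot's exit status, because certbot exits 0 whether or not anything was renewed.

```sh
#!/bin/sh
# renew-ca-cert.sh -- added example, not a file from the caramel project.
# Runs `certbot renew` against the "certs" volume container and reloads the
# nginx-tls container only if the served certificate actually changed.
# Assumptions: container names certs / nginx-tls from this page, CA_HOSTNAME
# in the environment, and an image whose entrypoint can be swapped for
# sha256sum (the Debian-based letsencrypt/certbot images qualify).
set -eu

CA_HOSTNAME="${CA_HOSTNAME:-ca.kub.modio.se}"
LE_IMAGE="${LE_IMAGE:-quay.io/letsencrypt/letsencrypt}"
CERT_PATH="/etc/letsencrypt/live/${CA_HOSTNAME}/fullchain.pem"

# Pull the hex digest out of a sha256sum line ("<64 hex>  <path>").
# Prints nothing for malformed input so callers can treat "" as "unknown".
hash_from_line() {
    hex="${1%% *}"
    if [ "${#hex}" -eq 64 ]; then
        case "$hex" in
            *[!0-9a-f]*) printf '\n' ;;
            *) printf '%s\n' "$hex" ;;
        esac
    else
        printf '\n'
    fi
}

# Digest of the live fullchain.pem inside the certs volume. With set -e the
# script aborts if the file cannot be read, which is the safe outcome.
cert_digest() {
    docker run --rm --volumes-from certs --entrypoint sha256sum \
        "$LE_IMAGE" "$CERT_PATH" \
        | { IFS= read -r line; hash_from_line "$line"; }
}

# $1 = digest before renew, $2 = digest after. Returns 0 (reload) only when we
# have a digest after renewal and it differs from the one before.
reload_needed() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

renew_and_reload() {
    before=$(cert_digest)
    # Extra arguments (e.g. --dry-run) are passed straight to certbot renew.
    docker run --rm --name certbot-renew --volumes-from certs \
        "$LE_IMAGE" renew "$@"
    after=$(cert_digest)
    if reload_needed "$before" "$after"; then
        # nginx loads certificates only at start/reload; without this the old
        # cert keeps being served until it expires.
        docker exec nginx-tls nginx -s reload
        echo "certificate changed ($before -> $after); nginx-tls reloaded"
    else
        echo "certificate unchanged; nothing to reload"
    fi
}

# Only act when invoked as a script; sourcing the file just defines the functions.
case "${0##*/}" in
    renew-ca-cert.sh) renew_and_reload "$@" ;;
esac
```

Put it on a timer (a systemd timer on CoreOS) that runs it daily; certbot decides on its own whether the cert is due, and the reload only happens on a real change, so running it often is harmless.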