SSL Support and Certificates

A comprehensive guide to SSL certificate management in Nginx-Proxy, including automatic Let's Encrypt, custom certificates, and manual acquisition.

SSL Support

SSL certificates are issued with the acme-nginx library for Let's Encrypt. If a precheck determines that the domain for which a certificate is being requested is not owned by the current machine, a self-signed certificate is generated instead.

Using SSL for exposing endpoint

The certificate is requested automatically by the nginx-proxy container: it requests a challenge, completes the challenge verification, and obtains the certificate. The certificate is saved under the directory /etc/ssl/certs and the private key under the directory /etc/ssl/private.

Using your Own SSL certificate

If you already have an SSL certificate that you want to use, copy the certificate into the /etc/ssl/certs directory and its key into the /etc/ssl/private directory. The files must be named domain.crt and domain.key respectively, where domain is the hostname being served.

Wildcard certificates can be used. For example, to use a *.example.com wildcard, create the files /etc/ssl/certs/*.example.com.crt and /etc/ssl/private/*.example.com.key in the container's filesystem.

Note that *.com or * is not a valid wildcard: a wildcard must contain at least two dots.

The /etc/ssl/certs/*.example.com.crt certificate will:

  • be used for host1.example.com
  • be used for www.example.com
  • not be used for xyz.host1.example.com
  • not be used for example.com
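As an added illustration of the wildcard rules above (this is not code from the Nginx-Proxy project, whose own matching is done by nginx), the following Python re-implements the rules stated on this page: a wildcard name must contain at least two dots, and *.example.com covers exactly one additional label. The directory constants mirror the paths given above; the list of available certificate names passed to select_cert is constructed sample input, and the exact-name-before-wildcard preference is an assumption for the sake of the example.

```python
from typing import List, Optional, Tuple

# Paths as documented above: cert files in CERT_DIR, keys in KEY_DIR.
CERT_DIR = "/etc/ssl/certs"
KEY_DIR = "/etc/ssl/private"


def is_valid_wildcard(pattern: str) -> bool:
    """A wildcard must start with '*.' and contain at least two dots,
    so '*.example.com' is valid while '*.com' and '*' are not."""
    if not pattern.startswith("*.") or pattern.count(".") < 2:
        return False
    # Every label after the '*' must be non-empty (rejects '*..com').
    return all(label for label in pattern[2:].split("."))


def wildcard_matches(pattern: str, host: str) -> bool:
    """'*.example.com' covers exactly one extra label: host1.example.com and
    www.example.com match, xyz.host1.example.com and example.com do not."""
    if not is_valid_wildcard(pattern):
        return False
    suffix = pattern[1:]  # '.example.com'
    if not host.endswith(suffix):
        return False
    extra = host[: -len(suffix)]
    # The part replacing '*' must be a single non-empty label.
    return extra != "" and "." not in extra


def select_cert(host: str, available: List[str]) -> Optional[Tuple[str, str]]:
    """Return (cert path, key path) for host from the names present on disk.

    An exact file name (host.crt / host.key) wins; otherwise the first
    wildcard file whose pattern covers the host is used (assumed ordering,
    not the project's documented behaviour). None means no usable cert."""
    if host in available:
        name = host
    else:
        candidates = [p for p in available if wildcard_matches(p, host)]
        if not candidates:
            return None
        name = candidates[0]
    # Wildcard files keep the literal '*' in their name, as documented above.
    return (f"{CERT_DIR}/{name}.crt", f"{KEY_DIR}/{name}.key")


if __name__ == "__main__":
    # Constructed sample: only a wildcard certificate is installed.
    installed = ["*.example.com"]
    for h in ["host1.example.com", "www.example.com",
              "xyz.host1.example.com", "example.com"]:
        print(h, "->", select_cert(h, installed))
```

Running the block prints the four hosts from the list above together with the cert/key pair chosen for each; the last two resolve to None, matching the "not be used" cases.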

DHPARAM_SIZE: the default size of the DH key used for HTTPS connections is 2048 bits. The key size can be changed by setting the DHPARAM_SIZE environment variable.

Manually obtaining a certificate

You can manually obtain a Let's Encrypt certificate using the nginx-proxy container. Note that the domain's DNS entry must point to the IP of the correct server.

To issue a certificate for a domain, use this command:

  • docker exec nginx-proxy getssl www.example.com

    The obtained certificate is saved at /etc/ssl/certs/www.example.com and the private key at /etc/ssl/private/www.example.com

To issue a certificate for multiple domains, add more parameters to the above command:

  • docker exec nginx-proxy getssl www.example.com example.com ww.example.com

    All the domains are registered on the same certificate, and the filename is taken from the first parameter passed to the command, so /etc/ssl/certs/www.example.com and /etc/ssl/private/www.example.com are generated

Use docker exec nginx-proxy getssl --help to get help with the command