44 changes: 44 additions & 0 deletions docker-compose.nginx.yml
Expand Up @@ -30,6 +30,50 @@ services:
- ${CALLS_PORT}:${CALLS_PORT}/udp
- ${CALLS_PORT}:${CALLS_PORT}/tcp

certbot-renew:
image: certbot/certbot
profiles: ["acme"]
depends_on:
- nginx
## Required to reload nginx via kill -HUP 1
pid: "service:nginx"
volumes:
- ./certs/etc/letsencrypt:/etc/letsencrypt
- ./certs/var/lib/letsencrypt:/var/lib/letsencrypt
- ./certs/var/log/letsencrypt:/var/log/letsencrypt
- shared-webroot:/webroot
environment:
- DOMAIN=${DOMAIN}
entrypoint: |
sh -c "
while true; do
certbot renew --cert-name $DOMAIN --webroot-path /webroot --deploy-hook 'kill -HUP 1';
echo 'Sleeping 24h...';
sleep 24h;
done
"

certbot-init:
image: certbot/certbot
profiles: ["acme-init"]
volumes:
- ./certs/etc/letsencrypt:/etc/letsencrypt
- ./certs/var/lib/letsencrypt:/var/lib/letsencrypt
- ./certs/var/log/letsencrypt:/var/log/letsencrypt
environment:
- DOMAIN=${DOMAIN}
- HTTP_PORT=${HTTP_PORT}
ports:
- ${HTTP_PORT}:${HTTP_PORT}
entrypoint: |
sh -c "
if [ -d /etc/letsencrypt/live/$DOMAIN ]; then
echo 'Certificate already exists for $DOMAIN';
exit 0;
fi;
certbot certonly --standalone --http-01-port $HTTP_PORT -d $DOMAIN --register-unsafely-without-email --agree-tos --non-interactive;
"

# Shared volume for Let's Encrypt certificate renewal with a webroot
volumes:
shared-webroot:
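Review bot: The certbot-init `ports` entry `- ${HTTP_PORT}:${HTTP_PORT}` only receives the ACME HTTP-01 challenge when HTTP_PORT is 80, because the CA always connects to the domain on port 80 regardless of which port certbot's `--http-01-port` listens on inside the container; with any other value the standalone validation never reaches the container. Publishing host port 80 to the container listener, `- "80:${HTTP_PORT}"`, keeps the internal port configurable while matching what the validator reaches (assuming nothing else on the host answers on 80 during this step, which the env.example text already requires by stopping nginx). Registering with `--register-unsafely-without-email` also means the account gets no expiry or revocation notices if the 24h loop in certbot-renew keeps failing quietly; consider an optional email variable passed via `--email`, or at least log certbot's exit status in the loop (a `|| echo "renew failed: $?"` after the `certbot renew` line would do). The `./certs/etc/letsencrypt` bind mount places the private key on the host, so that directory should be excluded from version control — not verifiable from this diff.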
14 changes: 13 additions & 1 deletion env.example
Expand Up @@ -38,10 +38,22 @@ NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem

CERT_PATH=./volumes/web/cert/cert.pem
KEY_PATH=./volumes/web/cert/key-no-password.pem
#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem
## To use Let's Encrypt certificates, first run:
## `docker compose -f docker-compose.yml -f docker-compose.nginx.yml --profile acme-init up certbot-init`
## (nginx must not be running during the initial certificate request)
## This generates the initial certificate required by nginx.
## Then start the full stack (including automatic certificate renewal):
## `docker compose -f docker-compose.yml -f docker-compose.nginx.yml --profile acme up -d`
#CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
#KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem

## GitLab SSO (optional)
## Provide GitLab PKI chain to avoid "certificate signed by unknown authority" errors
## See:
## https://github.com/mattermost/mattermost-server/issues/13059
## https://github.com/mattermost/docker/issues/34
#GITLAB_PKI_CHAIN_PATH=<path_to_your_gitlab_pki>/pki_chain.pem

## Exposed ports to the host. Inside the container 80, 443 and 8443 will be used
HTTPS_PORT=443
HTTP_PORT=80