Create a certificate and CSR in the proxy's ./certs directory (this volume was mounted in the proxy's docker-compose.yml file above).
```
data/proxy# mkdir -p certs
data/proxy# cd certs
data/proxy/certs# # Create a private key:
data/proxy/certs# openssl genrsa -out demo.example.com.key 2048
data/proxy/certs# # Create a CSR from the new key:
data/proxy/certs# openssl req -new -sha256 -key demo.example.com.key -out demo.example.com.csr
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Archbold
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization name
Organizational Unit Name (eg, section) []:Your OU
Common Name (e.g. server FQDN or YOUR name) []:*.demo.example.com
Email Address []:hostmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Send the CSR to your favorite signing authority, or self sign it:
```
data/proxy/certs# openssl x509 -req -sha256 -days 3650 -in demo.example.com.csr -signkey demo.example.com.key -out demo.example.com.crt
```
Configure nginx to listen on port 443 by adding the port mapping to the proxy's docker-compose.yml file:

```yaml
proxy:
  image: jwilder/nginx-proxy
  restart: always
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - ./certs:/etc/nginx/certs:ro
    - ./vhost.d:/etc/nginx/vhost.d
    - ./html:/usr/share/nginx/html
  environment:
    - DEFAULT_HOST=demo.example.com
  ports:
    - "80:80"
    - "443:443"
```
Recreate the proxy container with:
```
docker-compose up -d
```

This exposes port 443 for SSL. Port 80 stays exposed because nginx-proxy automatically redirects port 80 to 443. Now we can access our application at:/. If the certificate is self-signed, the browser will show a warning; it goes away once the certificate is signed by an authority the browser trusts.
After receiving the signed certificate from the signing authority, replace the .crt file created above with the signed certificate. In the example above, the self-signed certificate is named demo.example.com.crt; that file should be replaced with the file from the signing authority. Note: the names of the certificate files are important. The certificate file name must match the domain name it applies to. Again, from the above example, the wildcard domain name is *.demo.example.com, so the certificate and keys must be named
By convention, nginx-proxy uses the requested domain name to find the most specific certificate first and then drops leading labels until it finds a match. In this case, for sampletown.demo.example.com it will look for sampletown.demo.example.com.crt and then demo.example.com.crt. This allows you to have different signed certificates for different domain names on the same proxy.
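The lookup order described above, and a check that a freshly replaced .crt still belongs to the key beside it, as an added shell example (not part of the original page or of nginx-proxy itself). It assumes the directory layout from this tutorial (one `<name>.crt` and `<name>.key` pair per domain under `./certs`) and, as a simplification, never tries a single-label name such as `com`:

```sh
#!/bin/sh
# find_cert HOST [CERT_DIR]
# Emulates the lookup this page describes: try HOST.crt first, then drop
# the leftmost label until a .crt with a matching .key is found.
# Prints the matching name, or returns 1 when nothing matches.
find_cert() {
  host=$1
  dir=${2:-./certs}      # assumption: certs live in ./certs by default
  name=$host
  while [ -n "$name" ]; do
    if [ -f "$dir/$name.crt" ] && [ -f "$dir/$name.key" ]; then
      printf '%s\n' "$name"
      return 0
    fi
    case $name in
      *.*) name=${name#*.} ;;   # drop the leftmost label and retry
      *)   name= ;;             # single label left: stop (simplification)
    esac
  done
  return 1
}

# cert_matches_key CERT KEY
# After swapping in a CA-signed .crt, confirm its public key equals the
# one derived from the private key; a mismatch means nginx will fail
# to load the vhost. Returns 0 on match, 1 on mismatch, 2 if unreadable.
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1") || return 2
  k=$(openssl pkey -pubout -in "$2")       || return 2
  [ "$c" = "$k" ]
}

# Stand-alone usage: ./script HOST [CERT_DIR]
if [ $# -gt 0 ]; then
  if n=$(find_cert "$1" "$2"); then
    echo "nginx-proxy would serve $1 with $n.crt"
    cert_matches_key "${2:-./certs}/$n.crt" "${2:-./certs}/$n.key" \
      && echo "certificate and key match" \
      || echo "WARNING: $n.crt does not match $n.key" >&2
  else
    echo "no certificate/key pair found for $1" >&2
  fi
fi
```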
Automatic Signed Certificates with LetsEncrypt.org