Letsencrypt – HTTPS is the better way

Let's Encrypt is a free, automated Certificate Authority (CA) (https://letsencrypt.org/). It issues publicly trusted TLS certificates at no charge, valid for 90 days and renewable automatically, so any internet-facing resource you control can be served over HTTPS. Here I am going to explain how to put a web app (in my case Jenkins, listening on port 8080) behind HTTPS using Let's Encrypt and Nginx.

First you need your app running on a cloud VM, for example in Azure or AWS. Make sure the VM has a public DNS name (e.g. blog.southeastasia.cloudapp.azure.com) that resolves to it. Let's Encrypt proves control of a name, not of an IP address: with the HTTP-01 challenge used below, its validation servers fetch a token from http://<your-domain>/.well-known/acme-challenge/ on port 80, so without a resolvable domain name pointing at the instance the certificate request fails.

Things to pre-configure in your cloud before you begin

  1. Open ports 80 and 443 to the public (80 for the HTTP-01 challenge and the redirect, 443 for the TLS traffic). Do not expose the app's own port (8081 below) to the internet, or the TLS termination can simply be bypassed.
  2. Make sure you have a DNS name for your resource

In my case Jenkins is up and running in a Docker container, internal port 8080, published on the host as 8081, and I have attached the Jenkins service to an external Docker network called 'nginx-network' so that the Nginx container can reach it by service name.

version: '3.7'

services:

  jenkins:
    image: jenkins/jenkins:latest
    container_name: jenkins
    # Root inside the container plus the Docker socket mounted below is
    # equivalent to root on the host: anyone who can run a Jenkins job owns
    # the VM. Acceptable for a personal build box, not for a shared one.
    user: root
    environment:
      # The official image reads JENKINS_OPTS (JENKINS_ARGS is the name used
      # by the Debian package). No quotes around the value in a YAML list
      # item, they would become part of it. With this prefix the UI answers
      # under /jenkins/; drop the line to serve Jenkins at the site root.
      - JENKINS_OPTS=--prefix=/jenkins
    volumes:
      - ./jenkins_home:/var/jenkins_home
      # Host Docker access for pipelines that build images (see note above).
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/bin/docker:/usr/bin/docker
      - /usr/local/bin/docker-compose:/usr/local/bin/docker-compose
    ports:
      # Nginx reaches Jenkins over nginx-network on 8080, so publishing is
      # optional. If you keep it, bind to loopback: a public 8081 is plain
      # HTTP that bypasses the TLS termination this post sets up.
      - 127.0.0.1:8081:8080
      # Inbound agent (JNLP) port; only open it if you use such agents.
      - 50000:50000
    networks:
      - nginx-network

networks:
  nginx-network:
    external: true

Configuring Nginx with Let's Encrypt + Certbot

Download the Let's Encrypt bootstrap script from the nginx-certbot project:

https://raw.githubusercontent.com/wmnnd/nginx-certbot/master/init-letsencrypt.sh

Open the script and set the variables at the top to your own values: `domains` (your DNS name), `email` (where expiry warnings go) and `data_path`, which must point at the directory mounted into the nginx and certbot containers below (./certbot_data). The script also has a `staging` flag: set it to 1 for the first run so that mistakes are made against Let's Encrypt's staging environment, which does not count against the production rate limits, then set it back to 0 and run again for a real certificate.

Put 'init-letsencrypt.sh' in the same folder as your 'docker-compose.yml'; the script calls docker-compose and expects services named nginx and certbot there. The docker-compose file to spin up Nginx and obtain certificates from Let's Encrypt using Certbot is as follows.

version: '3.7'

services:

  nginx:
    image: nginx:1.17.6-alpine
    container_name: nginx
    volumes:
      - ./nginx_data:/etc/nginx/conf.d
      - ./certbot_data/conf:/etc/letsencrypt
      - ./certbot_data/www:/var/www/certbot
    ports:
      - 80:80
      - 443:443
    networks:
      - nginx-network
    # Reload every 6 hours so renewed certificates are picked up (nginx only
    # reads the certificate files at start or on reload).
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  certbot:
    image: certbot/certbot
    volumes:
      - ./certbot_data/conf:/etc/letsencrypt
      - ./certbot_data/www:/var/www/certbot
    networks:
      - nginx-network
    # Without this the container runs 'certbot' once and exits, and the
    # 90-day certificate silently expires. 'certbot renew' is a no-op until
    # fewer than 30 days remain, so running it twice a day is cheap.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

networks:
  nginx-network:
    external: true

Create the (initially empty) 'nginx_data' and 'certbot_data' directories next to the compose file, and put the following 'app.conf' inside 'nginx_data'. Use the same domain name everywhere: in server_name, in the certificate paths (the directory under live/ is named after the first entry of `domains` in the script) and in the script itself.

upstream jk {
    # 'jenkins' resolves through Docker's embedded DNS on nginx-network, so
    # the container port (8080) is used, not the published host port (8081).
    server jenkins:8080;
    keepalive 256;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name xxx.southeastasia.cloudapp.azure.com;

    # Serve the HTTP-01 challenge tokens that certbot writes into the shared
    # certbot_data/www volume. This location must be matched before the
    # redirect below: a redirected challenge request fails validation.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name xxx.southeastasia.cloudapp.azure.com;

    # These paths live in the certbot_data/conf volume mounted at /etc/letsencrypt.
    ssl_certificate /etc/letsencrypt/live/xxx.southeastasia.cloudapp.azure.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.southeastasia.cloudapp.azure.com/privkey.pem;
    # Protocol/cipher settings and DH parameters downloaded by init-letsencrypt.sh.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Once HTTPS is confirmed working, tell browsers never to fall back to HTTP:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite any http:// Location header Jenkins emits to https://.
        proxy_redirect http:// https://;
        proxy_pass http://jk;

        # HTTP/1.1 with an empty Connection header is what the upstream
        # keepalive pool declared above needs in order to be used.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_request_buffering off;
        proxy_buffering off;
    }
}

The configuration is done. Now let's get the certificates.

Execute 'init-letsencrypt.sh' (it needs Docker and docker-compose available to the calling user). The script creates a temporary self-signed certificate so that Nginx can start with the config above, brings Nginx up, deletes the dummy certificate, asks Certbot for a real one via the HTTP-01 challenge, and then reloads Nginx.

Then visit your web app at https://<your-domain>/ (or https://<your-domain>/jenkins/ if you kept the --prefix setting in the Jenkins compose file). The certificate the browser shows is now issued by Let's Encrypt, at no cost.
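A few checks worth running once the script has finished, as an added example that is not part of the original post or of the nginx-certbot project. It assumes curl, openssl and GNU date on the machine you run it from, and that the argument is the DNS name used in app.conf (the post's placeholder xxx.southeastasia.cloudapp.azure.com is only a default). The first three functions contain the decision logic and take no network access, so they can be exercised on their own; the rest probe the live host.

```shell
#!/bin/sh
# Post-issuance checks for the Nginx + Certbot setup described in this post.
# Added example, not from the original post. Assumes curl, openssl and GNU
# date; the host name is the one from app.conf.

# ---- pure helpers (no network) ---------------------------------------------

# Interpret the HTTP status for a probe URL under /.well-known/acme-challenge/.
# Nginx serving that path from /var/www/certbot answers 200 (file present) or
# 404 (no such token): both mean the location block matches. 301/302 means the
# catch-all redirect swallowed the challenge, the classic reason an HTTP-01
# validation fails. "000" is what curl reports when it could not connect.
acme_path_verdict() {
    case "$1" in
        200|404) echo "ok" ;;
        301|302|307|308) echo "redirected" ;;
        000|"") echo "unreachable" ;;
        *) echo "unexpected:$1" ;;
    esac
}

# True if an "openssl x509 -noout -issuer" line names Let's Encrypt.
is_letsencrypt_issuer() {
    case "$1" in
        *"Let's Encrypt"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Whole days between "now" (epoch seconds, defaults to the current time) and an
# "openssl x509 -noout -enddate" line such as "notAfter=Mar  1 00:00:00 2030 GMT".
# Let's Encrypt certificates live 90 days and certbot renews at 30 remaining,
# so a value below 30 means the renewal loop is not doing its job.
days_until_expiry() {
    not_after="${1#notAfter=}"
    now="${2:-$(date -u +%s)}"
    exp=$(date -u -d "$not_after" +%s) || return 2   # GNU date syntax
    echo $(( (exp - now) / 86400 ))
}

# ---- live checks against the deployed host ---------------------------------

check_acme_path() {
    code=$(curl -s -m 10 -o /dev/null -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/editor-probe")
    echo "acme path:       $(acme_path_verdict "$code") (HTTP $code)"
}

check_redirect() {
    # The port-80 server block should answer 301 to the https:// URL.
    curl -s -m 10 -o /dev/null -w 'http redirect:   %{http_code} -> %{redirect_url}\n' "http://$1/"
}

check_certificate() {
    # -servername sends SNI; </dev/null ends the session after the handshake.
    pem=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null)
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    if is_letsencrypt_issuer "$issuer"; then
        echo "issuer:          Let's Encrypt ($issuer)"
    else
        echo "issuer:          NOT Let's Encrypt ($issuer)"
    fi
    echo "days to expiry:  $(days_until_expiry "$enddate")"
    # A correctly served fullchain.pem gives "Verify return code: 0 (ok)".
    printf '%s\n' "$pem" | grep -m1 'Verify return code'
}

check_plain_http_bypass() {
    # 8081 is the published Jenkins port in the compose file; reachable from
    # the internet it is plain HTTP that bypasses the TLS termination.
    code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' "http://$1:8081/")
    if [ "$code" = "000" ]; then
        echo "jenkins :8081:   closed"
    else
        echo "jenkins :8081:   OPEN (HTTP $code)"
    fi
}

run_all_checks() {
    check_acme_path "$1"
    check_redirect "$1"
    check_certificate "$1"
    check_plain_http_bypass "$1"
}

# Usage: sh check-https.sh xxx.southeastasia.cloudapp.azure.com
if [ $# -gt 0 ]; then
    run_all_checks "$1"
fi
```

The "acme path" line is the one to look at when the script fails with an unauthorized or connection error from Let's Encrypt: "redirected" means the acme-challenge location is not being matched before the 301, "unreachable" means port 80 is not open in the cloud firewall. Re-run the script a month after issuance; if "days to expiry" keeps falling below 30, the certbot renew loop is not running.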

[Screenshots: the site served over HTTPS, and the browser's certificate details showing Let's Encrypt as the issuer]

Let's Encrypt, 'coz self-signed is for kids 🙂 .....
