Custom Certificates
To customize the TLS certificate for STINGAR Server, set the optional environment variable CERTIFICATE_STRATEGY (passed to the container via the stingar.env file). It can be set to one of the following values: CERTBOT, SELFSIGNED, or BYO.
CERTBOT - Use the certbot package to obtain a real certificate from Let's Encrypt using the ACME protocol. If you have your own ACME server, you can pass an additional environment variable to your container to use it instead: ACME_SERVER (the URL of your ACME server).
Check port 80 is open
Certbot proves control of your domain with a challenge-response exchange served by the webserver: the ACME server connects back to your host on port 80/tcp and fetches a token from it. The CERTBOT strategy therefore will not work for NAT'ed or otherwise non-publicly reachable servers.
When using the CERTBOT certificate strategy, your server needs port 80/tcp open and reachable from the Internet while the certificate is requested. Once the certificate has been issued, port 80/tcp is no longer required to be available, until the certificate is renewed, when the same challenge is repeated.
SELFSIGNED - Use OpenSSL to generate a self-signed certificate. Browsers and API clients will warn about or reject it unless they are configured to trust that specific certificate.
BYO - Bring Your Own. This is useful if you have a CA that does not support ACME. To use this, mount your own directory containing cert.pem and key.pem onto the /tls volume of the container. To confirm the certificates are visible inside the container, run docker-compose exec web ls /tls from within your docker-compose directory (web is the name of the nginx service in the example below).
For example, volume mount a local directory to the /tls directory via your docker-compose.yml in the volumes section for the web (nginx) service:
web:
  image: nginx:latest
  container_name: nginx
  ports:
    - 80:80
    - 443:443
  volumes:
    - ./certs:/etc/nginx/conf.d:z
    - ./certs:/tls:z
    - ./nginx.conf:/etc/nginx/nginx.conf:ro
    - credentials:/credentials
  restart: on-failure
Then place your certificate files in the ./certs directory: the private key as key.pem and the certificate (with any intermediate chain your CA requires appended after it) as cert.pem. Keep key.pem readable only by its owner (mode 0600); the directory is bind-mounted into the container, so host file permissions are what protect the key.
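The following is an added example, not code from the STINGAR project: a POSIX shell helper that creates a key.pem/cert.pem pair in the layout the /tls volume expects and then verifies the pair before the container is started. It generates a self-signed pair with OpenSSL for illustration; for a real BYO deployment you would replace the two files with your CA-issued certificate and its key and run only the verification. The directory path ./certs and the hostname stingar.example.org are assumptions.

```shell
#!/bin/sh
# Added example (not part of STINGAR). Requires the openssl command.

# make_byo_certs DIR CN
# Writes DIR/key.pem (2048-bit RSA, mode 0600) and DIR/cert.pem (self-signed,
# valid 365 days) for common name CN. With a CA-issued certificate you would
# instead copy the certificate (plus chain) and key into place under the same names.
make_byo_certs() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so key.pem is created owner-readable only
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$cn" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 ) || return 1
    chmod 644 "$dir/cert.pem"   # the certificate itself is public
}

# verify_byo_certs DIR
# Returns 0 only if both files exist, the private key matches the certificate,
# the certificate has not expired, and key.pem is readable only by its owner.
# Run this before docker-compose up: a mismatched pair makes nginx fail at start.
verify_byo_certs() {
    dir=$1
    [ -f "$dir/cert.pem" ] || { echo "missing $dir/cert.pem" >&2; return 1; }
    [ -f "$dir/key.pem" ]  || { echo "missing $dir/key.pem" >&2; return 1; }

    # The public key embedded in the certificate must equal the one derived
    # from the private key; compare SHA-256 digests of the two PEM outputs.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] || { echo "cannot read $dir/key.pem" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "cert.pem and key.pem do not match" >&2; return 1; }

    # -checkend 0 exits non-zero if the certificate is already expired
    openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null \
        || { echo "cert.pem has expired" >&2; return 1; }

    # Portable permission check: the mode string must be exactly -rw-------
    mode=$(ls -l "$dir/key.pem" | cut -c1-10)
    [ "$mode" = "-rw-------" ] \
        || { echo "key.pem mode is $mode, expected -rw-------" >&2; return 1; }
    return 0
}
```

Usage: source the file in your docker-compose directory, run make_byo_certs ./certs stingar.example.org (or copy your CA-issued files into ./certs), then gate the start on the check: verify_byo_certs ./certs && docker-compose up -d.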
Defaults
If the SERVER environment variable is set to an IP address, SELFSIGNED is the default value. If a DNS hostname is given, CERTBOT is the default value.