This document outlines the certificate management procedures for the Docker server.
The server uses Let's Encrypt SSL certificates for all web-facing services. Certificate management is handled in two ways: Traefik's built-in ACME resolver for the Docker services it fronts, and the renewcerts.sh script for services that need certificate files on disk.
Traefik manages certificates for the WordPress sites and the other Docker services it routes to. These certificates are automatically renewed 30 days before expiration.
Some services require special certificate handling: Nextcloud and Home Assistant read certificate and key files from their own directories, and the Fortigate firewall requires a specific certificate format (a password-protected PKCS#12 bundle) and manual import.
Traefik automatically handles certificate renewal with the following configuration (the resolver name, le here, is also the top-level key under which the certificates are stored in acme.json):

```yaml
certificatesResolvers:
  le:
    acme:
      email: [email protected]
      storage: /letsencrypt/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
```

The HTTP-01 challenge needs the web entrypoint (port 80) reachable from the internet for every hostname being issued. It cannot issue wildcard certificates; a wildcard such as *.example.com requires a dnsChallenge resolver with a supported DNS provider instead. For testing a new configuration, point caServer at the staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory), which has much higher rate limits but issues certificates browsers do not trust.
Certificates are stored in the ACME JSON format at /home/ali3nz/docker/traefik/letsencrypt/acme.json on the host (mounted as /letsencrypt/acme.json in the container). The file holds the ACME account key and every issued private key in cleartext, so it must be mode 600; Traefik checks this at startup and refuses to use a file with looser permissions.
The renewcerts.sh script handles special certificate renewals:
```bash
#!/bin/bash
# Certificate renewal script
# This script is scheduled to run bi-monthly via cron
set -euo pipefail

# Set variables
CERT_DIR="/home/ali3nz/docker/certificates"
DOMAIN_LIST="cloud.example.com home.example.com"
EMAIL="[email protected]"
# Password on the PKCS#12 bundle; the Fortigate import prompts for it.
# The default below is the weak literal the script originally hard-coded: supply a
# strong value through the environment (or a root-only file) instead of editing it here.
export PFX_PASSWORD="${PFX_PASSWORD:-certificate}"

# Ensure cert directory exists
mkdir -p "$CERT_DIR"

# certbot's standalone authenticator needs port 80, which Traefik holds.
# Stop Traefik once for the whole run and guarantee it comes back even if certbot fails.
docker stop traefik
trap 'docker start traefik' EXIT

# Renew certificates
for DOMAIN in $DOMAIN_LIST; do
    echo "Renewing certificate for $DOMAIN"
    # --non-interactive: cron has no TTY (certbot otherwise prompts when a valid
    # certificate already exists). --force-renewal: always issue a fresh 90-day
    # certificate on this bi-monthly cadence; do not run this more than a few
    # times a week or the 5-duplicate-certificates-per-week limit will be hit.
    certbot certonly --standalone --non-interactive --agree-tos --email "$EMAIL" \
        -d "$DOMAIN" --force-renewal
    # Copy certificates to the certificate directory (-L dereferences the live/ symlinks)
    cp -L "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERT_DIR/$DOMAIN.crt"
    cp -L "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERT_DIR/$DOMAIN.key"
    # Create PFX (PKCS#12) bundle for services that need it; the password is read
    # from the environment so it does not show up in the process list
    openssl pkcs12 -export -out "$CERT_DIR/$DOMAIN.pfx" \
        -inkey "$CERT_DIR/$DOMAIN.key" -in "$CERT_DIR/$DOMAIN.crt" \
        -passout env:PFX_PASSWORD
    # Set correct permissions: the chain is public, the key and the bundle are not
    chmod 644 "$CERT_DIR/$DOMAIN.crt"
    chmod 600 "$CERT_DIR/$DOMAIN.key" "$CERT_DIR/$DOMAIN.pfx"
done

# Copy certificates to respective service directories
echo "Copying certificates to services..."
# Copy to Nextcloud
cp "$CERT_DIR/cloud.example.com.crt" /home/ali3nz/docker/nextcloud/certs/cert.crt
cp "$CERT_DIR/cloud.example.com.key" /home/ali3nz/docker/nextcloud/certs/cert.key
# Copy to Home Assistant
cp "$CERT_DIR/home.example.com.crt" /home/ali3nz/docker/homeassistant/certs/fullchain.pem
cp "$CERT_DIR/home.example.com.key" /home/ali3nz/docker/homeassistant/certs/privkey.pem
# Export Fortigate certificate to OneDrive for manual import
# (the bundle contains the private key: delete it from the share once it is imported)
echo "Exporting Fortigate certificate to OneDrive..."
cp "$CERT_DIR/home.example.com.pfx" /mnt/onedrive/FortigateCert/fortigate.pfx
echo "Certificate renewal completed."
```
This script runs bi-monthly via cron to ensure certificates are renewed well before expiration. Nextcloud and Home Assistant only read the copied files at startup, so restart those containers after a renewal. The PKCS#12 bundle left on OneDrive contains the private key and is protected only by the password set in the script; remove it from the share once it has been imported.
The Fortigate firewall requires manual certificate import: the script exports the home.example.com bundle as /mnt/onedrive/FortigateCert/fortigate.pfx, and that file is imported on the firewall by hand, supplying the PKCS#12 password.
To verify certificates and their expiration dates. jq cannot invoke openssl itself, so the base64-encoded PEM chain is decoded in a shell loop, and the top-level key in acme.json is the resolver name (le in the configuration above):

```bash
# Check Traefik certificates
docker exec traefik cat /letsencrypt/acme.json \
  | jq -r '.le.Certificates[] | "\(.domain.main) \(.certificate)"' \
  | while read -r DOMAIN CERT; do
      echo "$DOMAIN expires on: $(echo "$CERT" | base64 -d | openssl x509 -noout -enddate)"
    done
# Check special service certificates
for CERT in /home/ali3nz/docker/certificates/*.crt; do
    echo "$CERT expires on: $(openssl x509 -enddate -noout -in "$CERT")"
done
```
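The loop above needs jq and openssl on the host and only prints dates. The following is an added example, not part of the original page and not Traefik's own tooling: a dependency-free Python reader for acme.json that pulls notAfter straight out of each leaf certificate's DER and flags anything inside the same 30-day window Traefik uses for renewal. The acme.json layout it reads (resolver name as the top-level key, a Certificates list, certificate holding base64 of the PEM chain) is the one Traefik writes; the sample file, domain names, dates and the unsigned placeholder certificates are constructed inline and are assumptions. Python is used instead of shell so the check runs on a host without jq.

```python
import base64
import datetime as dt
import json
import sys

RENEW_WINDOW_DAYS = 30  # Traefik renews an ACME certificate 30 days before it expires


def _tlv(data, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        items.append((tag, val))
    return items


def _asn1_time(tag, value):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def cert_not_after(pem):
    """notAfter of the first certificate in a PEM string (the leaf of a chain)."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END CERTIFICATE-----", 1)[0]
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # fields of tbsCertificate
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    validity = _children(fields[3][1])                 # serial, sigAlg, issuer, validity
    return _asn1_time(*validity[1])                    # validity = (notBefore, notAfter)


def check_acme_json(text, now, window_days=RENEW_WINDOW_DAYS):
    """One record per stored certificate, across every resolver present in the file."""
    report = []
    for resolver, data in json.loads(text).items():
        for entry in data.get("Certificates") or []:
            pem = base64.b64decode(entry["certificate"]).decode("ascii")
            not_after = cert_not_after(pem)
            days_left = (not_after - now).days
            report.append({"resolver": resolver, "domain": entry["domain"]["main"],
                           "not_after": not_after, "days_left": days_left,
                           "renew": days_left < window_days})
    return report


# ---- constructed sample input (assumption: names, dates and certificates are made up) ----

def _der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert_pem(not_after):
    """Structurally valid X.509 v3 DER with empty names, key and signature, PEM-wrapped.
    Enough to exercise the parser; it would fail any real chain validation."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    validity = _der(0x30, utc(not_after - dt.timedelta(days=90)) + utc(not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
SAMPLE_ACME_JSON = json.dumps({"le": {"Account": {}, "Certificates": [
    {"domain": {"main": name, "sans": []}, "Store": "default", "key": "",
     "certificate": base64.b64encode(make_sample_cert_pem(NOW + dt.timedelta(days=days)).encode()).decode()}
    for name, days in (("cloud.example.com", 70), ("home.example.com", 10))]}})


if __name__ == "__main__":
    # With a path argument, read a real acme.json (needs root: the file is mode 600).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACME_JSON
    now = dt.datetime.now(dt.timezone.utc) if len(sys.argv) > 1 else NOW
    for r in check_acme_json(text, now):
        print(f'{r["domain"]:28} expires {r["not_after"]:%Y-%m-%d} ({r["days_left"]:3d} days) '
              + ("RENEW" if r["renew"] else "ok"))
```

Run it as root with the host path of acme.json as the argument; because it iterates over every top-level key, it keeps working if the resolver is renamed. A RENEW line for a domain that Traefik has not renewed on its own is the signal to read the Traefik log for the ACME failure.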
If certificate renewals fail, start with the Traefik log, which records every ACME order and challenge error:

```bash
docker logs traefik 2>&1 | grep -iE "acme|certificate"
```

In case automatic renewal fails:

```bash
# For Traefik-managed certificates: a restart triggers a fresh ACME attempt
docker restart traefik
# For special certificates: certbot's standalone listener needs port 80, so Traefik must be down
docker stop traefik
certbot certonly --standalone -d domain.example.com
docker start traefik
```

If a certificate needs immediate replacement, force renewal regardless of the remaining lifetime (certbot otherwise keeps a certificate that is not yet within 30 days of expiry):

```bash
docker stop traefik
certbot certonly --standalone --force-renewal -d domain.example.com
docker start traefik
```

If the replacement is because the private key may have been exposed, also revoke the old certificate with certbot revoke --cert-name domain.example.com --reason keycompromise.
| Domain | Type | Managed By | Renewal | Expiry Check Command |
|---|---|---|---|---|
| *.example.com | Wildcard | Traefik | Automatic (a wildcard requires a dnsChallenge resolver; HTTP-01 cannot issue it) | docker exec traefik cat /letsencrypt/acme.json, piped through the jq/openssl loop above |
| cloud.example.com | Standard | renewcerts.sh | Bi-monthly | openssl x509 -enddate -noout -in /home/ali3nz/docker/certificates/cloud.example.com.crt |
| home.example.com | Standard | renewcerts.sh | Bi-monthly | openssl x509 -enddate -noout -in /home/ali3nz/docker/certificates/home.example.com.crt |
| fortigate.example.com | Standard | renewcerts.sh | Manual Import | openssl x509 -enddate -noout -in /home/ali3nz/docker/certificates/fortigate.example.com.crt |
This document outlines the SSL certificate management system for the server.
The server uses Let's Encrypt for SSL certificates with automatic renewal. Certificates are managed in two ways: Traefik's built-in ACME resolver for most Docker services, and the renewal script /home/ali3nz/docker/scripts/renewcerts.sh for the domains listed below, which writes its output to /home/ali3nz/docker/scripts/renew_certs.log.
The following domains have dedicated certificate renewal processes:
| Domain | Service | Container |
|---|---|---|
| home.risingflow.com | Home Assistant | homeassistant |
| cloud.risingflow.com | Nextcloud | nextcloud |
| fortigate.risingflow.com | Fortigate | (External) |
WordPress sites and other Docker services use Traefik for certificate management.
The certificate renewal process works as follows:

1. The Traefik container is stopped to free up port 80 for certbot's standalone HTTP-01 listener:

```bash
demyx compose traefik down
```

2. Certificates are renewed using certbot. renew only replaces a certificate that is inside its renewal window (30 days before expiry by default) and is a no-op otherwise, so Traefik is taken down on every run even when nothing is due:

```bash
certbot renew --cert-name home.risingflow.com --non-interactive --quiet
certbot renew --cert-name cloud.risingflow.com --non-interactive --quiet
certbot renew --cert-name fortigate.risingflow.com --non-interactive --quiet
```

3. Renewed certificates are copied to the appropriate locations:

Home Assistant certificates:

```bash
cp /etc/letsencrypt/live/home.risingflow.com/fullchain.pem /home/ali3nz/docker/homeassist/config/fullchain.pem
cp /etc/letsencrypt/live/home.risingflow.com/privkey.pem /home/ali3nz/docker/homeassist/config/privkey.pem
```

Nextcloud certificates:

```bash
cp /etc/letsencrypt/live/cloud.risingflow.com/fullchain.pem /home/ali3nz/docker/nextcloud/config/keys/cert.crt
cp /etc/letsencrypt/live/cloud.risingflow.com/privkey.pem /home/ali3nz/docker/nextcloud/config/keys/cert.key
```

Fortigate certificates (this leaves an unencrypted private key on the OneDrive share; a password-protected PKCS#12 bundle that is deleted after import is the safer hand-off):

```bash
cp /etc/letsencrypt/live/fortigate.risingflow.com/fullchain.pem /home/ali3nz/docker/scripts/forticert/fullchain.pem
cp /etc/letsencrypt/live/fortigate.risingflow.com/privkey.pem /home/ali3nz/docker/scripts/forticert/privkey.pem
cp /etc/letsencrypt/live/fortigate.risingflow.com/fullchain.pem /mnt/onedrive/forticert/fullchain.pem
cp /etc/letsencrypt/live/fortigate.risingflow.com/privkey.pem /mnt/onedrive/forticert/privkey.pem
```

4. Proper permissions are set on the certificate files: private keys mode 600 and owned by the account the service runs as, chains mode 644.

5. The Traefik container is restarted:

```bash
demyx compose traefik up -d
```
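The copy step is where this process fails quietly: a cp that did not run leaves a service presenting its old certificate until it expires, and a key copied with the wrong mode is readable by every other user on the host. As an added example (not the page's script and not part of the renewal process itself), the Python audit below compares each service's copy against the certbot source by SHA-256 and checks private-key modes. The path mapping mirrors the copy commands above; the sample tree it builds under a temporary directory is constructed, with placeholder contents, one stale copy, one world-readable key and two missing copies. It also covers the certificate-permissions check in the troubleshooting section.

```python
import hashlib
import os
import stat
import tempfile

# Source lineage -> every place the renewal process copies it (paths from the page)
DEPLOYMENTS = {
    "/etc/letsencrypt/live/home.risingflow.com/fullchain.pem":
        ["/home/ali3nz/docker/homeassist/config/fullchain.pem"],
    "/etc/letsencrypt/live/home.risingflow.com/privkey.pem":
        ["/home/ali3nz/docker/homeassist/config/privkey.pem"],
    "/etc/letsencrypt/live/cloud.risingflow.com/fullchain.pem":
        ["/home/ali3nz/docker/nextcloud/config/keys/cert.crt"],
    "/etc/letsencrypt/live/cloud.risingflow.com/privkey.pem":
        ["/home/ali3nz/docker/nextcloud/config/keys/cert.key"],
    "/etc/letsencrypt/live/fortigate.risingflow.com/fullchain.pem":
        ["/home/ali3nz/docker/scripts/forticert/fullchain.pem",
         "/mnt/onedrive/forticert/fullchain.pem"],
}


def _sha256(path):
    with open(path, "rb") as f:          # follows the live/ -> archive/ symlinks on a real host
        return hashlib.sha256(f.read()).hexdigest()


def _is_private_key(path):
    name = os.path.basename(path)
    return name.endswith(".key") or name.startswith("privkey")


def audit_deployments(deployments, root=""):
    """Return (path, problem) findings. root is prefixed to every path so the audit
    can run against a test tree; use root="" on the real host (as root)."""
    findings = []
    for src, copies in deployments.items():
        src_path = root + src
        if not os.path.isfile(src_path):
            findings.append((src_path, "source missing"))
            continue
        want = _sha256(src_path)
        for dst in copies:
            dst_path = root + dst
            if not os.path.isfile(dst_path):
                findings.append((dst_path, "copy missing"))
                continue
            if _sha256(dst_path) != want:
                findings.append((dst_path, "stale copy (differs from certbot source)"))
            if _is_private_key(dst_path):
                mode = stat.S_IMODE(os.stat(dst_path).st_mode)
                if mode & 0o077:          # any group/other permission bit set
                    findings.append((dst_path, f"private key mode {oct(mode)} too open, want 0o600"))
    return findings


def build_sample_tree():
    """Constructed sample (assumption: contents are placeholders, not real PEM):
    Home Assistant is current, Nextcloud has a stale chain and a world-readable key,
    and the Fortigate copies were never made."""
    root = tempfile.mkdtemp(prefix="certaudit-")
    files = {
        "/etc/letsencrypt/live/home.risingflow.com/fullchain.pem": (b"CHAIN-HOME-v2\n", 0o644),
        "/etc/letsencrypt/live/home.risingflow.com/privkey.pem": (b"KEY-HOME-v2\n", 0o600),
        "/home/ali3nz/docker/homeassist/config/fullchain.pem": (b"CHAIN-HOME-v2\n", 0o644),
        "/home/ali3nz/docker/homeassist/config/privkey.pem": (b"KEY-HOME-v2\n", 0o600),
        "/etc/letsencrypt/live/cloud.risingflow.com/fullchain.pem": (b"CHAIN-CLOUD-v2\n", 0o644),
        "/etc/letsencrypt/live/cloud.risingflow.com/privkey.pem": (b"KEY-CLOUD-v2\n", 0o600),
        "/home/ali3nz/docker/nextcloud/config/keys/cert.crt": (b"CHAIN-CLOUD-v1\n", 0o644),
        "/home/ali3nz/docker/nextcloud/config/keys/cert.key": (b"KEY-CLOUD-v2\n", 0o644),
        "/etc/letsencrypt/live/fortigate.risingflow.com/fullchain.pem": (b"CHAIN-FG-v2\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = root + rel
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, problem in audit_deployments(DEPLOYMENTS, root):
        print(f"{problem}: {path[len(root):]}")
```

Run after the renewal script (or from the same cron job) with root="" and treat any finding as a failed renewal; a "stale copy" on a chain file means the service is still presenting the previous certificate even though certbot has a new one.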
If certificates need to be manually renewed (e.g., if the automatic renewal fails), you can run:

```bash
# Run the renewal script manually (it stops and restarts Traefik itself)
sudo /home/ali3nz/docker/scripts/renewcerts.sh
# Or run certbot directly for a specific domain; Traefik must be down first
# because the standalone authenticator binds port 80
demyx compose traefik down
sudo certbot renew --cert-name domain.com
demyx compose traefik up -d
```

certbot renew only replaces a certificate that is within its renewal window (30 days before expiry by default); add --force-renewal to replace one immediately. When running certbot directly, copy the renewed files to the service directories as in the steps above and restart the service that uses them.

To add a new certificate for a domain:

```bash
# Stop Traefik
demyx compose traefik down
# Issue a new certificate
certbot certonly --standalone -d newdomain.com
# Start Traefik
demyx compose traefik up -d
# If needed, add the certificate to the renewal script
```

For Traefik-managed domains, simply ensure the domain is correctly configured in the Traefik routes (usually via labels in the Docker Compose file).
Certificate Not Renewed: check the renewal script's log, then certbot's own log for the ACME error (a failed HTTP-01 challenge usually means port 80 was still held by Traefik, or DNS for the name does not point at this host):

```bash
cat /home/ali3nz/docker/scripts/renew_certs.log
cat /var/log/letsencrypt/letsencrypt.log
```

Certificate Not Trusted by Browsers: inspect what the server actually presents. A subject of CN=TRAEFIK DEFAULT CERT means Traefik fell back to its self-signed certificate because ACME issuance failed for that host:

```bash
curl -vI https://domain.com 2>&1 | grep -E "subject:|issuer:|expire date:"
```

Certificate Permissions: the service account must be able to read the files, and the private key must not be readable by anyone else:

```bash
ls -la /path/to/certificate/files
chown appropriate_user:appropriate_group /path/to/certificate/files
chmod 600 /path/to/private/key.pem
```

Traefik Not Using Certificates:

```bash
docker logs demyx_traefik 2>&1 | grep -iE "certificate|acme"
```
All Let's Encrypt certificates are stored in:

/etc/letsencrypt/live/<domain>/

Each domain directory contains:

- cert.pem: The domain certificate only
- chain.pem: The intermediate certificate chain
- fullchain.pem: cert.pem and chain.pem combined
- privkey.pem: The private key for the certificate

The files in live/ are symlinks into /etc/letsencrypt/archive/<domain>/ that certbot repoints on each renewal, so copy them (cp -L follows the symlinks) rather than bind-mounting the live directory into a container.

The copies used by each service:

Home Assistant:

/home/ali3nz/docker/homeassist/config/fullchain.pem
/home/ali3nz/docker/homeassist/config/privkey.pem

Nextcloud:

/home/ali3nz/docker/nextcloud/config/keys/cert.crt
/home/ali3nz/docker/nextcloud/config/keys/cert.key

Fortigate:

/home/ali3nz/docker/scripts/forticert/fullchain.pem
/home/ali3nz/docker/scripts/forticert/privkey.pem
/mnt/onedrive/forticert/fullchain.pem
/mnt/onedrive/forticert/privkey.pem
Let's Encrypt has rate limits, most relevantly 50 certificates per registered domain per week, 5 duplicate certificates (same set of hostnames) per week, and 5 failed validations per account, per hostname, per hour.
Ensure DNS records are correctly configured before attempting certificate issuance to avoid hitting these limits, and test a new domain or configuration with certbot's --dry-run option (or against the staging endpoint, which has separate, much higher limits) before issuing against production.