Deployment Overview of Nginx Certbot on Server¶

Prerequisites and Basic Requirements¶

To successfully deploy the Nginx Certbot application, the following requirements must be met on the target server:

Operating System: Linux distribution compatible with Docker Engine.
Privileges: Root access or a user with sudo privileges to manage Docker services and firewall rules.
Domain Configuration: A valid domain name pointing to the server's public IP address.
Network Ports: Ports 80 and 443 must be open and accessible from the internet for SSL certificate validation and HTTPS traffic.

The fully qualified domain name (FQDN) for the application follows the format: nginx-certbot<Server ID>.hostkey.in:443

Where <Server ID> is replaced by the specific identifier assigned to the server instance.

The application utilizes the following directory structure for configuration and data storage:

/etc/letsencrypt: Stores SSL certificates and private keys managed by Certbot.
./user_conf.d: Contains custom Nginx server block configurations.
./nginx-certbot.env: Environment variable file for the Nginx service.
./compose.yml: Docker Compose definition file for service orchestration.

The application is deployed using Docker Compose. The deployment process involves the following steps:

Ensure Docker and Docker Compose are installed on the server.
Create the necessary directory structure for the application.
Place the compose.yml file and the nginx-certbot.env file in the deployment directory.
Create the external volume nginx_secrets required for certificate storage.
Execute the command docker compose up -d to start the services.

The deployment uses the jonasal/nginx-certbot:latest container image.

Security measures implemented in the deployment include:

Firewall rules must allow inbound traffic on ports 80 and 443.
The Nginx container runs with the restart: unless-stopped policy to ensure availability.
SSL certificates are stored in an external Docker volume to persist data across container restarts.
The application returns a plain text response confirming successful certificate installation.

The deployment consists of a single Nginx container managed via Docker Compose. The container configuration includes:

The Nginx container acts as a reverse proxy and SSL termination point. It is configured to:

Listen on port 443 for both IPv4 and IPv6 connections.
Serve the domain nginx-certbot<Server ID>.hostkey.in.
Load SSL certificates from the /etc/letsencrypt/live/ directory.
Return a 200 status code with a success message upon successful certificate installation.

File and directory permissions are managed by the Docker container and the host system:

The nginx_secrets volume must be accessible by the Nginx container to read and write certificates.
The user_conf.d directory on the host must be readable by the container to load custom configurations.
The compose.yml and nginx-certbot.env files should be owned by the user executing the Docker commands.

Configuration files and data are located in the following paths:

The following ports are available for external connection:

Service management is handled via Docker Compose commands:

Start the service: docker compose up -d
Stop the service: docker compose down
Update the container image: docker compose pull followed by docker compose up -d
View logs: docker compose logs -f