To customize your TLS certificate for CHN-Server, there is an environment
variable you can optionally pass to the container called
CERTIFICATE_STRATEGY
. This variable can be set to one of the following:
CERTBOT
- Use the certbot package to install a real certificate from
LetsEncrypt, using the
ACME
protocol. If you have your own ACME server, you can pass an additional
environment variable to your container to use it: ACME_SERVER
. Additionally, see the prerequisites
section on Network Connectivity for additional requirements for using CERTBOT
SELFSIGNED
- Use OpenSSL to generate a self signed certificate
BYO
- Bring Your Own. This is useful if you have a CA that does not support
ACME. To use this, mount your own directory containing cert.pem and key.pem in
to the /tls volume of the container. To ensure you can see the certs in your
conatiner, use docker-compose exec ls /tls
from within your docker-compose
directory
For example, volume mount a local directory to the /tls
directory via your docker-compose.yml in the
volumes
section for the chnserver container:
chnserver:
image: stingar/chn-server:1.9.1
volumes:
- ./storage/chnserver/sqlite:/opt/sqlite:z
- ./certs:/tls:z
env_file:
- chnserver.env
links:
- mongodb:mongodb
ports:
- "80:80"
- "443:443"
Then ensure that you place your certificate files in the ./certs
directory, and that the private key is named key.pem
and the public key is named cert.pem
.
If the SERVER variable is set to an IP address, SELFSIGNED
is the default
value. If a real name is given, CERTBOT
is the default value.
As Certbot relies on a challenge-response protocol using the webserver, the CERTBOT
strategy will not work with
NAT'ed or non-publicly accessible servers.