Let's Encrypt + Nginx + cron automation in docker-compose
Complete Docker guides with optimization techniques, deployment strategies, and automation prompts to streamline your containerization workflow.
*Does this sound familiar? Manually copying SSL certificates into Docker containers every few months, setting calendar reminders, and inevitably forgetting until the site goes down with an expired certificate.
If yes, then you might find this article helpful.
After wrestling with this setup for way too long, I finally cracked the code for fully automated SSL renewal with Docker. Here's everything I learned, documented down to the last semicolon.*
Picture this: You have a beautiful Docker setup with nginx serving your application over HTTPS. Your Let's Encrypt certificates are working perfectly... until they expire 90 days later.
The typical pain points:
Sound familiar? Let's fix this once and for all.
We'll create a bulletproof system that:
The foundation of our solution is mounting the Let's Encrypt certificates directly into our containers. No more manual copying!
version: '3.8'
services:
frontend:
build: ./frontend
ports:
- "80:80"
- "443:443"
volumes:
- .:/workspace:cached
- frontend-node-modules:/workspace/frontend/node_modules
# 🔑 This is the magic line - mount certificates read-only
- /etc/letsencrypt:/etc/letsencrypt:ro
restart: unless-stopped
backend:
build: ./backend
ports:
- "8000:8000"
volumes:
- .:/workspace:cached
# Mount certificates in backend too if needed
- /etc/letsencrypt:/etc/letsencrypt:ro
restart: unless-stopped
redis:
image: redis:alpine
restart: unless-stopped
volumes:
frontend-node-modules:
Update your nginx configuration file:
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
# Redirect HTTP to HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
# 🔑 Point directly to mounted certificates
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Your application configuration
location / {
proxy_pass http://backend:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# Stop current containers
docker-compose down
# Start with new volume mounts
docker-compose up -d
Before we set up automation, let's make sure our containers can actually see the certificates.
# Get your nginx container ID
docker ps
# Access the container shell (replace CONTAINER_ID with actual ID)
docker exec -it CONTAINER_ID sh
# Verify certificates are accessible
ls -la /etc/letsencrypt/live/yourdomain.com/
You should see output like this:
total 12
drwxr-xr-x 2 root root 4096 May 29 16:40 .
drwxr-xr-x 3 root root 4096 May 29 16:40 ..
-rwxr-xr-x 1 root root 692 May 29 16:40 README
lrwxrwxrwx 1 root root 48 May 29 16:40 cert.pem -> ../../archive/yourdomain.com/cert1.pem
lrwxrwxrwx 1 root root 49 May 29 16:40 chain.pem -> ../../archive/yourdomain.com/chain1.pem
lrwxrwxrwx 1 root root 53 May 29 16:40 fullchain.pem -> ../../archive/yourdomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 51 May 29 16:40 privkey.pem -> ../../archive/yourdomain.com/privkey1.pem
# Check that the actual certificate files exist
ls -la /etc/letsencrypt/archive/yourdomain.com/
# Test reading the certificate
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem | head -5
# Inside the container, test nginx config
nginx -t
# Should output:
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
If everything checks out, exit the container:
exit
Here's the critical issue most tutorials don't mention: certbot needs port 80 for the HTTP challenge, but your nginx container is already using it.
When you run certbot renew, you might see this error:
Failed to renew certificate yourdomain.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
This is why many people think their auto-renewal is working (because certbot renew returns success for certificates that don't need renewal yet), but when renewal time actually comes, it fails silently.
Try this to see the issue:
# This will fail if nginx is running on port 80
sudo certbot renew --cert-name yourdomain.com --force-renewal
You'll get the port binding error. This is exactly what we need to solve.
Certbot hooks are scripts that run at different stages of the renewal process. We'll use a deploy hook that runs after successful certificate renewal to restart our Docker containers.
sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
sudo nano /etc/letsencrypt/renewal-hooks/deploy/restart-docker.sh
Add this content:
#!/bin/bash
# Certbot deploy hook for Docker-based applications
# This script runs after successful certificate renewal
set -e # Exit on any error
# Configuration - UPDATE THESE PATHS FOR YOUR SETUP
DOCKER_COMPOSE_PATH="/path/to/your/docker-compose-directory" # ⚠️ CHANGE THIS
LOG_FILE="/var/log/letsencrypt/deploy-hook.log"
# Function to log messages with timestamps
log_message() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
log_message "=== Deploy hook started - SSL certificates renewed ==="
# Change to docker-compose directory
if [ ! -d "$DOCKER_COMPOSE_PATH" ]; then
log_message "ERROR: Docker compose directory not found: $DOCKER_COMPOSE_PATH"
exit 1
fi
cd "$DOCKER_COMPOSE_PATH"
log_message "Changed to directory: $DOCKER_COMPOSE_PATH"
# Determine which docker compose command to use
if command -v docker-compose >/dev/null 2>&1; then
DOCKER_COMPOSE="docker-compose"
log_message "Using docker-compose command"
elif command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
DOCKER_COMPOSE="docker compose"
log_message "Using docker compose command"
else
log_message "ERROR: Neither docker-compose nor docker compose found"
exit 1
fi
# Try to gracefully reload nginx first
NGINX_CONTAINER=$(docker ps --format "{{.Names}}" | grep -E "(frontend|nginx|web)" | head -1)
if [ -n "$NGINX_CONTAINER" ]; then
log_message "Found nginx container: $NGINX_CONTAINER"
log_message "Attempting graceful nginx reload..."
if docker exec "$NGINX_CONTAINER" nginx -s reload 2>/dev/null; then
log_message "✅ Nginx reloaded successfully"
log_message "=== Deploy hook completed successfully ==="
exit 0
else
log_message "⚠️ Nginx reload failed, falling back to container restart"
fi
fi
# Fallback: restart all containers
log_message "Restarting all Docker containers..."
if $DOCKER_COMPOSE restart; then
log_message "✅ Docker containers restarted successfully"
# Wait a moment and verify services are up
sleep 10
if curl -f -s -I https://$(hostname -f) >/dev/null 2>&1; then
log_message "✅ HTTPS verification successful"
else
log_message "⚠️ HTTPS verification failed - please check manually"
fi
else
log_message "❌ ERROR: Failed to restart Docker containers"
exit 1
fi
log_message "=== Deploy hook completed successfully ==="
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-docker.sh
This is crucial! Edit the script and replace /path/to/your/docker-compose-directory with your actual path:
sudo nano /etc/letsencrypt/renewal-hooks/deploy/restart-docker.sh
# Change this line:
DOCKER_COMPOSE_PATH="/path/to/your/docker-compose-directory"
# To your actual path, for example:
DOCKER_COMPOSE_PATH="/root/my-awesome-app"
# or
DOCKER_COMPOSE_PATH="/home/ubuntu/my-project"
To solve the port binding issue, we need to stop our containers before renewal and start them after. We'll use pre and post hooks for this.
sudo mkdir -p /etc/letsencrypt/renewal-hooks/pre
sudo nano /etc/letsencrypt/renewal-hooks/pre/stop-docker.sh
#!/bin/bash
# Pre-hook: Stop Docker containers before certificate renewal
set -e
# Configuration - UPDATE THIS PATH
DOCKER_COMPOSE_PATH="/path/to/your/docker-compose-directory" # ⚠️ CHANGE THIS
LOG_FILE="/var/log/letsencrypt/pre-hook.log"
log_message() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
log_message "=== Pre-hook started - Stopping containers for renewal ==="
cd "$DOCKER_COMPOSE_PATH"
# Determine docker compose command
if command -v docker-compose >/dev/null 2>&1; then
DOCKER_COMPOSE="docker-compose"
elif command -v docker >/dev/null 2>&1; then
DOCKER_COMPOSE="docker compose"
else
log_message "ERROR: Docker compose not found"
exit 1
fi
# Stop containers
log_message "Stopping Docker containers..."
if $DOCKER_COMPOSE down; then
log_message "✅ Containers stopped successfully"
# Wait for ports to be freed
sleep 5
else
log_message "❌ ERROR: Failed to stop containers"
exit 1
fi
log_message "=== Pre-hook completed - Port 80 is now free for certbot ==="
sudo mkdir -p /etc/letsencrypt/renewal-hooks/post
sudo nano /etc/letsencrypt/renewal-hooks/post/start-docker.sh
#!/bin/bash
# Post-hook: Start Docker containers after certificate renewal
set -e
# Configuration - UPDATE THIS PATH
DOCKER_COMPOSE_PATH="/path/to/your/docker-compose-directory" # ⚠️ CHANGE THIS
LOG_FILE="/var/log/letsencrypt/post-hook.log"
log_message() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
log_message "=== Post-hook started - Starting containers after renewal ==="
cd "$DOCKER_COMPOSE_PATH"
# Determine docker compose command
if command -v docker-compose >/dev/null 2>&1; then
DOCKER_COMPOSE="docker-compose"
elif command -v docker >/dev/null 2>&1; then
DOCKER_COMPOSE="docker compose"
else
log_message "ERROR: Docker compose not found"
exit 1
fi
# Start containers
log_message "Starting Docker containers..."
if $DOCKER_COMPOSE up -d; then
log_message "✅ Containers started successfully"
# Wait for services to be fully ready
log_message "Waiting for services to initialize..."
sleep 15
# Verify HTTPS is working
if curl -f -s -I https://$(hostname -f) >/dev/null 2>&1; then
log_message "✅ HTTPS verification successful"
else
log_message "⚠️ HTTPS verification failed - services may still be starting"
fi
else
log_message "❌ ERROR: Failed to start containers"
exit 1
fi
log_message "=== Post-hook completed successfully ==="
# Make executable
sudo chmod +x /etc/letsencrypt/renewal-hooks/pre/stop-docker.sh
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/start-docker.sh
# Update paths in both files
sudo nano /etc/letsencrypt/renewal-hooks/pre/stop-docker.sh
sudo nano /etc/letsencrypt/renewal-hooks/post/start-docker.sh
Now let's test our entire renewal system end-to-end.
# Test pre-hook (this will stop your containers!)
sudo /etc/letsencrypt/renewal-hooks/pre/stop-docker.sh
# Check if containers are stopped
docker ps
# Test post-hook (this will start them again)
sudo /etc/letsencrypt/renewal-hooks/post/start-docker.sh
# Check if containers are running
docker ps
# Test the complete renewal process without actually renewing
sudo certbot renew --cert-name yourdomain.com --dry-run
You should see output like:
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem (success)
Warning: This will temporarily take your site offline for a few seconds.
# Force an actual renewal to test everything
sudo certbot renew --cert-name yourdomain.com --force-renewal
# Check all hook logs
sudo tail -20 /var/log/letsencrypt/pre-hook.log
sudo tail -20 /var/log/letsencrypt/post-hook.log
sudo tail -20 /var/log/letsencrypt/deploy-hook.log
# Check general certbot log
sudo tail -20 /var/log/letsencrypt/letsencrypt.log
# Test your site
curl -I https://yourdomain.com
# Check certificate expiration
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates
The final step is ensuring certbot runs automatically. Most modern systems use systemd timers, but you can also use cron.
# Check if certbot timer is enabled
sudo systemctl status certbot.timer
# If not active, enable it
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
If you prefer cron or don't have systemd timers:
# Edit root's crontab
sudo crontab -e
# Add this line to run twice daily at random minutes
23 2,14 * * * /usr/bin/certbot renew --quiet
# See when certbot will next run
sudo systemctl list-timers certbot.timer
# Or check certificate expiration dates
sudo certbot certificates
# Certbot main log
sudo tail -f /var/log/letsencrypt/letsencrypt.log
# Your custom hook logs
sudo tail -f /var/log/letsencrypt/pre-hook.log
sudo tail -f /var/log/letsencrypt/post-hook.log
sudo tail -f /var/log/letsencrypt/deploy-hook.log
# System journal for certbot service
sudo journalctl -u certbot.service -f
Issue: "nginx: command not found" in deploy hook
# The nginx binary might not be in PATH inside the container
# Update the hook to use full path or docker exec differently
docker exec CONTAINER_NAME /usr/sbin/nginx -s reload
Issue: Containers don't restart properly
# Check container status
docker ps -a
# Check compose logs
docker-compose logs
# Manual restart
cd /your/compose/path && docker-compose restart
Issue: Certificates don't update in containers
# Verify volume mount is working
docker exec CONTAINER_ID ls -la /etc/letsencrypt/live/
# Force container recreation
docker-compose down && docker-compose up -d
Create a simple monitoring script:
sudo nano /usr/local/bin/check-ssl-expiry.sh
#!/bin/bash
DOMAIN="yourdomain.com"
DAYS_WARNING=14
# Get certificate expiration date
EXPIRY=$(openssl s_client -connect $DOMAIN:443 -servername $DOMAIN </dev/null 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $NOW_EPOCH) / 86400 ))
if [ $DAYS_LEFT -lt $DAYS_WARNING ]; then
echo "WARNING: SSL certificate for $DOMAIN expires in $DAYS_LEFT days!"
# Add your notification method here (email, Slack, etc.)
fi
Congratulations! You now have a bulletproof SSL certificate renewal system that:
✅ Automatically renews certificates before they expire
✅ Handles port conflicts by stopping/starting containers
✅ Updates running containers immediately after renewal
✅ Logs everything for easy troubleshooting
✅ Requires zero manual intervention
Your SSL certificates will now renew automatically every 60-90 days, your containers will restart to pick up the new certificates, and your site will never go down due to expired SSL certificates again. For complete production deployment context, see my React Vite Docker deployment guide.
Found this helpful? The struggle with SSL automation is real, but once you get it right, it's incredibly satisfying. Feel free to adapt this setup for your specific needs - the principles remain the same across different Docker configurations.