This is for me, so I am not going to dance around the instructions here.
Docker Compose
# The service below sits under the top-level services: key of docker-compose.yml
services:
  nginx:
    container_name: nginx
    tty: true
    restart: always
    environment:
      TZ: Australia/Hobart
    image: uozi/nginx-ui
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
      - /etc/ssl/certs/:/etc/ssl/certs/
      # this also exposes rootCA.key to the container; nginx only needs selfsigned.key,
      # so a narrower mount (or keeping the CA key elsewhere) is the safer choice
      - /etc/ssl/private/:/etc/ssl/private/
      - ./nginx:/etc/nginx
      - ./nginx-ui:/etc/nginx-ui
    ports:
      - "80:80"
      - "443:443"
Nginx Template
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name pihole.local;

    ssl_certificate     /etc/ssl/certs/selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/selfsigned.key;

    location / {
        proxy_pass http://pihole:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # the $connection_upgrade map above does nothing unless these three are set
        # (they let WebSocket connections pass through the proxy)
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 80;
    server_name pihole.local;
    return 301 https://$host$request_uri;
}
Now that we have that crap out of the way, make sure it's launched and working. Everything will be unsecured, so let's fix that.
# 1. Private key for your own root CA (this is the key that signs everything else; keep it off the nginx container)
sudo openssl genrsa -out /etc/ssl/private/rootCA.key 2048
# 2. Self-signed root CA certificate (the file you will later import into the browser)
sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -days 1024 \
    -out /etc/ssl/certs/rootCA.crt \
    -subj "/C=US/ST=California/L=San Francisco/O=MyOrganization/OU=IT Department/CN=MyRootCA"
# 3. Config file that lists every hostname the site certificate must cover
sudo nano /etc/ssl/private/openssl-san.cnf
The contents for the new conf file:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = your_primary_domain.local

[ v3_req ]
# digitalSignature is what TLS 1.3 and the ECDHE cipher suites require of an RSA server certificate;
# keyEncipherment only covers legacy RSA key exchange, so a cert with just that bit can be refused
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your_primary_domain.local
DNS.2 = pihole.local
DNS.3 = anotherdomain.local
The primary domain can be the one hosting nginx, so nginx.local.
You cannot add domains to the certificate later, so try to anticipate all of them. It's not the end of the world if you can't; just run these instructions again.
# 4. Private key for the site certificate (this is the one nginx loads)
sudo openssl genrsa -out /etc/ssl/private/selfsigned.key 2048
# 5. Certificate signing request built from the SAN config above
sudo openssl req -new -key /etc/ssl/private/selfsigned.key -out /etc/ssl/private/selfsigned.csr \
    -config /etc/ssl/private/openssl-san.cnf
# 6. Sign the CSR with the root CA; -extensions v3_req copies the SAN list into the issued cert
sudo openssl x509 -req -in /etc/ssl/private/selfsigned.csr \
    -CA /etc/ssl/certs/rootCA.crt -CAkey /etc/ssl/private/rootCA.key -CAcreateserial \
    -out /etc/ssl/certs/selfsigned.crt -days 500 -sha256 \
    -extfile /etc/ssl/private/openssl-san.cnf -extensions v3_req
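As an added example (not part of the original post), the same CA and SAN steps run in a scratch directory without sudo, followed by a check_site_cert function that tests what Firefox will test before it trusts the site: the chain back to rootCA.crt, that the hostname is in the SAN list, and that selfsigned.key is the key behind selfsigned.crt. The scratch paths, the shortened CA subject and the function name are my own choices.

```shell
# Added example, not from the original post: re-runs the post's CA + SAN-cert
# steps in a throwaway directory (no sudo, scratch paths are mine) and then
# checks what Firefox will check before it trusts the site.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same SAN config as the post; digitalSignature added for ECDHE / TLS 1.3.
cat > "$WORK/openssl-san.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = nginx.local
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = nginx.local
DNS.2 = pihole.local
EOF

# Root CA, then the leaf key/CSR/cert signed by it (same commands as the post).
openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 1024 \
    -out "$WORK/rootCA.crt" -subj "/CN=MyRootCA"
openssl genrsa -out "$WORK/selfsigned.key" 2048 2>/dev/null
openssl req -new -key "$WORK/selfsigned.key" -out "$WORK/selfsigned.csr" \
    -config "$WORK/openssl-san.cnf"
openssl x509 -req -in "$WORK/selfsigned.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -out "$WORK/selfsigned.crt" \
    -days 500 -sha256 -extfile "$WORK/openssl-san.cnf" -extensions v3_req 2>/dev/null

# check_site_cert CA_CRT LEAF_CRT LEAF_KEY HOSTNAME -> returns 0 only if the browser will be happy
check_site_cert() {
    ca=$1; leaf=$2; key=$3; host=$4
    # 1. the leaf chains to the root you import into Firefox
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || { echo "$host: chain FAIL"; return 1; }
    # 2. the name typed in the URL bar is in subjectAltName (browsers ignore the CN)
    openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "$host: not in SAN"; return 1; }
    # 3. the private key nginx loads is the one behind the certificate
    [ "$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$key" -pubout | openssl sha256)" ] || { echo "$host: key mismatch"; return 1; }
    echo "$host: ok"
}
check_site_cert "$WORK/rootCA.crt" "$WORK/selfsigned.crt" "$WORK/selfsigned.key" pihole.local
```

Point the same function at /etc/ssl/certs/rootCA.crt, /etc/ssl/certs/selfsigned.crt and /etc/ssl/private/selfsigned.key (with sudo) to check the real files after each re-run.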
That's pretty much it on the server end. You just need to add a new nginx config for each service.
Now, I can't yet speak for Chrome, but to get Firefox to stop being weird:
- Download rootCA.crt.
- Go into Settings > Privacy… > View Certificates… > Authorities > Import
- Import the file. Tick the box that lets this CA identify websites.
That should make Firefox play nice with all the domains in the cert.
That’s it! Get on with it.