Get SSL certificate (optional)
If the Terminology Server is a public-facing instance, serving it over HTTPS is a must. For such cases we provide a pre-configured environment and a convenience script to acquire the necessary SSL certificate.
SSL certificate retrieval and renewal are managed by certbot, the official ACME client recommended by Let's Encrypt.
To be able to obtain an SSL certificate, the following requirements must be met:

- `docker` and `docker compose` are installed
- the server instance has a public IP address
- a DNS A record for the desired domain name points to the server's IP address
For the sake of example, let's say the target domain name is `snow-owl.b2ihealthcare.com`.
Go to the sub-folder called `./snow-owl/docker/configs/cert`. Make sure the `init-certificate.sh` script is executable, then print its usage to see its parameters:
```
[root@host]# pwd
/opt/snow-owl/docker/configs/cert
[root@host]# chmod +x init-certificate.sh
[root@host]# ./init-certificate.sh -h
DESCRIPTION:
    Get certificate for the specified domain name using Let's Encrypt and certbot
OPTIONS:
    -h
        Show this help
    -d domain
        Define the domain name to get the certificate for
    -e email (optional)
        The email address to use for the certificate registration
EXAMPLES:
    ./init-certificate.sh -d mywebsite.com -e [email protected]
    ./init-certificate.sh -d example.com
```
As shown above, `-d` specifies the domain name and `-e` specifies an optional contact email address.

Note: running the script overwrites the files `./snow-owl/docker/docker-compose.yml` and `./snow-owl/docker/configs/nginx/nginx.conf`. Make a note of any local changes to these files before running it, if required.

Now execute the script with our example parameters:

```shell
./init-certificate.sh -d snow-owl.b2ihealthcare.com -e [email protected]
```
After successful execution, a new folder `./snow-owl/cert` is created, containing all the certificate files required by NGINX. The `docker-compose.yml` file is also amended with a section that takes care of automatic renewal of the certificate:
```yaml
nginx:
  image: nginx:stable
  container_name: nginx
  volumes:
    - ./configs/nginx/conf.d/:/etc/nginx/conf.d/
    - ./configs/nginx/nginx.conf:/etc/nginx/nginx.conf
    - ${CERT_FOLDER}/conf:/etc/letsencrypt
    - ${CERT_FOLDER}/www:/var/www/certbot
  depends_on:
    - snowowl
  ports:
    - "80:80"
    - "443:443"
  # Reload the nginx config every 6 hours so a renewed certificate is picked up
  command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  restart: unless-stopped
certbot:
  image: certbot/certbot:latest
  container_name: certbot
  volumes:
    - ${CERT_FOLDER}/conf:/etc/letsencrypt
    - ${CERT_FOLDER}/www:/var/www/certbot
  # Check for SSL cert renewal every 12 hours
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  restart: unless-stopped
```
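The renewal loop above runs unattended, so a failed renewal (for example because port 80 is no longer reachable for the ACME challenge) only becomes visible when the certificate expires. The following script is an added example, not part of the Snow Owl documentation or project: it connects to the deployed domain, reads the certificate NGINX is actually serving, and reports how many days remain. It assumes the walkthrough domain `snow-owl.b2ihealthcare.com` is reachable on port 443 with the compose setup above; the 30-day figure is certbot's default renewal window, the 14-day alert margin and the dates used in the offline check are constructed values.

```python
"""Check the certificate that the NGINX container actually serves.

Added example, not part of the Snow Owl documentation or project. It
assumes the domain from the walkthrough (snow-owl.b2ihealthcare.com) has
been deployed with the compose file shown in the docs and is reachable on
port 443. The thresholds and sample dates below are constructed values.
"""
import json
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# `certbot renew` only replaces a certificate when fewer than 30 days remain,
# so a value below that after the 12-hour loop has had several chances to run
# suggests that renewal is failing. The alert margin is an assumed value.
RENEW_THRESHOLD_DAYS = 30
ALERT_THRESHOLD_DAYS = 14


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate in the
    dict form that getpeercert() produces. A verification failure here is a
    finding in itself: wrong chain, expired certificate or hostname mismatch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> float:
    """Days left on a certificate whose notAfter is in getpeercert() format,
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative once it has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds() / 86400


def covers_hostname(cert: dict, host: str) -> bool:
    """True if host appears among the certificate's DNS subjectAltName entries."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return host in sans


def renewal_status(days_left: float) -> str:
    """Classify the remaining lifetime against the renewal and alert margins."""
    if days_left <= 0:
        return "expired"
    if days_left < ALERT_THRESHOLD_DAYS:
        return "alert"
    if days_left < RENEW_THRESHOLD_DAYS:
        return "renewal-due"
    return "ok"


def check_domain(host: str, now: Optional[datetime] = None) -> dict:
    """Fetch the served certificate and summarise its state for monitoring."""
    cert = fetch_peer_cert(host)
    days = days_until_expiry(cert["notAfter"], now)
    return {
        "host": host,
        "not_after": cert["notAfter"],
        "days_left": round(days, 1),
        "hostname_in_san": covers_hostname(cert, host),
        "status": renewal_status(days),
    }


if __name__ == "__main__":
    # Usage: python check_cert.py [hostname]; exits non-zero when attention is needed
    target = sys.argv[1] if len(sys.argv) > 1 else "snow-owl.b2ihealthcare.com"
    result = check_domain(target)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["status"] == "ok" and result["hostname_in_san"] else 1)
```

Run it from cron or a monitoring job alongside the compose stack; a `renewal-due` result that persists for more than a day means the certbot container's `certbot renew` is not succeeding, and the container's logs are the place to look next.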
At this point everything is prepared for serving secure HTTP; let's see what else needs to be configured before spinning up the service.