Adding TLS certificates in CHT 4.x

How to add TLS certificates to your docker hosted CHT 4.x instance

By default, CHT 4.x will create a self-signed certificate for every deployment. These instructions are for changing to either a pre-existing certificate or automatically creating and renewing a Certbot based certificate using ACME, like Let’s Encrypt.

This guide assumes you’ve already met the hosting requirements, specifically around Docker being installed.

Pre-existing certificate

To load your certificates into your CHT instance, we’ll be creating an interstitial container called cht-temp-tls which will enable you to copy your local certificate files into the native docker volume.

Prerequisites

You have two files locally on your workstation in the directory you’re currently in:

key.pem - the private key for your TLS certificate
chain.pem - both the public and any interstitial keys concatenated into one file

Also, be sure you have started your CHT instance once and all your volumes are created.

Loading the certificate

Note

docker compose should work, but you may need to use the older style docker-compose if you get an error docker: 'compose' is not a docker command.

Find the name of your cht-ssl volume with this call:
```
docker volume ls --filter "name=cht-ssl"
```
It is very likely that cht_cht-ssl is the name of our cht-ssl volume.
Using the volume name found in step 1, start a container called temp which allow us to copy files into the docker volume:
```
docker run -d --rm --name temp -v cht_cht-ssl:/etc/nginx/private/ alpine tail -f /dev/null
```

Copy the two pem files into the volume via the temporary container:

docker cp key.pem temp:/etc/nginx/private/.
docker cp cert.pem temp:/etc/nginx/private/.

Stop the temp container:
```
docker kill temp
```

Your certificates are now safely stored in the native docker volume. Restart your CHT instance the way you started it, being sure to set the correct CERTIFICATE_MODE and SSL_VOLUME_MOUNT_PATH per the prerequisites.

Certbot certificate

If you have a deployment with a publically accessible domain name, you can have Certbot automatically create free TLS certificates by using their Docker image.

Assuming your CHT instance is running with the default self signed cert:

Create certbot compose and env files by copying and pasting this code:

mkdir -p /home/ubuntu/cht/certbot
cd /home/ubuntu/cht/certbot
cat > docker-compose.yml << EOF
version: '3.9'
services:
  certbot:
      container_name: certbot
      hostname: certbot
      image: certbot/certbot
      volumes:
        - ssl-storage:/etc/nginx/private/
        - ssl-storage:/var/log/letsencrypt/
      command: certonly --debug --deploy-hook /etc/nginx/private/deploy.sh --webroot -w /etc/nginx/private/certbot/ --domain \$DOMAIN --non-interactive --key-type rsa --agree-tos --register-unsafely-without-email \$STAGING
volumes:
  ssl-storage:
      name: \${CHT_SSL_VOLUME}
      external: true
EOF

cat > .env << EOF
DOMAIN=deleteme2-certbot-nginx-cht.plip.com
STAGING=
CHT_SSL_VOLUME=cht_cht-ssl
TZ=America/Whitehorse
EOF

Generate certs:

cd /home/ubuntu/cht/certbot
docker compose up

Run this command to find the name of your CHT ngnix container:

docker ps --filter "name=nginx"  --format '{{ .Names }}'

Assuming the name is cht_nginx_1 from the prior step, reload your nginx config with this command:
```
docker exec -it cht_nginx_1 nginx -s reload
```
Attempt to renew your certificates once a week by adding this cronjob via crontab -e. Certbot will only renew them as needed:
```
0 0 * * 0 cd /home/ubuntu/cht/certbot&&docker compose up
```

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified 25.04.2023: Fix docker volume ls call to work in more scenarios than production (#1031) (78ba9b4)

Edit this page Create documentation issue Create project issue