ACME SSL

From Master of Neuroscience Wiki

Pre-Challenge Phase

Make the challenge dir

mkdir -p /var/www/acme/.well-known/acme-challenge

Change the nginx.conf for the challenge

Port 80 block

http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        # ACME challenge — must come before the redirect
        location /.well-known/acme-challenge/ {
            root /var/www/acme;
        }
        # Everything else redirects to HTTPS
        location / {
            return 301 https://$host$request_uri;
        }
    }
}

Add the challenge dir to the nginx compose file

    volumes:
      - "./nginx.conf:/etc/nginx/nginx.conf:ro"
      - "./key.pem:/certs/key.pem:ro"
      - "./ca.pem:/certs/ca.pem:ro"
      - "/var/www/acme:/var/www/acme:ro" # <-- add this

Reload the changed nginx compose settings

# Use your dir and container name
cd /docker/compose_cep/nginx
docker compose up -d nginx

Install certbot

apt -y install certbot

First time run of certbot

Obtain the Key ID, HMAC Key and Server URL (the External Account Binding credentials used by --eab-kid and --eab-hmac-key) from https://cm.harica.gr/Acme via Academic Login.

Obviously, use your own domain. You can add more domain names (repeat --domain for each), but every name must resolve in DNS and be reachable over HTTP on port 80 from the internet, because the CA validates each name by fetching the challenge file.

certbot certonly \
  --webroot \
  --webroot-path /var/www/acme \
  --non-interactive \
  --agree-tos \
  --email <your-email> \
  --eab-kid <Key ID> \
  --eab-hmac-key <HMAC Key> \
  --server <Server URL> \
  --domain overleaf.pip.uni-bremen.de
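As an added preflight check, not part of the wiki page: before running certbot, confirm that the port-80 server block really serves the webroot path and that the ACME location wins over the 301 redirect. The script drops a random token into /var/www/acme/.well-known/acme-challenge/, fetches it over plain HTTP and compares; the fetcher is a parameter (defaults to curl) so the logic can be exercised without a network. It assumes curl is installed on the host and that the domain already resolves to this host.

```shell
#!/bin/sh
# Preflight for the HTTP-01 webroot challenge (added example, not from the wiki).
# Usage: sh acme-preflight.sh /var/www/acme http://overleaf.pip.uni-bremen.de
#   WEBROOT  - directory mounted read-only into the nginx container
#   BASE_URL - http://<domain> exactly as the CA would contact it
#   FETCHER  - optional command that prints the body of a URL (default: curl)

default_fetch() {
    # -f: non-2xx is an error; deliberately no -L, so a redirect to HTTPS
    # does not silently pass. The token must come back over plain HTTP.
    curl -fsS --max-time 10 "$1"
}

check_acme_path() {
    webroot="$1"; base_url="$2"; fetch="${3:-default_fetch}"
    dir="$webroot/.well-known/acme-challenge"
    # Constructed token: random hex, unique per run; removed again below
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    expected="$token.$(date +%s)"
    mkdir -p "$dir" || return 2
    printf '%s' "$expected" > "$dir/$token" || return 2
    body="$("$fetch" "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)"
    rm -f "$dir/$token"
    if [ "$body" = "$expected" ]; then
        echo "ok: $base_url serves the challenge path from $webroot"
        return 0
    fi
    echo "FAIL: expected the token, got: $(printf '%s' "$body" | head -n 1 | cut -c1-60)" >&2
    echo "      check that the acme-challenge location precedes the 301 redirect" >&2
    return 1
}

# Run as a CLI when called with arguments; nothing runs when only sourced.
if [ $# -ge 2 ]; then
    check_acme_path "$@"
fi
```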

Post-Challenge Phase

Switch to the new certificates in the nginx compose file

    volumes:
      - "./nginx.conf:/etc/nginx/nginx.conf:ro"
      # - "./key.pem:/certs/key.pem:ro"
      # - "./ca.pem:/certs/ca.pem:ro"
      - "/etc/letsencrypt/live/overleaf.pip.uni-bremen.de/fullchain.pem:/certs/ca.pem:ro"
      - "/etc/letsencrypt/live/overleaf.pip.uni-bremen.de/privkey.pem:/certs/key.pem:ro"
      - "/var/www/acme:/var/www/acme:ro"

Reload the changed settings

# Use your dir and container name
cd /docker/compose_cep/nginx
docker compose up -d nginx

Renewal deploy hook (reloads nginx after every successful renewal)

cat > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh << 'EOF'
#!/bin/bash
docker exec nginx nginx -s reload
EOF

chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Check that the certbot timer is there:

systemctl list-timers | grep certbot
# Sat 2026-04-18 09:30:06 CEST 17h -  - certbot.timer certbot.service