Integrating Let's Encrypt with Docker containers, especially in a Swarm Mode environment, allows you to secure your applications with free SSL/TLS certificates. This guide provides a step-by-step overview for setting up automated certificate management in Docker Swarm.

Prerequisites

  • A working Docker Swarm cluster
  • Docker installed on all nodes
  • Basic knowledge of Docker Compose and Docker Swarm
  • Domain name pointing to your server's IP address

Deploying Traefik as a Reverse Proxy

Traefik is a popular reverse proxy that integrates seamlessly with Docker Swarm and supports automatic SSL certificate provisioning with Let's Encrypt.

Step 1: Create a Docker Compose File for Traefik

Define a docker-compose.yml file with Traefik configuration:

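version: '3.8'

services:
  traefik:
    image: traefik:v2.10
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Swarm mode: read labels from services (deploy.labels), not containers
      - "--providers.docker.swarmMode=true"
      # Only route services that set traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      # Overlay network Traefik uses to reach backends (name is a placeholder)
      - "--providers.docker.network=traefik-public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      # Placeholder: replace with your own contact address
      - "--certificatesresolvers.le.acme.email=you@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      # Dashboard/API port: keep it off the public internet
      - "8080:8080"
    volumes:
      # :ro protects the socket file only; the Docker API behind it stays fully usable
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the ACME account key and the certificate private keys
      - ./letsencrypt:/letsencrypt
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          - node.role == manager

networks:
  traefik-public:
    name: traefik-public
    driver: overlay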

Step 2: Deploy Traefik to Swarm

Run the following command to deploy Traefik:

docker stack deploy -c docker-compose.yml traefik

Deploying Your Application with SSL

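Create a separate Docker Compose file for your application (in its own directory, since it is also named docker-compose.yml), using service labels to tell Traefik how to route requests and which certificate resolver to use: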

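version: '3.8'

services:
  myapp:
    image: your-app-image
    networks:
      - traefik-public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.myapp.rule=Host(`yourdomain.com`)"
        - "traefik.http.routers.myapp.entrypoints=websecure"
        - "traefik.http.routers.myapp.tls=true"
        - "traefik.http.routers.myapp.tls.certresolver=le"
        # Required in Swarm mode, where Traefik cannot detect the port; 80 is a placeholder
        - "traefik.http.services.myapp.loadbalancer.server.port=80"

# Overlay network shared with Traefik (placeholder name); it must exist before this stack is deployed
networks:
  traefik-public:
    external: true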

Step 1: Deploy Your Application

Deploy your application stack:

docker stack deploy -c docker-compose.yml myapp

Managing Certificates and Renewals

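Traefik automatically handles certificate issuance and renewal through Let's Encrypt. Because the le resolver uses the HTTP challenge on the web entrypoint, port 80 must be reachable from the internet for issuance and renewal to succeed, and port 443 must be reachable to serve HTTPS traffic.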
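
An added check for the storage file configured above (not part of the original guide and not Traefik's own tooling): it audits acme.json for loose permissions and for hosts that have no stored certificate. The JSON layout, the sample data and the host api.yourdomain.com are assumptions constructed for the example.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the layout Traefik v2 is assumed to write; key material is replaced by placeholders.
SAMPLE_STORE = {
    "le": {
        "Account": {"Email": "admin@example.com", "PrivateKey": "<placeholder>"},
        "Certificates": [
            {"domain": {"main": "yourdomain.com", "sans": ["www.yourdomain.com"]},
             "certificate": "<placeholder>", "key": "<placeholder>", "Store": "default"},
        ],
    }
}

def audit_acme_store(path, resolver, expected_hosts):
    """Return a list of findings for one resolver in a Traefik ACME storage file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the account and certificate keys
        findings.append(f"mode {mode:03o} is too open, expected 600")
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    store = json.loads(raw) if raw.strip() else {}  # the file may be empty before first issuance
    if resolver not in store:
        findings.append(f"resolver '{resolver}' has no entry in the store")
        return findings + [f"no certificate for {h}" for h in expected_hosts]
    covered = set()
    for cert in store[resolver].get("Certificates") or []:  # null until a certificate is issued
        domain = cert.get("domain", {})
        covered.add(domain.get("main", "").lower())
        covered.update(san.lower() for san in domain.get("sans") or [])
    findings += [f"no certificate for {h}" for h in expected_hosts if h.lower() not in covered]
    return findings

def demo():
    """Write the constructed sample with a deliberately loose mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "acme.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_STORE, fh)
        os.chmod(path, 0o644)
        return audit_acme_store(path, "le", ["yourdomain.com", "api.yourdomain.com"])

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it on the manager node against the real file under ./letsencrypt, passing the hosts from your Host() rules; an empty result means the file is owner-only and every expected host has a stored certificate.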

Conclusion

Using Let's Encrypt with Docker Swarm and Traefik simplifies the process of obtaining and renewing SSL certificates, enhancing your application's security. With automated management, you can focus more on development and less on certificate maintenance.