1. Introduction
The Docker - HTTPD type deployment node is used to automatically deploy SSL certificates applied for in CertOne into Apache HTTP Server (httpd) containers.
If the official image does not meet your needs, refer to the [Docker Custom] documentation and include our official push-node binary package in your Dockerfile to build a custom container with automated certificate deployment.
2. Usage
To use the Docker - HTTPD type deployment node, you need our official httpd container image certone/certone-httpd.
This image is built on the official httpd stable image httpd:2.4 with the certificate renewal service added. In every other respect, the content and usage of the certone/certone-httpd image are identical to the official httpd image, so you can use it with confidence.
Pull image command:
# Docker Hub
docker pull certone/certone-httpd
When using this image, you need to set the following two environment variables:
- PUSH_NODE_ID: the deployment node ID generated by the system after the deployment node is created. Deployment node IDs always start with push, for example: push-53ejqm8p60gd7no9
- PUSH_NODE_TOKEN: the 32-character token generated by clicking the generate button when creating the deployment node, for example: 6b2440b1e3f180a3c9453f9d7766a565
When a container using this image starts for the first time, it pulls the latest certificates from the CertOne server using the configured PUSH_NODE_ID and PUSH_NODE_TOKEN. If the deployment node identified by PUSH_NODE_ID is configured as a deployment node for several certificates, all of them are pulled at the same time. The pulled certificate files are stored under the /etc/httpd/certificates folder in the container, in one subfolder per certificate ID (the certificate ID is generated by the system when a certificate is created and always starts with cert, for example: cert-2enm4pr1q09g3x5z). The full paths of the certificate files are therefore:
- Private key file cert.key (PEM format):
`/etc/httpd/certificates/${certificateID}/cert.key`
- Certificate file fullchain.cer (PEM format):
`/etc/httpd/certificates/${certificateID}/fullchain.cer`
Replace the '${certificateID}' part of the paths above with your certificate ID to obtain the storage path of each file in the container. Note: before starting the container, complete the deployment node configuration and associate the certificate with the deployment node; otherwise the container will fail to start.
3. Best Practices
The following example illustrates how to use a Docker - HTTPD type deployment node. Suppose we created a Docker - HTTPD type deployment node with these PUSH_NODE_ID and PUSH_NODE_TOKEN values:
- PUSH_NODE_ID: push-53ejqm8p60gd7no9
- PUSH_NODE_TOKEN: 6b2440b1e3f180a3c9453f9d7766a565
We applied for a single-domain certificate for www.example.com; its certificate ID is cert-2enm4pr1q09g3x5z. Then, in the certificate configuration, we set the node we just created as one of this certificate's deployment nodes. The certificate file paths in the container are:
- Private key file cert.key (PEM format): /etc/httpd/certificates/cert-2enm4pr1q09g3x5z/cert.key
- Certificate file fullchain.cer (PEM format): /etc/httpd/certificates/cert-2enm4pr1q09g3x5z/fullchain.cer
Then we need to modify the httpd base configuration file httpd.conf and SSL configuration file httpd-ssl.conf:
- Find the line 'Listen 80' in httpd.conf and add the following line below it. It makes httpd listen on port 443 for HTTPS:
Listen 443
- Find the following modules in httpd.conf and remove the comment symbol # in front of them. These modules are required for the HTTPS service:
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule headers_module modules/mod_headers.so
LoadModule http2_module modules/mod_http2.so
- Find the line in httpd.conf that includes the httpd-ssl.conf configuration file and remove the comment symbol # in front of it:
Include conf/extra/httpd-ssl.conf
- Edit the httpd-ssl.conf file so that it contains the following:
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/certificates/cert-2enm4pr1q09g3x5z/fullchain.cer
    SSLCertificateKeyFile /etc/httpd/certificates/cert-2enm4pr1q09g3x5z/cert.key
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"
    DocumentRoot "/usr/local/apache2/htdocs"
</VirtualHost>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
The corresponding Dockerfile is:
FROM certone/certone-httpd
WORKDIR /etc/httpd
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf
ENV PUSH_NODE_ID='push-53ejqm8p60gd7no9'
ENV PUSH_NODE_TOKEN='6b2440b1e3f180a3c9453f9d7766a565'
Build your own image from the Dockerfile above.
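A preflight check for the setup above, as an added example that is not CertOne's own code: it validates the two environment variables from section 2 and the httpd.conf and httpd-ssl.conf edits from section 3 before the container is started, so a misconfigured node is caught early instead of failing at start-up. The ID and token patterns are assumptions derived from the sample values on this page.

```python
"""Preflight check for a CertOne Docker-HTTPD node (added example, not CertOne's
code): validates PUSH_NODE_ID / PUSH_NODE_TOKEN and the httpd.conf and httpd-ssl.conf
edits. The ID/token regexes are assumptions based on the documentation's samples."""
import re
from pathlib import Path

CERT_ROOT = Path("/etc/httpd/certificates")         # documented storage folder
NODE_ID_RE = re.compile(r"^push-[a-z0-9]+$")        # e.g. push-53ejqm8p60gd7no9
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")            # 32 hex characters
CERT_ID_RE = re.compile(r"^cert-[a-z0-9]+$")        # e.g. cert-2enm4pr1q09g3x5z
CERT_DIRECTIVE_RE = re.compile(r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^\s"]+)', re.M)
# Lines that must be present and uncommented after the httpd.conf edits.
REQUIRED_HTTPD_LINES = (
    "Listen 443",
    "LoadModule ssl_module modules/mod_ssl.so",
    "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so",
    "Include conf/extra/httpd-ssl.conf",
)

def check_env(env):
    """Return problems with the node credentials in env (pass os.environ); [] = OK."""
    problems = []
    if not NODE_ID_RE.match(env.get("PUSH_NODE_ID", "")):
        problems.append("PUSH_NODE_ID missing or not of the form push-<id>")
    if not TOKEN_RE.match(env.get("PUSH_NODE_TOKEN", "")):
        problems.append("PUSH_NODE_TOKEN missing or not a 32-character hex token")
    return problems

def check_httpd_conf(text):
    """Return the required httpd.conf lines that are absent or still commented out."""
    active = {ln.strip() for ln in text.splitlines() if not ln.lstrip().startswith("#")}
    return [ln for ln in REQUIRED_HTTPD_LINES if ln not in active]

def check_ssl_conf(text, cert_root=CERT_ROOT):
    """Check that each certificate directive points at <cert_root>/cert-<id>/<file>
    with the documented file name, and that the file has actually been pulled."""
    problems = []
    directives = CERT_DIRECTIVE_RE.findall(text)
    if not directives:
        problems.append("no SSLCertificateFile/SSLCertificateKeyFile directive found")
    for name, raw in directives:
        path = Path(raw)
        want = "fullchain.cer" if name == "SSLCertificateFile" else "cert.key"
        if (path.parent.parent != cert_root or path.name != want
                or not CERT_ID_RE.match(path.parent.name)):
            problems.append(f"{name} {raw}: expected {cert_root}/cert-<id>/{want}")
        elif not path.is_file():
            problems.append(f"{name} {raw}: not pulled yet; associate the certificate with this node first")
    return problems
```

Run check_env(os.environ), check_httpd_conf(...) and check_ssl_conf(...) inside the container before httpd starts. ENV values in a Dockerfile are persisted in the image configuration, so passing PUSH_NODE_ID and PUSH_NODE_TOKEN with docker run -e at start-up keeps the token out of the image itself.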