Certification for a docker container


Apache/2.4.57 (Debian)

OS 6.1.0-rpi6-rpi-v8

Root shell access - yes
Explanation of query:
Currently, I have Nextcloud installed on rpi and it uses ports 80 and 443
I want to install a service with docker container and this service needs to be certified for its web connection.
Any advice please or recommended resources?

Only one service at a time can bind a port.

I have no idea what your system is currently doing. You can have multiple services on the same port by using a reverse proxy with multiple virtualhosts.


For clarification - Nextcloud (without docker) installed and certified.
Now I am trying to add a docker service which will need certification - all the online solutions explain the usage of nginx reverse proxy with various docker containers.
I am trying to avoid the need to reinstall nextcloud within a docker container.


Please ignore whatever nginx proxy manager story they're selling you. That's usually a mess.

You can have your current webserver proxy a different fqdn to a different service. Just add a virtualhost (Apache) or a server block (nginx) and follow documentation/examples on how to reverse proxy another service.


Thank you


To clarify a little bit more: you'd run your services in Docker on different ports than your current Nextcloud webserver is running (80 and 443). I'm not that familiar with Docker, but I believe you can map external "listening" ports in Docker to different "internal" ports.

E.g., on the "outside" of docker, you could have:

  • Nextcloud listening on 80 and 443;
  • Docker service A listening externally on 81 and 444, mapped to internally 80 and 443 respectively;
  • Docker service B listening externally on 82 and 445, mapped to internally 80 and 443 respectively;
  • Etc.

Then, you could add a reverse proxy virtualhost in your Apache (which would be running your Nextcloud I assume) for those Docker services A and B, reverse proxying to localhost:81 and localhost:82 respectively.

Note that for connections to localhost, it's usually not required to have HTTPS. That's usually handled by the reverse proxy. So you could leave out the "444 -> 443" and "445 -> 443" stuff and just use the HTTP ports.


NB, if you want the service not to be exposed on 81, 82, etc... bind ports and IP addresses (you have all to play with, you can use 80 and 443 if the IP is different) and then reverse proxy using ip and port.


Really appreciate the details
I am working on it
thank you v much


many many thanks
very much appreciated


so it is the docker's 81 444 listening to the host's 80 443?

so I added this

<VirtualHost *:80>
        ServerName sherab.duckdns.org
        ProxyPass / http://localhost:xxxx/
        ProxyPassReverse / http://localhost:xxxx/

        ErrorLog ${APACHE_LOG_DIR}/sherab_error.log
        CustomLog ${APACHE_LOG_DIR}/sherab_access.log combined
</VirtualHost>

and I get to the docker service just fine
now my problem is that the padlock in Firefox indicates the traffic is not secured
I ran
sudo /snap/bin/certbot certonly --standalone -d sherab.duckdns.org
and it seemed to work fine
then I added this in /etc/apache2/sites-available/sherab.duckdns.org.conf

<VirtualHost *:443>
    ServerName sherab.duckdns.org

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sherab.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sherab.duckdns.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sherab.duckdns.org/chain.pem

    ProxyPass / http://localhost:5230/
    ProxyPassReverse / http://localhost:5230/

    ErrorLog ${APACHE_LOG_DIR}/sherab_error.log
    CustomLog ${APACHE_LOG_DIR}/sherab_access.log combined
</VirtualHost>

now the site is not reachable 🙁

I see your website. It's only missing a redirect from http to https.


thank you - I followed your point and realized I could do the http request

how do I do that?
just to show:

/sites-available $ sudo /snap/bin/certbot certonly --standalone -d sherab.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sherab.duckdns.org

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sherab.duckdns.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sherab.duckdns.org/privkey.pem
This certificate expires on 2024-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sherab@raspberrypi:/etc/apache2/sites-available $ sudo service apache2 start

I think you can run certbot enhance --redirect but you'd have to check on that.
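
The setup this thread arrives at, written out as one Apache configuration (an added example, not a config posted by any participant): port 80 only redirects to HTTPS, and port 443 terminates TLS and reverse proxies to the container over loopback. It assumes the container is published on 127.0.0.1:5230 only and that the modules named in the first comment are enabled.

```apache
# Added example, not from the thread.
# Assumptions:
#   - the container port is published on loopback only, e.g.
#     docker run -p 127.0.0.1:5230:<container-port> ...
#     (a plain "-p 5230:<container-port>" would listen on every interface
#     and let clients reach the service without TLS, bypassing Apache)
#   - modules are enabled: a2enmod ssl proxy proxy_http headers

# Port 80: nothing is served in clear text, every request is sent to HTTPS.
<VirtualHost *:80>
    ServerName sherab.duckdns.org
    Redirect permanent / https://sherab.duckdns.org/
</VirtualHost>

# Port 443: Apache terminates TLS and forwards plain HTTP over loopback.
<VirtualHost *:443>
    ServerName sherab.duckdns.org

    SSLEngine on
    # fullchain.pem already contains the intermediate certificates, so
    # SSLCertificateChainFile (obsolete since Apache 2.4.8) is not needed.
    SSLCertificateFile    /etc/letsencrypt/live/sherab.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sherab.duckdns.org/privkey.pem

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header so the backend builds correct links.
    ProxyPreserveHost On
    # Tell the backend that the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # 127.0.0.1 rather than "localhost", which may resolve to ::1 while
    # the container is published on the IPv4 loopback address only.
    ProxyPass        / http://127.0.0.1:5230/
    ProxyPassReverse / http://127.0.0.1:5230/

    ErrorLog  ${APACHE_LOG_DIR}/sherab_error.log
    CustomLog ${APACHE_LOG_DIR}/sherab_access.log combined
</VirtualHost>
```

Check the syntax with `sudo apachectl configtest` before reloading Apache.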


ok thank you - I think I might go to bed now as it begins to be late for me
I really appreciate your time and advice.
Thank you
🙏 💐
