
Proxy server HTTPS certificate

Dmytro Titov edited this page Dec 2, 2020 · 3 revisions

The web service on the proxy server must use HTTPS to protect the web traffic. A certificate can be obtained free of charge from the Let's Encrypt certificate authority, usually with the Certbot tool: https://certbot.eff.org/ That page contains all the details needed for obtaining a certificate.

Running the certificate retrieval command (e.g. sudo /usr/local/bin/certbot-auto certonly) produces a folder for the corresponding domain name, for example /etc/letsencrypt/live/ega.elixir.no/. (The certbot-auto wrapper has since been deprecated; current installations use the certbot command, but the resulting directory layout is the same.)

[root@ega ~]# ls -la /etc/letsencrypt/live/ega.elixir.no/
total 24
drwx------. 2 root    root     143 Oct 12 13:57 .
drwx------. 3 root    root      41 May  8  2020 ..
-rwx------. 1 dmytrot dmytrot 1939 May  8  2020 CA.pem
-rwx------. 1 root    root     692 May  8  2020 README
lrwxrwxrwx. 1 root    root      37 Oct 12 13:57 cert.pem -> ../../archive/ega.elixir.no/cert3.pem
lrwxrwxrwx. 1 root    root      38 Oct 12 13:57 chain.pem -> ../../archive/ega.elixir.no/chain3.pem
-rwx------. 1 root    root    4197 May 18  2020 client.p12
lrwxrwxrwx. 1 root    root      42 Oct 12 13:57 fullchain.pem -> ../../archive/ega.elixir.no/fullchain3.pem
lrwxrwxrwx. 1 root    root      40 Oct 12 13:57 privkey.pem -> ../../archive/ega.elixir.no/privkey3.pem

This folder contains all the required files, stored in PEM format: privkey.pem is the private key, cert.pem the server certificate, chain.pem the intermediate certificate(s), and fullchain.pem the server certificate followed by the chain. The entries are symlinks into ../../archive/ega.elixir.no/, where every renewal adds a new numbered set of files and the symlinks are moved to it, so always reference the live/ paths rather than a numbered archive file. Certbot creates only those four files and README; CA.pem and client.p12 in the listing above were added by hand and, like the rest of this root-only directory, should be owned by root and not readable by other users (CA.pem above is owned by an ordinary user, which is worth correcting). The proxy web service, however, needs the certificate and private key together in PKCS#12 format. The conversion can be done with the openssl tool:

sudo openssl pkcs12 -export -out /etc/letsencrypt/live/ega.elixir.no/server.p12 -in /etc/letsencrypt/live/ega.elixir.no/fullchain.pem -inkey /etc/letsencrypt/live/ega.elixir.no/privkey.pem -passout pass:<CERT_PASSPHRASE>

The resulting server.p12 file can then be injected into the proxy web-service Docker container as a secret (see further). Two things to check first: openssl creates the output file with the shell's current umask (typically resulting in mode 0644), so run chmod 600 on server.p12 or set umask 077 before exporting, since the file contains the private key; and a passphrase given as pass:<CERT_PASSPHRASE> on the command line ends up in the shell history and is visible to other users in ps output while openssl runs, so prefer -passout file:<path> (openssl reads the first line of a root-only file) or -passout env:<VAR>.

P.S. Note that Let's Encrypt certificates are valid for only 90 days. Let's Encrypt has sent e-mail reminders to the account address before expiry, but renewal should not depend on them: run certbot renew regularly (Certbot packages normally install a cron job or systemd timer that does this) and monitor the expiry date of the certificate the proxy actually serves. Renewal replaces the files under /etc/letsencrypt/live/ but does not touch server.p12, so the PKCS#12 export and the injection into the container have to be repeated after every renewal; a certbot --deploy-hook that runs the export is the usual way to automate this.
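As an added example (not a script from this wiki or from the project), the conversion and renewal steps above wired together as a Certbot deploy hook in POSIX sh. Certbot sets RENEWED_LINEAGE to the live/<domain> directory when it runs a --deploy-hook; the passphrase file path /etc/letsencrypt/p12.pass and the proxy.example.test certificate produced by make_test_material are assumptions made here for illustration and offline testing. The script reads the passphrase from a root-only file instead of the command line, creates the .p12 with mode 0600, and parses it back to confirm the passphrase and the certificate inside before the bundle is injected into the container.

```shell
#!/bin/sh
# Added example, not the wiki's own script: re-export the Let's Encrypt PEM files
# into a root-only PKCS#12 bundle, check the bundle, and refuse to read the
# passphrase from anything other than a private file. Written to work as a
# Certbot deploy hook (Certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain>).
# Assumptions (not from the wiki): the passphrase file path /etc/letsencrypt/p12.pass
# and the test domain proxy.example.test used by make_test_material.
set -eu

# Print the ls(1) permission string of a file, e.g. "-rw-------".
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# Fail unless the passphrase file is readable only by its owner; the wiki's
# -passout pass:<...> form would put the passphrase into ps output and shell history.
check_passfile() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    *[rwx]*) echo "refusing: $1 is readable by group or others" >&2; return 1 ;;
  esac
}

# export_p12 LINEAGE_DIR PASS_FILE OUT_FILE
# Bundle fullchain.pem + privkey.pem from a live/<domain> directory into OUT_FILE.
export_p12() {
  lineage="$1"; passfile="$2"; out="$3"
  check_passfile "$passfile"
  # Subshell so the restrictive umask does not leak to the caller; 077 means the
  # .p12 (which contains the private key) is created 0600 instead of the usual 0644.
  (
    umask 077
    openssl pkcs12 -export \
      -in "$lineage/fullchain.pem" \
      -inkey "$lineage/privkey.pem" \
      -name "$(basename "$lineage")" \
      -passout "file:$passfile" \
      -out "$out"
  )
  # Parse the bundle again: a wrong passphrase (bad MAC) or a truncated file fails here.
  openssl pkcs12 -in "$out" -noout -passin "file:$passfile"
}

# Print the CN of the leaf certificate inside a PKCS#12 file, to confirm the
# bundle really carries the expected server certificate.
p12_subject_cn() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=//'
}

# Constructed stand-in for Certbot output: a throwaway self-signed key and
# certificate named like Certbot's files, so the export can be tried offline.
make_test_material() {
  dir="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
}

# Entry point when Certbot runs this file as --deploy-hook.
hook_main() {
  export_p12 "${RENEWED_LINEAGE:?}" /etc/letsencrypt/p12.pass "$RENEWED_LINEAGE/server.p12"
  echo "re-exported $RENEWED_LINEAGE/server.p12; re-inject it into the proxy container"
}

# Only act when invoked by Certbot; running or sourcing it by hand just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  hook_main
fi
```

Install it as, for example, /usr/local/sbin/export-p12.sh and pass that path as --deploy-hook to certbot renew; re-injecting the Docker secret is still a separate step. If the proxy rejects a bundle produced with OpenSSL 3, note that OpenSSL 3 changed the default PKCS#12 encryption to AES-256-CBC with PBKDF2; adding -legacy to the export command restores the older algorithms that some consumers still expect.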
