How to use Certbot to provide valid SSL via LetsEncrypt for your Quick-Start deployment

In my lab, I used CentOS 7 for my Conjur OSS deployment.

This quick guide assumes you’ve completed the Conjur Quick-Start at It also assumes you are in the conjur-quickstart directory.

In my lab, I use the public domain name Since it is a .dev TLD, I am forbidden to access it in Google Chrome due to required HSTS restrictions. The only way around this restriction is through valid SSL.


Let’s start by getting certbot:

  1. sudo yum install epel-release -y
  2. sudo yum install certbot -y
  3. sudo certbot certonly --standalone

Answer certbot’s questions and provide the domain name your Conjur OSS solution is available on. For the http-challenge, you will need port 80 open for a few moments during this process.

Take note as to where certbot stores your SSL certificates. In my case, they were located at /etc/letsencrypt/live/ In your case, it would be /etc/letsencrypt/live/ where is the domain you provided to certbot when generating the SSL certificates.

In the following steps, replace with the domain name you provided to certbot previously:

  1. sudo cat /etc/letsencrypt/live/ > conf/tls/cert.pem
  2. sudo cat /etc/letsencrypt/live/ > conf/tls/privkey.pem

Next, we need to edit the docker-compose.yml file and update the local private key and certificate to the ones we just created:

  1. nano docker-compose.yml

In the proxy: section, change:

- ./conf/tls/nginx.key:/etc/nginx/nginx.key:ro
- ./conf/tls/nginx.crt:/etc/nginx/nginx.crt:ro


- ./conf/tls/privkey.pem:/etc/nginx/nginx.key:ro
- ./conf/tls/cert.pem:/etc/nginx/nginx.crt:ro

Finally, restart the proxy container so it takes the new changes:

  1. docker-compose up -d

You can now browse to and you should have valid SSL via LetsEncrypt!


1 Like

Awesome, thanks @joe.garcia!