Create and Trust Local SSL Certificate

I use Jason Wilder’s nginx reverse proxy container (jwilder/nginx-proxy) as the gateway to my various Docker dev environments. Among its other services, it provides SSL termination, so I don’t need to worry about configuring SSL in every container I run.

The setup is pretty simple. Make a directory of certificates and mount it into the container at /etc/nginx/certs. The proxy also needs the Docker socket to discover your containers; mount it read-only, because write access to the Docker socket is equivalent to root on the host and the proxy only needs to read container events. In docker-compose.yml, it would look something like:

version: "2"
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro

You’ll need to create a new certificate for each domain you want to serve. nginx-proxy matches certificates to virtual hosts by file name, so a wildcard certificate for *.mysite.dev is stored as mysite.dev.crt and mysite.dev.key. Add the pair to the certs dir, and the proxy will find it and serve those domains with SSL.

I’ve created a script that will create the certificate and, on OS X at least, add it to your login keychain as a trusted certificate so you can avoid SSL warnings from your browser. Create the file create-cert.sh in your certs directory and run it from there, e.g. certs/create-cert.sh mysite.dev. One caveat on the name: .dev has since become a real, HSTS-preloaded top-level domain, so a trusted wildcard certificate for a .dev name also covers real public hosts; for local work a reserved suffix such as .test or .localhost is the safer choice.

#!/usr/bin/env bash
set -e
CERTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
if [ $# -lt 1 ]; then
  echo 1>&2 "Usage: $0 domain.name"
  exit 2
fi
DOMAIN=$1
# Always write the files next to the script, whatever the current directory is
cd "$CERTDIR"

# Request config: wildcard CN plus SAN entries for the domain and its subdomains
cat > ${DOMAIN}.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = *.${DOMAIN}

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.${DOMAIN}
DNS.2 = ${DOMAIN}
EOF

# Self-signed cert. SHA-256, not SHA-1: browsers reject SHA-1 signatures.
# 825 days is the longest validity macOS 10.15+ / iOS 13+ accept for a server cert.
openssl req \
  -new \
  -newkey rsa:2048 \
  -sha256 \
  -days 825 \
  -nodes \
  -x509 \
  -keyout ${DOMAIN}.key \
  -out ${DOMAIN}.crt \
  -config ${DOMAIN}.cnf
rm ${DOMAIN}.cnf

# On macOS, mark the cert as a trusted root so browsers using the keychain accept it
if [[ $OSTYPE == darwin* ]]; then
  sudo security add-trusted-cert -d -r trustRoot -k $HOME/Library/Keychains/login.keychain ${DOMAIN}.crt
fi

Restart the proxy container so it picks up the new certificate, start your app container with VIRTUAL_HOST=mysite.dev, and you can now visit https://mysite.dev/. Firefox keeps its own certificate store, so it will still warn unless you import the certificate there as well.
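
A check worth running on a freshly generated pair before restarting the proxy, as an added example that is not the post’s own create-cert.sh: it generates the same kind of wildcard certificate, then confirms the key matches the certificate, the signature is SHA-256, the validity fits within the 825 days macOS 10.15 and later accept, and the SAN list covers both the bare domain and one level of subdomain, using the single-label wildcard rule browsers apply. It assumes openssl is on PATH; the mysite.test name and ./nginx/certs path in the usage line are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not the post's create-cert.sh): generate the wildcard cert/key
# pair nginx-proxy expects and check it before the proxy is restarted.
# Assumes openssl is on PATH; the domain and directory in the usage block at
# the bottom are constructed for illustration.
set -u

# Write DOMAIN.crt and DOMAIN.key into DIR (the names nginx-proxy looks for
# when serving *.DOMAIN and DOMAIN).
make_cert() {
  local domain=$1 dir=$2 cnf rc
  cnf="$dir/$domain.cnf"
  cat > "$cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = *.$domain

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.$domain
DNS.2 = $domain
EOF
  # SHA-256 and at most 825 days: SHA-1 signatures and longer-lived server
  # certs are rejected by current browsers and by macOS 10.15+.
  openssl req -new -x509 -newkey rsa:2048 -sha256 -days 825 -nodes \
    -keyout "$dir/$domain.key" -out "$dir/$domain.crt" -config "$cnf" 2>/dev/null
  rc=$?
  rm -f "$cnf"
  return $rc
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\(.*\)/\1/p'
}

# Match a hostname against one SAN entry the way browsers do: exact match, or
# a wildcard covering exactly one leftmost label ("*.a.b" matches "x.a.b" but
# neither "a.b" nor "y.x.a.b").
san_matches() {
  local san=$1 host=$2 suffix first
  case $san in
    \*.*)
      suffix=${san#\*.} first=${host%%.*}
      [ -n "$first" ] && [ "$first" != "$host" ] && [ "${host#*.}" = "$suffix" ] ;;
    *)
      [ "$san" = "$host" ] ;;
  esac
}

# Exit 0 if some SAN in cert $1 covers hostname $2.
cert_covers() {
  local crt=$1 host=$2 san
  while read -r san; do
    san_matches "$san" "$host" && return 0
  done <<EOF
$(cert_sans "$crt")
EOF
  return 1
}

# Checks worth running before the proxy restarts. Return codes: key does not
# match cert (1), signature not SHA-256 (2), validity longer than 825 days (3),
# SANs do not cover both the bare domain and a subdomain (4).
check_cert() {
  local domain=$1 dir=$2 crt key
  crt="$dir/$domain.crt" key="$dir/$domain.key"
  [ "$(openssl x509 -in "$crt" -noout -modulus)" = \
    "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] || return 1
  openssl x509 -in "$crt" -noout -text | grep -m1 'Signature Algorithm' | grep -q sha256 || return 2
  # -checkend exits non-zero when the cert expires inside the window, which is
  # the good case here: anything still valid in 826 days lives too long.
  openssl x509 -in "$crt" -noout -checkend $((826 * 86400)) >/dev/null && return 3
  { cert_covers "$crt" "$domain" && cert_covers "$crt" "www.$domain"; } || return 4
  return 0
}

# Usage: ./check-cert.sh mysite.test ./nginx/certs
if [ $# -ge 2 ]; then
  make_cert "$1" "$2" && check_cert "$1" "$2" && echo "$1: certificate OK"
fi
```

The wildcard matcher is deliberately strict: a certificate for *.mysite.test does not cover mysite.test (hence the second SAN entry) and does not cover api.v2.mysite.test, which is the behaviour you will see in the browser, so it is better to learn that from the check than from a warning page.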