This page assumes that you have some custom ACME server (see previous post) and you want a reverse proxy (eg Nginx, HaProxy) to use it to generate certs automatically.

SWAG - docker-swag official

  1. Dockerhub image: andywebservices/swag


At time of writing, docker-swag main branch does not support custom ACME servers. Fortunately for the dear reader, I have graciously implemented this feature andrewmzhang/docker-swag. It’s probably easier to see how the feature works by looking at the diff. This feature introduces 2 new environment variables. One sets the ACME server and the other sets the CABUNDLE. The CABUNDLE is required so that docker trusts the certificate authority without having to install the certificate to the OS truststore, although I still recommend installing the certificate to your OS truststore.

Docker-swag is a complete solution. It’ll renew the certificates once a day and refresh Nginx service to pick up the new certs.

HAProxy + - haproxy


HAProxy suffers several issues.

  1. It cannot provision its own SSL certs, ie it cannot do the ACME dance
  2. It hogs port 80 and 443, in order for 3rd party acme to work correctly the acme program needs 80 and 443.
  3. It demands that the SSL privkey be in the same file as the cert bundle
  4. It cannot tell if the SSL cert has changed on disk, thus users need to send commands to get HAProxy to refresh the certs

To fix part 1, we use

# Runs the program on port 8888. 
"/home/pi/"/ --cron --home "/home/pi/" --force --httpport 8888

To fix part 2, we need to tell HAProxy to redirect AMCE dance over http to redirect to

"/home/pi/"/ --cron --home "/home/pi/" --force --httpport 8888
frontend public
        bind :::80 v4v6

        # Redirects AMCE challenges towards our other ACME program
	      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
			  # Set the SSL certificate 
        bind :::443 v4v6 ssl crt /home/pi/
        option forwardfor except
        http-request redirect scheme https code 301 unless { ssl_fc }
        use_backend webcam if { path_beg /webcam/ }
        use_backend webcam_hls if { path_beg /hls/ }
        use_backend webcam_hls if { path_beg /jpeg/ }
        default_backend octoprint
        # Sets the amce backend to the 8888 port 
backend letsencrypt-backend
       server letsencrypt

To fix part 3, concatenate the key and the crt together after running

# This is the code that runs for my Octoprint rpi. 
cat /home/pi/ /home/pi/ > /home/pi/

To fix part 4, we need to send some commands to HAProxy to set a new SSL cert.


echo “========================== SET SSL CERT ==========================“
echo "$(cat /home/pi/"
echo -e "set ssl cert /home/pi/ <<\n$(cat /home/pi/\n" | socat tcp-connect:localhost:9999 -

echo “========================== SHOW SSL CERT - before ==========================“
echo "show ssl cert */home/pi/" | socat tcp-connect:localhost:9999 -

echo “========================== COMMIT SSL CERT ==========================“
echo "commit ssl cert /home/pi/" | socat tcp-connect:localhost:9999 -

echo “========================== SHOW SSL CERT - after ==========================“
echo "show ssl cert /home/pi/" | socat tcp-connect:localhost:9999 -