Securing Fonoster’s API with Let’s Encrypt certificates ensures that traffic to the API is encrypted and that clients can verify the server’s identity. This process involves setting up a temporary Nginx server to answer the ACME HTTP-01 challenge, obtaining the certificate with Certbot, and configuring auto-renewal.

Here are the steps to accomplish this task:

1. Prepare the environment

First, create the necessary directories:

mkdir -p letsencrypt/nginx-conf
mkdir -p letsencrypt/certbot/www
mkdir -p letsencrypt/certbot/conf

2. Configure Nginx

Next, create Nginx’s configuration file at letsencrypt/nginx-conf/nginx.conf with the following content:

events {
  worker_connections 1024;
}

http {
  server {
    listen 80;
    listen [::]:80;
    server_name api.example.com;

    location /.well-known/acme-challenge/ {
      root /var/www/html;
    }

    location / {
      return 404;
    }
  }
}

Replace api.example.com with your domain name, and remember to point the domain to the server’s IP address: the HTTP-01 challenge is validated by Let’s Encrypt over port 80, so the DNS record must already resolve to this server before Certbot runs.

3. Start the container

Then, start the Nginx container to handle the ACME challenge:

docker run -d --name nginx \
  -p 80:80 \
  -v $(pwd)/letsencrypt/nginx-conf/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v $(pwd)/letsencrypt/certbot/www:/var/www/html \
  nginx:latest

4. Retrieve the certificates

Now, run Certbot to obtain the Let’s Encrypt certificate:

docker run -it --rm \
  -v $(pwd)/letsencrypt/certbot/conf:/etc/letsencrypt \
  -v $(pwd)/letsencrypt/certbot/www:/var/www/html \
  certbot/certbot certonly --webroot \
  --webroot-path /var/www/html \
  --email your@email.com --agree-tos --no-eff-email \
  -d api.example.com

Replace the email and domain name with your information.

You should see a message indicating that the certificate was successfully obtained.

5. Remove the container

After obtaining the certificate, stop and remove the temporary Nginx container:

docker stop nginx
docker rm nginx

6. Set up auto-renewal

Next, set up auto-renewal by creating a script named renew_cert.sh:

#!/bin/bash

docker run --rm \
  -v /path/to/letsencrypt/certbot/conf:/etc/letsencrypt \
  -v /path/to/letsencrypt/certbot/www:/var/www/html \
  certbot/certbot renew

Please replace /path/to with the actual path to the directories. Note that certbot renew only rewrites the certificate files; a service that has already loaded the old certificate keeps using it until it is restarted or reloaded, so restart the Envoy container after a successful renewal (Certbot’s --deploy-hook option can run that command only when a certificate was actually renewed).

Make the script executable and add a cron job to run it twice daily:

chmod +x renew_cert.sh
(crontab -l 2>/dev/null; echo "0 0,12 * * * /path/to/renew_cert.sh") | crontab -

Replace /path/to with the actual path to the script.

7. Finalize settings and run the process

Finally, find the Envoy container in your compose file, mount the Let’s Encrypt certificates, and open port 443. Mount the whole letsencrypt/certbot/conf directory rather than only its live/ subdirectory: Certbot stores live/api.example.com/fullchain.pem and privkey.pem as symlinks into archive/, and they resolve only when both directories are visible inside the container.
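Before wiring the certificate into Envoy, it is worth checking that the Certbot directory is in a mountable state. The following pre-flight check is an added example, not part of the Fonoster documentation or project: it verifies that live/<domain>/fullchain.pem and privkey.pem exist, that the symlinks resolve inside the mounted conf directory, that the private key is not group/world readable, and that the certificate is not already inside Certbot’s 30-day renewal window (the domain api.example.com, the DEMO_NOW clock and the constructed fixture are assumptions for the demo).

```python
import ssl, stat, subprocess, tempfile, time
from pathlib import Path

FILES = ("fullchain.pem", "privkey.pem")  # the two files Envoy needs mounted
DEMO_NOW = ssl.cert_time_to_seconds("May 22 00:00:00 2025 GMT")  # fixed clock for the demo

def days_until_expiry(enddate_line, now=None):
    # Parse 'notAfter=Jun 11 00:00:00 2025 GMT' (what `openssl x509 -noout -enddate`
    # prints) into the number of days remaining relative to `now`.
    value = enddate_line.strip().partition("=")[2].strip()
    return (ssl.cert_time_to_seconds(value) - (time.time() if now is None else now)) / 86400

def read_enddate(cert_path):
    # Ask the local openssl binary for the certificate's notAfter line.
    cmd = ["openssl", "x509", "-noout", "-enddate", "-in", str(cert_path)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def check_cert_layout(conf_dir, domain, enddate_line=None, min_days=30, now=None):
    # Return the problems that would break mounting conf_dir into Envoy. certbot keeps
    # live/<domain>/*.pem as symlinks into archive/, so the whole conf directory must be
    # mounted, never live/ alone. enddate_line lets a caller supply a pre-read notAfter.
    conf = Path(conf_dir).resolve()
    live, problems = conf / "live" / domain, []
    for name in FILES:
        p = live / name
        if not p.exists():
            problems.append(f"missing {p}")
        elif p.is_symlink() and conf not in p.resolve().parents:
            problems.append(f"{p} points outside {conf}; mount the whole conf dir")
        elif name == "privkey.pem" and stat.S_IMODE(p.stat().st_mode) & 0o077:
            problems.append(f"{p} is readable by group/others")
    if (live / "fullchain.pem").exists():
        left = days_until_expiry(enddate_line or read_enddate(live / "fullchain.pem"), now)
        if left < min_days:
            problems.append(f"certificate expires in {left:.0f} days; renewal is overdue")
    return problems

def demo():
    # Constructed fixture (assumption): a fake certbot conf dir whose private key is too
    # open and whose certificate expires 20 days after DEMO_NOW. No real PEM is used.
    root = Path(tempfile.mkdtemp())
    archive, live = root / "archive" / "api.example.com", root / "live" / "api.example.com"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    for name in FILES:
        target = archive / name.replace(".pem", "1.pem")
        target.write_text("constructed placeholder, not a real PEM\n")
        (live / name).symlink_to(target)
    (archive / "privkey1.pem").chmod(0o644)  # deliberately too permissive
    return check_cert_layout(root, "api.example.com",
                             enddate_line="notAfter=Jun 11 00:00:00 2025 GMT", now=DEMO_NOW)
```

Run check_cert_layout("/path/to/letsencrypt/certbot/conf", "api.example.com") on the real directory; an empty list means the files are ready to be mounted.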

By following these steps, you’ll have successfully secured Fonoster’s API with Let’s Encrypt certificates and set up auto-renewal to maintain the security of your communications.