# Securing the API

> Securing the API with TLS.

import WipDocsWarning from '/snippets/wip-docs-warning.mdx';

<WipDocsWarning />

Securing Fonoster's API with Let's Encrypt certificates is essential to ensure encrypted communication. This process involves setting up a temporary Nginx server, obtaining the certificate, and configuring auto-renewal.

Here are the steps to accomplish this task:

<Steps>
  <Step title="Prepare the environment">
    First, create the necessary directories:

    ```bash theme={"system"}
    mkdir -p letsencrypt/nginx-conf
    mkdir -p letsencrypt/certbot/www
    mkdir -p letsencrypt/certbot/conf
    ```
  </Step>

  <Step title="Configure Nginx">
    Next, create Nginx's configuration file with the following content:

    ```text letsencrypt/nginx-conf/nginx.conf theme={"system"}
    events {
      worker_connections 1024;
    }

    http {
      server {
        listen 80;
        listen [::]:80;
        server_name app.example.com api.example.com sip.example.com;

        location /.well-known/acme-challenge/ {
          root /var/www/html;
        }

        location / {
          return 404;
        }
      }
    }
    ```

    <Note>
      Replace `app.example.com`, `api.example.com`, and `sip.example.com` with your own domain names (the same names you will later pass to Certbot), and point each of them at the server's IP address before continuing.
    </Note>
  </Step>

  <Step title="Start the container">
    Then, start the Nginx container to handle the ACME challenge:

    ```bash theme={"system"}
    docker run -d --name nginx \
      -p 80:80 \
      -v $(pwd)/letsencrypt/nginx-conf/nginx.conf:/etc/nginx/nginx.conf:ro \
      -v $(pwd)/letsencrypt/certbot/www:/var/www/html \
      nginx:latest
    ```
  </Step>

  <Step title="Retrieve the certificates">
    Now, run Certbot to obtain the Let's Encrypt certificate:

    ```bash theme={"system"}
    docker run -it --rm \
      -v $(pwd)/letsencrypt/certbot/conf:/etc/letsencrypt \
      -v $(pwd)/letsencrypt/certbot/www:/var/www/html \
      certbot/certbot certonly --webroot \
      --webroot-path /var/www/html \
      --email your@email.com --agree-tos --no-eff-email \
      -d app.example.com -d api.example.com -d sip.example.com
    ```

    <Note>
      Replace the email and domain name with your information.
    </Note>

    <Tip>
      You should see a message indicating that the certificate was successfully obtained.
    </Tip>
  </Step>

  <Step title="Remove the container">
    After obtaining the certificate, stop and remove the temporary Nginx container:

    ```bash theme={"system"}
    docker stop nginx
    docker rm nginx
    ```
  </Step>

  <Step title="Set the auto-renewal">
    Next, set up auto-renewal by creating a script named `renew_cert.sh`:

    ```bash renew_cert.sh theme={"system"}
    #!/bin/bash

    # Same volume mounts as the certonly step above. Certbot only renews
    # certificates that are close to expiry, so running this often is safe.
    docker run --rm \
      -v /path/to/letsencrypt/certbot/conf:/etc/letsencrypt \
      -v /path/to/letsencrypt/certbot/www:/var/www/html \
      certbot/certbot renew
    ```

    <Note>
      Please replace `/path/to` with the actual path to the directories.
    </Note>

    Make the script executable and add a cron job to run it twice daily:

    ```bash theme={"system"}
    chmod +x renew_cert.sh
    (crontab -l 2>/dev/null; echo "0 0,12 * * * /path/to/renew_cert.sh") | crontab -
    ```

    <Note>
      Replace `/path/to` with the actual path to the script.
    </Note>
  </Step>

  <Step title="Finalize settings and run the process">
    Finally, find the Envoy container in your compose file, mount the Let's Encrypt certificates directory (`letsencrypt/certbot/conf`) into it, and open port `443`.
  </Step>
</Steps>
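A renewed certificate only takes effect once the process that loaded the old files is restarted or reloaded. As an added example (not part of the Fonoster docs or code base), this wrapper runs the same `certbot renew` container as `renew_cert.sh` and restarts the Envoy container only when Certbot actually replaced the chain or key; the `/path/to` directory, the domain used to name Certbot's `live/` folder, and the container name `envoy` are assumptions to adjust.

```python
"""Run the same `certbot renew` container as renew_cert.sh and restart the TLS
terminator only when Certbot actually wrote new files. Paths, domain and container
name are assumptions (added example, not Fonoster code)."""
import hashlib
import subprocess
from pathlib import Path

LETSENCRYPT_DIR = "/path/to/letsencrypt"  # placeholder: the tree created in step 1
DOMAIN = "app.example.com"                # first -d name given to certbot; names the live/ dir
ENVOY_CONTAINER = "envoy"                 # assumed name of the Envoy container in compose

def live_cert_paths(base_dir, domain):
    """Certbot keeps the current chain and key under conf/live/<first domain>/."""
    live = Path(base_dir) / "certbot" / "conf" / "live" / domain
    return [live / "fullchain.pem", live / "privkey.pem"]

def fingerprint(blobs):
    """SHA-256 over the concatenated contents, so a change in chain or key is detected."""
    digest = hashlib.sha256()
    for blob in blobs:
        digest.update(blob)
    return digest.hexdigest()

def read_all(paths):
    """File contents in order; a missing file (first run) contributes empty bytes."""
    return [p.read_bytes() if p.exists() else b"" for p in paths]

def renew_command(base_dir):
    """The docker invocation from renew_cert.sh, as an argv list."""
    return [
        "docker", "run", "--rm",
        "-v", f"{base_dir}/certbot/conf:/etc/letsencrypt",
        "-v", f"{base_dir}/certbot/www:/var/www/html",
        "certbot/certbot", "renew",
    ]

def renew_and_restart(base_dir, domain, container):
    """Renew, then restart the container only if chain or key changed; True on restart."""
    paths = live_cert_paths(base_dir, domain)
    before = fingerprint(read_all(paths))
    subprocess.run(renew_command(base_dir), check=True)
    if fingerprint(read_all(paths)) == before:
        return False  # nothing was due; leave Envoy alone
    subprocess.run(["docker", "restart", container], check=True)
    return True

if __name__ == "__main__":
    restarted = renew_and_restart(LETSENCRYPT_DIR, DOMAIN, ENVOY_CONTAINER)
    print("certificate renewed, Envoy restarted" if restarted else "no renewal due")
```

Point the cron entry from the previous step at this script instead of `renew_cert.sh` if you adopt it.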

By following these steps, you'll have successfully secured Fonoster's API with Let's Encrypt certificates and set up auto-renewal to maintain the security of your communications.
