Securing your Open-WebUI application with HTTPS is a crucial step in ensuring the privacy and integrity of data exchanged between your users and your server. HTTPS, powered by SSL/TLS certificates, encrypts the communication, making it difficult for malicious actors to intercept or tamper with the data. One of the most popular and trusted sources for SSL/TLS certificates is Let’s Encrypt, a free, automated, and open certificate authority.
In this guide, we’ll walk you through the process of setting up a Let’s Encrypt certificate for your Open-WebUI application hosted on an Ubuntu server. We’ll use Certbot, the official Let’s Encrypt client, to obtain and automatically renew your SSL certificate. Given that your Open-WebUI is containerized and uses an NGINX proxy, we’ll leverage the Certbot NGINX plugin to streamline the setup.
Understanding the Approach
Certbot simplifies the process of obtaining and renewing SSL certificates. The Certbot NGINX plugin can automatically configure your NGINX server to serve the challenge files Let’s Encrypt uses to verify your domain ownership. This automation reduces the complexity and potential errors in manual configuration.
Prerequisites
Before we begin, ensure you have the following:
- A Registered Domain Name: You’ll need a domain name that points to the public IP address of your Ubuntu server.
- Port 80 and 443 Open: Ensure that ports 80 (HTTP) and 443 (HTTPS) are open on your server’s firewall and any network firewalls. Let’s Encrypt needs to reach your server on port 80 to perform domain validation.
- NGINX Proxy Configuration: Your containerized NGINX proxy should be correctly configured to listen on port 80 and forward requests to your Open-WebUI container. You’ll need to know the name of your NGINX container and its internal port mapping.
- Docker and Docker Compose (if applicable): You’ll need Docker installed on your Ubuntu server. If you used Docker Compose to set up your NGINX proxy, you’ll need that as well.
Step-by-Step Guide
Step 1: Install Certbot
First, we need to install Certbot on your Ubuntu server.
sudo apt update
sudo apt install certbot python3-certbot-nginx
This command updates your package lists and then installs Certbot and the NGINX plugin for Certbot.
Step 2: Stop Your NGINX Container (Temporarily)
Certbot needs to be able to modify your NGINX configuration. To avoid potential conflicts while Certbot makes changes, it’s best to stop your NGINX container temporarily.
Identify your NGINX container name (you can use docker ps to list running containers). Let’s assume your NGINX container is named nginx-proxy.
docker stop nginx-proxy
If you’re using Docker Compose, navigate to the directory containing your docker-compose.yml file and run:
docker-compose stop nginx-proxy
Step 3: Obtain the Let’s Encrypt Certificate
Now, we’ll use Certbot to request the certificate. Replace your_domain.com with your actual domain name.
sudo certbot --nginx -d your_domain.com
If you have multiple subdomains you want to include in the certificate (e.g., your_domain.com and www.your_domain.com), you can specify them with multiple -d flags:
sudo certbot --nginx -d your_domain.com -d www.your_domain.com
Certbot will then:
- Verify your domain: It will communicate with Let’s Encrypt to verify that you own the domain name. This usually involves placing temporary files on your web server that Let’s Encrypt can access. The
--nginxplugin helps automate this by configuring your (currently stopped) NGINX. - Request a certificate: Once verified, Certbot will request an SSL/TLS certificate for your domain from Let’s Encrypt.
- Update NGINX configuration: The
--nginxplugin will automatically configure your NGINX virtual host configuration to use the newly obtained certificate and private key. It will also set up redirects from HTTP to HTTPS. - Ask about HTTP to HTTPS redirection: Certbot will likely ask if you want to redirect all HTTP traffic to HTTPS. It’s highly recommended to choose this option for security.
Step 4: Start Your NGINX Container
Once Certbot has finished and successfully obtained and configured the certificate, you can restart your NGINX container.
docker start nginx-proxy
Or, if using Docker Compose:
docker-compose start nginx-proxy
Step 5: Verify HTTPS Access
Now, open your web browser and navigate to https://your_domain.com. You should see the lock icon in the address bar, indicating a secure HTTPS connection. You can also inspect the certificate details to confirm it’s issued by Let’s Encrypt.
Step 6: Configure Your Open-WebUI Container (If Necessary)
In most cases, your NGINX proxy will handle the SSL termination (the process of decrypting HTTPS traffic). Your Open-WebUI container will likely still communicate with the proxy over HTTP internally. You generally don’t need to make changes within your Open-WebUI container for this setup to work.
However, if your Open-WebUI application relies on knowing if the connection is secure (e.g., for generating absolute URLs), you might need to configure your NGINX proxy to pass the appropriate headers (like X-Forwarded-Proto: https) to your Open-WebUI container. Consult the Open-WebUI documentation for details on how it handles secure connections behind a proxy.
Step 7: Set Up Automatic Certificate Renewal
Let’s Encrypt certificates are only valid for 90 days. To ensure continuous HTTPS access, you need to set up automatic renewal. Certbot provides a built-in mechanism for this.
You can test the renewal process with a dry run:
sudo certbot renew --dry-run
If the dry run is successful, you can set up a systemd timer or cron job to run the renewal command periodically.
Using systemd Timers (Recommended for Ubuntu)
- Certbot should have automatically created a systemd timer unit file during installation. You can check its status:
systemctl status certbot.timer - If it’s not enabled, enable and start it:
sudo systemctl enable --now certbot.timer - The timer will automatically run the
certbot renewcommand twice daily. If a certificate is nearing its expiration (within 30 days), Certbot will attempt to renew it.
Using Cron Jobs (Alternative)
- Open your crontab for editing:
crontab -e - Add the following line to run the renewal command twice daily:
0 */12 * * * /usr/bin/certbot renew --quietThe--quietflag suppresses output during the renewal process.
Important Considerations
- Firewall: Double-check your firewall rules (e.g., using
ufw) to ensure ports 80 and 443 are open for incoming traffic. - NGINX Configuration: Review your NGINX virtual host configuration file (usually in
/etc/nginx/sites-available/) to ensure it correctly uses the new certificate and key files (typically located in/etc/letsencrypt/live/your_domain.com/). Certbot should have handled this, but it’s good to verify. - Docker Networking: Ensure your NGINX container and Open-WebUI container are on the same Docker network or that the necessary ports are correctly exposed and linked.
- Troubleshooting: If you encounter issues, check the Certbot logs (usually in
/var/log/certbot/) and your NGINX error logs (/var/log/nginx/error.log).
By following these steps, you should be able to successfully obtain and configure a publicly signed Let’s Encrypt certificate for your containerized Open-WebUI application, enhancing its security and trustworthiness.
About the Author
Joshua Makuru Nomwesigwa is a seasoned Telecommunications Engineer with vast experience in IP Technologies; he eats, drinks, and dreams IP packets. He is a passionate evangelist of the forth industrial revolution (4IR) a.k.a Industry 4.0 and all the technologies that it brings; 5G, Cloud Computing, BigData, Artificial Intelligence (AI), Machine Learning (ML), Internet of Things (IoT), Quantum Computing, etc. Basically, anything techie because a normal life is boring.
