unclev / prosody-docker-extended

Docker image building system for the Prosody XMPP server with Community Modules and telnet console
MIT License

Letsencrypt support #14

Open jinfeei opened 4 years ago

jinfeei commented 4 years ago

What is the proper way to add Letsencrypt support to this? It would be good if this could be made clear in the documentation.

Thanks so much...

unclev commented 4 years ago

I do not know a proper way.

Even though I use LetsEncrypt certificates with my Prosody installation, I've simply been delivering the certificates manually:

The essential point here is that the certificate files must be readable by the prosody user (uid/gid 1000/1000 in the container).

The better way would probably be using prosodyctl as described in the Prosody documentation: Let's Encrypt.

For example (not tested):

```shell
# start with /etc/letsencrypt/live mounted into the container
docker run -d \
   --name prosody_xmpp_server \
   --hostname shakespeare.lit \
   -p 5222:5222 \
   -p 5269:5269 \
   -v /etc/letsencrypt/live:/letsencrypt \
   unclev/prosody-docker-extended:0.11-disco
# after each renewal, import the certificates into Prosody's certificate store
docker exec prosody_xmpp_server prosodyctl --root cert import /letsencrypt
```

Other cases I'm thinking about:

  1. I recently replaced jwilder's nginx-proxy with traefik, which stores Letsencrypt certificates in a JSON file. So it is not clear how to deliver the generated certificate to Prosody.

  2. In a Kubernetes cluster an approach with Cert Manager seems to be the proper one. The generated secret can then be delivered to Prosody with (parts of a Kubernetes workload):

     ```yaml
     spec:
       securityContext:
         fsGroup: 1000
       # ... (skipped), and
       volumes:
       - name: certs
         secret:
           defaultMode: 0640
     ```

     This brings the certificate files, owned by the prosody group (gid 1000), into the prosody pod's main container.

In general, this issue is not resolved so far. Every good suggestion and PR is welcome! :)

Update: there is also the same issue at prosody/prosody-docker#60.

Update 2: In the case of traefik + Lets Encrypt, this https://github.com/containous/traefik/issues/1152#issuecomment-472905620 may help.
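The point the thread keeps coming back to is file ownership and mode: whatever delivers the certificates (a bind mount, a Kubernetes secret with `fsGroup`/`defaultMode`, a renewal hook), the files must end up readable by uid/gid 1000 inside the container, and the private key should not be world-readable. The following pre-flight check is an added example, not code from this project or from Prosody; it assumes certbot's `live/<host>/{fullchain,privkey}.pem` layout and GNU `stat`, and the function names (`rwx_digits`, `mode_allows_read`, `world_readable`, `check_cert_dir`) are hypothetical. Run it against the directory you intend to mount, before running `prosodyctl --root cert import`.

```shell
#!/bin/sh
# Added example: check that a Let's Encrypt "live" directory, as it would be
# mounted into the container, is usable by the prosody user (uid/gid 1000/1000
# by default) and that no private key is world-readable.
# Assumes certbot's live/<host>/fullchain.pem and privkey.pem layout and GNU stat.

PROSODY_UID=${PROSODY_UID:-1000}
PROSODY_GID=${PROSODY_GID:-1000}

# rwx_digits MODE -> the three user/group/other octal digits as printed by
# `stat -c %a`, zero-padded, with any leading setuid/setgid/sticky digit dropped
rwx_digits() {
  m=$1
  while [ ${#m} -lt 3 ]; do m=0$m; done
  case $m in ????) m=${m#?};; esac
  printf '%s' "$m"
}

# mode_allows_read MODE OWNER_UID OWNER_GID -> 0 if uid PROSODY_UID / gid
# PROSODY_GID could read the file. Mirrors Unix semantics: the owner class is
# decided by the user bits alone, then the group bits, then the "other" bits.
mode_allows_read() {
  m=$(rwx_digits "$1"); ouid=$2; ogid=$3
  u=$(( ${m%??} & 4 ))
  g_digit=${m#?}; g=$(( ${g_digit%?} & 4 ))
  o=$(( ${m#??} & 4 ))
  if [ "$ouid" -eq "$PROSODY_UID" ]; then [ "$u" -ne 0 ]
  elif [ "$ogid" -eq "$PROSODY_GID" ]; then [ "$g" -ne 0 ]
  else [ "$o" -ne 0 ]
  fi
}

# world_readable MODE -> 0 if the "other" class has read permission
world_readable() {
  m=$(rwx_digits "$1")
  [ $(( ${m#??} & 4 )) -ne 0 ]
}

# check_cert_dir DIR -> 0 if every fullchain.pem and privkey.pem under DIR/*/
# is readable by the prosody user and no privkey.pem is world-readable.
# Prints one line per problem found. Symlinks are followed (-L) because
# certbot's live/ entries point into archive/.
check_cert_dir() {
  dir=$1; rc=0
  for f in "$dir"/*/fullchain.pem "$dir"/*/privkey.pem; do
    [ -e "$f" ] || continue
    set -- $(stat -L -c '%a %u %g' "$f")   # mode, owner uid, owner gid
    if ! mode_allows_read "$1" "$2" "$3"; then
      echo "NOT READABLE by uid/gid $PROSODY_UID/$PROSODY_GID: $f (mode $1, owner $2:$3)"
      rc=1
    fi
    case $f in *privkey.pem)
      if world_readable "$1"; then
        echo "WORLD-READABLE private key: $f (mode $1)"
        rc=1
      fi;;
    esac
  done
  return $rc
}

# Usage: sh check_certs.sh /etc/letsencrypt/live
if [ -n "${1:-}" ]; then check_cert_dir "$1"; fi
```

If the check fails on a bind mount, the usual fix is `chgrp 1000` plus mode 0640 on the key (or root:1000 with 0640, which is what the Kubernetes `fsGroup: 1000` / `defaultMode: 0640` combination above produces); a key that is mode 0600 and owned by root will import fine on the host but be unreadable to the prosody user inside the container.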