zulip / docker-zulip

Container configurations, images, and examples for Zulip.
https://zulip.com/
Apache License 2.0

certbot support broken in ≥ 4.9-0 #381

Open andersk opened 1 year ago

andersk commented 1 year ago

Between 4.8-1 and 4.9-0, we backported zulip/zulip#20512 and started unconditionally installing certbot, resulting in /etc/letsencrypt existing in the base image, so this symlink never happens. This results in a broken symlink where the certificate should be.

root@70b1222620d1:/# namei /etc/ssl/certs/zulip.combined-chain.crt
f: /etc/ssl/certs/zulip.combined-chain.crt
 d /
 d etc
 d ssl
 d certs
 l zulip.combined-chain.crt -> /data/certs/zulip.combined-chain.crt
   d /
   d data
   d certs
     zulip.combined-chain.crt - No such file or directory
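A health check for the symptom above: a shell function that walks the symlink chain the way namei does and reports the first component that does not exist. This is an added example, not docker-zulip's own code; it rebuilds the broken layout from the namei output inside a temporary directory (the PEM content is a constructed placeholder) and never touches the real /etc/ssl.

```shell
#!/bin/sh
# check_cert_link PATH: follow symlinks hop by hop and print
# "ok <file>" (status 0) or "dangling <missing path>" (status 1).
check_cert_link() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        target=$(readlink "$path")
        case $target in
            /*) ;;                                   # absolute target
            *)  target=$(dirname "$path")/$target ;; # relative target
        esac
        path=$target
        hops=$((hops + 1))
        [ "$hops" -lt 40 ] || { echo "loop $path"; return 1; }
    done
    if [ -e "$path" ]; then
        echo "ok $path"
        return 0
    fi
    echo "dangling $path"
    return 1
}

# build_layout ROOT present|missing: recreate the issue's layout under ROOT,
# i.e. etc/ssl/certs/zulip.combined-chain.crt -> data/certs/zulip.combined-chain.crt,
# with the chain file either written (constructed placeholder) or absent.
build_layout() {
    mkdir -p "$1/etc/ssl/certs" "$1/data/certs"
    if [ "$2" = present ]; then
        printf 'constructed placeholder, not a real PEM\n' \
            > "$1/data/certs/zulip.combined-chain.crt"
    fi
    ln -s "$1/data/certs/zulip.combined-chain.crt" \
          "$1/etc/ssl/certs/zulip.combined-chain.crt"
}

# demo_layout present|missing: build the layout in a temp root, run the check,
# clean up, and return the check's status.
demo_layout() {
    root=$(mktemp -d)
    build_layout "$root" "$1"
    check_cert_link "$root/etc/ssl/certs/zulip.combined-chain.crt"
    rc=$?
    rm -rf "$root"
    return "$rc"
}

demo_layout missing   # reproduces the broken state from the issue
demo_layout present   # what a healthy container should report
```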


thelazyoxymoron commented 1 year ago

Getting this on my self-hosted docker instance as well, even though I'm using an external certificate deployed by Nginx Proxy Manager to talk to the zulip container. I'm able to connect to the deployed URL, however zulip clients intermittently throw a self-signed certificate error.

andersk commented 1 year ago

@thelazyoxymoron You’re seeing something unrelated that you’re going to have to debug on the Nginx Proxy Manager side. This issue is about the internal Certbot support inside docker-zulip.

InfinityRed-Code commented 1 year ago

Was anyone able to fix this or work around this? I thought of using self-signed certs in the container and using certbot on the host itself. But I don't know if this works with passing through to the container. With one org this might work fine, but I want to host several orgs with different domains, where the main org would be something like zulip.example.com and the following ones org1.zulip.example.com ... Maybe even a wildcard cert on the host to address all domains. Has anyone tried this or experimented with this?