prosody/prosody-docker

Letsencrypt support

Opened this issue · 5 comments

It is not clear how to integrate Letsencrypt into Prosody using docker. Can someone please point the way? What is the proper way to do so?

Thanks so much...

It shouldn't. Certificates should be created outside the container.

While I stand by my previous comment, let me elaborate to make it more useful. Personally I host prosody on kubernetes. Cert-manager (the le equivalent) will obtain certificates and place them in a kubernetes secret which in turn is mounted by the container running prosody and then utilized by the application. When certificates change, a restart of the container is required. This restart can be automated with a component called reloader.

On systems with docker, certbot can renew the certificate to be mounted as volume and a hook in certbot can be used to restart the container. Certbot itself can be managed outside of prosody, potentially handling multiple certificates.

There are even more suitable ways. The documentation basically says:

Our recommended method is to use prosodyctl to import your certificates, as described on this page.

I run prosody in Docker and let dehydrated renew my certs. The directory where dehydrated puts the certs is mounted (read-only) as a volume into the prosody Docker container and the renew hook calls this basically (with "prosody" being the name of the container and the path being the volume path as it appears inside of the container):

docker exec prosody prosodyctl --root cert import xmpp.example.com /var/lib/dehydrated/certs
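The renew hook described in the comment above, written out as an added example; it is not part of the thread or of the commenter's Ansible role. It relies on dehydrated passing the hook name as the first argument and the domain as the first `deploy_cert` argument; the `PROSODY_CONTAINER`, `PROSODY_CERT_DIR` and `DRY_RUN` variables and the `valid_domain` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: dehydrated hook that imports a renewed certificate into a
# running Prosody container. The defaults are the container name and the
# in-container volume path quoted in the comment above.
# Assumption: PROSODY_CONTAINER, PROSODY_CERT_DIR and DRY_RUN are names
# introduced for this example only.

CONTAINER="${PROSODY_CONTAINER:-prosody}"
CERT_DIR_IN_CONTAINER="${PROSODY_CERT_DIR:-/var/lib/dehydrated/certs}"

# Accept only plain DNS host names, so a malformed argument can never be
# read by docker or prosodyctl as an option or a path.
valid_domain() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# dehydrated calls:
#   deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Only DOMAIN is needed: prosodyctl reads the files from the mounted volume.
deploy_cert() {
    domain="$1"
    if ! valid_domain "$domain"; then
        echo "refusing to import certificate for invalid domain: $domain" >&2
        return 1
    fi
    # Build the command as an argument list; nothing is re-parsed by a shell.
    set -- docker exec "$CONTAINER" prosodyctl --root cert import \
        "$domain" "$CERT_DIR_IN_CONTAINER"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"        # show what would run, without touching the container
    else
        "$@"
    fi
}

# dehydrated passes the hook name first; every other hook is ignored here.
handler="${1:-}"
case "$handler" in
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```

Because the volume is mounted read-only, the container can read the renewed key material but cannot alter what dehydrated wrote on the host.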

Do you mind sharing your docker (compose) files please? (For dehydrated too...) THANK YOU!

Sorry to disappoint you, but for myself and for @netz39 we do our whole Docker setup with Ansible. Those roles are mostly not public. The dehydrated role is: https://github.com/24367dfa/ansible-role-dehydrated and its deploy_cert_hook contains the call stated a few comments earlier here. The Docker image we are using is custom and based on prosody/prosody:0.11 but we are in the process of migrating to the more modern prosodyim/prosody which I would recommend trying. You can find some information on that in issue #72.