Letsencrypt support #60

Open
jinfeei opened this issue Dec 16, 2019 · 5 comments

jinfeei commented Dec 16, 2019

It is not clear how to integrate Letsencrypt into Prosody using docker. Can someone please point the way? What is the proper way to do so?

Thanks so much...


christf commented Feb 16, 2024

It shouldn't. Certificates should be created outside the container.


christf commented Feb 29, 2024

While I stand by my previous comment, let me elaborate to make it more useful. Personally I host prosody on kubernetes. Cert-manager (the le equivalent) will obtain certificates and place them in a kubernetes secret which in turn is mounted by the container running prosody and then utilized by the application. When certificates change, a restart of the container is required. This restart can be automated with a component called reloader.

On systems with docker, certbot can renew the certificate to be mounted as volume and a hook in certbot can be used to restart the container. Certbot itself can be managed outside of prosody, potentially handling multiple certificates.

@LeSpocky
Contributor

There are even more suitable ways. The documentation basically says:

> Our recommended method is to use prosodyctl to import your certificates, as described on this page.

I run prosody in Docker and let dehydrated renew my certs. The directory where dehydrated puts the certs is mounted (read-only) as a volume into the prosody Docker container and the renew hook calls this basically (with "prosody" being the name of the container and the path being the volume path as it appears inside of the container):

```
docker exec prosody prosodyctl --root cert import xmpp.example.com /var/lib/dehydrated/certs
```


jinfeei commented Mar 7, 2024

Do you mind sharing your docker (compose) files please? (For dehydrated too...) THANK YOU!


LeSpocky commented Mar 7, 2024

> Do you mind sharing your docker (compose) files please? (For dehydrated too...) THANK YOU!

Sorry to disappoint you, but for myself and for @netz39 we do our whole Docker setup with Ansible. Those roles are mostly not public. The dehydrated role is: https://github.com/24367dfa/ansible-role-dehydrated and its deploy_cert_hook contains the call stated a few comments earlier here. The Docker image we are using is custom and based on prosody/prosody:0.11 but we are in the process of migrating to the more modern prosodyim/prosody which I would recommend to try. You can find some information on that in issue #72.
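
The renew-hook approach described in the comments above, sketched as a dehydrated hook script. This is an added example, not code from any commenter or from the linked Ansible role. The container name, in-container certificate path and hostname are taken from the command quoted in the thread; the `CONTAINER`, `CERT_DIR` and `ALLOWED_DOMAINS` variables and the allow-list check are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: dehydrated hook that imports a renewed certificate into
# Prosody running in Docker. Variable names below are assumptions.

CONTAINER="${CONTAINER:-prosody}"                      # container name
CERT_DIR="${CERT_DIR:-/var/lib/dehydrated/certs}"      # volume path inside the container
ALLOWED_DOMAINS="${ALLOWED_DOMAINS:-xmpp.example.com}" # space-separated list

# Accept only plain hostnames, so the value can never be parsed as an
# option by docker or prosodyctl and carries no shell metacharacters.
valid_hostname() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Only certificates for domains this XMPP server serves trigger an import.
is_allowed() {
    for d in $ALLOWED_DOMAINS; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# dehydrated invokes the hook as:
#   hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    domain="$1"
    valid_hostname "$domain" || { echo "rejecting domain: $domain" >&2; return 2; }
    is_allowed "$domain" || return 0   # certificate belongs to another service
    docker exec "$CONTAINER" prosodyctl --root cert import "$domain" "$CERT_DIR"
}

hook_main() {
    handler="${1:-}"
    [ "$#" -gt 0 ] && shift
    case "$handler" in
        deploy_cert) deploy_cert "$@" ;;
        *) return 0 ;;                 # other hook stages need no action here
    esac
}

hook_main "$@"
```

Because the volume is mounted read-only, the container can read the renewed key material but cannot alter what dehydrated wrote on the host.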
