docker-ejabberd
Letsencrypt setup
Hi, I could use some help in integrating Letsencrypt with ejabberd. When we get this done, I'd be happy to expand the Readme with this topic.
Here is how far I have come:
Basic setup with docker compose
I decided to use docker-compose and put all the files into a folder ejabberd-compose:
root@labor:~/ejabberd-compose# tree
.
├── cron
│   └── renew_ssl.sh
├── docker-compose.yml
└── ssl
    ├── host.pem -> /root/ejabberd-compose/ssl/labor.bugabinga.net.pem
    └── labor.bugabinga.net.pem
root@labor:~/ejabberd-compose# cat docker-compose.yml
version: "3"
services:
  ejabberd-data:
    image: rroemhild/ejabberd-data
  ejabberd:
    image: rroemhild/ejabberd
    hostname: labor.bugabinga.net
    # A service may carry only one "volumes:" key. The original file had two
    # ("- ejabberd-data" and the ssl mount); a YAML loader keeps only the last
    # one, so the data-container entry was silently dropped. A bare
    # "ejabberd-data" is not a valid short-form mount anyway (it needs a container
    # path); sharing a data container's volumes uses "volumes_from", which exists
    # in compose file version 2 but was removed in version 3.
    volumes:
      # certificates are prepared on the host, so the mount can stay read-only
      - ./ssl:/opt/ejabberd/ssl:ro
    ports:
      - 5222:5222
      - 5269:5269
      - 5280:5280
      - 4560:4560
      - 5443:5443
    environment:
      - ERLANG_NODE=ejabberd
      - XMPP_DOMAIN=labor.bugabinga.net
      - [email protected]
      - [email protected] [email protected] [email protected]
      - EJABBERD_SSLCERT_HOST=/opt/ejabberd/ssl/host.pem
      - EJABBERD_SSLCERT_LABOR_BUGABINGA_NET=/opt/ejabberd/ssl/labor.bugabinga.net.pem
      - TZ=Europe/Berlin
The idea was to provide ejabberd with the SSL certs ready for consumption, so that the volume can stay read-only.
Basic letsencrypt setup
Initial setup for domain labor.bugabinga.net
root@labor:~/ejabberd-compose# letsencrypt certonly --standalone
Crontab script for renewal:
root@labor:~/ejabberd-compose# cat cron/renew_ssl.sh
#!/usr/bin/env sh
# Renew every certificate that is due and append the client output to a log file
/usr/bin/letsencrypt renew >> /var/log/letsencrypt_renew_labor_bugabinga_net.log
# Concatenate the certificate chain and the private key into the single .pem file the image expects
cat /etc/letsencrypt/live/labor.bugabinga.net/fullchain.pem /etc/letsencrypt/live/labor.bugabinga.net/privkey.pem > /root/ejabberd-compose/ssl/labor.bugabinga.net.pem
# Point host.pem at the bundle (note: the link target is an absolute path on the host)
ln -f -s /root/ejabberd-compose/ssl/labor.bugabinga.net.pem /root/ejabberd-compose/ssl/host.pem
The goal of this script is to renew the letsencrypt cert and concatenate the private key and the certificate into one .pem file, as stated in the Readme.
Running the container
Here I get stuck:
root@labor:~/ejabberd-compose# docker-compose up
Starting ejabberdcompose_ejabberd_1
Starting ejabberdcompose_ejabberd-data_1
Attaching to ejabberdcompose_ejabberd-data_1, ejabberdcompose_ejabberd_1
ejabberdcompose_ejabberd-data_1 exited with code 0
ejabberd_1 | Writing EJABBERD_SSLCERT_HOST to /opt/ejabberd/ssl/host.pem
ejabberd_1 | /opt/ejabberd/scripts/pre/01_write_certifiates_from_env.sh: line 17: /opt/ejabberd/ssl/host.pem: Permission denied
ejabberdcompose_ejabberd_1 exited with code 1
Why does it try to overwrite the existing host.pem? Is it malformed?
Hi
root@labor:~/ejabberd-compose# tree
.
├── cron
│   └── renew_ssl.sh
├── docker-compose.yml
└── ssl
    ├── host.pem -> /root/ejabberd-compose/ssl/labor.bugabinga.net.pem
    └── labor.bugabinga.net.pem
Your 'host.pem' is a symlink that is only available on the host, not inside the container.
I hope this helps.
FYI: there are Google Summer of Code projects for ejabberd, and one of them is support for the "Let's Encrypt" ACME protocol.
I think you'll need at least ejabberd 17.12, or even 18.01, for 'native' Let's Encrypt support:
https://github.com/processone/ejabberd/pull/1959
https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L684
The ejabberd docker image runs as a non-root user (the ejabberd user), so you have to chown (or chmod for others) your cert files.
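The two replies above point at two separate defects in the cron script: the absolute `/root/...` symlink target does not exist inside the container, and the bundle must be readable by the container's non-root ejabberd user. The following is an added example that is not from the thread or the docker-ejabberd project; it shows the bundle-and-link step of such a renewal script written so that the link is relative (it resolves at whatever path `ssl/` is mounted) and the private key is group-readable but never world-readable. Paths, the domain, the group name and the placeholder certificate contents are assumptions, and `install_bundle` would be called by the cron job after `letsencrypt renew`.

```shell
#!/usr/bin/env sh
# Added example (not the thread's or the project's code). It replaces the
# "cat ... > bundle; ln -s ..." step of a renewal script with a version that
#   (1) writes the bundle atomically under a restrictive umask,
#   (2) makes it readable by one group (the container's ejabberd user) only,
#   (3) creates host.pem as a RELATIVE symlink, so it also resolves inside the
#       container where ssl/ is bind-mounted at /opt/ejabberd/ssl.
# All paths, the domain and the group are assumptions for this example.

# install_bundle LIVE_DIR SSL_DIR DOMAIN [GROUP]
#   LIVE_DIR: e.g. /etc/letsencrypt/live/<domain> (fullchain.pem, privkey.pem)
#   SSL_DIR : the host directory mounted into the container as /opt/ejabberd/ssl
#   GROUP   : optional group that must be able to read the bundle
install_bundle() {
    live_dir=$1; ssl_dir=$2; domain=$3; group=${4:-}
    bundle="$ssl_dir/$domain.pem"
    tmp="$bundle.tmp"
    # Build the bundle in a temp file created 0600 (umask in a subshell so the
    # caller's umask is untouched), chain first, then key, as the Readme expects.
    ( umask 077 && cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" ) || return 1
    if [ -n "$group" ]; then chgrp "$group" "$tmp" || return 1; fi
    chmod 0640 "$tmp" || return 1
    # rename into place: readers never see a half-written key file
    mv -f "$tmp" "$bundle" || return 1
    # Relative target ("<domain>.pem", no leading "/"): the link resolves from
    # any mount point. An absolute /root/... target only resolves on the host.
    ln -sfn "$domain.pem" "$ssl_dir/host.pem"
}

# link_is_relative LINK -> 0 if LINK is a symlink whose target has no leading "/"
link_is_relative() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        /*) return 1 ;;
        *)  return 0 ;;
    esac
}

# bundle_is_private FILE -> 0 if FILE exists and carries no "other" read bit
bundle_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# make_sample_live_dir DIR: constructed placeholder files standing in for the
# client's fullchain.pem / privkey.pem (not real certificate or key material).
make_sample_live_dir() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CHAIN' '-----END CERTIFICATE-----' > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
}

# Usage against the constructed input; a real cron job would pass
# /etc/letsencrypt/live/labor.bugabinga.net and /root/ejabberd-compose/ssl
# plus the group the container's ejabberd user maps to on the host.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_live_dir "$work/live"
    mkdir -p "$work/ssl"
    install_bundle "$work/live" "$work/ssl" labor.bugabinga.net "$(id -gn)" || return 1
    link_is_relative "$work/ssl/host.pem" || return 1
    bundle_is_private "$work/ssl/labor.bugabinga.net.pem" || return 1
    echo "host.pem -> $(readlink "$work/ssl/host.pem") (relative; bundle mode 0640)"
}
demo
```

With the container's ssl directory mounted `:ro`, the files are prepared entirely on the host; the `EJABBERD_SSLCERT_*` variables from the compose file above are then left unset, since the container log in the first post shows the image's pre-start script writing their contents into `/opt/ejabberd/ssl/host.pem`, which a read-only mount refuses.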