Issuing a Let's Encrypt certificate

NOTE: Commands with a $ prefix are executed as a regular user, those with a # prefix as root, and commands without a prefix are database commands.

To issue a Let's Encrypt certificate you can use Docker as well, which saves you from installing certbot on the host system. This guide assumes you are inside the mattermost-docker directory; if you use absolute paths in the volume bind mounts (e.g. /home/admin/mattermost-docker instead of ${PWD}) the current directory does not matter, because the paths are unique. These commands require that DNS records (A or CNAME) have been set and resolve to your server's external IP.

1. Issuing the certificate using the standalone authenticator (there is no nginx yet, so certbot can bind port 80 itself)

$ sudo docker run -it --rm --name certbot -p 80:80 \
    -v "${PWD}/certs/etc/letsencrypt:/etc/letsencrypt" \
    -v "${PWD}/certs/lib/letsencrypt:/var/lib/letsencrypt" \
    certbot/certbot certonly --standalone -d mm.example.com

2. Changing the authenticator to webroot for later renewals

$ sudo docker run -it --rm --name certbot \
    -v "${PWD}/certs/etc/letsencrypt:/etc/letsencrypt" \
    -v "${PWD}/certs/lib/letsencrypt:/var/lib/letsencrypt" \
    -v shared-webroot:/usr/share/nginx/html \
    certbot/certbot certonly -a webroot -w /usr/share/nginx/html -d mm.example.com

This will ask you whether to abort or renew the certificate. If you choose to renew, certbot will change the renewal configuration to webroot. Alternatively (which saves you one certificate issuance against the rate limits, see https://letsencrypt.org/docs/rate-limits/), you can make the change yourself with the following commands:

$ sudo sed -i 's/standalone/webroot/' ${PWD}/certs/etc/letsencrypt/renewal/mm.example.com.conf
$ sudo tee -a ${PWD}/certs/etc/letsencrypt/renewal/mm.example.com.conf > /dev/null << EOF
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
EOF

3. Command for requesting a renewal (Let's Encrypt certificates have a 3 month lifetime)

$ sudo docker run --rm --name certbot \
    --network mattermost \
    -v "${PWD}/certs/etc/letsencrypt:/etc/letsencrypt" \
    -v "${PWD}/certs/lib/letsencrypt:/var/lib/letsencrypt" \
    -v shared-webroot:/usr/share/nginx/html \
    certbot/certbot renew --webroot-path /usr/share/nginx/html

This command can be run from a systemd timer on a regular basis (e.g. once a day). Please take a look at the contrib/systemd folder.
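As an added example (not part of mattermost-docker), the manual edit from step 2 generalized into an idempotent shell function plus a check you can run before trusting the renewal timer: it replaces only the `authenticator` key rather than every occurrence of the word "standalone", adds `webroot_path` and a per-domain `[[webroot_map]]` entry only when missing, and `write_sample_conf` produces a constructed stand-in for the file certbot writes after step 1 (the real file lives under certs/etc/letsencrypt/renewal/).

```shell
#!/bin/sh
# Added example, not part of mattermost-docker: switch a certbot renewal
# config from the standalone to the webroot authenticator without the blunt
# "s/standalone/webroot/" substitution, and verify the result before relying
# on "certbot renew". Assumes certbot's renewal file layout ([renewalparams]
# key = value lines, optional [[webroot_map]] section).

# switch_to_webroot <renewal.conf> <webroot-path> <domain>
switch_to_webroot() {
    conf="$1"; webroot="$2"; domain="$3"
    # Replace only the authenticator key, so a domain, path or comment that
    # happens to contain "standalone" is left alone.
    sed 's/^authenticator = standalone$/authenticator = webroot/' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Append webroot_path and the per-domain map entry only when missing,
    # so running this twice (e.g. from a provisioning script) is harmless.
    grep -q '^webroot_path = ' "$conf" || \
        printf 'webroot_path = %s,\n' "$webroot" >> "$conf"
    grep -q '^\[\[webroot_map\]\]' "$conf" || \
        printf '[[webroot_map]]\n%s = %s\n' "$domain" "$webroot" >> "$conf"
}

# check_webroot_config <renewal.conf>: exit 0 only if every piece the
# webroot authenticator needs is present (certbot keeps a single
# authenticator key, so "webroot" there means standalone is gone).
check_webroot_config() {
    conf="$1"
    grep -q '^authenticator = webroot$' "$conf" &&
    grep -q '^webroot_path = ' "$conf" &&
    grep -q '^\[\[webroot_map\]\]' "$conf"
}

# write_sample_conf <path>: constructed stand-in for the renewal file
# certbot writes after step 1 (sample data, not a real certificate's config).
write_sample_conf() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/mm.example.com
cert = /etc/letsencrypt/live/mm.example.com/cert.pem
[renewalparams]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}
```

Run `check_webroot_config` against the real file once before enabling the timer; a failing check means `certbot renew --webroot-path ...` would fall back to a configuration that no longer matches the running nginx setup.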