docker: Restore ability to generate SSL certs with LetsEncrypt. #391
base: main
6e82240 to 36974e2
Zulip Server 4.9+ regressed Docker setups by always creating a /etc/letsencrypt directory in the top layer of the Docker container, meaning it couldn't be symlinked over from the volume mount. Since that volume mount has useful properties (providing and/or overriding LetsEncrypt settings), restore it and copy the in-image configs into the volume as defaults if and only if those files don't already exist in the volume. Fixes zulip#381.
36974e2 to 6dcd95b
This didn’t work for me. On the first After
and it was still serving a self-signed certificate. After
🤔 I'll take another look. I haven't seen either of those error messages so far, but maybe I need more up-stop-up-stop cycles to trigger it.
I reproed at least the lack of nginx restarting issue on a DO droplet. I'm now playing with #142 and a potential revert of the underlying zulip/zulip changes (I think there's a path to
Further discussion: https://chat.zulip.org/#narrow/stream/3-backend/topic/certbot/near/1516306
This should really be merged. Currently, if you rebuild the docker image you lose your certs and it's a whole mess to get them back.
The certbot brokenness is a high importance bug that needs to be solved, but this PR does not solve it. See above comments and the linked discussion.
Zulip Server 4.9+ regressed Docker setups by always creating a /etc/letsencrypt directory in the top layer of the Docker container, meaning it couldn't be symlinked over from the volume mount. Since that volume mount has useful properties (providing and/or overriding LetsEncrypt settings), restore it and copy the in-image configs into the volume as defaults if and only if those files don't already exist in the volume.
Fixes #381.
Testing Plan
I applied the following diff:
... and then built a zulip:local image from this repo (with no build args). It appears to work: /var/lib/docker/volumes/docker-zulip_zulip/_data/letsencrypt/ contains the cli.ini that originates from a Zulip Server install, and I see the following log output:
docker-compose log output
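The behaviour the PR description states (copy in-image configs into the volume only where the volume lacks them, then symlink the directory over to the volume), as an added example that is not code from this PR or from docker-zulip. The function names `seed_defaults` and `link_to_volume` and the paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names); the caller supplies both paths.

# Copy each regular file under $1 (in-image defaults) into $2 (the volume),
# skipping any path the volume already has so operator files are never
# overwritten.
seed_defaults() {
    src=$1 dst=$2
    [ -d "$src" ] && [ ! -L "$src" ] || return 0   # nothing to seed from
    mkdir -p "$dst"
    ( cd "$src" && find . -type f ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ -e "$dst/$rel" ] || [ -L "$dst/$rel" ]; then
            continue                               # volume copy wins
        fi
        mkdir -p "$(dirname "$dst/$rel")"
        cp -p "$src/$rel" "$dst/$rel"
    done
}

# Make $1 a symlink to $2. A real directory at $1 (the case described
# above) blocks the symlink, so its files are seeded into the volume
# first and the directory is removed only afterwards.
link_to_volume() {
    target=$1 vol=$2
    [ -n "$target" ] && [ -n "$vol" ] || return 1
    if [ -L "$target" ]; then
        [ "$(readlink "$target")" = "$vol" ] && return 0   # already linked
        rm "$target"
    elif [ -d "$target" ]; then
        seed_defaults "$target" "$vol"
        rm -rf "$target"
    fi
    mkdir -p "$vol"
    ln -s "$vol" "$target"
}
```
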