From f7a914e2127706af3f51f4e4e75eaa839fc63d51 Mon Sep 17 00:00:00 2001
From: Kliachin Aleksei
Date: Thu, 2 Apr 2026 07:08:56 +0300
Subject: [PATCH 1/2] Add automated Let's Encrypt support via certbot

---
 docker-compose.nginx.yml | 43 ++++++++++++++++++++++++++++++++++++++++
 env.example | 14 ++++++++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml
index b2527da..8ece330 100644
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@@ -30,6 +30,49 @@ services:
       - ${CALLS_PORT}:${CALLS_PORT}/udp
       - ${CALLS_PORT}:${CALLS_PORT}/tcp
 
+  certbot-renew:
+    image: certbot/certbot
+    profiles: ["acme"]
+    depends_on:
+      - nginx
+    ## Required to reload nginx via kill -HUP 1
+    pid: "service:nginx"
+    volumes:
+      - ./certs/etc/letsencrypt:/etc/letsencrypt
+      - ./certs/var/lib/letsencrypt:/var/lib/letsencrypt
+      - ./certs/var/log/letsencrypt:/var/log/letsencrypt
+      - shared-webroot:/webroot
+    environment:
+      - DOMAIN=${DOMAIN}
+    entrypoint: |
+      sh -c "
+        while true; do
+          certbot renew --cert-name $DOMAIN --webroot-path /webroot --deploy-hook 'kill -HUP 1';
+          echo 'Sleeping 24h...';
+          sleep 24h;
+        done
+      "
+
+  certbot-init:
+    image: certbot/certbot
+    profiles: ["acme-init"]
+    volumes:
+      - ./certs/etc/letsencrypt:/etc/letsencrypt
+      - ./certs/var/lib/letsencrypt:/var/lib/letsencrypt
+      - ./certs/var/log/letsencrypt:/var/log/letsencrypt
+    environment:
+      - DOMAIN=${DOMAIN}
+    ports:
+      - ${HTTP_PORT}:${HTTP_PORT}
+    entrypoint: |
+      sh -c "
+        if [ -d /etc/letsencrypt/live/$DOMAIN ]; then
+          echo 'Certificate already exists for $DOMAIN';
+          exit 0;
+        fi;
+        certbot certonly --standalone --http-01-port $HTTP_PORT -d $DOMAIN --agree-tos --non-interactive;
+      "
+
 # Shared volume for Let's Encrypt certificate renewal with a webroot
 volumes:
   shared-webroot:
diff --git a/env.example b/env.example
index 4e93682..bb64f55 100644
--- a/env.example
+++ b/env.example
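Review bot: The renewal command in certbot-renew's entrypoint, `certbot renew --cert-name $DOMAIN --webroot-path /webroot --deploy-hook 'kill -HUP 1'`, names no authenticator, while the certificate it renews is obtained by certbot-init with `--standalone`, which certbot records in that certificate's renewal configuration; if `--webroot-path` alone does not override the stored authenticator, each renewal will try to listen on its own port inside a container that publishes none, so select it explicitly: `certbot renew --cert-name $DOMAIN --webroot --webroot-path /webroot --deploy-hook 'kill -HUP 1';`. Note also that `$DOMAIN` and `$HTTP_PORT` in both entrypoints are expanded by Compose when the file is parsed, not by the shell, so an unset variable silently becomes an empty argument; `- DOMAIN=${DOMAIN:?DOMAIN must be set}` makes Compose fail early instead. `--http-01-port $HTTP_PORT` only changes the port certbot listens on, the CA still connects to port 80 of the host, so certbot-init can only validate while HTTP_PORT is 80 or the host forwards 80 to it, which is worth a comment next to its `ports:` entry. `pid: "service:nginx"` lets the renew container signal every process in nginx's PID namespace, not only PID 1; that is an acceptable trade-off for a reload hook but the `## Required to reload nginx` comment should say so.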
@@ -38,10 +38,22 @@ NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
 
 CERT_PATH=./volumes/web/cert/cert.pem
 KEY_PATH=./volumes/web/cert/key-no-password.pem
-#GITLAB_PKI_CHAIN_PATH=/pki_chain.pem
+## To use Let's Encrypt certificates, first run:
+## `docker compose -f docker-compose.yml -f docker-compose.nginx.yml --profile acme-init up certbot-init`
+## (nginx must not be running during the initial certificate request)
+## This generates the initial certificate required by nginx.
+## Then start the full stack (including automatic certificate renewal):
+## `docker compose -f docker-compose.yml -f docker-compose.nginx.yml --profile acme up -d`
 #CERT_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
 #KEY_PATH=./certs/etc/letsencrypt/live/${DOMAIN}/privkey.pem
 
+## GitLab SSO (optional)
+## Provide GitLab PKI chain to avoid "certificate signed by unknown authority" errors
+## See:
+## https://github.com/mattermost/mattermost-server/issues/13059
+## https://github.com/mattermost/docker/issues/34
+#GITLAB_PKI_CHAIN_PATH=/pki_chain.pem
+
 ## Exposed ports to the host. Inside the container 80, 443 and 8443 will be used
 HTTPS_PORT=443
 HTTP_PORT=80

From 22b63f1569d3b60ca962b0f64583af29ee16aae9 Mon Sep 17 00:00:00 2001
From: Kliachin Aleksei
Date: Thu, 2 Apr 2026 07:27:18 +0300
Subject: [PATCH 2/2] Fixed: email and port

---
 docker-compose.nginx.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml
index 8ece330..763266a 100644
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@@ -62,6 +62,7 @@ services:
       - ./certs/var/log/letsencrypt:/var/log/letsencrypt
     environment:
       - DOMAIN=${DOMAIN}
+      - HTTP_PORT=${HTTP_PORT}
     ports:
       - ${HTTP_PORT}:${HTTP_PORT}
     entrypoint: |
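Review bot: The added `- HTTP_PORT=${HTTP_PORT}` in certbot-init's `environment:` most likely does not feed the `$HTTP_PORT` reference in the entrypoint below it, because Compose interpolates `$HTTP_PORT` in the compose file itself before the container starts, so the shell already sees the literal value without this entry. The line is harmless, but if the intent was a runtime lookup the reference should be escaped as `$$HTTP_PORT`, and otherwise a short comment such as `## exposed to the container for ad-hoc certbot runs; the entrypoint value is filled in by Compose` would stop the next reader from assuming a dependency that does not exist. certbot-init's entrypoint and the rest of the service continue outside the hunk.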
@@ -70,7 +71,7 @@ services:
           echo 'Certificate already exists for $DOMAIN';
           exit 0;
         fi;
-        certbot certonly --standalone --http-01-port $HTTP_PORT -d $DOMAIN --agree-tos --non-interactive;
+        certbot certonly --standalone --http-01-port $HTTP_PORT -d $DOMAIN --register-unsafely-without-email --agree-tos --non-interactive;
       "
 
 # Shared volume for Let's Encrypt certificate renewal with a webroot
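Review bot: `--register-unsafely-without-email` creates the ACME account with no contact address, so the CA has no way to reach the operator about account recovery, revocations or policy changes affecting this deployment, and the choice is made unconditionally for every installation of the stack. Since every other value on this line already comes from env.example, make the address configurable too (for example an `ACME_EMAIL` entry, documented as optional next to the Let's Encrypt instructions), pass `--email` when it is set, and keep `--register-unsafely-without-email` only as the explicit fallback for an empty value. Because Compose expands these references at parse time, that branch can be a plain `if` in the same `sh -c` script on the expanded value. The `sh -c` string this line belongs to begins outside the hunk.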