mattermost-docker/docs/issuing-letsencrypt-certificate.md

## Issuing a Let's Encrypt certificate
**NOTE:** Commands with a **$** prefix are executed as a regular user, commands with a **#** prefix as root, and commands without a prefix are database commands.
A Let's Encrypt certificate can be issued with Docker as well, which saves you from installing certbot on the host system.
This guide assumes you're inside the mattermost-docker directory; if you use absolute paths in the volume bind mounts
(e.g. /home/admin/mattermost-docker instead of `${PWD}`) the working directory doesn't matter, as long as the same paths are
used in every step. These commands require that DNS records (A or CNAME) for the domain have been set and resolve to your
server's external IP, and that port 80 is reachable from the internet, because the HTTP-01 challenge is answered on that port.
### 1. Issuing the certificate using the standalone authenticator (because there is no nginx yet)
```
$ sudo docker run -it --rm --name certbot -p 80:80 \
-v "${PWD}/certs/etc/letsencrypt:/etc/letsencrypt" \
-v "${PWD}/certs/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly --standalone -d mm.example.com
```
### 2. Changing the authenticator to webroot for later renewals
```
$ sudo docker run -it --rm --name certbot \
-v "${PWD}/certs/etc/letsencrypt:/etc/letsencrypt" \
-v "${PWD}/certs/lib/letsencrypt:/var/lib/letsencrypt" \
-v shared-webroot:/usr/share/nginx/html \
certbot/certbot certonly -a webroot -w /usr/share/nginx/html -d mm.example.com
```
This will ask you whether to abort or to renew the existing certificate. When you choose to renew, `certbot` issues a new
certificate and rewrites the renewal configuration to use the *webroot* authenticator.
As an alternative, which saves you one certificate issuance against the Let's Encrypt rate limits
(https://letsencrypt.org/docs/rate-limits/), you can edit the renewal configuration yourself with the following commands.
The `sed` pattern is anchored to the `authenticator` line so that no other line containing the word *standalone* is touched:
```
$ sudo sed -i 's/^authenticator = standalone$/authenticator = webroot/' "${PWD}/certs/etc/letsencrypt/renewal/mm.example.com.conf"
$ sudo tee -a "${PWD}/certs/etc/letsencrypt/renewal/mm.example.com.conf" > /dev/null << EOF
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
EOF
```
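The `sed`/`tee -a` pair above does the job once, but running it a second time appends a second `webroot_path` line. The following script is an added example (not code from the mattermost-docker project) that makes the same change idempotently: it rewrites only the `authenticator` line, inserts `webroot_path` in the `[renewalparams]` section ahead of `[[webroot_map]]`, keeps a `.bak` copy, and provides a check you can run before and after. The conf path, the domain `mm.example.com` and the webroot `/usr/share/nginx/html` are taken from this page; the sample renewal file it builds for demonstration is constructed, not copied from a real installation.

```shell
#!/bin/sh
# Added example, not part of the mattermost-docker project: switch a certbot
# renewal config from the standalone to the webroot authenticator safely.
# Unlike a bare "sed -i 's/standalone/webroot/'" plus "tee -a", it only
# touches the authenticator line, keeps a backup, and is idempotent, so a
# second run does not append a second webroot_path line.

# Rewrite the renewal .conf given as $1 in place. $2 is the webroot path
# (defaults to the directory nginx serves in this setup).
switch_renewal_to_webroot() {
    conf="$1"
    webroot="${2:-/usr/share/nginx/html}"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    awk -v webroot="$webroot" '
        # only the authenticator line is rewritten; everything else is copied
        /^authenticator = standalone$/ { $0 = "authenticator = webroot" }
        /^webroot_path = / { seen_path = 1 }
        # webroot_path belongs to [renewalparams], so it must precede [[webroot_map]]
        /^\[\[webroot_map\]\]$/ {
            if (!seen_path) { print "webroot_path = " webroot ","; seen_path = 1 }
            seen_map = 1
        }
        { print }
        END {
            # certbot writes the path list with a trailing comma
            if (!seen_path) print "webroot_path = " webroot ","
            if (!seen_map)  print "[[webroot_map]]"
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Exit 0 if the renewal .conf is set up for webroot renewals, 1 otherwise.
renewal_uses_webroot() {
    grep -q '^authenticator = webroot$' "$1" &&
    grep -q '^webroot_path = ' "$1" &&
    grep -q '^\[\[webroot_map\]\]$' "$1"
}

# Constructed sample of a renewal .conf as written after the standalone run
# (version, paths and account id are placeholders, not from a real installation).
make_sample_conf() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/mm.example.com
cert = /etc/letsencrypt/live/mm.example.com/cert.pem
privkey = /etc/letsencrypt/live/mm.example.com/privkey.pem
chain = /etc/letsencrypt/live/mm.example.com/chain.pem
fullchain = /etc/letsencrypt/live/mm.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Usage (the file is root-owned, so run with sudo):
#   sudo sh switch-webroot.sh "${PWD}/certs/etc/letsencrypt/renewal/mm.example.com.conf"
if [ $# -gt 0 ]; then
    switch_renewal_to_webroot "$1" && renewal_uses_webroot "$1" &&
        echo "renewal of $(basename "$1" .conf) now uses webroot"
fi
```

After switching, `certbot renew --dry-run` (with the same volume mounts as the renewal command in step 3) confirms that the webroot challenge works against the Let's Encrypt staging environment without consuming issuance quota.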
### 3. Command for requesting renewal (Let's Encrypt certificates have a 90-day lifetime; `certbot renew` only renews certificates that are within 30 days of expiry)
```
$ sudo docker run --rm --name certbot \
--network mattermost \
-v "${PWD}/certs/etc/letsencrypt:/etc/letsencrypt" \
-v "${PWD}/certs/lib/letsencrypt:/var/lib/letsencrypt" \
-v shared-webroot:/usr/share/nginx/html \
certbot/certbot renew --webroot-path /usr/share/nginx/html
```
This command can be run on a regular basis (e.g. once a day) from a systemd timer; please take a look at the
*contrib/systemd* folder. Appending `--dry-run` tests the renewal against the Let's Encrypt staging environment without
issuing a real certificate, which is useful for verifying the webroot setup. Note that nginx only reads certificates at
start-up or on reload, so the nginx container has to be reloaded or restarted after a renewal has taken place before the
new certificate is served.