This repository has been archived by the owner on May 20, 2022. It is now read-only.

Allow acme challenge through NGINX configuration #348

Closed
wants to merge 1 commit into from

@jfbrazeau jfbrazeau commented Dec 12, 2018

In docker production, the SSL certificate is enabled through NGINX configuration. It would be convenient to ease the integration of Let's Encrypt certificates by allowing ACME challenge files to be exposed through HTTP (http://host:port/.well-known/acme-challenge/<challenge file>).

This merge request is a proposal to enable this through an additional docker volume for the web component (./volumes/web/acme-challenge).
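
An added example of the kind of NGINX configuration this proposal describes; it is not the PR's own change or Mattermost project code. The container mount path, the server name, the plain-HTTP port and the presence of an external ACME client writing tokens into `./volumes/web/acme-challenge` are assumptions.

```nginx
# Added example, not the PR's actual change. Assumptions (not from the page):
#   - the host directory ./volumes/web/acme-challenge is mounted read-only in
#     the web container at /var/www/acme-challenge (hypothetical path)
#   - an ACME client running outside this container writes the token files
#     into that host directory (webroot-style HTTP-01 validation)
#   - "chat.example.com" and port 80 are placeholders
server {
    listen 80;
    server_name chat.example.com;

    # Serve only challenge tokens over plain HTTP. "^~" stops nginx from
    # consulting regex locations, so no other rule can capture this prefix.
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/acme-challenge/;
        default_type text/plain;          # tokens have no file extension
        autoindex off;                    # never list pending tokens
        limit_except GET { deny all; }    # GET/HEAD only
    }

    # The bare directory itself is not a valid challenge URL.
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # Everything else stays HTTPS-only.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Mounting the volume read-only in the web container keeps NGINX from being a write path into the challenge directory; only the ACME client needs write access on the host side.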

@mattermod
Contributor

Thanks @jfbrazeau for the pull request!

Per the CONTRIBUTING.md file displayed when you created this pull request, we need to add you to the list of approved contributors for the Mattermost project.

Please help complete the Mattermost contribution license agreement?

This is a standard procedure for many open source projects. Your form should be processed within 24 hours and reviewers for your pull request will be able to proceed.

Please let us know if you have any questions.

We are very happy to have you join our growing community! If you're not yet a member, please consider joining our Contributors community channel to meet other contributors and discuss new opportunities with the core team.

@pichouk
Contributor

pichouk commented Dec 12, 2018

Hi :)

Thanks, this is a good idea. In fact we will deprecate the Web image one day, but, as you can see, this subject has been open for a while now (and it's my fault). So I'll accept this PR after a few tests, but I just want you to know that we might stop support for the Web image sooner or later ^^

@pichouk
Contributor

pichouk commented Dec 12, 2018

I didn't understand what component requests Let's Encrypt for the certificate here? Is this supposed to work if we enable Let's Encrypt on the Mattermost application? Because I don't see how it can work since the web container and the app container are not sharing volumes together.

@jfbrazeau
Author

As far as I can see, there are 2 ways of configuring TLS on Mattermost server (as we can see here: https://docs.mattermost.com/install/config-tls-mattermost.html). The first is to set up TLS directly on Mattermost Server as you mention. The second is to configure it through NGINX proxy.

In mattermost-docker, as far as I can see the second solution has been chosen (as you can see here: https://github.com/mattermost/mattermost-docker#install-with-ssl-certificate, the SSL certificate must be registered in NGINX, not Mattermost).

As a consequence, I came to the conclusion that it was more relevant to add the ACME challenge capacity to the NGINX docker image. But maybe it wasn't a good conclusion! 😊

You say that you may stop the support for the web image: may I ask you why you plan to remove it?

@mattermod
Contributor

This issue has been automatically labelled "stale" because it hasn't had recent activity.
A core team member will check in on the status of the PR to help with questions.
Thank you for your contribution!

/cc @jasonblais @hanzei

@hanzei

hanzei commented Mar 12, 2019

Hey @pichouk,

What are the next steps on this PR?

@pichouk
Contributor

pichouk commented Mar 12, 2019

We will deprecate and remove the web image so we can close this one.
If someone wants to have a TLS setup, an example based on Traefik will be added by #366
