-
|
I'm trying to access the LetsEncrypt certificates, where the user guide for certbot advises to keep them for renewal purposes; I mounted the directory into the container and it looks promising, when I inspect it. "Mounts": [
{
"Type": "volume",
"Name": "foundryvtt_data",
"Source": "/var/lib/docker/volumes/foundryvtt_data/_data",
"Destination": "/data",
"Driver": "local",
"Mode": "z",
"RW": true,
"Propagation": ""
},
{
"Type": "bind",
"Source": "/etc/letsencrypt",
"Destination": "/etc/letsencrypt",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],My "sslCert": "/etc/letsencrypt/live/my.domain/fullchain.pem",
"sslKey": "/etc/letsencrypt/live/my.domain/privkey.pem",But as the log shows, Foundry looks under FoundryVTT | 2021-04-12 22:56:29 | [error] The configured sslKey path /data/Config/etc/letsencrypt/live/my.domain/privkey.pem does not exist or is not accessible.
FoundryVTT | 2021-04-12 22:56:29 | [error] The configured sslCert path /data/Config/etc/letsencrypt/live/my.domain/cert.pem does not exist or is not accessible.How do I persuade Foundry to do what I have in mind? When running without container, Foundry is able to look outside of the Config directory. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
@F1D3LL1O, I was able to make this work using the following version: "3.8"
secrets:
credentials:
file: credentials-mine.json
services:
foundry:
image: felddy/foundryvtt:release
hostname: felddy_foundryvtt
init: true
restart: "no"
volumes:
- type: bind
source: ./data
target: /data
- type: bind
source: /etc/letsencrypt
target: /etc/letsencrypt
environment:
- CONTAINER_CACHE=/data/container_cache
- CONTAINER_VERBOSE=true
- TIMEZONE=US/Eastern
- FOUNDRY_UID=501
- FOUNDRY_GID=20
- FOUNDRY_SSL_CERT=/etc/letsencrypt/live/test/fullchain.pem
- FOUNDRY_SSL_KEY=/etc/letsencrypt/live/test/privkey.pem
- FOUNDRY_UPNP=false
secrets:
- source: credentials
target: config.json
ports:
- target: 30000
published: 30000
protocol: tcpI would suggest not mapping the entire letsencrypt directory into the container. This would limit any collateral damage done by a successful exploit on the FoundryVTT server. Also, if you target the volume into the The following example shows how that could be achieved: ---
version: "3.8"
secrets:
credentials:
file: credentials-mine.json
services:
foundry:
image: felddy/foundryvtt:release
hostname: felddy_foundryvtt
init: true
restart: "no"
volumes:
- type: bind
source: ./data
target: /data
- type: bind
source: /etc/letsencrypt/live/test
target: /data/certs
environment:
- CONTAINER_CACHE=/data/container_cache
- CONTAINER_VERBOSE=true
- TIMEZONE=US/Eastern
- FOUNDRY_UID=501
- FOUNDRY_GID=20
- FOUNDRY_SSL_CERT=/data/certs/fullchain.pem
- FOUNDRY_SSL_KEY=/data/certs/privkey.pem
- FOUNDRY_UPNP=false
secrets:
- source: credentials
target: config.json
ports:
- target: 30000
published: 30000
protocol: tcpI hope this helps. Let me know if it does. |
Beta Was this translation helpful? Give feedback.
-
|
I still can't get it to look outside of it's Config directory. Nonetheless I got it to work by mounting the files directly into the directory:
To be honest, after some tries with your first example, I didn't even try the second one. I just wanted it to work. And if that's how Foundry wants it, that's what it gets. It's really a pain, to get docker-compose examples to work, if you're starting out with your little Raspberry Pi and Docker doesn't really care enough for arm processors. I had to set up Docker on my main computer and control the Pi remotely via docker-compose. I'm sorry it took me so long to reply. |
Beta Was this translation helpful? Give feedback.
@F1D3LL1O,
I think I understand your use case, and it should be doable. I would double-check the permissions on the certificate files. I think that they are usually accessible by
rootonly, which could prevent FoundryVTT from reading them.I was able to make this work using the following
docker-compose.ymlfile: