Is it possible to reuse certificates for ejabberd

elbullazul · 16 September 2024 23:20

I’d like to reuse the certificates generated by SWAG for ejabberd, but when running the container with user: 9000:9000 (recommended user), it can’t read the .pem files:

[error] Failed to read PEM file /opt/ejabberd/conf/privkey.pem: permission denied

Here’s how the certificates are mounted:

services:
  ejabberd:
    image: ghcr.io/processone/ejabberd:latest
    container_name: ejabberd
    environment:
      UID: 1000
      GID: 1000
    volumes:
      - ejabberd/db:/opt/ejabberd/database
      - ejabberd/config/ejabberd.yml:/opt/ejabberd/conf/ejabberd.yml
      - swag/config/etc/letsencrypt/live/domain.example/fullchain.pem:/opt/ejabberd/conf/fullchain.pem:ro
      - swag/config/etc/letsencrypt/live/domain.example/privkey.pem:/opt/ejabberd/conf/privkey.pem:ro

Does anyone have any idea if it is indeed possible?

j0nnymoe · 16 September 2024 23:23

It’s documented in the readme: GitHub - linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.

You’ll need to make sure the container share permissions.

elbullazul · 17 September 2024 00:05

thanks for the link.

Unfortunately ejabberd must be run with user: "root" or user: 9000:9000, otherwise the service can’t run.

Is there a way to share existing certs with another user, or should i just create copies of the .pem files instead?

j0nnymoe · 17 September 2024 05:52

Don’t know why you keep mentioning user/group 9000 when you’ve not used it in the compose you posted above. Also quick dive into their docs doesn’t show any UID/GID so if you ran it as root, it would see all the certs anyways.

Just try using the example we give in the doc and then edit the conf of the app to use the new locations.