provide a working example for HTTPS (Docker) #102

Open
Staubgeborener opened this issue Dec 20, 2020 · 4 comments

@Staubgeborener

Staubgeborener commented Dec 20, 2020

Can someone provide a working example for the https connection?

I build the docker container with this docker-compose.yml:

version: "3.8"
services:
  server:
    build: .
    image: ottomated/crewlink-server:build
    container_name: crewlinkserver
    ports:
        - 9736:9736
    expose:
        - 9736
    environment:
        ADDRESS: "https://sub.domain.com"
        NAME: sub
        HTTPS: #Enables https. You must place privkey.pem and fullchain.pem in your CWD.
        # SSLPATH: Specifies an alternate path to SSL certificates.
    restart: unless-stopped

Exact steps:

git clone https://github.com/ottomated/crewlink-server.git
cd crewlink-server
#create docker-compose.yaml with the content above
sudo docker-compose up -d

Basically this works. I (and everyone else) can connect to http://sub.domain.com:9736. Also this website shows up:

CrewLink Server

This is a CrewLink Server running on https://sub.domain.com.

There are currently 0 connected users.

To launch your own server, click here.

Please notice the https!

Now I want to use https. But right now I can only access the voice relay chat over http. Many questions here, because the Readme.md didn't provide a good example for this:

  1. Is HTTPS: enough? Or is this a boolean like HTTPS: true?
  2. What is the CWD in this case? The crewlink-server directory?
  3. Please provide a working example of how to create privkey.pem and fullchain.pem

My domain https://sub.domain.com actually has a Let's Encrypt certificate, created with a service of my domain provider. So https://sub.domain.com is reachable with the browser.

So, short: Please provide a working example for creating privkey.pem and fullchain.pem and for the https connection (docker-compose).

@mhvis

mhvis commented Dec 20, 2020

I got it working as follows:

  1. Put privkey.pem and fullchain.pem somewhere inside the container, e.g. using a volume.
  2. Fill SSLPATH with the path where you put privkey.pem and fullchain.pem.
  3. Expose port 443 instead of 9736, that's used for HTTPS.

For the server address, use https://sub.domain.com without a port number.

If you created the Let's Encrypt certificate with a service from your domain provider you might be able to download privkey.pem and fullchain.pem from them somewhere. You could also generate them yourself using Certbot with the command certbot certonly, however you'll need to search for more detailed instructions on that. Also note that the Let's Encrypt certificates are only valid for 3 months so you'll have to renew them in time or make it automatic.

Edit: my service looks like this:

crewlink:
    image: crewlink
    environment:
        ADDRESS: mydomain.com
        HTTPS: "true"
        SSLPATH: /letsencrypt/
    ports:
        - 9736:9736
        - 443:443
    volumes:
        - ./letsencrypt/:/letsencrypt/

@Staubgeborener

Staubgeborener commented Dec 20, 2020

@mhvis I'll give it a try and get back to you in the next few days.

@Maikel1990

Maikel1990 commented Dec 21, 2020

I was struggling with it for a couple of days, because my knowledge of reverse proxies etc. is very bad. What I did now is install nginx proxy manager and set up a reverse proxy to the crewlink server link.

The only thing I did is -e address=subdomain.mydomain.tld; I can connect with the application, but I only need to test it with others.

@danfeldmann

That one has worked for me:

version: "3"
services:
  server:
    build: .
    image: ottomated/crewlink-server:build
    container_name: crewlinkserver
    volumes:
            - /etc/letsencrypt/:/letsencrypt/
    ports:
        - 9736:9736
        - 443:443
    expose:
        - 9736
        - 443
    environment:
        ADDRESS: "https://crewlink.domain.tld"
        NAME: crewlink
        HTTPS: "true" #Enables https. You must place privkey.pem and fullchain.pem in your CWD.
        SSLPATH: /letsencrypt/live/crewlink.domain.tld/ #Specifies an alternate path to SSL certificates.
    restart: unless-stopped

But I had to change the folder rights for /etc/letsencrypt/live and archive to 705. Archive because the live folder contains only symlinks :(

chmod -R 705 /etc/letsencrypt/{archive,live}
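
The chmod -R 705 above sets the "other" bits to r-x on every file under archive, so privkey.pem becomes world-readable on the Docker host. An alternative, as an added example that is not part of the thread or the project's own code: copy the two files into a dedicated directory with tight modes and mount only that directory. The staging path and the OWNER uid are assumptions to adapt to your host and image.

```shell
#!/bin/sh
# Added example, not from the thread: give the container its own copy of the
# two PEM files instead of loosening permissions on /etc/letsencrypt.

# world_readable FILE: succeed if the "other" read bit is set (follows symlinks).
world_readable() {
    [ "$(ls -lLd "$1" | cut -c8)" = "r" ]
}

# stage_certs LIVE_DIR DEST_DIR [OWNER]
#   LIVE_DIR  certbot-style live directory (symlinks into ../../archive/...)
#   DEST_DIR  directory to bind-mount into the container (hypothetical path)
#   OWNER     optional uid[:gid] of the container process (assumption: look it
#             up for your image); changing ownership requires root
stage_certs() {
    live=$1
    dest=$2
    owner=${3:-}
    for f in privkey.pem fullchain.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable: $live/$f" >&2
            return 1
        fi
    done
    # umask 077 keeps the key private from the moment the copy is created.
    ( umask 077
      mkdir -p "$dest" &&
      cp -L "$live/privkey.pem" "$live/fullchain.pem" "$dest/" ) || return 1
    # Re-assert modes in case DEST_DIR or the files already existed.
    chmod 700 "$dest" || return 1
    chmod 600 "$dest/privkey.pem" || return 1
    chmod 644 "$dest/fullchain.pem" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi
    if world_readable "$dest/privkey.pem"; then
        echo "privkey.pem is still world-readable" >&2
        return 1
    fi
}

# Typical call on the Docker host (domain and paths are placeholders):
#   stage_certs /etc/letsencrypt/live/crewlink.domain.tld /srv/crewlink-certs 1000:1000
```

Mount the staged directory read-only (for example /srv/crewlink-certs/:/letsencrypt/:ro with SSLPATH: /letsencrypt/) and re-run the function after each renewal, for instance from certbot's --deploy-hook.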
