InfluxDB2 Docker with letsencrypt tls-cert, tls-key

Please let me know if anyone has a working solution for this problem.

Let's Encrypt certs are installed and renewed on the Docker host's filesystem, in /etc/letsencrypt

The InfluxDB2 docker container references these volumes as:

- /etc/letsencrypt:/etc/letsencrypt:ro

However, the influxdb user within the container cannot read the private key (defined in config.toml as tls-key:):

docker exec -it influxdb2 bash

root@a837ae487f03:/# id
uid=0(root) gid=0(root) groups=0(root)

root@a837ae487f03:/# id influxdb
uid=1000(influxdb) gid=1000(influxdb) groups=1000(influxdb)

root@a837ae487f03:/# su -c "cat /etc/letsencrypt/live/" influxdb
cat: /etc/letsencrypt/live/ Permission denied

root@a837ae487f03:/# ls -ld /etc/letsencrypt/live/
lrwxrwxrwx 1 root root 46 Feb 12 18:52 /etc/letsencrypt/live/ -> /etc/letsencrypt/archive/

root@a837ae487f03:/# su -c "cat /etc/letsencrypt/archive/" influxdb
cat: /etc/letsencrypt/archive/ Permission denied

root@602b8eec7daa:/# ls -ld /etc/letsencrypt/archive/
-rw-r----- 1 root 113 1704 Feb  2 11:35 /etc/letsencrypt/archive/

As a result, influxdb exits with an error:

ts=2024-04-06T02:58:41.139901Z lvl=error msg="Failed to load x509 key pair" log_id=0oOLLfZW000 service=tcp-listener cert-path=/etc/letsencrypt/live/ key-path=/etc/letsencrypt/live/

It seems the only alternative to this would be copying the cert and key to a volume that influxdb could read. Yet that defeats the purpose of auto renewal and introduces potential for expiring certs.
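An added example, not part of the original post: a deploy hook that ties the copy to renewal, so the copied pair is refreshed every time the certificate is. It assumes the host renews with certbot, which sets RENEWED_LINEAGE when it runs deploy hooks. The destination directory /srv/influxdb2/tls is a placeholder; the owner 1000:1000 and the container name influxdb2 are taken from the session above.

```shell
#!/bin/sh
# Added example: certbot deploy hook, e.g. saved as an executable file under
# /etc/letsencrypt/renewal-hooks/deploy/. certbot runs it after each successful
# renewal with RENEWED_LINEAGE set to the renewed /etc/letsencrypt/live/<name>.

DEST_DIR="${DEST_DIR:-/srv/influxdb2/tls}"   # placeholder path (assumption)
OWNER="${OWNER:-1000:1000}"                  # influxdb uid:gid shown by `id influxdb`
CONTAINER="${CONTAINER:-influxdb2}"          # container name used in the post

# copy_pair SRC_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem (following the live/ symlinks) into
# DEST_DIR so that only OWNER can read the key. Each file is written to a
# temporary name and renamed, so a reader never sees a half-written file.
copy_pair() {
    src=$1; dest=$2; owner=$3
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "missing certificate or key in $src" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    for pair in fullchain.pem:0444 privkey.pem:0400; do
        name=${pair%%:*}; mode=${pair##*:}
        # mktemp creates the file with mode 0600, so the key is never exposed
        tmp=$(mktemp "$dest/.$name.XXXXXX") || return 1
        if cat "$src/$name" > "$tmp" && chown "$owner" "$tmp" &&
           chmod "$mode" "$tmp" && mv -f "$tmp" "$dest/$name"; then
            continue
        fi
        rm -f "$tmp"
        return 1
    done
}

# Only act when certbot invoked us; restart so InfluxDB loads the new pair.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_pair "$RENEWED_LINEAGE" "$DEST_DIR" "$OWNER" && docker restart "$CONTAINER"
fi
```

The container would then mount the destination directory read-only in place of /etc/letsencrypt, with tls-cert and tls-key pointing at the copied files, so the rest of /etc/letsencrypt is not exposed to it.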