Please let me know if anyone has a working solution for this problem.
Letsencrypt certs are installed and renewed on the docker hosts’s filesystem /etc/letsencrypt
The InfluxDB2 docker container references these volumes as:
volumes:
- /etc/letsencrypt:/etc/letsencrypt:ro
However, the influxdb user within the container cannot read the private key (defined in config.toml as tls-key:):
docker exec -it influxdb2 bash
root@a837ae487f03:/# id
uid=0(root) gid=0(root) groups=0(root)
root@a837ae487f03:/# id influxdb
uid=1000(influxdb) gid=1000(influxdb) groups=1000(influxdb)
root@a837ae487f03:/# su -c "cat /etc/letsencrypt/live/sfio.win/privkey.pem" influxdb
cat: /etc/letsencrypt/live/sfio.win/privkey.pem: Permission denied
root@a837ae487f03:/# ls -ld /etc/letsencrypt/live/sfio.win/privkey.pem
lrwxrwxrwx 1 root root 46 Feb 12 18:52 /etc/letsencrypt/live/sfio.win/privkey.pem -> /etc/letsencrypt/archive/sfio.win/privkey9.pem
root@a837ae487f03:/# su -c "cat /etc/letsencrypt/archive/sfio.win/privkey9.pem" influxdb
cat: /etc/letsencrypt/archive/sfio.win/privkey9.pem: Permission denied
root@602b8eec7daa:/# ls -ld /etc/letsencrypt/archive/sfio.win/privkey9.pem
-rw-r----- 1 root 113 1704 Feb 2 11:35 /etc/letsencrypt/archive/sfio.win/privkey9.pem
As a result, influxdb exits with an error:
ts=2024-04-06T02:58:41.139901Z lvl=error msg="Failed to load x509 key pair" log_id=0oOLLfZW000 service=tcp-listener cert-path=/etc/letsencrypt/live/sfio.win/fullchain.pem key-path=/etc/letsencrypt/live/sfio.win/privkey.pem
It seems the only alternative to this would be copying the cert and key to a volume that influxdb could read. Yet that defeats the purpose of auto renewal and introduces potential for expiring certs.
