InfluxDB2 Docker with letsencrypt tls-cert, tls-key

Please let me know if anyone has a working solution for this problem.

Letsencrypt certs are installed and renewed on the docker host’s filesystem /etc/letsencrypt

The InfluxDB2 docker container references these volumes as:

volumes:
- /etc/letsencrypt:/etc/letsencrypt:ro

However, the influxdb user within the container cannot read the private key (defined in config.toml as tls-key:):

docker exec -it influxdb2 bash

root@a837ae487f03:/# id
uid=0(root) gid=0(root) groups=0(root)

root@a837ae487f03:/# id influxdb
uid=1000(influxdb) gid=1000(influxdb) groups=1000(influxdb)

root@a837ae487f03:/# su -c "cat /etc/letsencrypt/live/sfio.win/privkey.pem" influxdb
cat: /etc/letsencrypt/live/sfio.win/privkey.pem: Permission denied

root@a837ae487f03:/# ls -ld /etc/letsencrypt/live/sfio.win/privkey.pem
lrwxrwxrwx 1 root root 46 Feb 12 18:52 /etc/letsencrypt/live/sfio.win/privkey.pem -> /etc/letsencrypt/archive/sfio.win/privkey9.pem

root@a837ae487f03:/# su -c "cat /etc/letsencrypt/archive/sfio.win/privkey9.pem" influxdb
cat: /etc/letsencrypt/archive/sfio.win/privkey9.pem: Permission denied

root@602b8eec7daa:/# ls -ld /etc/letsencrypt/archive/sfio.win/privkey9.pem
-rw-r----- 1 root 113 1704 Feb  2 11:35 /etc/letsencrypt/archive/sfio.win/privkey9.pem

As a result, influxdb exits with an error:

ts=2024-04-06T02:58:41.139901Z lvl=error msg="Failed to load x509 key pair" log_id=0oOLLfZW000 service=tcp-listener cert-path=/etc/letsencrypt/live/sfio.win/fullchain.pem key-path=/etc/letsencrypt/live/sfio.win/privkey.pem

It seems the only alternative to this would be copying the cert and key to a volume that influxdb could read. Yet that defeats the purpose of auto renewal and introduces potential for expiring certs.

I encountered the same issue and resolved it by configuring an Nginx reverse proxy in front of InfluxDB to handle SSL.
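
The permission failure shown in the question can be pinned to one path component. This added example is not from the thread or from InfluxDB. It walks the live/ symlink and its archive/ target and reports the first directory or file whose mode bits stop a given uid. It generalizes the `ls -ld` checks above to every directory on the path. The `example.test` tree, the placeholder key and the function names are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def class_bits(st, uid, gids):
    """rwx triplet the kernel applies: owner, else group, else other (first match only)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_blocker(path, uid, gids, top="/"):
    """(component, needed access, mode) that stops uid, or None if the key is readable.
    Mode bits only: ACLs, capabilities and LSM policy are not considered."""
    top, target = Path(top), Path(os.path.realpath(path))  # follows live/ -> archive/
    dirs = [d for p in (Path(os.path.abspath(path)), target) for d in reversed(p.parents)
            if d == top or top in d.parents]               # only at or below top
    # Directories need search (x = 1); the key file itself needs read (r = 4).
    for comp, need in dict.fromkeys([(d, 1) for d in dirs] + [(target, 4)]):
        st = os.stat(comp)
        if uid != 0 and not class_bits(st, uid, gids) & need:
            return str(comp), "search" if need == 1 else "read", stat.filemode(st.st_mode)
    return None


def build_sample(top):
    """Constructed tree shaped like the post's listing; the 'key' is placeholder text."""
    arch, live = (os.path.join(top, d, "example.test") for d in ("archive", "live"))
    for d in (arch, live):
        os.makedirs(d)
    key = os.path.join(arch, "privkey1.pem")
    with open(key, "w") as fh:
        fh.write("placeholder, not a real key\n")
    os.chmod(key, 0o640)                                   # -rw-r----- as in the post
    os.symlink(key, os.path.join(live, "privkey.pem"))
    for d in (top, os.path.dirname(arch), arch, os.path.dirname(live), live):
        os.chmod(d, 0o755)
    return os.path.join(live, "privkey.pem")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        link = build_sample(os.path.realpath(tmp))
        st = os.stat(link)                                 # uid/gid below match neither owner nor group
        print(first_blocker(link, st.st_uid + 1, {st.st_gid + 1}, os.path.realpath(tmp)))
```

Inside the container the equivalent call would be `first_blocker("/etc/letsencrypt/live/<domain>/privkey.pem", 1000, {1000})`, using the uid and gid that `id influxdb` reports in the question.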