Use automatic location for certificates

README: SSL certificates
Port 5223 for legacy ssl c2s

Dockerfile

@@ -50,7 +50,7 @@ RUN buildDeps='gcc git libc6-dev libidn11-dev liblua5.2-dev libsqlite3-dev libss
  \
  && apt-get purge -y --auto-remove $buildDeps
 
-EXPOSE 5000 5222 5269 5347 5280 5281
+EXPOSE 5000 5222 5223 5269 5347 5280 5281
 
 RUN groupadd -r prosody \
  && useradd -r -g prosody prosody \

conf.d/05-vhost.cfg.lua

@@ -3,11 +3,17 @@ local domain_http_upload = os.getenv("DOMAIN_HTTP_UPLOAD")
 local domain_muc = os.getenv("DOMAIN_MUC")
 local domain_proxy = os.getenv("DOMAIN_PROXY")
 
+-- This is a fallback just for http_upload because service certificates are searched differently
+-- https://prosody.im/doc/certificates#service_certificates
 ssl = {
-	key = "/usr/local/etc/prosody/certs/prosody.key";
-	certificate = "/usr/local/etc/prosody/certs/prosody.crt";
+	certificate = "certs/" .. domain .. "/fullchain.pem";
+	key = "certs/" .. domain .. "/privkey.pem";
 }
 
+-- XEP-0368: SRV records for XMPP over TLS
+-- https://compliance.conversations.im/test/xep0368/
+legacy_ssl_ports = { 5223 }
+
 VirtualHost (domain)
 
 -- Set up a http file upload because proxy65 is not working in muc

readme.md

@@ -19,12 +19,19 @@ While Conversations got everything set-up out-of-the-box, Gajim was used with th
   - [Image Details](#image-details)
     - [Ports](#ports)
     - [Directories](#directories)
+      - [Data](#data)
+      - [Bundled modules](#bundled-modules)
+      - [Additionally installed prosody modules](#additionally-installed-prosody-modules)
+      - [Config](#config)
+      - [SSL certificates](#ssl-certificates)
+        - [Folder structure](#folder-structure)
+        - [Symlinks](#symlinks)
+        - [Permissions](#permissions)
     - [Run](#run)
     - [Configuration](#configuration)
       - [Environment variables](#environment-variables)
       - [DNS](#dns)
       - [server_contact_info](#server_contact_info)
-    - [Debugging](#debugging)
     - [Extend](#extend)
     - [Upgrade](#upgrade)
   - [Test your server](#test-your-server)
@@ -53,6 +60,7 @@ The following ports are exposed:
 
 * 5000: proxy65 port used for file sharing
 * 5222: c2s port (client to server)
+* 5223: c2s legacy ssl port (client to server)
 * 5269: s2s port (server to server)
 * 5347: XMPP component port
 * 5280: BOSH / websocket port
@@ -60,17 +68,60 @@ The following ports are exposed:
 
 ### Directories
 
-* Data: ```/usr/local/var/lib/prosody/```
+#### Data
+
+Path: ```/usr/local/var/lib/prosody/```.
+
 * used for SQLite file
 * used for HTTP uploads
 * this is exposed as docker volume
-* Bundled modules: ```/usr/local/lib/prosody/modules/```
-* Additionally installed prosody modules: ```/usr/local/lib/prosody/custom-modules/```
-* Config: ```/usr/local/etc/prosody/```
+  
+#### Bundled modules
+
+Path: ```/usr/local/lib/prosody/modules/```.
+
+#### Additionally installed prosody modules
+
+Path: ```/usr/local/lib/prosody/custom-modules/```.
+
+#### Config
+
+Path: ```/usr/local/etc/prosody/```.
+
 * containing the main config file called ```prosody.cfg.lua```
 * containing additional config files within ```conf.d/```
-* SSL certificates: ```/usr/local/etc/prosody/certs/```
-  * expects private key to be named ```prosody.key``` and certificate (fullchain) to be ```prosody.crt```
+
+#### SSL certificates
+
+Path: ```/usr/local/etc/prosody/certs/```.
+
+Uses [automatic location](https://prosody.im/doc/certificates#automatic_location) to find your certs.
+
+The http_upload module does not use the same search algorithm for the certificates. See [service certificates](https://prosody.im/doc/certificates#service_certificates).
+
+The setting ssl in [05-vhost.cfg.lua](./conf.d/05-vhost.cfg.lua) configures certificates globally as a fallback.
+
+Which defaults to ```cert/domain.tld/fullchain.pem``` and ```cert/domain.tld/privkey.pem```.
+
+##### Folder structure
+
+An example certificate folder structure could look like this:
+
+TODO
+
+Thats how Let's encrypt certbot does it out of the box.
+
+##### Symlinks
+
+certbot creates the structure and uses symlinks to the actual certificates.
+If you mount them like that prosody somehow does not find them.
+I copied them to a folder named ```certs``` next to my ```docker-compose.yml``` and made sure to use the ```-L``` flag of ```cp```.
+This makes cp follow symbolic links when copying from them.
+For example ```cp -L src dest```.
+
+##### Permissions
+
+TODO
 
 ### Run
 
@@ -90,15 +141,14 @@ services:
     environment:
       DOMAIN: domain.tld
     volumes:
-      - ./privkey.pem:/usr/local/etc/prosody/certs/prosody.key
-      - ./fullchain.pem:/usr/local/etc/prosody/certs/prosody.crt
+      - ./certs:/usr/local/etc/prosody/certs
       - ./data:/usr/local/var/lib/prosody
     restart: unless-stopped
 ```
 
-Boot it via: ```docker-compose up -d```
+Boot it via: ```docker-compose up -d```.
 
-Inspect logs: ```docker-compose logs -f```
+Inspect logs: ```docker-compose logs -f```.
 
 ### Configuration
 
@@ -141,24 +191,6 @@ It is configured for the following contacts:
 
 You can change them in [05-server_contact_info.cfg.lua](./conf.d/04-server_contact_info.cfg.lua).
 
-### Debugging
-
-Change to verbose logging by replacing the following config lines within ```prosody.cfg.lua```:
-
-```lua
-log = {
-    {levels = {min = "info"}, to = "console"};
-};
-```
-
-with:
-
-```lua
-log = {
-    {levels = {min = "debug"}, to = "console"};
-};
-```
-
 ### Extend
 
 There is a helper script that eases installing additional prosody modules: ```docker-prosody-module-install```