Bug on renewing Letsencrypt certificate in Seafile 11.0.9 in docker

Hi,

I am using docker image seafileltd/seafile-mc:11.0.9 and for a few days I have had the following issue on container start, which hinders seafile from starting:

[2024-06-11 20:05:24] Found existing cert file /shared/ssl/cloud.something.de.crt
seafile      | Certificate will expire
seafile      | [2024-06-11 20:05:24] Starting letsencrypt verification
seafile-mysql | 2024-06-11 20:05:24 0 [Note] InnoDB: Buffer pool(s) load completed at 240611 20:05:24
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _is_idn_d='cloud.something.de'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _idn_temp
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Lets find script dir.
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _script='/root/.acme.sh/acme.sh'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _script_home='/root/.acme.sh'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Using config home:/shared/ssl
seafile      | https://github.com/acmesh-official/acme.sh
seafile      | v3.0.8
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] LE_WORKING_DIR='/shared/ssl'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Running cmd: renew
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _renewServer
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Using config home:/shared/ssl
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] default_acme_server
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _ACME_SERVER_PATH='v2/DV90'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] DOMAIN_PATH='/shared/ssl/cloud.something.de'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Renew: 'cloud.something.de'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Le_API
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Renew to Le_API=
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] initpath again.
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] Using config home:/shared/ssl
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] default_acme_server
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
seafile      | [Tue Jun 11 08:05:26 PM UTC 2024] _ACME_SERVER_PATH='v2/DV90'
seafile      | Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc.
seafile      | Traceback (most recent call last):
seafile      |   File "/scripts/start.py", line 94, in <module>
seafile      |     main()
seafile      |   File "/scripts/start.py", line 51, in main
seafile      |     init_letsencrypt()
seafile      |   File "/scripts/bootstrap.py", line 86, in init_letsencrypt
seafile      |     raise RuntimeError('Failed to generate ssl certificate for domain {0}'.format(domain))
seafile      | RuntimeError: Failed to generate ssl certificate for domain cloud.something.de

This seems to be an incompatibility of the scripts inside the container and the letsencrypt api. Does anyone have an idea how to fix it?

Thanks
kokoloris1

It looks like it is trying to ask for a certificate for cloud.something.de. That name seems a little unusual. Do you actually own that domain name and have the DNS records all set up to point the letsencrypt servers to this docker?

The url was modified for privacy reasons.
The same settings led to successful certificate generation in the past. The certificate is expiring soon, as the log correctly states. The domain's DNS and NAT are set up to reach the docker container on ports 80 and 443. Entering the domain in the browser shows an nginx error page since seahub is not running.

The error is a missing switch in the letsencrypt call. This is implemented inside the container. Therefore, I believe, it is a bug inside the container.

I found out this error depends on the file “/ssl/cloud.something.de/cloud.something.de.conf”. This file looks like this:

Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/shared/ssl/cloud.something.de.key'
Le_ReloadCmd=''
Le_RealFullChainPath='/shared/ssl/cloud.something.de.crt'
Le_RenewalDays='60'
Le_RenewalDays='60'
Le_RenewalDays='60'
Le_Webroot=''
Le_Domain='cloud.something.de'
Le_Alt=''
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme.zerossl.com/v2/DV90'

Does anyone see a problem here?
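
An added example, not part of any post in this thread and not code from the Seafile image: a shell check that reads an acme.sh domain conf like the one posted above and reports the fields tied to the "Please specify at least one validation method" message in the log, namely an empty Le_Webroot, plus a Le_API host other than the expected CA and keys written more than once. The function names, the constructed sample file and the expectation that the operator wants Let's Encrypt's production host (acme-v02.api.letsencrypt.org) are assumptions.

```shell
#!/bin/sh
# Added example: lint an acme.sh domain .conf (KEY='value' lines) before renewal.

# Print the last value assigned to KEY ($1) in FILE ($2).
conf_get() {
  sed -n "s/^$1='\(.*\)'\$/\1/p" "$2" | tail -n 1
}

# Print one finding per line; return 1 if anything was found, 2 if unreadable.
# $1 = conf file, $2 = CA host the operator expects (assumption, may be empty).
check_acme_conf() {
  conf=$1; expected_ca=$2; rc=0
  [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }

  # No stored validation method for a renewal to reuse.
  if [ -z "$(conf_get Le_Webroot "$conf")" ]; then
    echo "EMPTY Le_Webroot"; rc=1
  fi

  # Compare the stored ACME directory host with the expected CA.
  host=$(conf_get Le_API "$conf" | sed -n 's|^https://\([^/]*\).*|\1|p')
  if [ -n "$expected_ca" ] && [ "$host" != "$expected_ca" ]; then
    echo "CA_MISMATCH $host"; rc=1
  fi

  # Keys written more than once, flagged for review only.
  dups=$(sed -n 's/^\([A-Za-z_]*\)=.*/\1/p' "$conf" | sort | uniq -d | tr '\n' ' ')
  if [ -n "$dups" ]; then
    echo "DUPLICATE ${dups% }"; rc=1
  fi
  return $rc
}

# Constructed sample, abridged from the conf posted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Le_RealKeyPath='/shared/ssl/cloud.something.de.key'
Le_RenewalDays='60'
Le_RenewalDays='60'
Le_Webroot=''
Le_Domain='cloud.something.de'
Le_API='https://acme.zerossl.com/v2/DV90'
EOF
check_acme_conf "$sample" acme-v02.api.letsencrypt.org || true
```

Run against the real file, the first argument would be the path to the domain's .conf under the acme.sh config home shown in the log.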