Docker with custom SSL certs

(the forum is telling me I can’t have links, so you’ll have to manually tweak the github links below when pasting them, sorry)

The documentation (manual-seafile-com/docker/deploy_seafile_with_docker/#lets-encrypt-ssl-certificate) talks about using custom certs:

If you want to use your own SSL certificate and the volume directory of Seafile data is /opt/seafile-data:

The issue with this is:

  1. seafile.nginx.conf will only be generated to listen on port 443 if https is true (github-dot-com/haiwen/seafile-docker/blob/d20a40767de91c20adbe576e79ee8586428051a6/image/arm_pro_seafile_9.0/templates/seafile.nginx.conf.template#L23-L26)
  2. https will only be true if the Python is_https returns true and is_https is true if SEAFILE_SERVER_LETSENCRYPT is true (github-dot-com/haiwen/seafile-docker/blob/df2628d4cd4fce711285b70182fe9d1ea49fd09c/cluster/scripts/bootstrap.py#L88-L89)

This means that you can only have your Docker server listen on 443 if you set SEAFILE_SERVER_LETSENCRYPT = true, but if you do that, even if you provide your own ssl certs, a cron job will be created to try and renew your certs.

We need a way to enable https without enabling SEAFILE_SERVER_LETSENCRYPT. There needs to be a SEAFILE_SERVER_USE_CUSTOM_SSL_CERT environment variable or something that can be set to true independently of having the automatic Let’s Encrypt cron job. Or something.

@altano: Hi, but that’s definitely wrong. You only have to set the option SEAFILE_SERVER_LETSENCRYPT = true if you want to use a letsencrypt certificate. If you want to use your own certificate, place it in /opt/seafile-data/ssl and then reference it in nginx/conf/seafile.nginx.conf:

 ssl_certificate /shared/ssl/mycert.pem;
 ssl_certificate_key /shared/ssl/mycert.key;

nginx will still be listening on port 443 with your own certificate.

Dirk

Hey Dirk, I think you missed “Docker” in the title?

If I could just edit the nginx conf file however I wanted I wouldn’t have made the post. When using the Docker image the conf file is generated for you. The problems I mentioned are about how it’s getting generated.

Does it make sense now? If not I can try to elaborate further.

No, I’m running seafile pro 8.0.17 on docker and I’m using my own certificate. You just have to edit the seafile.nginx.conf file, like I wrote.

How are you editing nginx/conf/seafile.nginx.conf? Are you shelling into the container and manually modifying it? Won’t those changes be lost if you recreate the container?

No, it’s under /opt/seafile-data on the machine where docker is running. This is described in the seafile manual:
[Seafile Professional Installation - Seafile Admin Manual]
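
Added example, not part of the thread and not Seafile's own code: a Python check that reads the text of a seafile.nginx.conf and reports whether it listens on 443 and which certificate files it references, so you can confirm after recreating the container that a hand-edited TLS block is still there. The sample configs, the hostname and the `tls_status` helper are constructed for illustration; the parser is simplified and does not handle quoted strings or `include` files.

```python
import re

# Constructed sample configs for illustration (not from a real deployment).
HTTP_ONLY = """
server {
    listen 80;
    server_name seafile.example.com;
    location / { proxy_pass http://127.0.0.1:8000/; }
}
"""
CUSTOM_CERT = """
server {
    listen 80;
    server_name seafile.example.com;
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;  # hand-edited TLS block
    ssl_certificate /shared/ssl/mycert.pem;
    ssl_certificate_key /shared/ssl/mycert.key;
    server_name seafile.example.com;
}
"""

# Simple "name args;" directives that follow ';', '{', '}' or a newline.
DIRECTIVE = re.compile(r"(?<=[;{}\n])\s*(\w+)\s+([^;{}]+);")
WANTED = ("listen", "ssl_certificate", "ssl_certificate_key")


def tls_status(conf_text, cert_dir="/shared/ssl/"):
    """Summarise the TLS-relevant directives of an nginx config (hypothetical helper)."""
    # Strip '#' comments, then prepend a newline so the first directive matches.
    text = "\n" + "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())
    found = {name: [] for name in WANTED}
    for name, args in DIRECTIVE.findall(text):
        if name in found and args.strip():
            found[name].append(args.strip())
    # "443 ssl", "0.0.0.0:443" and "[::]:443 ssl" all count as port 443.
    listens_443 = any(a.split()[0].rsplit(":", 1)[-1] == "443" for a in found["listen"])
    cert = (found["ssl_certificate"] or [None])[0]
    key = (found["ssl_certificate_key"] or [None])[0]
    return {
        "listens_443": listens_443,
        "cert": cert,
        "key": key,
        "https_ready": bool(listens_443 and cert and key),
        "files_in_cert_dir": all(p is not None and p.startswith(cert_dir) for p in (cert, key)),
    }
```

To check a live deployment, pass the contents of the nginx/conf/seafile.nginx.conf file that the thread locates under /opt/seafile-data on the Docker host.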