How to set up a Seafile Server with a valid and free SSL-Certificate

My little tutorial may not work for everybody, but for me it’s the perfect solution. What you need:

  • Seafile server with local IP-address
  • Self-signed certificate
  • Any DynDNS-Service (if you don’t have a fixed public IP-address)
  • DNS-Access to your domain name
  • Free Cloudflare-Account

Step 1
Set up the Seafile server with a self-signed SSL-certificate. The server has an internal IP-address, let’s say 192.168.0.5, and is listening on SSL-Port 8001.

So, if you open the web interface with https://192.168.0.5:8001 you will get a message that the certificate is insecure.

Next step is to open the ports in your router to grant access from outside. Redirect port 443 to internal IP 192.168.0.5 and port 8001.

It’s very important that you forward external Port 443 because the free Cloudflare service (description below) only supports the ports 80 and 443.


Step 2
This step is only needed if you don’t have a fixed public IP-address:

One of your devices in your local network should run a DynDNS-Client. It’s not important which service you choose. This tutorial should work with any DynDNS-provider.

Let’s say that your DynDNS-name is seafile.dyndns.org.


Step 3
Now you need a free Cloudflare-account. Add your domain name to this account and follow the instructions of the Cloudflare website. They will generate a free SSL-certificate for your domain (including wildcard-names).

When your domain name is activated in your Cloudflare account, add a DNS-entry for your Seafile-server. It has to be a CNAME entry pointing to your DynDNS-name. The cloud icon on the right side has to be active (orange) for this entry.

Example:
CNAME seafile.yourdomain.xyz --> seafile.dyndns.org

If you have a fixed public IP-address you can make an A-record pointing to your IP instead.

Make sure that your Seafile-server is responding on seafile.yourdomain.xyz.

Check the Cloudflare “Crypto” settings tab. The SSL-mode has to be set to Full. This setting will encrypt the connection between your website visitors and Cloudflare, and from Cloudflare to your server. The difference between Full and Full (Strict) is that Full (Strict) checks for a valid certificate on your origin server, whereas Full checks for any certificate. You will need to have an SSL certificate on your server. However, Cloudflare will not attempt to validate the certificate (certificates may be self-signed).


That’s it! Your Seafile server should now be accessible with https://seafile.yourdomain.xyz without any warning messages. The same domain name can be used with the Seafile clients.

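The Full versus Full (Strict) distinction from the post above, as an added example that is not part of the original post: a local check of which mode an origin certificate would satisfy. The function names are hypothetical, the certificate is a throwaway generated on the spot, and "valid" is approximated as "verifies against the local trust store".

```shell
#!/usr/bin/env bash
# Added example. Classifies an origin certificate the way the post describes the
# two Cloudflare modes: "Full" accepts any certificate, "Full (Strict)" needs a
# valid one. Assumption: "valid" is approximated as "verifies against the local
# trust store"; Cloudflare's own validation is not reproduced here.
#
# To test the real origin from the tutorial, save its certificate first:
#   openssl s_client -connect 192.168.0.5:8001 </dev/null | openssl x509 > origin.crt

# make_selfsigned DIR CN: write a throwaway self-signed cert (constructed sample).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/origin.key" -out "$1/origin.crt" 2>/dev/null
}

# is_self_signed CERT: true when subject and issuer names are identical.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# chains_to_trusted_ca CERT: true when the local trust store validates the cert.
chains_to_trusted_ca() {
  openssl verify "$1" >/dev/null 2>&1
}

# origin_mode CERT: print the strictest mode this certificate would satisfy.
origin_mode() {
  if ! openssl x509 -in "$1" -noout 2>/dev/null; then
    echo "none"            # no parsable certificate: neither mode works
  elif chains_to_trusted_ca "$1"; then
    echo "full-strict"     # validates, so Full (Strict) is possible
  else
    echo "full-only"       # e.g. self-signed: accepted by Full only
  fi
}

# Stand-alone use: ./origin_mode.sh origin.crt
if [ -n "${1:-}" ]; then
  origin_mode "$1"
  if is_self_signed "$1"; then echo "self-signed (subject == issuer)"; fi
fi
```

A result of `full-only` means the Cloudflare-to-origin connection is encrypted but the origin's identity is not checked, which is the setup the tutorial relies on.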

If you don’t need other features from Cloudflare, a cleaner solution would be to just use a free SSL certificate from Let’s Encrypt.

Also, instead of using a CNAME record, you could use a DDNS service that supports custom domains (these can be free as well).

(Just providing some alternatives, your suggestions are useful.)


I agree. But implementing a Let’s Encrypt certificate is a bit more complicated, and on top of that you have to open Port 80 for renewal. My solution doesn’t need that so it’s a bit easier to handle (for me).

I was considering this option, but when you use a free dynamic DNS you don’t own the domain, and I’m not sure you are supposed to/can get a certificate for a host in a domain you don’t own.

Edit: I verified and this violates the agreement with Let’s Encrypt that requires:
“You warrant to ISRG and the public-at-large that You are the legitimate registrant of the Internet domain name that is, or is going to be, the subject of Your Certificate, or that You are the duly authorized agent of such registrant.”

Also the suggested solution based on Cloudflare does not work (any more): Cloudflare asks for a domain and refuses names like seafile.dyndns.org as a subdomain of dyndns.org. And of course one is not supposed to use the host of the dyndns in use as associated to oneself.

It may well violate the Let’s Encrypt agreement, but there’s nothing stopping you doing it in practice.

Alternatively, grab a cheap domain and use that for your DDNS. e.g. .security is $2 per year: https://www.domcomp.com/tld/security

Then you can legitimately use that with a free DDNS provider - however, there are fewer options for free DDNS services that let you use your own domain.

Personally, I use my own domain on Amazon Route 53, with a server-side script to update the IP when it changes.

I understand I can in practice, using fake emails on both fronts; still, they can easily spot you and block you.
Thanks for the reference, $2 is really cheap, and as you said, I don’t know of a DDNS provider that lets you use your domain unless you share it with other users.
I’m now considering using a VPS with a static IP to use a proxy, but the cheapest I’ve found is 40€/y on Aruba. And with a similar amount you get storage hosting.