quastion, how do I create the crontab with root?
Sudo crontab -e or should I just write crontab -e in the terminal?
And how do I know if it works?
sudo -i
crontab -e
You can save output to log file, so you can check if itās working.
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
I want to install letās encrypt on Ubuntu, I did like the same on this post but not successfully 
, iām using Free Tier at Amazon EC2, OS Ubuntu 16.4
i would use https://github.com/Neilpang/acme.sh
3 Likes
Have been looking for this for a while. Thanks very much!
The community manual actually contains instructions on how to use acme.sh
2 Likes
Hello !
Iām sorry to bother you, but iām trying to get the Letās encrypt certificate for more than one month nowā¦ and it doesnāt work and i donāt understand whyā¦
I search a lot on google and tried many things found on some forum, but iām getting this error again and again:
[quote]Failed authorization procedure. mydomain.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.fr/.well-known/acme-challenge/xW5e-ssGxezDEPUIE2UJZRoLU08n_1sOzad6jTLc4N0 [2001:1600:4:1::b]: 404
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: mydomain.fr
Type: unauthorized
Detail: Invalid response from
http://mydomain.fr/.well-known/acme-challenge/xW5e-ssGxezDEPUIE2UJZRoLU08n_1sOzad6jTLc4N0
[2001:1600:4:1::b]: 404To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.[/quote]
Here is my seafile.conf on nginx:
[quote]server {
listen 80;
listen [::]:80;
server_name mydomain.fr;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect ht$
# Enables or disables emitting nginx version on error pages and in the "Ser$
server_tokens off;
location /.well-known/acme-challenge {
default_type ātext/plainā;
allow all;
root /home/pi/certbot-webroot;
}
}
server {
listen 443;
listen [::]:443;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
error_page 497 https://$host:$server_port$request_uri;
location / {
fastcgi_pass 127.0.0.1:8000 ;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
fastcgi_param REMOTE_ADDR $remote_addr;
access_log /var/log/nginx/seahub.access.log;
error_log /var/log/nginx/seahub.error.log;
}
location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;
}
location /media {
root /home/pi/seafile/seafile-server-latest/seahub;
}
location /.well-known/acme-challenge {
default_type ātext/plainā;
allow all;
root /home/pi/certbot-webroot;
}
}[/quote]
I tried a lot of different nginx differents configurationsā¦ but still get this errorā¦ what am i doing wrong?
Seafile is working normally if i go to the adress, and the port forward on my internet seems to be good (80, 443 and seafile port are going on my raspberry).
I think iām not understanding some easy things on the nginx configuration of the .well-know directory?
Thanks in advance for your help 
, and sorry for my poor englishā¦ iām from France 
I had the same problem a couple of weeks ago. The manual has older instructions and it no longer works. Back last January, there was a security issue that came up with ACME authentication to grab a certificate, and the error you are getting is the error I got. The ACME client could not answer the challenge. The reason is due to that security issue, and now the ACME clients have been updated to new versions, but that isnāt detailed in the Seafile manual.
In my case, I was trying to use Certbot on Debian. However, it would not answer the challenge from Letās Encrypt. I had to manually download certbot-auto, copy it to an appropriate location, run it, and then it grabbed my certificate. I also had to change it in NGinx and also my init.d files. Then, I had to change it for the automatic updates to the certificate, not to mention, tweak some settings in NGinx.
I just noticed you are trying to use Certbot. So, I need some details so that I can come up with a solution for you. What version and flavor of Linux are you using? What version of NGinx are you using? I can help you resolve this.
Wowā¦ i was far from expecting that ! Thanks a lot for your answer !
Iām using Raspbian 4.9.59-v7+ and NGinx is 1.10.3.
Certbot-auto is downloaded in /home/pi/certbot-auto.
My seafile.conf is described above
I hope we can resolve this ! Because it got me mad 
Donāt hesitate if you need to know the content of some filesā¦ and iāll try to answer as fast as i can
Thanks again
Can you tell me the procedure you used to do your configuration? certbot-auto handled everything for me. All I had to do after getting the certificate was setup a few things in NGinx. So, I started with my standard NGinx file. Then, I downloaded certbot-auto using wget. Then, I opened port 80 on my router since Iām using an alternate external port for Seafile. Then I ran certbot-auto. After it gave me the success message, it downloaded the files for me and automatically edited my NGinx file with the proper things. Then, I went in and added the remaining stuff for Seafile. One section to ignore is the dhparams part in the manual. Certbot does that for you.
Once I did all that, it worked like a charm.
Iām on Debian, so I didnāt need to use webroot. You shouldnāt have to either. Let me do some research on your OS and see if itās similar to how I had to do it on Debian.
1 Like
Okā¦ Your version of Raspbian is Debian Stretch based, which means you should be able to use the same method I did. First thing you need to do is change your Nginx config file back to the way it was prior to trying this and also your Seafile configuration. Get rid of all the SSL and https stuff and verify that Seafile is working.
Once you have that done, let me know and we can step through this.
Thanks for your answer.
So, if i understand, i need to edit my seafile.conf to go back to my previous config, which was:
server {
listen 8080;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
error_page 497 https://$host:$server_port$request_uri;
location / {
fastcgi_pass 127.0.0.1:8000 ;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
fastcgi_param REMOTE_ADDR $remote_addr;
access_log /var/log/nginx/seahub.access.log;
error_log /var/log/nginx/seahub.error.log;
}
location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;
}
location /media {
root /home/pi/seafile/seafile-server-latest/seahub;
}}
And then, i run certbot-auto --nginx?
Because the tutorial i followed for the seafile installation make me delete the default nginx config file in /sites-availaible, so i donāt know how is the default nginx config file.
Sorry if iām asking some begginer questionsā¦
Okā¦ So, if that was your original config, were you are already set up for https? It looks like you already had a key and certificate. So, that leads me to ask you why you are trying to do another one?
You donāt have to delete the default config file. I still have mine, and itās the one that monitors port 80. Youāll need your Nginx config to be listening on port 80 in order to pull this off. We can configure that, no problem.
Yes i already have https, but with a self-signed certificateā¦ and i would like to get something more āclean and secureāā¦
The self-signed certificate lead to some secure error in browser and some mobile app (like Keepass2Android)ā¦
I also noticed that you are still using Fastcgiā¦ What version of Seafile are you on? Fastcgi is deprecated now.
6.2.5 for Raspbian.
I think so the tutorial i followed was a little bit oldā¦
Okā¦ Itās really not a big deal and shouldnāt affect us, but keep in mind that since fastcgi is no longer used by Seafile, at some point in the future, theyāll probably remove the usage of it from the code, and youāll be stuck with a non-working server until you change it. I just wanted you to be aware of itā¦
Ok, so, we can try this like it sits with your current SSL in place to see if it works. Since you deleted your default config file and you also are using an alternate port, we need to set up a listening port in your NGinx file.
Here is a sample of my listen port, with my server name changed, of course. Youāll need to change it to yoursā¦ Note that itās different than most configs. Since I now have port 80 open to the world for certbot use, I have it return a 408 error rather than the default NGinx welcome page.
server {
listen 80;
server_name localhost;
server_name your.domain.com;
return 408;
server_tokens off;
So, go ahead and add that listen port to your config file, restart NGinx, and then try to hit it from the webā¦ such as http://your.domain.com. If you get ERR_EMPTY_RESPONSE in Chrome, or THE CONNECTION WAS RESET in Firefox, then it worked.
Oh, and donāt forget the } at the end of it.
It should look like this when you finish.
server {
listen 80;
server_name your.domain.com;
return 408;
server_tokens off;
}
server {
listen 8080;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
error_page 497 https://$host:$server_port$request_uri;
location / {
blah blah blah
}
}