Hi after not using Seafile for a longer time, I decided to use it again.
I directly tried out 12.0.6 Docker and the setup went well.
Access to the server works perfectly via Browser, with Letsencrypt signed SSL certs.
However, with the Clients on Linux and Android, I cannot use it correctly.
On Linux (AppImage 9.0.11), I can perfectly log in to my account. However, when I try to sync a library, I receive the message “seafile client failed to establish secure connection”.
If I set “do no verify server certificate in HTTPS syncing” on the client, syncing works well.
On Android (from PlayStore or F-Droid v 3.0.6), I can also log in to my account but then it takes FOREVER to load the list of libraries. Sometimes, it even does not finish. Also if it has loaded the libraries, loading file lists, is again the same.
Downloading or uploading files with the app does not work at all.
On the server, I could not find any suspicious entries in the logs (seafile-data/logs/var-log/nginx/error.log, seafhttp.error.log seahug.error.log seafdav.error.log)
In your seahub_settings.py file do you have FILE_SERVER_ROOT = set up correctly? It should look like ‘https://test-seafile.your.domain.com/seafhttp’. I think if that is wrong (for example if it points to an IP instead of name) that it can cause the sorts of problems you are describing.
I believe the agent logs are in ~/.ccnet/logs, but I’ve not tried the appimage agent so it might be different. SeaDrive agent logs are in ~/.seadrive/logs.
It’s also stored there for the appimage.
When trying to sync a library, I receive an issue that the SSL CA Cert could not be downloaded:
Summary
[12/28/24 12:39:11] http-tx-mgr.c(800): libcurl failed to GET https://seafile.mydomain.de/seafhttp/protocol-version: Problem with the SSL CA cert (path? access rights?).
[12/28/24 12:39:11] clone-mgr.c(716): Transition clone state for <someHash> from [check server] to [error]: Failed to establish secure connection. Please check server SSL certificate
Is it correct that the
seafile-caddy/certificates/acme-v02.api.letsencrypt.org-directory/seafile.mydomain.de
folder and all of the files are owned by root?
Summary
3 -rw------- 1 root root 2844 Dec 9 15:56 seafile.mydomain.de.crt
1 -rw------- 1 root root 512 Dec 28 09:50 seafile.mydomain.de.json
1 -rw-rw---- 1 root myUser 227 Dec 9 15:56 seafile.mydomain.de.key
I haven’t used caddy, but I believe that is correct. The default seafile docker setup seems to use root for everything (part of why I have been so active on the forums recently has been my efforts to fix this). Also I suspect that if that weren’t right, you would get the same certificate errors when going to seafile in your browser.
It might be worth verifying by going to https://seafile.mydomain.de/seafhttp/protocol-version in your browser in private or incognito most to verify it doesn’t complain about the certificate. Some browsers don’t use the system’s root CA cert list to verify (they have their own copy), so it might also be a good idea to check with the openssl command, which would look like this:
Basically if other programs on your machine accept your cert and the seafile agent doesn’t, I would strongly suspect a bug in the agent. There’s a set of trusted CA certs installed on your machine that most or all programs should share (some browser’s don’t trust you to maintain this properly and so they use their own set instead). They are used to verify that your certificate was signed by a trusted cert (or signed by cert that was signed by a trusted cert). If the AppImage isn’t using them right, or is just using its own outdated set, I would call that a bug.
What I’m wondering about: How can it be that no one else encountered this so far?
Makes me a little bit skeptical whether it is really a problem with the client and not with my setup.
That is a good question, especially if your quoted output is correct. My seafile also has a Let’s Encrypt cert, and I installed the AppImage agent in a VM to test it, and it worked for me there. Maybe the AppImage version only has a problem on certain distributions? It worked fine in my VM on Debian 12.
Ok, I have fixed it and I am very sorry!
In the server firewall, I had a number flip with the 443 rule.
I saw it before my last post, but it seems that the client needed to clear some cache before it worked again (also a restart didn’t help).
What’s surprises me is that it had worked with the missing rule in the browser and on the windows client… well
I’m gad you got it fixed, even if I wasn’t much help. I had concluded that there couldn’t be anything at the server end. I guess it’s true that computers express their creativity in the ways they choose cause problems.