Seafile on Docker: Let's Encrypt auto renew failed

seadrive
docker

#1

Hi,

I have set up Let's Encrypt on my website via Docker, Seafile version 6.3.3. I just noticed today that our certificates expired, so there is an error prompt from the browser that the connection is not secure.

When I did the installation I recall that I set SEAFILE_SERVER_LETSENCRYPT=true so it would auto-renew the certificates, but I'm not quite sure why it didn't auto-renew; perhaps I missed something.

Can anyone give a tip on how to renew this? Trying to find a solution myself, I entered the Docker container via "docker container exec -it seafile bash" and did some checking on the SSL certs and scripts.

I managed to find this script called "acme_tiny.py", followed the guide from its README.md (steps 3 and 6) and created a "renew_cert.sh".

But I got this error when running the script.

    xxxx.csr --acme-dir /var/www/challenges/ > /shared/ssl/signed.crt
    Parsing account key...
    Parsing CSR...
    Found domains: xxxx.net
    Getting directory...
    Directory found!
    Registering account...
    Already registered!
    Creating new order...
    Order created!
    Verifying xxxx.net...
    Traceback (most recent call last):
      File "/shared/ssl/letsencrypt/acme_tiny.py", line 198, in <module>
        main(sys.argv[1:])
      File "/shared/ssl/letsencrypt/acme_tiny.py", line 194, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
      File "/shared/ssl/letsencrypt/acme_tiny.py", line 144, in get_crt
        raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
    ValueError: Wrote file to /var/www/challenges/hPWFWg4YzfofDXJ3yvqts985PRVPFIUj2qhFIxDwqCQ, but couldn't download http://xxxx.net/.well-known/acme-challenge/hPWFWg4YzfofDXJ3yvqts985PRVPFIUj2qhFIxDwqCQ: Error:
    Url: http:/xxxx.net/.well-known/acme-challenge/hPWFWg4YzfofDXJ3yvqts985PRVPFIUj2qhFIxDwqCQ
    Data: None
    Response Code: None
    Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

(I replaced our domain with xxx)

What might be going on here?
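Added example (not from this thread and not code from Seafile or acme_tiny): a small Python script that reproduces the self-check an ACME client does for an HTTP-01 challenge before asking the CA to validate, which is the step that raised the "Wrote file ... but couldn't download" error above. It writes the key authorization into the challenge directory, then fetches it back over plain HTTP and compares the two. It runs entirely against throwaway local servers so it works offline; the token, the key authorization and the "redirect everything to HTTPS" handler are constructed stand-ins. Unlike a plain fetch, the checker refuses to follow a redirect to https://, because that is the situation the traceback shows: the CA (and the client's own check) request the token over HTTP, the web server bounces the request to HTTPS, and an expired certificate then fails verification before the token is ever read.

```python
import functools
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins for the demo; a real ACME client gets these from the CA.
TOKEN = "demo-token-abc123"              # hypothetical challenge token
KEYAUTH = TOKEN + ".demo-thumbprint"     # hypothetical key authorization


def write_challenge(acme_dir, token, keyauth):
    """Step 1 of HTTP-01: put the key authorization where the web server serves it."""
    os.makedirs(acme_dir, exist_ok=True)
    path = os.path.join(acme_dir, token)
    with open(path, "w") as f:
        f.write(keyauth)
    return path


class _NoHttpsRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects to https://. The CA fetches the token over plain HTTP,
    so a site that bounces /.well-known/acme-challenge/ to HTTPS (with an
    expired certificate in front) fails the way the traceback in the post shows."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if newurl.lower().startswith("https://"):
            raise urllib.error.HTTPError(
                newurl, code,
                "redirected to HTTPS; the challenge path must be served over plain HTTP",
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def self_check(url, expected, timeout=5):
    """Step 2: fetch the well-known URL back and compare it with what was written.
    Returns (ok, detail)."""
    opener = urllib.request.build_opener(_NoHttpsRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.URLError as e:          # HTTPError is a subclass of URLError
        return False, "could not download {}: {}".format(url, e)
    if body != expected:
        return False, "served {!r} but expected {!r}".format(body, expected)
    return True, "challenge reachable and content matches"


class _RedirectToHttps(BaseHTTPRequestHandler):
    """Stand-in for a web server that redirects every plain-HTTP request to HTTPS."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://127.0.0.1" + self.path)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def serve(handler):
    """Start a throwaway local HTTP server on a free port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the self-check three ways: correct setup, token missing from the
    webroot, and a server that redirects the challenge path to HTTPS."""
    webroot = tempfile.mkdtemp()
    write_challenge(os.path.join(webroot, ".well-known", "acme-challenge"), TOKEN, KEYAUTH)
    file_handler = functools.partial(SimpleHTTPRequestHandler, directory=webroot)
    files_srv, files_port = serve(file_handler)
    redir_srv, redir_port = serve(_RedirectToHttps)
    path = "/.well-known/acme-challenge/"
    try:
        good = self_check("http://127.0.0.1:%d%s%s" % (files_port, path, TOKEN), KEYAUTH)
        missing = self_check("http://127.0.0.1:%d%sno-such-token" % (files_port, path), KEYAUTH)
        redirected = self_check("http://127.0.0.1:%d%s%s" % (redir_port, path, TOKEN), KEYAUTH)
    finally:
        for srv in (files_srv, redir_srv):
            srv.shutdown()
            srv.server_close()
    return good, missing, redirected


if __name__ == "__main__":
    for name, (ok, detail) in zip(("good", "missing", "redirected"), demo()):
        print("%-10s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
```

To use this against a real host, call `self_check` with the public URL of the challenge file instead of the local servers. A redirect to https:// or a 404 on the token path means the web server in front of Seafile is not serving /.well-known/acme-challenge/ over plain HTTP, and that has to be fixed before any renewal, whether through acme_tiny or certbot, can succeed.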


#2

Hi all,

Managed to solve this issue by installing certbot inside the Seafile Docker container. I just followed the guide from their website, certbot.eff.org/lets-encrypt/ubuntubionic-nginx, and everything went smoothly.

But note that restarting the running Seafile Docker container from the base OS is required in order for it to take effect.

I tried a "service nginx reload" inside the Seafile Docker container, but it doesn't refresh the new cert.

Apart from the downtime from needing to restart the Seafile Docker container, everything is now in order.

I suggest including some info regarding Let's Encrypt renewals inside Docker in the official Seafile documentation; this might help people who stumble on this error in the future.

Cheers!
JC