Letsencrypt verification fails and aborts start of seafile because certificate renew time isn't due
pilere opened this issue · 4 comments
Short:
`docker-compose up` fails because the certificate is still valid and the letsencrypt call returns 2 and not 0.
Long: (confidential values and domain have been redacted)
With the normal docker-compose file:
```yaml
version: '2.0'
services:
  db:
    image: mariadb:10.6
    container_name: seafile-mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<redacted>  # Requested, set the root's password of MySQL service.
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - /opt/seafile-mysql/db:/var/lib/mysql  # Requested, specifies the path to MySQL data persistent store.
      - /opt/seafile-backup/databases:/home  # for migration
    networks:
      - seafile-net
    restart: always
  memcached:
    image: memcached:1.6.18
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    networks:
      - seafile-net
    restart: always
  seafile:
    # https://github.com/haiwen/seafile-docker
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /opt/seafile-data:/shared  # Requested, specifies the path to Seafile data persistent store.
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=<redacted>  # Requested, the value should be root's password of MySQL service.
      - TIME_ZONE=Europe/Paris  # Optional, default is UTC. Should be uncommented and set to your local time zone.
      - SEAFILE_ADMIN_EMAIL=<redacted>  # Specifies Seafile admin user, default is 'me@example.com'.
      - SEAFILE_ADMIN_PASSWORD=<redacted>  # Specifies Seafile admin password, default is 'asecret'.
      - SEAFILE_SERVER_LETSENCRYPT=true  # Whether to use https or not.
      - SEAFILE_SERVER_HOSTNAME=sf.exampledomain.com  # Specifies your host name if https is enabled.
      - SEAFILE_DOCKER_VERBOSE=true  # add debug
    depends_on:
      - db
      - memcached
    networks:
      - seafile-net
    restart: always
networks:
  seafile-net:
```
Starting / restarting (after a reboot, for example) the docker-compose fails with:
```text
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Lets find script dir.
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] _SCRIPT_='/root/.acme.sh/acme.sh'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] _script='/root/.acme.sh/acme.sh'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] _script_home='/root/.acme.sh'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Using config home:/shared/ssl/
seafile | https://github.com/acmesh-official/acme.sh
seafile | v3.0.2
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Running cmd: renew
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Using config home:/shared/ssl/
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] default_acme_server
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] DOMAIN_PATH='/shared/ssl//sf.exampledomain.com'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Renew: 'sf.exampledomain.com'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] Using config home:/shared/ssl/
seafile | [Sat 14 Oct 2023 08:04:32 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
seafile | [Sat 14 Oct 2023 08:04:33 AM CEST] Skip, Next renewal time is: Fri 03 Nov 2023 04:41:03 PM UTC
seafile | [Sat 14 Oct 2023 08:04:33 AM CEST] Add '--force' to force to renew.
seafile | [2023-10-14 08:04:29] Preparing for letsencrypt ...
seafile | [2023-10-14 08:04:29] [debug] waiting for nginx server to be ready
seafile | [2023-10-14 08:04:29] [debug] Active Internet connections (only servers)
seafile | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
seafile | tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 29/nginx: master pr
seafile | tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 29/nginx: master pr
seafile | tcp 0 0 127.0.0.11:33127 0.0.0.0:* LISTEN -
seafile |
seafile | [2023-10-14 08:04:29] [debug] nginx is ready
seafile | [2023-10-14 08:04:30] Starting letsencrypt verification
seafile | Traceback (most recent call last):
seafile | File "/scripts/start.py", line 95, in <module>
seafile | main()
seafile | File "/scripts/start.py", line 51, in main
seafile | init_letsencrypt()
seafile | File "/scripts/bootstrap.py", line 83, in init_letsencrypt
seafile | call('/scripts/ssl.sh {0} {1}'.format(ssl_dir, domain))
seafile | File "/scripts/utils.py", line 70, in call
seafile | return subprocess.check_call(*a, **kw)
seafile | File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
seafile | raise CalledProcessError(retcode, cmd)
seafile | subprocess.CalledProcessError: Command '/scripts/ssl.sh /shared/ssl sf.exampledomain.com' returned non-zero exit status 2.
```
And if I launch it manually within the container with bash debug:
```text
/scripts/ssl.sh /shared/ssl sf.exampledomain.com
+ ssldir=/shared/ssl
+ domain=sf.exampledomain.com
+ mkdir -p /var/www/.well-known/acme-challenge/
+ chmod 755 /var/www/.well-known/acme-challenge/
+ ln -sf /var/www/.well-known/acme-challenge/ /var/www/challenges
++ /root/.acme.sh/acme.sh --home /shared/ssl/ --list
++ grep sf.exampledomain.com
++ grep -v grep
++ wc -l
+ domain_num=1
+ '[' 1 -eq 0 ']'
+ /root/.acme.sh/acme.sh --debug --home /shared/ssl/ --renew -d sf.exampledomain.com --days 60
[Sat 14 Oct 2023 08:24:04 AM CEST] Lets find script dir.
[Sat 14 Oct 2023 08:24:04 AM CEST] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat 14 Oct 2023 08:24:04 AM CEST] _script='/root/.acme.sh/acme.sh'
[Sat 14 Oct 2023 08:24:04 AM CEST] _script_home='/root/.acme.sh'
[Sat 14 Oct 2023 08:24:04 AM CEST] Using config home:/shared/ssl/
https://github.com/acmesh-official/acme.sh
v3.0.2
[Sat 14 Oct 2023 08:24:04 AM CEST] Running cmd: renew
[Sat 14 Oct 2023 08:24:04 AM CEST] Using config home:/shared/ssl/
[Sat 14 Oct 2023 08:24:04 AM CEST] default_acme_server
[Sat 14 Oct 2023 08:24:04 AM CEST] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sat 14 Oct 2023 08:24:04 AM CEST] DOMAIN_PATH='/shared/ssl//sf.exampledomain.com'
[Sat 14 Oct 2023 08:24:04 AM CEST] Renew: 'sf.exampledomain.com'
[Sat 14 Oct 2023 08:24:04 AM CEST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Sat 14 Oct 2023 08:24:04 AM CEST] Using config home:/shared/ssl/
[Sat 14 Oct 2023 08:24:04 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat 14 Oct 2023 08:24:04 AM CEST] Skip, Next renewal time is: Fri 03 Nov 2023 04:41:03 PM UTC
[Sat 14 Oct 2023 08:24:04 AM CEST] Add '--force' to force to renew.
root@2f7e117f1fe2:/scripts# echo $?
2
```
There is a need to update the caller of this script to accept return code 2 or make it non-breaking. I don't really get the current calls to this script; it seems to be called from cron too.
And in bootstrap there should be a check of the certificate's expiration before making the call, so I am not sure where to correct it.
Any guidance is welcome, as I don't know how to help here.
Stéphane
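The caller-side change the report asks for, as an added example (not seafile-docker's own start.py or bootstrap.py): run the same acme.sh renew command that ssl.sh runs, but treat exit status 2 (the "Skip, Next renewal time is ..." case in the log above) as a non-fatal "skipped" result instead of letting `check_call` raise, while still aborting on any other non-zero status. The `acme_renew` and `init_letsencrypt` names, the `RenewResult` type and the `sh -c` stand-in for acme.sh are assumptions of this example.

```python
import subprocess
from dataclasses import dataclass
from typing import List

# Exit statuses of `acme.sh --renew` as seen in the issue log:
# 0 = certificate (re)issued, 2 = "Skip, Next renewal time is ..." (not due yet).
ACME_RENEWED = 0
ACME_SKIP_NOT_DUE = 2


@dataclass
class RenewResult:
    status: str        # "renewed", "skipped" or "failed"
    returncode: int
    output: str


def acme_renew(argv: List[str]) -> RenewResult:
    """Run an acme.sh renew command and interpret its exit status.

    Unlike subprocess.check_call, exit status 2 is reported as a successful
    "skipped" result: the certificate is still valid and nothing needs to
    happen. Any other non-zero status is a genuine failure.
    """
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode == ACME_RENEWED:
        status = "renewed"
    elif proc.returncode == ACME_SKIP_NOT_DUE:
        status = "skipped"
    else:
        status = "failed"
    return RenewResult(status, proc.returncode, proc.stdout + proc.stderr)


def init_letsencrypt(ssl_dir: str, domain: str,
                     acme_sh: str = "/root/.acme.sh/acme.sh") -> RenewResult:
    """Hypothetical replacement for the failing call in bootstrap.py.

    Mirrors the renew command from the ssl.sh bash trace in the issue, but
    only aborts container startup when acme.sh reports a real error.
    """
    argv = [acme_sh, "--home", ssl_dir, "--renew", "-d", domain, "--days", "60"]
    result = acme_renew(argv)
    if result.status == "failed":
        raise subprocess.CalledProcessError(result.returncode, argv, result.output)
    return result


if __name__ == "__main__":
    # Constructed stand-in for acme.sh that reproduces the "not due" exit status.
    fake = ["sh", "-c", "echo 'Skip, Next renewal time is: Fri 03 Nov 2023 04:41:03 PM UTC'; exit 2"]
    print(acme_renew(fake))
```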
Thanks for your feedback.
We will fix the start.py as soon as possible.
Hi, any improvement on this?
Hi, we fixed this issue in version 11.0, bootstrap.py