bug: broken certificate renewal
ilka-schulz opened this issue · 5 comments
I am honestly not entirely sure if this is the right repo because I have trouble seeing through the jungle of Seafile components. My bug occurs with the seafileltd/seafile-mc image.
My Seafile 11 container recently stopped working. I changed my image from seafileltd/seafile-mc:latest to seafileltd/seafile-mc:11.0-latest as stated in the documentation and started the container on the new image, but that did not resolve the issue.
Logs:
seafile | *** Running /etc/my_init.d/01_create_data_links.sh...
seafile | *** Booting runit daemon...
seafile | *** Runit started as PID 24
seafile | *** Running /scripts/enterpoint.sh...
seafile | 2024-10-21 16:11:08 Nginx ready
seafile | 2024-10-21 16:11:09 This is an idle script (infinite loop) to keep container running.
seafile | [2024-10-21 16:11:09] Preparing for letsencrypt ...
seafile | [2024-10-21 16:11:09] Found existing cert file /shared/ssl/<censored>.crt
seafile | Certificate will expire
seafile | [2024-10-21 16:11:09] Starting letsencrypt verification
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _is_idn_d='<censored>'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _idn_temp
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Lets find script dir.
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _script='/root/.acme.sh/acme.sh'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _script_home='/root/.acme.sh'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Using config home:/shared/ssl
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] LE_WORKING_DIR='/shared/ssl'
seafile | https://github.com/acmesh-official/acme.sh
seafile | v3.0.8
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Running cmd: renew
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _renewServer
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Using config home:/shared/ssl
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] default_acme_server
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_HOST='acme.zerossl.com'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_PATH='v2/DV90'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] DOMAIN_PATH='/shared/ssl/<censored>'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Renew: '<censored>'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Le_API
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Renew to Le_API=
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] initpath again.
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] Using config home:/shared/ssl
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] default_acme_server
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_HOST='acme.zerossl.com'
seafile | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_PATH='v2/DV90'
seafile | Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc.
seafile | Traceback (most recent call last):
seafile | File "/scripts/start.py", line 94, in <module>
seafile | main()
seafile | File "/scripts/start.py", line 51, in main
seafile | init_letsencrypt()
seafile | File "/scripts/bootstrap.py", line 86, in init_letsencrypt
seafile | raise RuntimeError('Failed to generate ssl certificate for domain {0}'.format(domain))
seafile | RuntimeError: Failed to generate ssl certificate for domain <censored>
I added the required option to /scripts/ssl.sh:
- /root/.acme.sh/acme.sh --debug --home /shared/ssl/ --renew -d ${domain} --days 60
+ /root/.acme.sh/acme.sh --debug --home /shared/ssl/ --renew -d ${domain} --days 60 --nginx
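Review bot: the `--nginx` flag on the `+` line is added only to the `--renew` invocation, yet the log above shows renew reading per-domain state (`DOMAIN_PATH='/shared/ssl/<censored>'`, then `Renew to Le_API=` with an empty value) before it reports the missing validation method; check whether renew takes the method from that stored domain config rather than from this command line, because if it does the flag here cannot help and the stored config is what needs a validation method set (for example by a fresh `--issue --nginx` for the domain).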
I verified that this line is actually the line being run by adding some debugging echo statements.
When I run /scripts/ssl.sh /shared/ssl <censored> from within my seafile container in a bash shell, I get the same error message as above.
The bug is upstream.
I would love to open a bug report there but unfortunately, only project members are allowed to report bugs. Does anyone here know these guys?
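A preflight check for the failure shown in the log above, added here as an example and not part of the Seafile scripts or of acme.sh: it parses an acme.sh per-domain config and reports whether a `--renew` would fail for lack of a stored validation method. The config file layout, the key names Le_Domain and Le_Webroot (Le_API appears in the log), and the sample configs are assumptions/constructed for the example.

```python
import re
from pathlib import PurePosixPath

# acme.sh is assumed to keep per-domain state as shell-style KEY='value' lines in
# <config home>/<domain>/<domain>.conf; the log above shows the config home
# /shared/ssl and DOMAIN_PATH='/shared/ssl/<censored>'.
_LINE = re.compile(r"""^([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|"([^"]*)"|(.*))$""")

def domain_conf_path(config_home: str, domain: str) -> str:
    """Expected location of the domain's acme.sh config (assumed layout)."""
    return str(PurePosixPath(config_home) / domain / f"{domain}.conf")

def parse_acme_conf(text: str) -> dict:
    """Parse KEY='value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            # exactly one of the three value groups matched; take that one
            conf[m.group(1)] = next(g for g in m.group(2, 3, 4) if g is not None)
    return conf

def renew_preflight(conf: dict, domain: str) -> tuple:
    """Return (ok, reason). ok is False when a renew would stop the same way the
    container log did: no validation method (Le_Webroot) stored for the domain."""
    if conf.get("Le_Domain", "") != domain:
        return False, f"config is for {conf.get('Le_Domain') or '<none>'!r}, not {domain!r}"
    if not conf.get("Le_Webroot"):
        return False, "Le_Webroot is empty: no validation method stored, renew will refuse to run"
    return True, f"renew will use validation method {conf['Le_Webroot']!r}"

# Constructed sample configs (not taken from the issue); the first mirrors the broken state.
BROKEN_CONF = """\
Le_Domain='files.example.test'
Le_Webroot=''
Le_API=''
"""
GOOD_CONF = """\
Le_Domain='files.example.test'
Le_Webroot='nginx'
Le_API='https://acme.zerossl.com/v2/DV90'
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        ok, why = renew_preflight(parse_acme_conf(text), "files.example.test")
        print(name, ok, why)
```

Running the check before invoking acme.sh in a startup script turns the opaque RuntimeError from bootstrap.py into a message that names the missing setting.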
In version 12.0, we will redesign the Docker-based deployment and move HTTPS to a dedicated reverse proxy. See https://manual.seafile.com/12.0/setup/overview/
At that time, acme.sh will not be used.
That sounds awesome! I already have an nginx reverse proxy set up with the Docker images nginxproxy/nginx-proxy and nginxproxy/acme-companion. I am actually really frustrated that Seafile does not work with that, so I had to buy an additional IPv4 address after many other users also failed to set up Seafile with a separate nginx reverse proxy.
Are there migration instructions on how to migrate a Seafile Docker setup from Seafile 11 to Seafile 12?
Also, thank you very much for moving away from acme.sh, I appreciate that! That project does not look to me like it should be used in a production environment...
The migration instructions are at: https://manual.seafile.com/12.0/upgrade/upgrade_docker/
They are still a work in progress.