bug: broken certificate renewal #403

Open
ilka-schulz opened this issue Oct 21, 2024 · 5 comments
Comments

@ilka-schulz

ilka-schulz commented Oct 21, 2024

I am honestly not entirely sure if this is the right repo because I have trouble seeing through the jungle of Seafile components. My bug occurs with the seafileltd/seafilemc image.

My Seafile 11 container recently stopped working. I changed my image from seafileltd/seafile-mc:latest to seafileltd/seafile-mc:11.0-latest as stated in the documentation and started the container on the new image but that did not resolve the issue.

Logs:

seafile  | *** Running /etc/my_init.d/01_create_data_links.sh...
seafile  | *** Booting runit daemon...
seafile  | *** Runit started as PID 24
seafile  | *** Running /scripts/enterpoint.sh...
seafile  | 2024-10-21 16:11:08 Nginx ready 
seafile  | 2024-10-21 16:11:09 This is an idle script (infinite loop) to keep container running. 
seafile  | [2024-10-21 16:11:09] Preparing for letsencrypt ...
seafile  | [2024-10-21 16:11:09] Found existing cert file /shared/ssl/<censored>.crt
seafile  | Certificate will expire
seafile  | [2024-10-21 16:11:09] Starting letsencrypt verification
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _is_idn_d='<censored>'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _idn_temp
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Lets find script dir.
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _script='/root/.acme.sh/acme.sh'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _script_home='/root/.acme.sh'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Using config home:/shared/ssl
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] LE_WORKING_DIR='/shared/ssl'
seafile  | https://github.com/acmesh-official/acme.sh
seafile  | v3.0.8
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Running cmd: renew
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _renewServer
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Using config home:/shared/ssl
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] default_acme_server
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_HOST='acme.zerossl.com'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_PATH='v2/DV90'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] DOMAIN_PATH='/shared/ssl/<censored>'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Renew: '<censored>'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Le_API
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Renew to Le_API=
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] initpath again.
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] Using config home:/shared/ssl
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] default_acme_server
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_HOST='acme.zerossl.com'
seafile  | [Mon Oct 21 04:11:11 PM CEST 2024] _ACME_SERVER_PATH='v2/DV90'
seafile  | Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc.
seafile  | Traceback (most recent call last):
seafile  |   File "/scripts/start.py", line 94, in <module>
seafile  |     main()
seafile  |   File "/scripts/start.py", line 51, in main
seafile  |     init_letsencrypt()
seafile  |   File "/scripts/bootstrap.py", line 86, in init_letsencrypt
seafile  |     raise RuntimeError('Failed to generate ssl certificate for domain {0}'.format(domain))
seafile  | RuntimeError: Failed to generate ssl certificate for domain <censored>

I added the required option to /scripts/ssl.sh:

-     /root/.acme.sh/acme.sh --debug --home /shared/ssl/ --renew -d ${domain} --days 60
+     /root/.acme.sh/acme.sh --debug --home /shared/ssl/ --renew -d ${domain} --days 60 --nginx
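Review bot: adding `--nginx` to the `--renew` line does not address the failure shown in the log, which is consistent with the same error coming back after the change. acme.sh's renew path takes the validation method from the per-domain conf under the `--home` directory (`/shared/ssl/<domain>/`), not from the renew command line, and the log shows `Le_API` read back empty, which points at a missing or incomplete domain conf rather than a missing flag. Check that conf for a `Le_Webroot` entry; if it is gone, re-issue with `--issue --nginx -d ${domain}` instead of patching the renew call. Minor: `${domain}` is unquoted in both lines; use `"${domain}"`.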

I verified that this line is actually the one being run by adding a debugging echo statement.

When I run /scripts/ssl.sh /shared/ssl <censored> from a bash shell inside my seafile container, I get the same error message as above.
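The following is an added example, not code from the issue, from Seafile or from acme.sh: a pre-flight check for the renew step in /scripts/ssl.sh that reproduces the failure mode above on constructed input. It assumes acme.sh's conf layout under the `--home` directory (`<home>/<domain>/<domain>.conf`, validation method stored under `Le_Webroot`) and the acme.sh path seen in the log; the conf files it is tested with are constructed, not taken from the issue.

```shell
#!/usr/bin/env bash
# Added example (not Seafile's or acme.sh's own code).
#
# acme.sh --renew reads the validation method from Le_Webroot in the
# per-domain conf under --home. When that key is missing or empty,
# renew aborts with "Please specify at least one validation method",
# which is the error in the issue. Check the conf first and, if it is
# broken, fall back to a fresh --issue with an explicit method instead
# of adding flags to the --renew line.

# Assumption: acme.sh lives where the issue's log says it does.
ACME=${ACME:-/root/.acme.sh/acme.sh}

# Print the stored validation method for a domain (Le_Webroot, with the
# surrounding quotes stripped). Return 1 if the conf is unreadable or
# the key is absent or empty.
acme_stored_method() {
    local home="$1" domain="$2"
    local conf="${home}/${domain}/${domain}.conf"
    [ -r "$conf" ] || return 1
    local raw
    raw=$(sed -n 's/^Le_Webroot=//p' "$conf" | head -n 1)
    raw=${raw#\'}; raw=${raw%\'}; raw=${raw#\"}; raw=${raw%\"}
    [ -n "$raw" ] || return 1
    printf '%s\n' "$raw"
}

# Print (dry-run style) the acme.sh command the renewal step should run:
# a plain --renew when the conf carries a method, otherwise a re-issue
# with --nginx so the method is stated explicitly.
renew_command() {
    local home="$1" domain="$2"
    if acme_stored_method "$home" "$domain" >/dev/null; then
        printf '%s --home %s --renew -d %s --days 60\n' "$ACME" "$home" "$domain"
    else
        printf '%s --home %s --issue --nginx -d %s --days 60\n' "$ACME" "$home" "$domain"
    fi
}

# Usage: ./check_renew.sh /shared/ssl example.com
if [ "$#" -ge 2 ]; then
    renew_command "$1" "$2"
fi
```

Run it with the acme.sh home and the domain; it prints the command it would run rather than executing it, so it is safe to use as a diagnostic before touching the live container.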

@ilka-schulz
Author

The bug is upstream.

I would love to open a bug report there but unfortunately, only project members are allowed to report bugs. Does anyone here know these guys?

@freeplant
Member

In version 12.0, we will redesign the docker based deployment and move HTTPS to a dedicated reverse proxy. See https://manual.seafile.com/12.0/setup/overview/

At that time, acme.sh will not be used.

@ilka-schulz
Author

> In version 12.0, we will redesign the docker based deployment and move HTTPS to a dedicated reverse proxy. See https://manual.seafile.com/12.0/setup/overview/
>
> At that time, acme.sh will not be used.

That sounds awesome! I already have an nginx reverse proxy set up with the Docker images nginxproxy/nginx-proxy and nginxproxy/acme-companion. I am actually really frustrated that Seafile does not work with that, so I had to buy an additional IPv4 address after many other users also failed to set up Seafile with a separate nginx reverse proxy.

Are there instructions on how to migrate a Seafile Docker setup from Seafile 11 to Seafile 12?

@ilka-schulz
Author

Also thank you very much for moving away from acme.sh, I appreciate that! That project does not look to me like it should be used in a production environment...

@freeplant
Member

> Are there instructions on how to migrate a Seafile Docker setup from Seafile 11 to Seafile 12?

The migration instruction is at: https://manual.seafile.com/12.0/upgrade/upgrade_docker/

It is still a work in progress.
