Closed undergroundwires closed 1 year ago
Normally there is no need for a hacky solution:

1. Log in to the `seafile` Docker container like you did:

   ```sh
   docker exec -it seafile /bin/bash
   ```

   (To log out from the `seafile` Docker container, use the regular keyboard shortcut `Ctrl D`)

   (To avoid having to run Docker as root, run `sudo usermod -aG docker $USER`)

2. Inside the container, do the following:

   * 2.1. Get the latest `acme.sh` script:

     ```sh
     # check version
     /scripts/acme.sh/acme.sh --version
     /scripts/acme.sh/acme.sh --upgrade
     ln -s /root/.acme.sh/acme.sh /scripts/acme.sh/acme.sh
     # check version again
     /scripts/acme.sh/acme.sh --version
     ```

   * 2.2. Replace the `/scripts/ssl.sh` script's content with that of [my fixed version](https://github.com/haiwen/seafile-docker/pull/314):

     ```sh
     curl https://raw.githubusercontent.com/kirisakow/seafile-docker/patch-1/scripts_9.0/ssl.sh | tee /scripts/ssl.sh
     ```

   * 2.3. Run `/scripts/ssl.sh` to generate and install TLS aka SSL certificate:

     ```sh
     /scripts/ssl.sh "/shared/ssl/" "your.seafile.domain.com"
     ```

3. Log out of the container BASH session

4. Test Nginx config and, if no error is found, restart Nginx:

   ```sh
   sudo nginx -t && sudo systemctl restart nginx.service
   ```

Also, you may need to use this oneliner to monitor all Seafile logs (run from outside the container):

```sh
sudo tail -f $(find /opt/seafile-data/ -type f -name '*.log' 2>/dev/null)
```
Thank you Kirisakow. What I did is use your ssl.sh, commit the new seafile docker container.
I ran the `docker-compose up -d` then noticed at last I have a cert in the shared/ssl directory.
I then added the following to my seafile.nginx.conf file (just place your real domain in my.domain.tld):

```nginx
    location / {
        rewrite ^ https://my.domain.tld$request_uri? permanent;
    }
}
server {
    listen 443 ssl;
    ssl_certificate /shared/ssl/my.domain.tld.crt;
    ssl_certificate_key /shared/ssl/my.domain.tld.key;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
```

Saved everything, down and up the docker-compose and I had SSL installed and working. What a 3 week mission this was.
Here is mine:

```nginx
server {
    listen 80;
    listen [::]:80 http2 ipv6only=on;
    server_name seafile.mydomain.com;
    client_max_body_size 0;
    location / {
        proxy_pass http://localhost:81;
    }
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name seafile.mydomain.com;
    client_max_body_size 0;
    location / {
        proxy_pass https://localhost:442;
    }
    ssl_certificate /opt/seafile-data/ssl/seafile.mydomain.com.crt;
    ssl_certificate_key /opt/seafile-data/ssl/seafile.mydomain.com.key;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```
- 2.3. Run `/scripts/ssl.sh` to generate and install TLS aka SSL certificate: `/scripts/ssl.sh "/shared/ssl/" "seafile.your-domain.com"`
In case the aforementioned technique fails, you can instead generate a certificate outside of the Seafile container, by the host (i.e. without the Seafile built-in mechanics):

```sh
sudo certbot \
  --nginx \
  --agree-tos \
  --email "your.email@gmail.com" \
  -d seafile.your-domain.com
```

`/opt/seafile-data/ssl/`) so that the certificate is accessible to the Seafile container:

```sh
# symlink the certificate:
sudo ln -sf /etc/letsencrypt/archive/seafile.your-domain.com/fullchain1.pem /opt/seafile-data/ssl/seafile.your-domain.com.crt
# symlink the private key:
sudo ln -sf /etc/letsencrypt/archive/seafile.your-domain.com/privkey1.pem /opt/seafile-data/ssl/seafile.your-domain.com.key
```

Then proceed with the regular aforementioned steps:

- Log out of the container BASH session
- Test Nginx config and, if no error is found, restart Nginx:

  ```sh
  sudo nginx -t && sudo systemctl restart nginx.service
  ```

Finally, `docker-compose.yml` features `SEAFILE_SERVER_LETSENCRYPT=false` before you fire up Docker Compose. Hope this helps!
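
A check for the path mismatch discussed in this thread, as an added example (not code from the Seafile project or from any commenter): it lists each `ssl_certificate` / `ssl_certificate_key` path in an Nginx config and reports whether it resolves to a file where the script runs, flagging symlinks whose target is absent. The function names and the temporary-directory sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the TLS file paths an Nginx config refers to.
# Prints "STATUS directive path" per directive; returns 1 if any path is bad.
check_nginx_tls_paths() {
    conf=$1
    rc=0
    # Field 1 is the directive, field 2 the path (trailing ';' stripped).
    paths=$(awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
        sub(/;$/, "", $2); print $1, $2 }' "$conf")
    if [ -z "$paths" ]; then
        echo "NONE no ssl_certificate directives in $conf"
        return 1
    fi
    while read -r directive path; do
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            # Symlink exists but its target does not (e.g. target not mounted).
            echo "DANGLING $directive $path -> $(readlink "$path")"; rc=1
        elif [ ! -f "$path" ]; then
            echo "MISSING $directive $path"; rc=1
        else
            echo "OK $directive $path"
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Constructed sample reproducing the mismatch from this thread in a temp dir.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ssl/example.com"
    echo "constructed" > "$d/ssl/example.com/fullchain.cer"    # issued location
    echo "constructed" > "$d/ssl/example.com/example.com.key"
    write_conf() {
        printf 'server {\n  listen 443 ssl;\n  ssl_certificate %s;\n  ssl_certificate_key %s;\n}\n' "$1" "$2" > "$d/seafile.nginx.conf"
    }
    write_conf "$d/ssl/example.com.crt" "$d/ssl/example.com.key"   # expected location
    echo "config with the expected paths:"
    check_nginx_tls_paths "$d/seafile.nginx.conf" || true
    write_conf "$d/ssl/example.com/fullchain.cer" "$d/ssl/example.com/example.com.key"
    echo "config pointing at the issued files:"
    check_nginx_tls_paths "$d/seafile.nginx.conf"
    rm -rf "$d"
}
demo
```

Run it where the Nginx in question runs (inside the container for the container's config), since a path or symlink target that exists on the host may not exist there. It only checks that the files resolve, not that the certificate and key are valid or match.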
Summary
Certification location at nginx configuration does not match certification location received.
This could be fixed by pointing to right location in nginx file.
/shared/ssl/example.com/fullchain.cer
/shared/ssl/example.com.crt
/shared/ssl/example.com/example.com.key
/shared/ssl/example.com.key
Detailed explanation of problem
On fresh installation, certification is created at `/shared/ssl/domain.com/` folder. See logs:

It then starts failing when it loads nginx, the web UI becomes inaccessible. The logs look as following:
My temporary workaround
I share this for others that are looking for a solution before a patch is released.
```sh
sudo docker exec -it seafile /bin/bash
```