haiwen / seafile-docker

A Docker image for Seafile server

Letsencrypt verification fails and aborts start of seafile because certificate renew time isn't due #354

Closed pilere closed 3 months ago

pilere commented 8 months ago

Short: the docker-compose up fails because the certificate is valid and the letsencrypt call returns 2 and not 0

Long: (confidential values and the domain have been redacted)

with the normal docker-compose file:

version: '2.0'
services:
  db:
    image: mariadb:10.6
    container_name: seafile-mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<redacted>  # Requested, set the root's password of MySQL service.
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - /opt/seafile-mysql/db:/var/lib/mysql  # Requested, specifies the path to MySQL data persistent store.
      - /opt/seafile-backup/databases:/home # for migration
    networks:
      - seafile-net
    restart: always 

  memcached:
    image: memcached:1.6.18
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    networks:
      - seafile-net
    restart: always 

  seafile:
    # https://github.com/haiwen/seafile-docker
    image: seafileltd/seafile-mc:latest
    container_name: seafile
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /opt/seafile-data:/shared   # Requested, specifies the path to Seafile data persistent store.
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=<redacted>   # Requested, the value should be root's password of MySQL service.
      - TIME_ZONE=Europe/Paris  # Optional, default is UTC. Should be uncommented and set to your local time zone.
      - SEAFILE_ADMIN_EMAIL=<redacted> # Specifies Seafile admin user, default is 'me@example.com'.
      - SEAFILE_ADMIN_PASSWORD=<redacted>     # Specifies Seafile admin password, default is 'asecret'.
      - SEAFILE_SERVER_LETSENCRYPT=true   # Whether to use https or not.
      - SEAFILE_SERVER_HOSTNAME=sf.exampledomain.com # Specifies your host name if https is enabled.
      - SEAFILE_DOCKER_VERBOSE=true #add debug
    depends_on:
      - db
      - memcached
    networks:
      - seafile-net
    restart: always 

networks:
  seafile-net:

the starting / restarting (after reboot for example) of the docker-compose fails with:

seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Lets find script dir.
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] _SCRIPT_='/root/.acme.sh/acme.sh'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] _script='/root/.acme.sh/acme.sh'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] _script_home='/root/.acme.sh'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Using config home:/shared/ssl/
seafile      | https://github.com/acmesh-official/acme.sh
seafile      | v3.0.2
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Running cmd: renew
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Using config home:/shared/ssl/
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] default_acme_server
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] DOMAIN_PATH='/shared/ssl//sf.exampledomain.com'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Renew: 'sf.exampledomain.com'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] Using config home:/shared/ssl/
seafile      | [Sat 14 Oct 2023 08:04:32 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
seafile      | [Sat 14 Oct 2023 08:04:33 AM CEST] Skip, Next renewal time is: Fri 03 Nov 2023 04:41:03 PM UTC
seafile      | [Sat 14 Oct 2023 08:04:33 AM CEST] Add '--force' to force to renew.
seafile      | [2023-10-14 08:04:29] Preparing for letsencrypt ...
seafile      | [2023-10-14 08:04:29] [debug] waiting for nginx server to be ready
seafile      | [2023-10-14 08:04:29] [debug] Active Internet connections (only servers)
seafile      | Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
seafile      | tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      29/nginx: master pr
seafile      | tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      29/nginx: master pr
seafile      | tcp        0      0 127.0.0.11:33127        0.0.0.0:*               LISTEN      -
seafile      |
seafile      | [2023-10-14 08:04:29] [debug] nginx is ready
seafile      | [2023-10-14 08:04:30] Starting letsencrypt verification
seafile      | Traceback (most recent call last):
seafile      |   File "/scripts/start.py", line 95, in <module>
seafile      |     main()
seafile      |   File "/scripts/start.py", line 51, in main
seafile      |     init_letsencrypt()
seafile      |   File "/scripts/bootstrap.py", line 83, in init_letsencrypt
seafile      |     call('/scripts/ssl.sh {0} {1}'.format(ssl_dir, domain))
seafile      |   File "/scripts/utils.py", line 70, in call
seafile      |     return subprocess.check_call(*a, **kw)
seafile      |   File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
seafile      |     raise CalledProcessError(retcode, cmd)
seafile      | subprocess.CalledProcessError: Command '/scripts/ssl.sh /shared/ssl sf.exampledomain.com' returned non-zero exit status 2.

and if I launch it manually within the container with bash debug:

/scripts/ssl.sh /shared/ssl sf.exampledomain.com
+ ssldir=/shared/ssl
+ domain=sf.exampledomain.com
+ mkdir -p /var/www/.well-known/acme-challenge/
+ chmod 755 /var/www/.well-known/acme-challenge/
+ ln -sf /var/www/.well-known/acme-challenge/ /var/www/challenges
++ /root/.acme.sh/acme.sh --home /shared/ssl/ --list
++ grep sf.exampledomain.com
++ grep -v grep
++ wc -l
+ domain_num=1
+ '[' 1 -eq 0 ']'
+ /root/.acme.sh/acme.sh --debug --home /shared/ssl/ --renew -d sf.exampledomain.com --days 60
[Sat 14 Oct 2023 08:24:04 AM CEST] Lets find script dir.
[Sat 14 Oct 2023 08:24:04 AM CEST] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat 14 Oct 2023 08:24:04 AM CEST] _script='/root/.acme.sh/acme.sh'
[Sat 14 Oct 2023 08:24:04 AM CEST] _script_home='/root/.acme.sh'
[Sat 14 Oct 2023 08:24:04 AM CEST] Using config home:/shared/ssl/
https://github.com/acmesh-official/acme.sh
v3.0.2
[Sat 14 Oct 2023 08:24:04 AM CEST] Running cmd: renew
[Sat 14 Oct 2023 08:24:04 AM CEST] Using config home:/shared/ssl/
[Sat 14 Oct 2023 08:24:04 AM CEST] default_acme_server
[Sat 14 Oct 2023 08:24:04 AM CEST] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sat 14 Oct 2023 08:24:04 AM CEST] DOMAIN_PATH='/shared/ssl//sf.exampledomain.com'
[Sat 14 Oct 2023 08:24:04 AM CEST] Renew: 'sf.exampledomain.com'
[Sat 14 Oct 2023 08:24:04 AM CEST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Sat 14 Oct 2023 08:24:04 AM CEST] Using config home:/shared/ssl/
[Sat 14 Oct 2023 08:24:04 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat 14 Oct 2023 08:24:04 AM CEST] Skip, Next renewal time is: Fri 03 Nov 2023 04:41:03 PM UTC
[Sat 14 Oct 2023 08:24:04 AM CEST] Add '--force' to force to renew.
root@2f7e117f1fe2:/scripts# echo $?
2

There is a need to update the caller of this script to accept return code 2 or make it non-breaking. I don't really get the current calls to this script; it seems to be cron too. And in bootstrap there should be a check of the expiration of the certificate before sending the call, so I am not sure where to correct it.

Any guidance is welcome as I don't know how to help here.

Stéphane
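One way the caller could be made tolerant of this, as an added example written for this thread and not code from seafile-docker: treat acme.sh's exit status 2 (the "Skip, Next renewal time is ..." case, where `echo $?` printed 2 above) as a successful no-op while still aborting on any other non-zero status, so a genuinely failed ACME challenge is not silently ignored. The function names, the `/scripts/ssl.sh` default and the stand-in command that replaces ssl.sh so the example runs offline are assumptions.

```python
import subprocess
import sys

# acme.sh exits with 2 when it refuses to renew a certificate that is not yet
# due (observed in the report: "Add '--force' to force to renew." then `$?` = 2).
ACME_SKIP_NOT_DUE = 2


def classify_exit_status(returncode):
    """Map the renewal script's exit status to an outcome, or None for a real error."""
    if returncode == 0:
        return "renewed"
    if returncode == ACME_SKIP_NOT_DUE:
        return "skipped"   # certificate still valid; nothing to do
    return None


def renew_certificate(cmd, timeout=600):
    """Run the renewal command; raise only on exit statuses that mean failure.

    Unlike subprocess.check_call, which raises on every non-zero status,
    a "not yet due" skip is reported as success so container start continues.
    """
    proc = subprocess.run(cmd, timeout=timeout, capture_output=True, text=True)
    outcome = classify_exit_status(proc.returncode)
    if outcome is None:
        raise subprocess.CalledProcessError(proc.returncode, cmd,
                                            proc.stdout, proc.stderr)
    return outcome


def init_letsencrypt(ssl_dir, domain, script="/scripts/ssl.sh"):
    """Same call shape as in the traceback: ssl.sh <ssl_dir> <domain> (assumed path)."""
    outcome = renew_certificate([script, ssl_dir, domain])
    print(f"letsencrypt: certificate for {domain} {outcome}")
    return outcome


def fake_ssl_script(status):
    """Constructed stand-in for ssl.sh that exits with the given status (offline demo)."""
    return [sys.executable, "-c", f"import sys; sys.exit({status})"]


if __name__ == "__main__":
    print(renew_certificate(fake_ssl_script(2)))   # skipped
    print(renew_certificate(fake_ssl_script(0)))   # renewed
```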

SkywalkerSpace commented 6 months ago

Thanks for your feedback. We will fix the start.py as soon as possible.

pilere commented 3 months ago

Hi, any improvement on this?

SkywalkerSpace commented 3 months ago

Hi, we fixed this issue in version 11.0, in bootstrap.py

pilere commented 1 month ago

Hi @SkywalkerSpace, I am sorry to dig up this issue, but I am using the latest docker version and it seems that the /scripts are not coming from version 11.0 ... what makes it use the correct folder?

image: seafileltd/seafile-mc:latest