Issue renewing certificate with seafile

OK, created:

/usr/share/nginx/html/well-known/acme-challenge

Modified this file: /etc/nginx/conf.d/seafile.conf

So the bottom looks like this:

        }
        location /media {
            root /opt/seafile/seafile-server-latest/seahub;
        }
        location /.well-known/acme-challenge/ {
            root /usr/share/nginx/html;
        }
    }

restarted nginx, and no love:

[root@seafile conf.d]# /opt/letsencrypt/letsencrypt-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: seafile.swamp.xyz
    Domains: seafile.swamp.xyz
    Expiry Date: 2020-04-01 15:10:12+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/seafile.swamp.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/seafile.swamp.xyz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@seafile conf.d]#
1 Like

OK that only “fixes” future cert renewals.

Your problem now is that you are NOT using the cert:

Please show the whole config file:
/etc/nginx/conf.d/seafile.conf

[sorry, I may have gotten my threads crossed]

2 Likes

No worries man, thanks for the help!

    server {
        listen       80;
        server_name  seafile.swamp.xyz;
        rewrite ^ https://$http_host$request_uri? permanent;
        server_tokens off;
    }
    server {
        listen 443 ssl http2;
        server_name seafile.swamp.xyz;

        #ssl on;
        ssl_certificate /etc/letsencrypt/live/seafile.swamp.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/seafile.swamp.xyz/privkey.pem;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        #SSL Security
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_ecdh_curve secp384r1;
        ssl_prefer_server_ciphers on;
        server_tokens off;
        ssl_session_tickets off;

        proxy_set_header X-Forwarded-For $remote_addr;

        location / {
            proxy_pass         http://127.0.0.1:8000;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
            proxy_read_timeout  1200s;

            # used for view/edit office file via Office Online Server
            client_max_body_size 0;

            access_log      /var/log/nginx/seahub.access.log;
            error_log       /var/log/nginx/seahub.error.log;
        }

        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
        }
        location /media {
            root /opt/seafile/seafile-server-latest/seahub;
        }
        location /.well-known/acme-challenge/ {
            root /usr/share/nginx/html;
        }
    }
1 Like

OK, that looks good.
Try to renew.

edit: ANY LUCK ?

2 Likes

No, that’s when it kicked back:

[root@seafile conf.d]# /opt/letsencrypt/letsencrypt-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: seafile.swamp.xyz
    Domains: seafile.swamp.xyz
    Expiry Date: 2020-04-01 15:10:12+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/seafile.swamp.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/seafile.swamp.xyz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@seafile conf.d]#
1 Like

Show the log file after:
/opt/letsencrypt/letsencrypt-auto renew -v

2 Likes

very odd log:

[root@seafile conf.d]# /opt/letsencrypt/letsencrypt-auto renew -v


Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/seafile.swamp.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f23f6bec690> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f23f6bec690>
Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
OCSP response for certificate /etc/letsencrypt/archive/seafile.swamp.xyz/cert3.pem is signed by the certificate's issuer.
OCSP certificate status for /etc/letsencrypt/archive/seafile.swamp.xyz/cert3.pem is: OCSPCertStatus.GOOD
Should renew, less than 30 days before certificate expiry 2020-04-01 15:10:12 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f23f6c16050>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f23f6c16050> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/74783491', new_authzr_uri=None, terms_of_service=None), 94db95cce3fbf9302b330026072a727a, Meta(creation_host=u'seafile.swamp.xyz', creation_dt=datetime.datetime(2019, 12, 30, 0, 43, 25, tzinfo=<UTC>)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Date: Sun, 15 Mar 2020 02:25:07 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "pBaiMYi2b-U": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sun, 15 Mar 2020 02:25:07 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002YMWR0IEVlAlhASHBck6WpejjNxGlKd_LY_NFM_H2gjo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0002YMWR0IEVlAlhASHBck6WpejjNxGlKd_LY_NFM_H2gjo
JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "seafile.swamp.xyz"
    }
  ]
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICIwMDAyWU1XUjBJRVZsQWxoQVNIQmNrNldwZWpqTnhHbEtkX0xZX05GTV9IMmdqbyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZ                XRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0Lzc0NzgzNDkxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJzZWFmaWxlLnN3YW1wLnh5eiIKICAgIH0KICBdCn0",
  "signature": "jdC6aGUZYSevv-vKvo-jB4Mja3jVP615GDNW13B5YMGwZh2uSmzgQxZrxQURPtyntKDMF_GFLKoKBtLVbFRN8KkyLTFtJUA6ASgZe3ydGq5FUOcLTHO9tt5UxxWIL-f7A4_UeEXT842818nyac8CW40l4OgSecf2cwmUPZNzJJhEMwum03zEtRuxWZoyq0HnwLDLc883Fyjdp                oe70J34d8t_PJ9chnOB7OUVVfH0B_0KhHHLk8c19Lo1Z0jZFauV7_CIYMIqfi0L4-wGc-YF22MZfxwPruLss_wWRkyw7ZXg8HdqtJpMIQMj6valBTwXujYKmTn9v6CEN-8XPb7uPQ"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 347
Received response:
HTTP 201
Server: nginx
Date: Sun, 15 Mar 2020 02:25:07 GMT
Content-Type: application/json
Content-Length: 347
Connection: keep-alive
Boulder-Requester: 74783491
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/74783491/2659347282
Replay-Nonce: 0002hQPzw2XtrWF7HgBidsT_vzXZ7xy74Pcad4mdnF9E3hA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-03-22T02:25:07.914301285Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "seafile.swamp.xyz"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3364863675"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/74783491/2659347282"
}
Storing nonce: 0002hQPzw2XtrWF7HgBidsT_vzXZ7xy74Pcad4mdnF9E3hA
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3364863675:
{
  "protected": "eyJub25jZSI6ICIwMDAyaFFQencyWHRyV0Y3SGdCaWRzVF92elhaN3h5NzRQY2FkNG1kbkY5RTNoQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzM2NDg2MzY3NSIsICJraWQiOiAiaHR0cHM6Ly9hY21lL                XYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83NDc4MzQ5MSIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "rzgUXn95neXyeegYAO15vOZFbRngv5XB9AvTFSQeu1pn_KbfW64NfxZUjEEPvWF2F8zwWB8to_LHnhOijv3sk-0Fyin7Z6kNsjRfuceocdGD19BUjxRuYFKyI5e_kBaTw2NVZ5xSrk7bY11d6cRysJfTB6s9bwbhhMmGKbFiuP6nsTJqWJq0c4Z07kCer2jg3gAYQ3s2icnQe                _NMUpcAtMiAE4-UYKYIE7gAf7YNw-JHxhXf8i2fzuVzh3iNC5JTt1XMygD_j35tYN5lypzXTbiVr5MaIRiFWyaloPNVcNChx5AtBYHppeEYCTuRXO_YLZVkvfaCdzMgC8SARrBnsw"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3364863675 HTTP/1.1" 200 795
Received response:
HTTP 200
Server: nginx
Date: Sun, 15 Mar 2020 02:25:08 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 74783491
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002bOHZMSB0fyTyqFqOQeQ2udVtF-X6Nru0_WfdAZmx_Io
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "seafile.swamp.xyz"
  },
  "status": "pending",
  "expires": "2020-03-22T02:25:07Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3364863675/SJlgwQ",
      "token": "Kw4bryZFH2DiQD4_A6eN4dlxOz-Ol9frj0RfNBugv4s"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3364863675/GFDt4Q",
      "token": "Kw4bryZFH2DiQD4_A6eN4dlxOz-Ol9frj0RfNBugv4s"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3364863675/4k7nEg",
      "token": "Kw4bryZFH2DiQD4_A6eN4dlxOz-Ol9frj0RfNBugv4s"
    }
  ]
}
Storing nonce: 0002bOHZMSB0fyTyqFqOQeQ2udVtF-X6Nru0_WfdAZmx_Io
Performing the following challenges:
http-01 challenge for seafile.swamp.xyz
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Creating root challenges validation dir at /usr/share/nginx/html/.well-known/acme-challenge
Attempting to save validation to /usr/share/nginx/html/.well-known/acme-challenge/Kw4bryZFH2DiQD4_A6eN4dlxOz-Ol9frj0RfNBugv4s
Waiting for verification...
JWS payload:
{
  "type": "http-01",
  "resource": "challenge"
}
1 Like

Did this file get created?

Attempting to save validation to /usr/share/nginx/html/.well-known/acme-challenge/Kw4bryZFH2DiQD4_A6eN4dlxOz-Ol9frj0RfNBugv4s

Did you get a cert?

If not, try creating/saving a test file at:
/usr/share/nginx/html/.well-known/acme-challenge/test1234
see if you can access it via:
http://seafile.swamp.xyz/.well-known/acme-challenge/test1234

2 Likes

There is a “.” missing before the well-known.
Please check that it was created correctly.
/usr/share/nginx/html/.well-known/acme-challenge

2 Likes
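
The two checks suggested in the replies above (is the challenge directory really named `.well-known`, and can a test file in it be fetched over HTTP), written as a small pre-flight script. This is an added example, not part of the original thread; the function names, return codes and probe file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for an http-01 webroot before "renew".
# Usage: check_acme_webroot /usr/share/nginx/html
#        probe_acme_url /usr/share/nginx/html seafile.swamp.xyz

# check_acme_webroot WEBROOT
# Return codes (chosen for this example):
#   0  WEBROOT/.well-known/acme-challenge exists and is writable
#   2  only WEBROOT/well-known/acme-challenge exists (leading dot missing)
#   3  no challenge directory at all
#   4  directory exists but the current user cannot write to it
check_acme_webroot() {
    webroot=${1%/}
    good="$webroot/.well-known/acme-challenge"
    typo="$webroot/well-known/acme-challenge"
    if [ -d "$good" ]; then
        if [ -w "$good" ]; then
            echo "ok: $good"
            return 0
        fi
        echo "not writable: $good"
        return 4
    fi
    if [ -d "$typo" ]; then
        echo "found $typo, but nginx serves /.well-known/ (leading dot missing)"
        return 2
    fi
    echo "missing: $good"
    return 3
}

# probe_acme_url WEBROOT HOST
# Writes a throwaway file into the challenge directory and fetches it over
# plain HTTP. -L follows the port-80 redirect to HTTPS used in this config.
probe_acme_url() {
    webroot=${1%/}
    host=$2
    name="probe-$$"
    file="$webroot/.well-known/acme-challenge/$name"
    printf '%s' "$name" > "$file" || return 1
    body=$(curl -fsSL --max-time 10 "http://$host/.well-known/acme-challenge/$name")
    rc=$?
    rm -f "$file"
    [ "$rc" -eq 0 ] && [ "$body" = "$name" ]
}
```
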

Huzzah, that worked. Thank you very much. So for my cron job, it should now be:

/opt/letsencrypt/letsencrypt-auto renew >> /var/log/seafile.swamp.xyz-renew.log 2>&1

I am not sure which post to mark as solution, took a few things to get me there!

3 Likes
