Adding a letencrypt certificate for a server running seafile server

The regular letsencrypt certbot procedure fails due to reverse proxying-it essentially means that contrary to regular delivery of webpage content, where you type an address and apache serves the content from a specific folder, seafile runs a service as a reverse proxy. Apache binds to the particular port running seafile, and serves content provided by the seafile daemon (service). So obviously letsencrypt authorization doesnt work regularly. I struggled with a lot of apparent techniques for the reverse proxy, all of which threw up all kinds of errors while letsencrypt was authorizing in apache mode. Finally the solution is very simple-use letsencrypt certbot in manual DNS verification mode. It’s simple-you just add a particular TXT record to your DNS, and Cloudflare instantly verifies it and provides you the certificate, CSR and chain.

certbot -d --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name with the following value:


Once this is deployed,
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert
   will expire on 2017-07-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

I found that there was a problem with the path of the chain.
Copying to new location:

mkdir /home/you/domains/
cp /etc/letsencrypt/live/*pem /home/you/domains/

Apache config:

DocumentRoot /var/www
ErrorLog /var/log/virtualmin/
CustomLog /var/log/virtualmin/ combined
Alias /media  /home/user/haiwen/seafile-server-latest/seahub/media
RewriteEngine on
<Location /media>
          Require all granted
# seafile fileserver
ProxyPass /seafhttp
ProxyPassReverse /seafhttp
RewriteRule ^/seafhttp - [QSA,L]
# seahub
SetEnvIf Request_URI . proxy-fcgi-pathinfo=unescape
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / fcgi://
ProxyPass /.well-known !
Alias /.well-known "/var/www/.well-known"
<Directory "/var/www/.well-known">
           Require all granted
           order allow,deny
           allow from all
           AllowOverride All
           AddDefaultCharset Off
SSLEngine on
SSLCertificateFile /home/you/domains/
SSLCertificateKeyFile /home/you/domains/
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/you/domains/
SSLHonorCipherOrder on

You are reading this post on Joel G Mathew’s tech blog. Joel's personal blog is the Eyrie, hosted here.