The regular letsencrypt certbot procedure fails due to reverse proxying-it essentially means that contrary to regular delivery of webpage content, where you type an address and apache serves the content from a specific folder, seafile runs a service as a reverse proxy. Apache binds to the particular port running seafile, and serves content provided by the seafile daemon (service). So obviously letsencrypt authorization doesnt work regularly. I struggled with a lot of apparent techniques for the reverse proxy, all of which threw up all kinds of errors while letsencrypt was authorizing in apache mode. Finally the solution is very simple-use letsencrypt certbot in manual DNS verification mode. It’s simple-you just add a particular TXT record to your DNS, and Cloudflare instantly verifies it and provides you the certificate, CSR and chain.
certbot -d yourdomain.com --manual --preferred-challenges dns certonly Saving debug log to /var/log/letsencrypt/letsencrypt.log Obtaining a new certificate Performing the following challenges: dns-01 challenge for cloud.yourdomain.com ------------------------------------------------------------------------------- NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? ------------------------------------------------------------------------------- (Y)es/(N)o: y ------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.cloud.yourdomain.com with the following value: XNuYmalkADgddffvrcbO7p2Gsscff1nbTPk Once this is deployed, ------------------------------------------------------------------------------- Press Enter to Continue Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem. Your cert will expire on 2017-07-19. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
I found that there was a problem with the path of the chain.
Copying to new location:
mkdir /home/you/domains/cloud.you.com/certs cp /etc/letsencrypt/live/cloud.you.com/*pem /home/you/domains/cloud.you.com/certs/
Apache config:
<VirtualHost cloud.you.com:443>
ServerName cloud.you.com
DocumentRoot /var/www
ErrorLog /var/log/virtualmin/cloud.you.com_error_log
CustomLog /var/log/virtualmin/cloud.you.com_access_log combined
Alias /media /home/user/haiwen/seafile-server-latest/seahub/media
RewriteEngine on
<Location /media>
Require all granted
</Location>
#
# seafile fileserver
#
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
#
# seahub
#
SetEnvIf Request_URI . proxy-fcgi-pathinfo=unescape
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / fcgi://127.0.0.1:8000/
ProxyPass /.well-known !
Alias /.well-known "/var/www/.well-known"
<Directory "/var/www/.well-known">
Require all granted
order allow,deny
allow from all
AllowOverride All
AddDefaultCharset Off
</Directory>
SSLEngine on
SSLCertificateFile /home/you/domains/cloud.you.com/certs/cert.pem
SSLCertificateKeyFile /home/you/domains/cloud.you.com/certs/privkey.pem
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/you/domains/cloud.you.com/certs/chain.pem
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>