Tag: apache

Adding a letencrypt certificate for a server running seafile server

Posted by: Joel G Mathew Posted on: April 20, 2017 , , , ,

The regular letsencrypt certbot procedure fails due to reverse proxying-it essentially means that contrary to regular delivery of webpage content, where you type an address and apache serves the content from a specific folder, seafile runs a service as a reverse proxy. Apache binds to the particular port running seafile, and serves content provided by the seafile daemon (service). So obviously letsencrypt authorization doesnt work regularly. I struggled with a lot of apparent techniques for the reverse proxy, all of which threw up all kinds of errors while letsencrypt was authorizing in apache mode. Finally the solution is very simple-use letsencrypt certbot in manual DNS verification mode. It’s simple-you just add a particular TXT record to your DNS, and Cloudflare instantly verifies it and provides you the certificate, CSR and chain.

certbot -d yourdomain.com --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cloud.yourdomain.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.cloud.yourdomain.com with the following value:

XNuYmalkADgddffvrcbO7p2Gsscff1nbTPk

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-07-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I found that there was a problem with the path of the chain.
Copying to new location:

mkdir /home/you/domains/cloud.you.com/certs
cp /etc/letsencrypt/live/cloud.you.com/*pem /home/you/domains/cloud.you.com/certs/

Apache config:

<VirtualHost cloud.you.com:443>
ServerName cloud.you.com
DocumentRoot /var/www
ErrorLog /var/log/virtualmin/cloud.you.com_error_log
CustomLog /var/log/virtualmin/cloud.you.com_access_log combined
Alias /media  /home/user/haiwen/seafile-server-latest/seahub/media
RewriteEngine on
<Location /media>
          Require all granted
</Location>
#
# seafile fileserver
#
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
#
# seahub
#
SetEnvIf Request_URI . proxy-fcgi-pathinfo=unescape
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / fcgi://127.0.0.1:8000/
ProxyPass /.well-known !
Alias /.well-known "/var/www/.well-known"
<Directory "/var/www/.well-known">
           Require all granted
           order allow,deny
           allow from all
           AllowOverride All
           AddDefaultCharset Off
</Directory>
SSLEngine on
SSLCertificateFile /home/you/domains/cloud.you.com/certs/cert.pem
SSLCertificateKeyFile /home/you/domains/cloud.you.com/certs/privkey.pem
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/you/domains/cloud.you.com/certs/chain.pem
SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>