Certificate Erros

[skl283]

At first thank you for all your efforts and this great project @ggogel! I like to use this container very much! :-)

I'm not sure if i'm right here for my ssl verify problem using this project with the following docker-compose.yaml and another reverse-proxy in Front of caddy:

services:
  seafile-server:
    image: ggogel/seafile-server:11.0.12
    volumes:
      - /mnt/tank-ssd/apps/seafile/data/seafile-data:/shared
    environment:
      - DB_HOST=db
      - DB_ROOT_PASSWD=123456
      - TIME_ZONE=Europe/Berlin
      - HTTPS=true
      - SEAFILE_URL=cloud.xyz.de # Mandatory on first deployment!
    networks:
      - seafile-net
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "8082"]
      interval: 10s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  seahub:
    image: ggogel/seahub:11.0.12
    volumes:
      - /mnt/tank-ssd/apps/seafile/data/seafile-data:/shared
      - /mnt/tank-ssd/apps/seafile/data/seahub-avatars:/shared/seafile/seahub-data/avatars
      - /mnt/tank-ssd/apps/seafile/data/seahub-custom:/shared/seafile/seahub-data/custom
    environment:
      - SEAFILE_ADMIN_EMAIL=abc@xyz.de
      - SEAFILE_ADMIN_PASSWORD=123456
    networks:
      - seafile-net
    depends_on:
      db:
        condition: service_healthy
      seafile-server:
        condition: service_healthy
    restart: unless-stopped

  seahub-media:
    image: ggogel/seahub-media:11.0.12
    volumes:
      - /mnt/tank-ssd/apps/seafile/data/seahub-avatars:/usr/share/caddy/media/avatars
      - /mnt/tank-ssd/apps/seafile/data/seahub-custom:/usr/share/caddy/media/custom
    networks:
      - seafile-net
    restart: unless-stopped

  db:
    image: mariadb:10.11
    environment:
      - MYSQL_ROOT_PASSWORD=123456
      - MYSQL_LOG_CONSOLE=true
      - MARIADB_AUTO_UPGRADE=true
    volumes:
      - /mnt/tank-ssd/apps/seafile/db:/var/lib/mysql
    networks:
      - seafile-net
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--su-mysql", "--connect", "--innodb_initialized"]
      interval: 10s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  memcached:
    image: memcached:1.6.31
    entrypoint: memcached -m 1024
    networks:
      - seafile-net
    restart: unless-stopped

  seafile-caddy:
    image: ggogel/seafile-caddy:2.8.4
    ports:
      - "30080:80" # Point your reverse proxy to port 80 of this service
    networks:
      - seafile-net
      - default
    restart: unless-stopped

networks:
  seafile-net:
    internal: true

I've configured another caddy to reverse proxy to terminate the ssl certificate on my opnsense router - without any issues i can connect via my opnsense-router caddy to the reverseproxy on port 30080 - no issues!

here is the caddyfile at my router:

	@60ce14cd-7731-41a4-aa88-7c008df06f39 {
		host cloud.mydomain.de
	}
	handle @60ce14cd-7731-41a4-aa88-7c008df06f39 {
		@ca90f8a8-587b-4253-bc11-92951cbe842c {
			not client_ip 10.10.10.0/24 10.0.0.0/8
		}
		handle @ca90f8a8-587b-4253-bc11-92951cbe842c {
			abort
		}

		handle {
			reverse_proxy nas.mydomain.de:30080 {
				header_down Server
				header_up Strict-Transport-Security "max-age=31536000"
				header_up X-Frame-Options "DENY"
				header_up X-Real-IP "remote_host"
				header_up X-Robots-Tag "none"
				header_up X-XSS-Protection "1; mode=block"
			}
		}
	}

But if i want to connect with the Seafile-Client from a client inside of my network by the same dns-name - i get ssl certificate error. even if want to connect from my server which runs the containers via rclone and the first proxy (on my router) i get ssl errors. I've seen, that the trusted_proxies option is already set to "private_ranges".

I don't know how to get more information about finding the issue - is anyone else having these issues? Or anyone having any hints to find the issue?!

[ggogel]

Hi @skl283, thank you. Your problem is not related to this project. This project does not include any HTTPS functionality. Implementing HTTPS is the responsibility of the user. I'll convert this into a discussion.

If I understand correctly, HTTPS works if you access Seafile from the Internet but not locally in your network.

I can see two reasons for that. First, internally your domain does not point to that opensense router but directly to your server. Second, it might be DNS rebind protection.

[skl283]

Thank you for your Reply @ggogel!

I've found the issue - i didn't had used the fullchain.cer from acme.sh - with the fullchain.cer everything is working! Sorry, i didn't checked that this don't have to do with the Image/caddy from your great work!