calibre server root folder

[josh.p.23]

where can I locate the root folder for the content server? I need to verify ownership so that I can get a custom SSL certificate.

thanks!

[kovidgoyal]

There is no root folder, the server is dynamic. I'm guessing you are using lets encrypt? In which case you need to either modify the code (for example in server/content.py or simpler, just turn off the server temporarily and run nginx/apacche/simplehttpserver while you are verifying your domain ownership.

[josh.p.23]

Quote:

Originally Posted by kovidgoyal

I'm guessing you are using lets encrypt?

Good guess!

Well, I have it set up using apache proxy, so apache is already running, accepting connections on port 80 and forwarding them locally to 8080.

So, would I have to manipulate my vhost file for that? That sounds like what you are saying. I like the webroot method of verification, it's awfully good for automating my set up.

Where is the file to alter? I just went looking for content.py and haven't seen it...

[kovidgoyal]

If it is already behind apache, then you dont need to do anything in calibre, simply add the webroot rules in the apache conf file.

[josh.p.23]

I got it to work by making a universal vhost alias for ./well-known like this

Code:

Alias /.well-known /var/www/LEwebroot/.well-known
<Directory /var/www/LEwebroot/.well-known>
    Options FollowSymlinks
    AllowOverride All
    Order allow,deny
    Require all granted
</Directory>

while having calibre-server running like so in apache

Code:

<VirtualHost *:80>
	ServerName my.vhost.com
	RewriteEngine on
### For letsencrypt ###
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule ^/(.*) http://another.path.to.the.alias.com/$1 [P]
### Letsencrypt fin ###
	RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
	RewriteRule ^ http://localhost:8080 [proxy]
	SetEnv force-proxy-request-1.0 1
	SetEnv proxy-nokeepalive 1
</VirtualHost>

I hit my rate limit testing so I cannot verify this, but the script made it past the url auth step, huzzah.


EDIT: Nevermind. That breaks the server

[josh.p.23]

So, with that breaking the server, how do I get the calibre redirect to happen while ignoring that one particular url without breaking the server? Or is that... only a dream... a dream...a dream.........

[kovidgoyal]

It's been years since I've used apache, but surely it has some form of rule precedence. Give the rule for .well-known a higher precedence.

[josh.p.23]

Hey, so I did finally get this to work. I actually shouted with joy and woke up my kids when it finally did!

For clarity's sake:

• I am running calibre-server, installed from binary as described here, and daemonized into an upstart job using the instructions here.
• I am running calibre-server on a headless Ubuntu 14.04 VPS.
• I'm accessing calibre-server via Apache using a reverse proxy setup, as described here.
• My goal was to install the official letsencrypt ACME client, and get it to play nicely with my setup, as to take advantage of totally hands-free, automated SSL certificate renewals.

To share the solution:

• First, as mentioned above, I had to create a static alias for doing the update, since Calibre is served up dynamically and the ACME client calls for a static webroot folder for this. There's great instruction for setting up the LetsEncrypt webroot folder here. There are many advantages to this particular setup.
• Next I had to alter the virtual host conf file for Calibre. It's quite simple, just add
  Code:

  RewriteCond %{REQUEST_URI} !/\.well-known/.*

  to the virtual host file just above the Rewrite Rules as shown below.
  
  Code:

  <VirtualHost *:80>
  		ServerName example.com
  	RewriteEngine on
   ---> RewriteCond %{REQUEST_URI} !/\.well-known/.*
  	RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
   ---> RewriteCond %{REQUEST_URI} !/\.well-known/.*
  	RewriteRule ^ http://localhost:8080 [proxy]
  	SetEnv force-proxy-request-1.0 1
  	SetEnv proxy-nokeepalive 1
  </VirtualHost>

  Of course, don't keep those arrows... This works some Mod_Rewrite regex exclusion magic to allow the ACME client to access the "/.well-known" alias path internally and externally for verification purposes without interfering with the calibre-server rewrite proxy. This was where the head was banging against the wall for hours.
• Assuming a standard letsencrypt client installation: Run the client as root like so:
  
  Code:

  /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/LEwebroot -d example.com

  And assuming no errors...
• Perhaps automate future updates by looking here, and here for inspiration. Plenty of info out there if this isn't enough.
• Now that the certs are in place, and automation is set up moving forward, it's time to alter the virtual host conf file again. This time I added a new virtual host as a redirect to the SSL protected connection like so:
  
  Code:

  <VirtualHost *:80>
  	ServerName example.com
  	Redirect permanent / https://example.com/
  </VirtualHost>

  and below that, this:
  
  Code:

  <VirtualHost *:443>
  		SSLEngine on                                                                
  	SSLProtocol all -SSLv2 -SSLv3                                       
          SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    	SSLHonorCipherOrder     on
  	SSLCompression          off
  	ServerSignature Off
  	AcceptPathInfo Off
  	AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf
  	AddDefaultCharset UTF-8
  	SSLOptions +StrictRequire  
   
  	SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  	SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  	SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
  
  	ServerName example.com
  	RewriteEngine on
  	RewriteCond %{REQUEST_URI} !/\.well-known/.*
  	RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
  	RewriteCond %{REQUEST_URI} !/\.well-known/.*
  	RewriteRule ^ http://localhost:8080 [proxy]
  	SetEnv force-proxy-request-1.0 1
  	SetEnv proxy-nokeepalive 1
  </VirtualHost>

• Finally restart Apache and PRESTO.

Following that simple process Calibre-Server is set up with (forced) SSL encryption from LetsEncrypt with hands free, automated certificate renewals (that optionally email you alerting you of your success).

I wanted to share that solution here because it was such a hassle for me, and hopefully someone can lean on this work.

Happy Day.