mattie112

Everything posted by mattie112

  1. You cannot put a file in a SMB share? Or your paperless has problems accessing a folder? The first one is not a paperless issue so perhaps worth a separate post? In the Unraid Tools menu there is a "(docker safe) new permissions" option that might fix your issue.
  2. Try to renew it via the CLI (see elsewhere in this topic, I posted it numerous times). There is a --dry-run or a --force-renew flag for certbot. Then see what errors you are getting.
  3. Just needed to reboot my server to do some electrical work and ofc this is still an issue. Dear Unraid staff: please at least acknowledge this issue!
  4. Yeah, some response would be great, at least so that we know this is being worked on / even known by the devs!
  5. And just as a small reminder: a reboot clears this fix (and still no comment from Unraid staff, wow I am starting to regret buying a licence if this is how bug reports are handled).
  6. Ok so just to be sure:

     ```
     # add or remove custom network
     for NETWORK in $INCLUDE; do
       if [[ ! $DOCKER_CUSTOM_NETWORKS =~ "$NETWORK " ]]; then
         # automatic assignment
         AUTO=${NETWORK/./_}
         AUTO=DOCKER_AUTO_${AUTO^^}
         if [[ ${!AUTO} == no ]]; then
           [[ $NETWORKS =~ "$NETWORK " ]] && docker network rm $NETWORK >/dev/null
           continue
         fi
         # add auto defined networks
         SUBNET=; GATEWAY=; SERVER=; RANGE=;
         IPV4=$(ip -br -4 addr show $NETWORK|awk '{print $3;exit}')
         if [[ -n $IPV4 ]]; then
           SUBNET=$(ip -4 route show $IPV4 dev $NETWORK|awk '{print $1;exit}')
           SERVER=${IPV4%/*}
           DHCP=${NETWORK/./_}
           DHCP=DOCKER_DHCP_${DHCP^^}
           RANGE=${!DHCP}
           GATEWAY=$(ip -4 route show default dev $NETWORK|awk '{print $3;exit}')
         fi
         SUBNET6=; GATEWAY6=; SERVER6=; RANGE6=;
         # IPV6=$(min6 $(max6 $(wipe $(ip -br -6 addr show $NETWORK scope global|awk '{$2="";print;exit}'))|sort|head -1))\
         IPV6=$(ip -6 addr show $NETWORK mngtmpaddr|awk '/^ +inet6 /{print $2;exit}')
         [[ -z $IPV6 ]] && IPV6=$(ip -6 addr show $NETWORK scope global permanent|awk '/^ +inet6 /{print $2;exit}'
         if [[ -n $IPV6 ]]; then
           # get IPV6 subnet, preset to /64 if single host address is given
           [[ ${IPV6#*/} == 128 ]] && SUBNET6=$(echo $IPV6|sed -r 's/^([^:]+):([^:]+):([^:]+):([^:]+).*$/\1:\2:\3:\4::\/64/') || SUBNET6=$(ip -6 route show $IPV6 dev $NETWORK|awk '{print $1;exit}')
           SERVER6=${IPV6%/*}
           DHCP6=${NETWORK/./_}
           DHCP6=DOCKER_DHCP6_${DHCP6^^}
           RANGE6=${!DHCP6}
           GATEWAY6=$(ip -6 route show default dev $NETWORK|awk '{print $3;exit}')
           # replace link local address for first address in subnet
           [[ ${GATEWAY6:0:4} == fe80 ]] && GATEWAY6=${SUBNET6%/*}1
         fi
       else
         # add user defined networks
         IPV4=; IPV6=;
     ```

     I have commented the original line and then added your 2 lines. However when I start docker I get:

     ```
     root@Tower:~# /etc/rc.d/rc.docker start
     /etc/rc.d/rc.docker: line 364: syntax error near unexpected token `else'
     /etc/rc.d/rc.docker: line 364: ` else'
     ```

     So that is really strange?

     edit: Ah I see it now, the 2nd line is missing a `)` at the end. I have added that and will try IPv6 again
  7. Should that be on one line?

     ```
     root@Tower:~# /etc/rc.d/rc.docker start
     /etc/rc.d/rc.docker: line 366: syntax error near unexpected token `else'
     /etc/rc.d/rc.docker: line 366: ` else'
     ```

     It goes wrong on a different line. Or should it also contain an if; then?
  8. So, it seems that this does not have a high prio, so I will be rolling back this weekend; this is taking way too long and is really a show stopper for me.
  9. No problem! That is the main reason I use it. Services don't need to bother with SSL/certificate. It is all handled by NPM.
  10. Internally you can use HTTP just fine! Perhaps only if your NPM and service are on physically different machines then it is a question of: do you trust your internal network.
  11. Did you have any issues downgrading? I also want to get IPv6 back but never downgraded Unraid before so not too sure if that will go without problems.
  12. I also posted about this on: https://forums.unraid.net/topic/110395-docker-host-network-access-not-working-after-hard-reboot/?do=findComment&comment=1302630

      edit: for me, only using an IPv4 address for the container does not seem to work

      edit2: it does work after making some change to the container (e.g. re-creating it)

      Will wait for a day then rollback as only IPv4 is not an option for me (too much stuff to change)
  13. So: This is still an issue for me. Had a very long uptime, recently restarted due to an upgrade -> no problem. Now I had a "crash" (again due to filling up the cache dir). Could not recover, removed the docker image and had it recreated. Then re-added all my containers and behold, the same problem again. It is exactly the same as in the first screenshot, however disabling and then re-enabling docker does not fix the issue right now.

      ```
      docker run -d --name='NginxProxyManager' --net='br0' --ip='192.168.100.201' --ip6='xx:xx:xx:xx::xx' --privileged=true \
        -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e HOST_HOSTNAME="Tower" -e HOST_CONTAINERNAME="NginxProxyManager" \
        -e 'TCP_PORT_8181'='8181' -e 'TCP_PORT_8080'='80' -e 'TCP_PORT_4443'='443' \
        -e 'USER_ID'='99' -e 'GROUP_ID'='100' -e 'UMASK'='000' -e 'APP_NICENESS'='' -e 'DISABLE_IPV6'='0' \
        -l net.unraid.docker.managed=dockerman \
        -l net.unraid.docker.webui='http://192.168.100.201:8181' \
        -l net.unraid.docker.icon='https://raw.githubusercontent.com/jlesage/docker-templates/master/jlesage/images/nginx-proxy-manager-icon.png' \
        -v '/mnt/user/appdata/NginxProxyManager/matthijs-custom-ssl-ciphers.conf':'/etc/nginx/conf.d/include/ssl-ciphers.conf':'rw' \
        -v '/mnt/user/appdata/NginxProxyManager':'/config':'rw' \
        'mattie112/docker-nginx-proxy-manager'
      ```

      And then the reply is:

      ```
      Error response from daemon: user specified IP address is supported only when connecting to networks with user configured subnets
      Error: failed to start containers: NginxProxyManager
      ```

      I tried removing br0 and manually creating it:

      ```
      docker network create --driver=macvlan --subnet=192.168.100.0/24 --subnet=xx:xx:xx:xx::0/64 br0
      ```

      That allows me to start the container but no network traffic is possible. So yes: any help is appreciated again. I could also open a new topic but this is exactly the same problem so yeah.... (or at least to me it looks like the same problem)

      edit: Tried changing to eth0 as listed in changelog (https://docs.unraid.net/unraid-os/release-notes/6.12.4/), no luck!
  14. Those headers are really application headers. Yes, your web server can send out headers but it is more for your application to define them. Your webserver does not know what your application wants. But yes: you can "override" them in nginx.
  15. Random one from me gets an A, headers are usually sent by your application so I would check there first.
  16. It is not clear to me (also in the original post). Is this the Nginx from NPM logging this? Or Unraid? If you stop the NPM docker container does the log continue? If it does then it has to be reported to the Unraid team.
  17. I have my NPM container running in network "br0" so I can use an IP from my router's 'range'. Then I can use that IP to forward traffic to whatever port (including 80/443)
  18. I don't use CF so please check their forums. Either they cache it incorrectly (as it will create a new file to verify each time) or they block http/port 80.
  19. This is exactly the same error as in the previous 10 posts. Make sure your website works for the .well-known folder on unsecured http port 80. If you have cloudflare see the post above. This really says it all:

      ```
      Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
        Domain: nextcloud.myserver.com
        Type:   unauthorized
        Detail: 2606:4700:3034::6815:31d8: Invalid response from http://nextcloud.myserver.com/.well-known/acme-challenge/B2MWRSrn1NaJZaqWPpd4YVrWrBoqB1U11L4iIWluKFw: 403

      Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
      ```
  20. Or use DNS authentication for letsencrypt. Or possibly: https://community.letsencrypt.org/t/cloudflare-blocking/180172/5
  21. I don't use CF myself. But you need to be sure that the .well-known directory can be reached over unsecured http port 80
  22. Try running certbot manually with some debug flags (-v) and see what it does.
  23. I was talking about viewing the certificate (details) with your web browser. But good that it is working now.
  24. Yes for example, just to pull the certificate and to make sure it is what you expect. If you see that it is expired for example you know to start with the renewal process. If it is valid then start at CF.
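
A triage helper for the Certbot failure quoted in post 19, added here as an example (not code from these posts or from Certbot): it parses the CA's Domain/Type/Detail report and maps it to the checks suggested in posts 18 to 21. The function names and the assumed layout of the `Detail` line are illustrative; the sample text is constructed from the quoted output.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the CA problem report as quoted in post 19.
SAMPLE = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: nextcloud.myserver.com
  Type:   unauthorized
  Detail: 2606:4700:3034::6815:31d8: Invalid response from http://nextcloud.myserver.com/.well-known/acme-challenge/B2MWRSrn1NaJZaqWPpd4YVrWrBoqB1U11L4iIWluKFw: 403
"""

# Assumed layout of the Detail line: "<address>: Invalid response from <url>: <status>"
DETAIL_RE = re.compile(r"^(?P<addr>\S+): Invalid response from (?P<url>\S+): (?P<status>\d{3})$")


def parse_problems(text):
    """Return one dict per Domain/Type/Detail group found in the output."""
    problems, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if key == "Domain" and sep:
            current = {"domain": value.strip()}
            problems.append(current)
        elif current is not None and key in ("Type", "Detail"):
            current[key.lower()] = value.strip()
    return problems


def triage(problem):
    """Map one parsed problem to the checks worth running first."""
    m = DETAIL_RE.match(problem.get("detail", ""))
    if not m:
        return []
    hints = []
    try:
        if ipaddress.ip_address(m["addr"]).version == 6:
            hints.append("validation came in over IPv6: test that path, not only IPv4")
    except ValueError:
        pass  # address field was not an IP literal
    url = urlsplit(m["url"])
    if url.scheme == "http" and url.path.startswith("/.well-known/acme-challenge/"):
        hints.append("challenge file is fetched over plain HTTP on port 80")
    if m["status"] == "403":
        hints.append("403: a server answered and refused; check proxy/CDN/access rules")
    return hints

if __name__ == "__main__":
    for p in parse_problems(SAMPLE):
        print(p["domain"], p.get("type"), triage(p))
```
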