
Posts posted by aptalca

  1. Ah, thanks!

    What about adding so you need to press a confirm button to start the update? I have pressed it more than twice when I was supposed to click the resource monitor, but maybe it is only me and my clumsy fingers [emoji14]

    Decent idea actually.  I click it a lot during testing (sometimes not on purpose), and I usually use it as an excuse to go have a smoke.  So I can see how other people would do the same thing.

    I click on it every time I make a change to one of my repo xmls to see if it looks fine. It only takes about 30 seconds for me

  2. The LetsEncrypt container is awesome!  And thanks a ton for your example configs, they helped a lot.

     

    The only real problem I had was that the docker logs give no indication when nginx doesn't start due to a bad config file.  Is there any way this could be detected and flagged in the docker log?

     

    Also, would you consider adding apache2-utils to the container?  Then we could use the htpasswd tool to create .htpasswd files. Nginx and Apache use the same file format.

     

    Thanks!

     

    Is that type of error logged in nginx's error.log? Because that file is in the config folder under logs/nginx/ and should be easily accessible.

     

    Apache-utils requires manual creation through command line. I figured if you're already exec'ing into the container (most users don't) you can easily install it with apt-get. Since it's only used once, there is no need to install it into the main image. I thought about automating it, but I didn't want people to put their passwords in the docker run command as an environment variable or anywhere else in plain text to be honest.

     

    There are some online generators, that are javascript based and run in the client browser. Nothing is uploaded (you can test by cutting the internet access while generating)

  3. If 443 was not forwarded to the container, it should not have been able to validate. Plus, the script does not run the letsencrypt command unless the existing certs are at least 60 days old.

     

    Also, just so you know, there are two logs, the docker log will tell you what happened when the letsencrypt.sh ran at container start. And then there is the letsencrypt.log file in the config folder under log/nginx/ and that one stores the latest cron output. Make sure you check both.

    Yep I know, but logs were lost, which is why I won't bother to find the reason.

    But I am pretty sure 443 was not pointing to the container, I had no proxy set up yet and was using it for another webserver.

    And the "old" keys were correctly "archived" so it had to be a renewal, that was started during the upgrade process of unraid.

     

    Well "pretty sure" is what it is. I'll try and test the setup that I think was active at that time. If it does not work, I am just getting old ;)

     

    I think I figured out what happened. I made the change from checking file modified date to checking certificate expiration date in the dev repo while on vacation and completely forgot to merge it into master. So in your case, your files must have been modified somehow (chown maybe?) so the script was reading the cert creation date wrong.

     

    I just pushed a new update that fixes that issue among others

    https://hub.docker.com/r/aptalca/nginx-letsencrypt/

  4. Morning Aptalca-

     

    Thank you for your great dockers. They really add tremendous value to all things unRAID!

     

    Two questions on your Calibre-Server:

    (1)  have you considered adding a simple username and password to access the library?

    (2)  have you considered adding a for your docker to look for new downloads in a particular folder and auto-add the new ebooks?

     

    Thanks again!

     

    Hi dcpdad,

     

    1) If you're asking about password protection for access from the internet, then I would recommend using a reverse proxy like nginx. It allows for authorization through htpasswd, which I trust. Check out the nginx-letsencrypt container I put together, it handles the ssl certs and reverse proxy. I use that for all my container GUIs so I can access them securely

     

    2) Not really, I guess I'm a little OCD and prefer to import the books manually so I can check to make sure the info retrieved from the internet is correct. I'm not sure if calibre has that functionality built-in or not. I know it has terminal commands you can use for importing through command line, which could be put into a cron script, but I honestly don't have time to look into that. If someone else figures it out, feel free to send a pr on github

  5. Is ffmpeg included in 1.29 ?  Is the path the same as 1.28.1 (/usr/bin/avconv) ?

     

    PATH_CAMBOZOLA Web path to (optional) cambozola java streaming client (?) Should I just use the default here ?  cambozola.jar ? or /usr/share/zoneminder/www/cambozola.jar ?

     

    Can't seem to be able to get my remote IP CAM to display anything in 1.29, basically using the same settings as 1.28.1.

     

    Thanks.

     

    For all zoneminder fans, version 1.29 is out. But it's a separate container. Due to the extensive changes in the new version, it was near impossible to update a 1.28 version in place. So you'll have to install this separate container and set it up from scratch. Don't try to install it using the same config folder with existing data, it won't work.

     

    To be honest, I wasn't even able to update my existing install to 1.29 no matter how hard I tried (without deleting the existing data), so there was no way I could do it for all the existing users with different configs.

     

    Let me know if the new one has any issues

    Instructions are on the docker hub page: https://hub.docker.com/r/aptalca/zoneminder-1.29/

     

    You probably need to change the path_zms that is listed under important

     

    I'm making some progress, in the prior docker 1.28.1, the events were stored in the config path under /appdata/zoneminder/data/zoneminder/events, separate from the container, in this version, I'm not so sure that is the case.  I've recorded several events, but the /appdata/zoneminderv129/data/events folder is empty.

     

    So it seemed by default, the old version stored events in the config path, but 1.29 does not.  I see that I can change the path for events, I assume /config/data/events may work ?

     

    Appreciate your help.

     

    Oops, my bad. They changed all the paths between 1.28 and 1.29 and I must have missed this change. That's why I had to create a separate docker. No way to update the old one in place.

     

    Will be fixed in the next update. Thanks for letting me know.

  6. Is ffmpeg included in 1.29 ?  Is the path the same as 1.28.1 (/usr/bin/avconv) ?

     

    PATH_CAMBOZOLA Web path to (optional) cambozola java streaming client (?) Should I just use the default here ?  cambozola.jar ? or /usr/share/zoneminder/www/cambozola.jar ?

     

    Can't seem to be able to get my remote IP CAM to display anything in 1.29, basically using the same settings as 1.28.1.

     

    Thanks.

     

    For all zoneminder fans, version 1.29 is out. But it's a separate container. Due to the extensive changes in the new version, it was near impossible to update a 1.28 version in place. So you'll have to install this separate container and set it up from scratch. Don't try to install it using the same config folder with existing data, it won't work.

     

    To be honest, I wasn't even able to update my existing install to 1.29 no matter how hard I tried (without deleting the existing data), so there was no way I could do it for all the existing users with different configs.

     

    Let me know if the new one has any issues

    Instructions are on the docker hub page: https://hub.docker.com/r/aptalca/zoneminder-1.29/

     

    You probably need to change the path_zms that is listed under important

  7. As always, first things first. Thanks for the LetsEncrypt container, it's almost too easy now :)

     

    I started using it ~28 days ago, and from what I remember, renewal should be due with around 30 days left.

    So I started the container and saw in the logs, that the current certs were only 10 days old and not up to renewal...

     

    The container was mostly offline, but I started it while updating to 6.2 beta. (10 days ago...)

    Port 443 was redirected to another server that is not set up for the validation process, so a new cert could not have been successfully requested/validated.

    And the cert was only 18 days old, so it should not have been renewed by your cronjob.

     

    I'm not sure what or why that happened (maybe some date/time issues while upgrading) and it's not really important.

     

     

    If 443 was not forwarded to the container, it should not have been able to validate. Plus, the script does not run the letsencrypt command unless the existing certs are at least 60 days old.

     

    Not sure what happened in your case. Maybe the certs weren't successfully created the first time you ran it. Again, without seeing the logs from before, I can't tell. An older version of this container used to calculate the cert age by the file's mtime, which wasn't the best method. Latest version actually checks the cert creation date so it's more reliable.

     

    Also, just so you know, there are two logs, the docker log will tell you what happened when the letsencrypt.sh ran at container start. And then there is the letsencrypt.log file in the config folder under log/nginx/ and that one stores the latest cron output. Make sure you check both.

     

     

    But it got me curious, so I looked through your code, because the container description is reduced to the necessary stuff.

    The code is easy to read, learned a lot about letsencrypt and that earned some bonus points :)

     

    Some things I would like to request/suggest, if it's not too much work. (to make great things even greater ;))

    1) could you add DH and RSA Key length as a variable? 2048 is good and definitely enough, but greedy people like me may want 4096+... should be quite easy from what I see.. I changed DH in firstrun.sh and added --rsa-key-size in letsencrypt.sh and got my 4096-keys. Any container update would probably revert those changes, but the renewal.conf contains the rsa-key option and dh won't be renewed anyway :)

     

    I'll give it some thought. Although the 4096 dh might take forever to generate.

     

     

    2) In my case, I did not notice the "accidental" but successful renewal. Is there an easy way to add some form of notification on successful/failed creations or renewals?

     

    letsencrypt.log file in the config folder should tell you what happened during the last attempt. I might change it to append so you can see the history as well.

     

     

    3) I saw that you are using --renew-by-default. That does mean the cert will be renewed even if the 60 days are not over, which is probably what happened 10 days ago. You could add a variable for that as well, for those who would like to test the renewal process more frequently, it's still beta after all :)

     

     

    There are two checkpoints. The first is, letsencrypt.sh that I created will only attempt a renewal if the existing certs are over 60 days old. That's done by comparing the cert creation time and the current time on the server. The other checkpoint is administered by letsencrypt servers. I don't remember their timeline but by default, if the certs aren't close to expiring, the headless command skips the renewal. This parameter bypasses that behavior so only my letsencrypt.sh script controls when the certs are renewed rather than the letsencrypt servers. The reason is that if letsencrypt sets that to 5 days before expiration and the cron script doesn't run during that time, the certs expire. And I don't want to schedule the cron script too frequently because the update method requires that the nginx webserver is taken down during cert renewal.

     

    And I certainly don't want to let the user decide on the frequency, because letsencrypt has a bunch of restrictions on that and they'll block you from further cert creations per domain or per user (this made the testing of this container fairly difficult early on as I kept hitting the limits and now I am getting a ton of e-mails daily about expiring certs that are not being used, and are all duplicates, but were created in the process).

     

     

    4) while it's great to generate certs and learn about letsencrypt, some sort of reverseproxy-support out-of-the-box would be a perfect addition. While it's definitely more work, a simple proxy-conf could be generated through some variables in the container template (source url, destination url) I guess?

     

     

    I considered that but then realized that it would never be a turn key solution. The user will always have to figure out how to set it up on their systems. I'd rather have them go and research it so they know what they are doing before attempting it, rather than me providing a partial solution and end up with a ton of support requests because they don't know what they are doing and it is just not working.

     

    I did post copies of my conf files in the letsencrypt thread, though: https://lime-technology.com/forum/index.php?topic=43696.msg437353#msg437353

     

     

    5) maybe a NTP option to make sure date/time is correct for renewal?

     

    Maybe you could add some info about the renewal to your readme/description?

    - Default Renewal after 60 days

    - Renewal does not re-validate the domain, as long as the correct cert is found on port 443 (correct me if I am wrong). So after cert creation, you could move the container to another port if you want? For example, if another server needs to run on 443 and reverse proxy is not working/wanted.

     

    But as I said, it's already a really useful container, even without any additional features, so thanks again :)

     

    The container fixes the time so that it matches the host system's local time (even for cron, which is by default UTC)

     

    I don't advertise the 60 day thing because honestly, the user does not even need to know that. The container will take care of it all. As long as it's running, the certs will be kept up-to-date. If it was down for a while, it will renew upon container start.

     

    Renewal does require revalidation. That's part of their core mission: provide short term certs that are often validated, automatically.

     

    I originally wanted to make this a separate container just for cert management. The idea was that this container would keep the certs up-to-date and put them somewhere other containers could access. But there are some serious (and annoying) restrictions with how acme is set up. You have to use either port 80 or 443 for validation. No other port works. In other words, you have to run letsencrypt on the same machine/container your webserver is running. Also, if you want to do it through port 443, you have to use letsencrypt's built-in webserver for validation, which means you have to stop your main webserver while you're validating. That's why I had to integrate it into a full nginx container so the script can do automatic renewals.

     

    So basically, this isn't really a letsencrypt container. It's actually an nginx container with letsencrypt and fail2ban built-in.

     

    On my company webserver that is hosted on a vps, I have a custom letsencrypt solution that is very similar to the one built-in here (almost the same cron script but modified for multiple certs with different domain names).
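
Posts 3 and 7 describe the renewal gate moving from the file's modification time to the certificate's own dates. The contrast as an added example (not the container's letsencrypt.sh and not aptalca's code); the 30-day window (a 90-day cert at 60 days old), the helper names and the throwaway self-signed certs are assumptions, and GNU coreutils plus the openssl CLI are required.

```shell
#!/bin/sh
# Added example: mtime-based vs certificate-based renewal gate.
# Assumptions: 90-day certs renewed at 60 days old, i.e. when fewer than
# 30 days remain; GNU stat/touch and the openssl CLI are available.
RENEW_WINDOW_DAYS=30
MAX_AGE_DAYS=60

# Old approach: treat the file's mtime as the issue date. Anything that
# rewrites or restores the file (copy, backup restore, touch) skews it.
mtime_says_renew() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1") || return 0
    [ $(( (now - mtime) / 86400 )) -ge "$MAX_AGE_DAYS" ]
}

# Newer approach: ask the certificate. `-checkend N` exits 0 only if the
# cert is still valid N seconds from now; a missing or unreadable cert
# also counts as "renew" here.
cert_says_renew() {
    ! openssl x509 -in "$1" -noout \
        -checkend $(( RENEW_WINDOW_DAYS * 86400 )) >/dev/null 2>&1
}

# Constructed sample input: throwaway self-signed cert valid for $2 days.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

verdict() { if "$1" "$2"; then echo renew; else echo keep; fi; }

demo() {
    dir=$(mktemp -d)
    make_cert "$dir/fresh.pem" 90     # 90 days left: not due
    make_cert "$dir/due.pem" 20       # 20 days left: due
    touch -d '70 days ago' "$dir/fresh.pem"   # file timestamp disturbed
    for f in fresh due; do
        echo "$f.pem: mtime check=$(verdict mtime_says_renew "$dir/$f.pem")," \
             "cert check=$(verdict cert_says_renew "$dir/$f.pem")"
    done
    rm -rf "$dir"
}
demo
```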

  8. Aptalca,

     

    I am attempting to install your DuckDNS docker, when I click the create button nothing happens.  I have the config folder defined.  I am not having any issues installing other dockers.

     

    Any help would be greatly appreciated. 

     

    Thanks,

    Dan

     

    Hit the advanced view button at the top right and it will reveal new settings and likely an error message. It won't let you install without entering that info under advanced view.

     

    And make sure you read the description at the top [emoji14]

     

    Aptalca,  you may want to update the instructions given at https://hub.docker.com/r/aptalca/docker-duckdns/ - I had to resort to searching this forum for 'duckdns' to discover that I needed to click the greyed out 'Advanced' button in the top right of the container setup page.

    You should always read the description on the container install page in the unraid gui [emoji14]

     

    The docker hub description is really for non unraid users but I leave the unraid info just to promote it.

  9.  

     

    Nginx-letsencrypt questions... and forgive my noobness. :)

     

    1.  I noticed in its setup config page it chooses port 80.  im a little bit concerned it will take over the default unraid config running on port 80... it won't, will it?    will it work if i just choose another port like 81 instead?

     

    2.  do i need to use a domain i own , or can i use a duckdns subdomain for letsencrypt?

     

    Thanks!

     

    I hope im in the right place, the support page brought me here, tho in the 36 pages i can't seem to find any mention of the letsencrypt app.

    I admit I'm a fan of a couple of Aptalca's other docker apps, specifically duckdns and zoneminder... huge thanks!

     

    No problem. I'm glad you like the containers.

     

    Port 80 for that container is optional. The letsencrypt validation occurs through 443 and you're supposed to connect to www through 443 as well in order to use ssl by default. Plus, you have to map 80 to a different port anyway because it's already being used by the unraid gui.

     

    You can use duckdns,  just make sure to put yoursubdomain.duckdns.org in the url field and leave the subdomain as www

  10. Hi Aptalca, I was wondering if you know how I might run multiple Calibre Content Server instances from your RDP-Calibre docker? The reason that I want to do this is that I have multiple libraries and I would like to serve all of them (since it doesn't seem that there is a way for server clients to switch between libraries). I've read a bit about it and seems like it's possible, but I'm not sure how to implement this via the docker. See the forum post here for more information -> http://www.mobileread.com/forums/showthread.php?t=150814

     

    Thanks!

    I think you can run multiple containers at the same time. You just have to give the second one a different container name during install and pick different ports.

  11. I'm having an issue setting up Zoneminder. It seems to fail every time it starts & I end up with a partial Child container on my docker page

     

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Zoneminder" --net="host" --privileged="true" -e TZ="America/Denver" -e HOST_OS="unRAID" -p 8181:80/ -v "/mnt/cache/Apps/zoneminder/":"/config":rw aptalca/docker-zoneminder
    docker: Invalid proto: .
    See '/usr/bin/docker run --help'.
    
    The command failed.

    Hmm. That's strange because someone else is having the same exact issue with the letsencrypt container. It seems like an unraid issue. Which unraid version are you on?

    Not at my server to check, but I don't think that the trailing / after the port should be there.

    Good eye, that's the problem. My xmls leave the protocol field blank and the dockerman fills it with tcp. It seems that the new unraid (I'm assuming folks updated to the latest beta) leaves it blank and it causes the issue

  12. I'm having an issue setting up Zoneminder. It seems to fail every time it starts & I end up with a partial Child container on my docker page

     

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Zoneminder" --net="host" --privileged="true" -e TZ="America/Denver" -e HOST_OS="unRAID" -p 8181:80/ -v "/mnt/cache/Apps/zoneminder/":"/config":rw aptalca/docker-zoneminder
    docker: Invalid proto: .
    See '/usr/bin/docker run --help'.
    
    The command failed.

    Hmm. That's strange because someone else is having the same exact issue with the letsencrypt container. It seems like an unraid issue. Which unraid version are you on?

  13. Could you elaborate on this? What's the current behavior and what is the desired?

     

    The script is used to externally trigger an event on zoneminder (e.g. security alarm going off). The script needs to be always running for this to occur. The default behaviour is that it's not running. As a temporary fix I've just added it to the zoneminder init.d script which seems to do the job.

     

    Cheers.

    Zoneminder wiki says that the script is called when you turn on opt_triggers in the settings. Does that not work for you?

     

    https://wiki.zoneminder.com/How_to_use_your_external_camera's_motion_detection_with_ZM

     

    Thanks

  14. For all zoneminder fans, version 1.29 is out. But it's a separate container. Due to the extensive changes in the new version, it was near impossible to update a 1.28 version in place. So you'll have to install this separate container and set it up from scratch. Don't try to install it using the same config folder with existing data, it won't work.

     

    To be honest, I wasn't even able to update my existing install to 1.29 no matter how hard I tried (without deleting the existing data), so there was no way I could do it for all the existing users with different configs.

     

    Let me know if the new one has any issues

  15. Running it as it set up in unraid, i am assuming since I didn't have a place to put in a login or Pass during install probably just as a nobody. I am attempting to move multiple folders via the smb shares, there is an error it states 'could not rename file smb://server_a/movies/.....'

    assuming this is a permissions thing. I have all permissions through windows smb and I know that is different but how do I assign permissions for dolphin?

    I can copy and paste but then I have to remember what to delete.

     

    I also cannot find how to change the res on it to 1920x1080 vs 1280x720?

     

    Probably a permissions issue with smb

    I actually mount the whole unraid drive in dolphin as /mnt:/mnt so I can move things natively and not through smb

    open the advanced view in container settings and you'll see the resolution variables as well as the uid and guid if you want to run it with root permissions

  16. Looking for dolphin support, it will let me copy but not move files

     

    I just tested it again and it lets me cut and paste as well as move by dragging in split screen.

     

    Are you getting an error? Do you have write permission in the folders or on the file? Are you running it as nobody or root?

  17. johnodon, I wish you didn't delete the github repo for this. I was gonna send a patch to externalize the zap2xml perl script as unevent suggested: have the user download it and place into the config folder. Then there would be no issue with the author and the docker would simply be a distinct wrapper.

     

    Any way to undelete?

  18. well guacamole came with handbrake, removed it but still this conflict

    also when i change port for sab it still doesn't come up with webgui

     

    Post a screenshot of your Docker Container Page. Just Click "Docker" Tab and take a screenshot.

    Will do asap i am  back at the server.

    Atm on the road for some stuff

    Under the docker tab, click on the container's logo and select webui. It will open the gui using the correct port
