RXWatcher Posted January 10, 2016

I am getting a Let's Encrypt error of "ImportError: Unable to import libaugeas!" Googling this makes me think a library might be missing from this image: https://github.com/letsencrypt/letsencrypt/issues/1770 Is the current docker working for others? Thanks!
aptalca Posted January 11, 2016

> I am getting a Let's Encrypt error of "ImportError: Unable to import libaugeas!" Googling this makes me think a library might be missing from this image: https://github.com/letsencrypt/letsencrypt/issues/1770 Is the current docker working for others? Thanks!

Can you provide more info, such as whether you are installing this on unraid, the full log of the error, and the configuration location? And perhaps post details on the settings you used? The container works for me and others just fine in unraid. It's unlikely that a library is missing if we are all using the same platform.
RXWatcher Posted January 11, 2016

Of course, my apologies. Perhaps it's something on my side that I misconfigured somehow. Thank you for making this.

I'm running Unraid 6.1.6. The configuration is located on an unassigned disk, in xfs format, that is just mounted with the unassigned devices plugin. It is not part of the cache or array.

Error in the /config/letsencrpt.log:

```
Traceback (most recent call last):
  File "~/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1349, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 168, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 31, in __init__
    self.plugin_cls = entry_point.load()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2380, in load
    return self.resolve()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2386, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 22, in <module>
    from letsencrypt_apache import augeas_configurator
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py", line 4, in <module>
    import augeas
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 78, in <module>
    class Augeas(object):
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 82, in Augeas
    _libaugeas = _dlopen("augeas")
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 75, in _dlopen
    raise ImportError("Unable to import lib%s!" % args[0])
ImportError: Unable to import libaugeas!
```
RXWatcher Posted January 11, 2016

Sorry to reply to myself. Looking over old comments in this thread, the issue is there. I'll try recreating the container and config dir per the previous comments.
aptalca Posted January 11, 2016

> Of course, my apologies. Perhaps it's something on my side that I misconfigured somehow. Thank you for making this.
>
> I'm running Unraid 6.1.6. The configuration is located on an unassigned disk, in xfs format, that is just mounted with the unassigned devices plugin. It is not part of the cache or array.
>
> Error in the /config/letsencrpt.log:
>
> ```
> Traceback (most recent call last):
>   File "~/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
>     sys.exit(main())
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1349, in main
>     plugins = plugins_disco.PluginsRegistry.find_all()
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 168, in find_all
>     plugin_ep = PluginEntryPoint(entry_point)
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 31, in __init__
>     self.plugin_cls = entry_point.load()
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2380, in load
>     return self.resolve()
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2386, in resolve
>     module = __import__(self.module_name, fromlist=['__name__'], level=0)
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 22, in <module>
>     from letsencrypt_apache import augeas_configurator
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py", line 4, in <module>
>     import augeas
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 78, in <module>
>     class Augeas(object):
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 82, in Augeas
>     _libaugeas = _dlopen("augeas")
>   File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 75, in _dlopen
>     raise ImportError("Unable to import lib%s!" % args[0])
> ImportError: Unable to import libaugeas!
> ```

That's not the docker log. Can you get the log by typing the following in the unraid terminal and posting the contents? If it's too long you can post it on pastebin and put the link here.

```
docker logs Nginx-letsencrypt
```

Thanks
lonix Posted January 12, 2016

Good job there aptalca, you should hang out with us on irc sometime.
aptalca Posted January 12, 2016

> Good job there aptalca, you should hang out with us on irc sometime.

Thanks. Sure, I'll stop by.
Ockingshay Posted January 12, 2016

Is there a way of using this to generate a certificate that could be used in unRAID to cover various dockers? I.e. every time I launch owncloud it asks me or my users if they are sure they want to continue. It would be great to have this work with all of my https traffic.
aptalca Posted January 12, 2016

> Is there a way of using this to generate a certificate that could be used in unRAID to cover various dockers? I.e. every time I launch owncloud it asks me or my users if they are sure they want to continue. It would be great to have this work with all of my https traffic.

Sure, leave this docker running with the default landing page. Make sure that port 443 is still forwarding to it from the outside so it can renew the certificates every 60 days. Then you can mount this container's config folder in any other docker and set those to use the certificate in the following folder:

```
"letsencryptconfigfolder"/etc/letsencrypt/live/"your url"/
```

This folder contains symlinks to the latest certificates. Don't forget to set the correct permissions. The certs by default are locked down tight.
aptalca Posted January 15, 2016

New update for the letsencrypt container: added support for fail2ban.

If you are relying on http auth through htpasswd to password protect your web pages or reverse proxied containers, then you must have noticed that someone can technically brute force to gain entry. Well, fail2ban can prevent that by banning IPs. It can also do a lot more, like prevent DDoS attacks and such, but you can worry about that later.

The updated container will create a jail.local file and a fail2ban-filters folder in your config folder. You can modify the jail.local file to enable or add filters, and drop the filter conf files into the filters folder. Restart the container and done.

By default, the container will ban users for 10 min if they provide a wrong password 5 times within a 10 min period. You can change these by modifying the nginx-http-auth.conf file.

Important note: If you are updating an existing container, please edit the container settings and put a check mark next to privileged under advanced settings. Otherwise fail2ban won't work because it will not be able to modify iptables.
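The rule the post describes (five wrong passwords within a 10 minute window earns a 10 minute ban, fed by nginx's auth_basic error_log lines) replayed in Python, as an added example that is not part of the post or of the container: the regex is a simplified form of fail2ban's nginx-http-auth filter, and the log lines, IP addresses and hostname are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified form of the pattern fail2ban's nginx-http-auth filter uses to
# recognise the error_log lines nginx writes when auth_basic rejects a login.
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9a-fA-F.:]+),'
)
# The container defaults from the post: 5 failures within 10 min => 10 min ban.
MAXRETRY, FINDTIME, BANTIME = 5, timedelta(minutes=10), timedelta(minutes=10)


def parse_failure(line):
    """Return (timestamp, client ip) for an auth failure line, else None."""
    m = AUTH_FAIL.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("ip")


def compute_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order; return {ip: ban start} for IPs over the limit."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip] + bantime:
            continue  # still banned: the iptables rule would be dropping this client
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # keep only failures inside the findtime window
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans


def _line(ts, ip, msg='user "admin": password mismatch'):
    # Constructed nginx error_log line in the shape an auth_basic failure produces.
    return (f'{ts} [error] 245#245: *17 {msg}, client: {ip}, server: xyz.duckdns.org, '
            f'request: "GET /sonarr HTTP/1.1", host: "xyz.duckdns.org"')

# Constructed sample: 203.0.113.7 fails five times in four minutes (banned);
# 198.51.100.9 also fails five times, but spread over more than ten minutes (not banned).
SAMPLE_LOG = (
    [_line("2016/01/15 20:00:01", "203.0.113.7",
           'user "bob" was not found in "/config/nginx/.htpasswd"')]
    + [_line("2016/01/15 20:00:30", "198.51.100.9")]
    + [_line(f"2016/01/15 20:0{m}:00", "203.0.113.7") for m in range(1, 5)]
    + ["2016/01/15 20:04:30 [notice] 245#245: signal process started"]  # not an auth failure
    + [_line("2016/01/15 20:05:00", "203.0.113.7")]  # arrives while already banned
    + [_line(f"2016/01/15 20:11:{s:02d}", "198.51.100.9") for s in (0, 10, 20, 30)]
)
```

Running `compute_bans(SAMPLE_LOG)` returns only 203.0.113.7, banned from 20:04:00; the second client never has five failures inside one 10 minute window, which is exactly the findtime/maxretry distinction you tune in jail.local.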
rix (Author) Posted January 16, 2016

Never would I have expected this request to be met this perfectly, in such short time. This latest update makes me really confident in my setup and its security! Thank you so much aptalca! Fail2ban is amazing. Didn't even think about that!
aptalca Posted January 16, 2016

> Never would I have expected this request to be met this perfectly, in such short time. This latest update makes me really confident in my setup and its security! Thank you so much aptalca! Fail2ban is amazing. Didn't even think about that!

It's been a good learning experience for me. Glad it's working well for everyone.
jrdnlc Posted January 17, 2016

So when can we get an Apache version of this?
aptalca Posted January 17, 2016

> So when can we get an Apache version of this?

Not from me, but anyone can feel free to fork this.
rix (Author) Posted January 17, 2016

For a HTPC nginx is the perfect webserver btw. It's lightweight and really good at reverse proxying. Try it out if you can!
JonathanM Posted January 17, 2016

Does this particular docker implementation support php and perl scripts out of the box?
aptalca Posted January 17, 2016

> Does this particular docker implementation support php and perl scripts out of the box?

php yes, perl no. I don't know the first thing about perl. If you let me know what you need pre-installed (fcgiwrap? spawn-fcgi?) I can put those in and you can figure out the nginx config. I found the following tutorial for nginx-perl, is that what you need? https://www.linode.com/docs/websites/nginx/nginx-and-perlfastcgi-on-ubuntu-12-04-lts-precise-pangolin
JonathanM Posted January 17, 2016

> php yes, perl no. I don't know the first thing about perl. If you let me know what you need pre-installed (fcgiwrap? spawn-fcgi?) I can put those in and you can figure out the nginx config. I found the following tutorial for nginx-perl, is that what you need? https://www.linode.com/docs/websites/nginx/nginx-and-perlfastcgi-on-ubuntu-12-04-lts-precise-pangolin

I think this may be a case of the blind leading the blind. I have been trying to get a perl script to run on ls.io's apache docker with limited success. Perl runs ok if it's a self contained script, but fails if it tries to create or edit files. It seems to be a permissions issue where the apache user calling the perl script doesn't have write permissions, but my googling hasn't been productive in correcting the issue.

To directly answer your question, it looks like that tutorial has the directions to enable perl in nginx, but you may need to install perl in the container as well if it's a stripped base version. `perl -v` at the container's bash prompt will tell you that part.

Thanks for looking at it!
smashingtool Posted January 19, 2016

So I got to the temporary webpage from outside my network. However, upon trying to set up the server part of the nginx config, that breaks and nothing works. Can anyone spot what's wrong with my config? This isn't the only thing I've tried, but it's where I stand now:

```nginx
server {
    listen 443 ssl;
    server_name xyz.duckdns.org;

    ### Set Certificates ###
    ssl_certificate /config/etc/letsencrypt/live/xyz.duckdns.org/fullchain.pem;
    ssl_certificate_key /config/etc/letsencrypt/live/xyz.duckdns.org/privkey.pem;

    ### Add Diffie-Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ### Disable SSL by enforcing TLS ###
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ### Add some ciphers and reject weaker ones ###
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Front-End-Https on;
    ssl_trusted_certificate /config/etc/letsencrypt/live/xyz.duckdns.org/chain.pem;

    ### Other Settings ###
    client_max_body_size 0m;

    location /owncloud/ {
        ### Proxy Pass Info ###
        proxy_pass http://192.168.1.130:8000/;

        ### Set headers ###
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Set timeouts ###
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        proxy_connect_timeout 600s;
    }
}
```

Do I need to do something with OwnCloud? I have a VPN set up, so OwnCloud was the only one I was planning to use with the reverse proxy. I might add Plexrequests, but that's low priority. All my other dockers are only for me to access, so VPN works better.
smashingtool Posted January 20, 2016

Okay, I got this working with OwnCloud, more or less. One thing that bothers me though is that now when I access it from my internal network (192.168.1.130:8000) the CSS doesn't load and it's impossible to log in. IDK if that's working as intended or not. But anyway, at my DDNS address, everything is peachy.
aptalca Posted January 20, 2016

> Okay, I got this working with OwnCloud, more or less. One thing that bothers me though is that now when I access it from my internal network (192.168.1.130:8000) the CSS doesn't load and it's impossible to log in. IDK if that's working as intended or not. But anyway, at my DDNS address, everything is peachy.

You probably need to use a url prefix.
aptalca Posted January 20, 2016

For reference, below are my config files for reverse proxy with this container (all personal info X'ed out).

/config/nginx/site-confs/default

```nginx
server {
    listen 443 ssl default_server;

    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        root /config/www;
        index index.html index.htm index.php;
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
    }

    location /sabnzbd {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sabnzbd;
    }

    location /cp {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/cp;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sonarr;
    }

    location /plexwatch {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/plexWatch;
    }

    location /htpc {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/htpc;
    }
}
```

/config/nginx/nginx.conf

```nginx
user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    client_max_body_size 0;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
}
```

/config/nginx/proxy.conf

```nginx
client_max_body_size 10m;
client_body_buffer_size 128k;

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
```

All my containers are using url prefixes. At the root, I am using a basic html5 webpage (protected with htpasswd) which just links to all the proxies.

Note that I removed the lines for php, because it interfered with plexWatch. I guess it was routing the php scripts meant to be run in the plexWatch container to nginx's internal php. Since I didn't need any php support for my main webpage (all html5) I removed php altogether.

Hope this helps
smashingtool Posted January 21, 2016

Thank you Aptalca! That should help considerably.
kal Posted January 21, 2016

Great to see the fail2ban addition! I have been investigating it myself, so imagine my delight at reading the patch notes. Many thanks
wreave Posted February 21, 2016

I am finding some weird behaviors when trying to mimic your configuration. Sab is working fine, but sonarr is just displaying 'Sonarr Ver' and couchpotato gives a 404 not found because it is trying to load the login page apparently. Any ideas? I'd like to get this working but it is consuming a ton of time.