[Request/Done] Let's Encrypt Container


rix


Hi, loving the docker. I run a small website on it atm and was doing some speed checks and came across this https://developers.google.com/speed/pagespeed/module/ and was wondering if there was any way you could use that with the docker? Doubt it would be worth your time but might be a nice extra. Or it might be impossible, just thought I'd ask.

 

I looked into it, and it seems you have to build nginx with support for pagespeed. I'm afraid it would be too much work to maintain it, as I would have to rebuild it every time nginx is updated. Currently, nginx is updated with a simple push to the docker hub (literally a single click)


Hi,

 

First off thanks to aptalca for the container, I installed yesterday and it's working a treat. I replaced the apache reverse proxy I was using, having it auto handle SSL is great.

 

I have it doing reverse proxy for a few things. I had a bit of a mission getting it to talk to binhex's rtorrentvpn docker, so thought I would add my config here to save anyone else the time doing it later.

 

I used aptalca's config examples as my starting point, and I also had to disable php for rutorrent (like aptalca mentioned for plexwatch).

 

I didn't want to modify the rutorrent config, so I have this docker doing a url rewrite.

I am also using a different username in rutorrent, so I added an auth setting to authenticate between this docker and rutorrent, so I only need to authenticate with this docker using its username and password.

 

This is the entry in the site-confs/default

location /rutorrent {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    proxy_set_header Authorization "Basic ####INSERT BASE64 HASH####";
    rewrite ^/rutorrent(/.*)$ $1 break;
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.0.250:9080/;
}

 

Oh, to generate your BASE64 hash you can use an online encoder such as https://www.base64encode.org/

 

So take username:password (using your username and password as defined in rutorrent) and encode it, and you will get something like "dXNlcm5hbWU6cGFzc3dvcmQ=", and that line will look like:

proxy_set_header Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";

 

Personally I would ensure the password is unique; if someone gets your hash they can decode it.

 

Hope that helps someone.

 

Wob

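An added example, not part of Wob's post or the container: the "BASE64 hash" above is only an encoding, so the credential in that proxy_set_header line is recoverable by anyone who can read the config. The script builds the header value the same way the post describes, decodes it to make that point, and scans an nginx config for hard-coded Basic credentials so you know which upstream accounts are sitting in plain text. The sample config below is constructed to mirror the rutorrent block above; only `base64`, `sed` and `cut` are assumed to be present.

```shell
#!/bin/sh
# Added example (not from the original post): build and audit the value used in
#   proxy_set_header Authorization "Basic <value>";
# base64 is reversible, so this is a stored password, not a hash.

# Encode "user:password" the way RFC 7617 Basic auth expects.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse it: shows the credential in the config can be read back verbatim.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Audit helper: list every hard-coded Basic credential in an nginx config file
# together with the username it exposes (the password is deliberately not printed).
audit_basic_headers() {
    sed -n 's|.*Authorization[[:space:]]*"Basic[[:space:]]*\([A-Za-z0-9+/=]*\)".*|\1|p' "$1" |
    while read -r token; do
        user=$(basic_auth_decode "$token" | cut -d: -f1)
        printf 'hard-coded Basic credential for user "%s"\n' "$user"
    done
}

# Constructed sample config mirroring the rutorrent location block in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
location /rutorrent {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    proxy_set_header Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";
    rewrite ^/rutorrent(/.*)$ $1 break;
    proxy_pass http://192.168.0.250:9080/;
}
EOF

echo "header value for username:password -> $(basic_auth_value username password)"
echo "decoded back: $(basic_auth_decode dXNlcm5hbWU6cGFzc3dvcmQ=)"
audit_basic_headers "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run `audit_basic_headers /config/nginx/site-confs/default` against the real file to see which upstream accounts are embedded; because the value decodes, the rutorrent password should be unique to that service, as the post already advises, and the config file should not be readable by other containers or users.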

Every time I start up the docker container the nginx server seems to fail.

I only have a free dns from no-ip.

 

Using existing nginx.conf
Using existing nginx-fpm.conf
Using existing site config
Using existing landing page
Using existing jail.local
Using existing fail2ban filters
No subdomains defined
Using existing DH parameters
<------------------------------------------------->

<------------------------------------------------->
cronjob running at Thu Jul 14 08:01:32 CEST 2016
Updating certbot script. It will display help info, which you can ignore

certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
register Perform tasks related to registering with the CA
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

--authenticator standalone --installer apache

More detailed help:

-h, --help [topic] print this message, or detailed help on a topic;
the available topics are:

all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, register, nginx, apache, standalone, webroot,
etc.)

URL is ***.ddns.net
Subdomains are
deciding whether to renew the cert(s)
Preparing to generate server certificate for the first time
Temporarily stopping Nginx
* Stopping nginx nginx
...done.
Generating/Renewing certificate
Restarting web server
* Starting nginx nginx
...fail!
* Starting nginx nginx
...fail!
* Starting authentication failure monitor fail2ban
...fail!
Jul 14 08:01:41 b7459a9ee1c4 syslog-ng[171]: syslog-ng starting up; version='3.5.3'

 

Any solutions?


After further investigation it seems like the nginx server cannot access /config/keys.

Letsencrypt seems to be the problem here...

Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah

 

If that wasn't the issue, post a screenshot of your container settings


Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah

 

If that wasn't the issue, post a screenshot of your container settings

Doesn't storing something under /mnt/disk and not under /mnt/user break the parity? Greetings


 

 

Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah

 

If that wasn't the issue, post a screenshot of your container settings

Doesn't storing something under /mnt/disk and not under /mnt/user break the parity? Greetings

 

Writing to /mnt/disk does not break parity. It just specifies which disk unraid writes the information to.

 

Doing a move operation between a user share and a disk share can create issues where data can disappear (but still not break parity)

 

Unraid won't let you break parity under normal circumstances. I believe that only if there's a write error to a disk, parity may get broken (or if you mount a disk in a different os or machine and write to it outside of unraid)


So I've managed to get the container working initially, as in it generates a cert and I can reach the default nginx index page via https://my.url.com, however when I go to add a location entry for Seafile, nginx fails to start upon restarting the container... am I doing something wrong?

 

The problem is that I can't seem to replicate somebody's config entirely because I have the Nginx container running on Unraid @ 192.168.1.200 and Seafile is running in a VM @ 192.168.1.201:8000

 

Below is my current /config/nginx/sites-conf/default file

server {
    listen 80;

    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'xxxxxx';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location /seafile {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.201:8000;
    }
}

 

Any ideas what the problem could be? It's probably something stupidly simple, however I've been struggling to just get Seafile working all day and I think my brain is fried at this point. Thanks!


Hi Everyone,

 

So I've read every single post in this thread (yay me!). The reverse proxy stuff and configurations all make sense to me. I have two other use cases that I'm wondering about.

 

1. Can I use the certs created by LE for my VPN Server on my router (OpenVPN)?

2. Can I use the certs created by LE for use in Emby Server? This wouldn't be a reverse proxy, it asks for a certificate in the settings. I'm hoping I can just point the setting to the cert folder, or something along those lines.

 

Thanks!


 

 

Hi Everyone,

 

So I've read every single post in this thread (yay me!). The reverse proxy stuff and configurations all make sense to me. I have two other use cases that I'm wondering about.

 

1. Can I use the certs created by LE for my VPN Server on my router (OpenVPN)?

2. Can I use the certs created by LE for use in Emby Server? This wouldn't be a reverse proxy, it asks for a certificate in the settings. I'm hoping I can just point the setting to the cert folder, or something along those lines.

 

Thanks!

 

For emby server it should be relatively easy. Since you just enter the path of the certs, you can map the location of the le certs in the emby container and point to them (I'm assuming it uses the certs in place rather than importing them). When the certs are renewed, the path should still be valid and should keep pointing to the active certs.

 

For openvpn, I believe you have to upload them. So you would have to upload the new certs every 60 days following renewal.

 

In le, you can find the certs in the following location:

 

Configfolder/etc/letsencrypt/live/your.domain/fullchain.pem


Got it installed and working. But I can't use the path for Emby. Only the root user can get past the live directory; when I try to browse to that location from within Emby, it doesn't let me get past. Do I have to make Emby privileged? Would that be dangerous to do?

 

Emby is also looking for a .pfx file, instead of a .pem file.



Got it installed and working. But I can't use the path for Emby. Only the root user can get past the live directory; when I try to browse to that location from within Emby, it doesn't let me get past. Do I have to make Emby privileged? Would that be dangerous to do?

 

Emby is also looking for a .pfx file, instead of a .pem file.

 

Not sure about the permissions to be honest. What happens if you directly map the folder the keys are in? So in container settings, you would map /keys to /mnt/cache/appdata/Nginx-letsencrypt/etc/letsencrypt/live/your.domain/ (fix the path for your case), so within emby you would just browse to /keys and the certs would be there.

 

In terms of pfx vs pem, I found this through google: http://emby.media/community/index.php?/topic/34004-server-access/

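An added example, not from the thread or the container image: Emby asks for a .pfx, and the Let's Encrypt files are a PEM pair, so the usual route is to package fullchain.pem and privkey.pem into a PKCS#12 bundle with openssl. The paths, the output name and the export password are assumptions; point CHAIN and KEY at the live/your.domain files from the earlier reply. The demo at the bottom generates a throwaway self-signed pair (constructed, not LE-issued) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): convert the LE PEM pair into a
# .pfx for applications such as Emby that want PKCS#12.

# Build a .pfx from fullchain.pem + privkey.pem. The private key inside the
# bundle is protected only by the export password, so treat the .pfx exactly
# like privkey.pem: keep it out of /config/www and out of world-readable paths.
pem_to_pfx() {
    chain=$1; key=$2; out=$3; password=$4
    openssl pkcs12 -export -in "$chain" -inkey "$key" \
        -out "$out" -passout "pass:$password" || return 1
    chmod 600 "$out"
}

# Sanity check: the bundle opens with the password and contains a certificate.
pfx_has_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
}

# Certbot replaces the files under live/ at each renewal, so the .pfx goes
# stale unless this script is rerun after every renewal (e.g. from the same
# cron that runs the renewal in the container).

# Self-contained demo with a throwaway self-signed pair (constructed test data).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "$work/privkey.pem" -out "$work/fullchain.pem" 2>/dev/null
    pem_to_pfx "$work/fullchain.pem" "$work/privkey.pem" "$work/emby.pfx" 'change-me' &&
        pfx_has_cert "$work/emby.pfx" 'change-me'
    status=$?
    rm -rf "$work"
    return $status
}

demo && echo "pfx built and verified"
```

For the real files, run `pem_to_pfx /config/etc/letsencrypt/live/your.domain/fullchain.pem /config/etc/letsencrypt/live/your.domain/privkey.pem /config/keys/emby.pfx 'your-export-password'` from inside the container (or with the host-side appdata path), then map only the directory holding the .pfx into the Emby container rather than the whole letsencrypt tree, which avoids the live/ permission problem described above without making Emby privileged.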

First off, thanks for the docker! Working great. One semi issue though - where are the fail2ban config files? I see the jail.local but the other configs? I have it working with a htpasswd but it doesn't log anything. I've tried changing the log level with ssh + docker exec but it's not generating a file. There's the access log from nginx but I'd like to be able to see fail2ban's stuff directly, like banned IPs. I checked iptables -L to see if I could check banned IPs, but not seeing them there either. Although it is definitely working, I've tested the functionality.

 


First off, thanks for the docker! Working great. One semi issue though - where are the fail2ban config files? I see the jail.local but the other configs? I have it working with a htpasswd but it doesn't log anything. I've tried changing the log level with ssh + docker exec but it's not generating a file. There's the access log from nginx but I'd like to be able to see fail2ban's stuff directly, like banned IPs. I checked iptables -L to see if I could check banned IPs, but not seeing them there either. Although it is definitely working, I've tested the functionality.

 

I did not separate out and save the fail2ban logs to the config folder. Mainly because there is a better way to check its status. Fail2ban-client is the way to go.

 

In the unraid console, running the following will show you the active jails:

docker exec -it Nginx-letsencrypt fail2ban-client status

 

And the following will show you the details of a specific jail activity, including the IPs that are currently banned:

docker exec -it Nginx-letsencrypt fail2ban-client status nginx-http-auth

 

The main config file for fail2ban is inside the container at /etc/fail2ban and its logs are at /var/logs

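An added example, not part of aptalca's reply or the container: a small wrapper around the two fail2ban-client commands above that turns a jail's status into one line suitable for a monitoring script or a cron-driven check. The container name Nginx-letsencrypt and the jail name nginx-http-auth are taken from the reply; the sample status text is constructed to match the fail2ban 0.9 status layout and stands in for the real `docker exec` call so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): summarize a fail2ban jail from
# the output of "docker exec Nginx-letsencrypt fail2ban-client status <jail>".

CONTAINER=Nginx-letsencrypt

# Live call, used when a docker daemon is reachable from the unraid console.
jail_status() {
    docker exec "$CONTAINER" fail2ban-client status "$1"
}

# Extract the space-separated banned IPs from status text read on stdin.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p'
}

# Extract the "Currently banned" count from status text read on stdin.
currently_banned() {
    sed -n 's/.*Currently banned:[[:space:]]*\([0-9]*\).*/\1/p'
}

# One-line summary: jail name on $1, status text on stdin.
summarize() {
    text=$(cat)
    count=$(printf '%s\n' "$text" | currently_banned)
    ips=$(printf '%s\n' "$text" | banned_ips)
    printf '%s: %s banned [%s]\n' "$1" "${count:-0}" "${ips:-none}"
}

# Constructed sample output in the fail2ban 0.9 status layout (documentation IPs).
SAMPLE_STATUS='Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     5
|  `- File list:        /config/log/nginx/error.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   203.0.113.7 198.51.100.23'

printf '%s\n' "$SAMPLE_STATUS" | summarize nginx-http-auth
# Against the running container instead:
#   jail_status nginx-http-auth | summarize nginx-http-auth
```

Because the ban count and IP list come straight from fail2ban-client, this gives the same view of active bans as the iptables chains inside the container, which the host's `iptables -L` does not show since the container has its own network namespace.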

Hmm, something is odd on my end then. My etc folder only has a letsencrypt folder inside it, nothing for fail2ban. Also not in the root /etc directory with the cron data in case you meant that one.

 

 

Edit: I did get the status command working though, thanks!


Hmm, something is odd on my end then. My etc folder only has a letsencrypt folder inside it, nothing for fail2ban. Also not in the root /etc directory with the cron data in case you meant that one.

 

 

Edit: I did get the status command working though, thanks!

I meant under root /etc not the one under the config folder.

 

If you do

docker exec -it Nginx-letsencrypt bash

to exec into the container, go into /etc/fail2ban and you'll see the rest of the files

 


This is great! It let me get rid of my nginx/LE VM I was using, and it saved me trying to learn to do it with haproxy on my pfSense router ;). Here's my config, which is shamelessly stolen and modified from posts here in addition to what I was already running, and which might be of some help to people trying to piece one together.

 

default

server {
    listen 80;
    listen 443 ssl http2;
    server_name mysecretdomain.com www.mysecretdomain.com;
    include /config/nginx/proxy.conf;
    include /config/nginx/auth.conf;
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.168.100.50/;
        proxy_buffering off;
    }
    location /nzbget {
        proxy_pass http://192.168.100.50:6789;
    }
    location /couchpotato {
        proxy_pass http://192.168.100.50:5050/couchpotato;
    }
    location /sonarr {
        proxy_pass http://192.168.100.50:8989/sonarr;
    }
    location /plexpy {
        proxy_pass http://192.168.100.50:8181/plexpy;
    }
}

 

auth.conf

satisfy any;
allow 192.168.100.0/24;
deny all;
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

 

proxy.conf

client_max_body_size 0;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;


I've read through all the pages of this post.

 

I can't get the cert to generate. I'm trying to use duckdns.org for DDNS

 

The log shows it failed connecting to 443 on the duckdns.org domain. I of course don't own that :)

 

URL is duckdns.org
Subdomains are xxx
deciding whether to renew the cert(s)
Preparing to generate server certificate for the first time
Temporarily stopping Nginx
* Stopping nginx nginx
...done.
Generating/Renewing certificate
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: duckdns.org
Type: connection
Detail: Failed to connect to 54.187.92.222:443 for TLS-SNI-01
challenge

 

I have the router forwarding 443 to 443 of the host to 443 of the container.

 

thanks, jb


I am using this with duckdns.org and it works.

From memory you need to put your subdomain into the domain field and leave subdomain blank.

(exactly because you don't own duckdns.org)

 

xxxxx.duckdns.org

 

I am at work at the moment but I can check my config when I get home tonight.

