[Request/Done] Let's Encrypt Container


rix

I am getting a Let's Encrypt error of "ImportError: Unable to import libaugeas!"

 

Googling this makes me think a library might be missing from this image:

 

https://github.com/letsencrypt/letsencrypt/issues/1770

 

Is the current docker working for others?

 

Thanks!

Can you provide more info, such as whether you are installing this on unraid, the full log of the error, and the configuration location?

 

And perhaps post details on the settings you used?

 

The container works for me and others just fine in unraid. It's unlikely that a library is missing if we are all using the same platform.

Of course, my apologies. Perhaps it's something on my side that I misconfigured somehow.

 

Thank you for making this

 

I'm running Unraid 6.1.6. The configuration is located on an unassigned disk, in xfs format, that is just mounted with the unassigned devices plugin. It is not part of the cache or array.

 

 

Error in /config/letsencrypt.log:

 

Traceback (most recent call last):
  File "~/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1349, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 168, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 31, in __init__
    self.plugin_cls = entry_point.load()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2380, in load
    return self.resolve()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2386, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 22, in <module>
    from letsencrypt_apache import augeas_configurator
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py", line 4, in <module>
    import augeas
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 78, in <module>
    class Augeas(object):
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 82, in Augeas
    _libaugeas = _dlopen("augeas")
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 75, in _dlopen
    raise ImportError("Unable to import lib%s!" % args[0])
ImportError: Unable to import libaugeas!

 

 

That's not the docker log.

 

Can you get the log by typing the following in the unraid terminal and posting the contents? If it's too long, you can post it on pastebin and put the link here.

 

docker logs Nginx-letsencrypt

 

Thanks

Is there a way of using this to generate a certificate that could be used in unRAID to cover various dockers? I.e. every time I launch OwnCloud it asks me or my users whether they are sure they want to continue.

 

It would be great to have this work with all of my https traffic.

Sure, leave this docker running with the default landing page. Make sure that port 443 is still forwarding to it from the outside so it can renew the certificates every 60 days.

 

Then you can mount this container's config folder in any other docker and set those to use the certificate in the following folder: "letsencryptconfigfolder"/etc/letsencrypt/live/"your url"/

 

This folder contains symlinks to the latest certificates. Don't forget to set the correct permissions. The certs by default are locked down tight.

 

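An added check (not part of the container or its author's code) for the shared certificate folder described above: it walks live/<domain>/, follows each symlink into archive/, and reports whether the link still resolves and whether the private key is readable by others. The certbot layout and the xyz.duckdns.org name are assumptions, and the files it creates are placeholders, not real keys.

```python
"""Inspect the live/<domain>/ folder the post says to share with other containers.
Illustrative code added here, not the container's own. Assumes certbot's layout:
live/ holds relative symlinks into archive/, where the versioned files live."""
import os
import shutil
import tempfile

CERT_FILES = ("privkey.pem", "fullchain.pem", "chain.pem", "cert.pem")

def check_live_certs(config_root, domain):
    """Return {name: {"target", "dangling", "others_readable"}} per live/ entry.
    dangling: the symlink target is missing (e.g. only live/ was mounted, not the
    whole config folder).  others_readable: group/other can read the resolved file,
    which for privkey.pem undoes the locked-down default the post mentions."""
    live = os.path.join(config_root, "etc", "letsencrypt", "live", domain)
    report = {}
    for name in CERT_FILES:
        link = os.path.join(live, name)
        target = os.path.realpath(link) if os.path.islink(link) else None
        exists = target is not None and os.path.exists(target)
        mode = os.stat(target).st_mode & 0o777 if exists else 0
        report[name] = {"target": target, "dangling": not exists,
                        "others_readable": bool(mode & 0o044)}
    return report

def build_demo_tree(root, domain="xyz.duckdns.org"):
    """Constructed stand-in for a certbot config folder (placeholder text, no real
    keys): privkey is 0600, the public chain files 0644, live/ links to version 1."""
    archive = os.path.join(root, "etc", "letsencrypt", "archive", domain)
    live = os.path.join(root, "etc", "letsencrypt", "live", domain)
    for folder in (archive, live):
        os.makedirs(folder)
    for name in CERT_FILES:
        base = name[:-len(".pem")]
        path = os.path.join(archive, f"{base}1.pem")
        with open(path, "w") as f:
            f.write(f"placeholder {base}\n")
        os.chmod(path, 0o600 if base == "privkey" else 0o644)
        os.symlink(f"../../archive/{domain}/{base}1.pem", os.path.join(live, name))
    return root

def demo(domain="xyz.duckdns.org"):
    """Compare mounting the whole config folder with copying only live/ (dangles)."""
    full_root = build_demo_tree(tempfile.mkdtemp(), domain)
    full = check_live_certs(full_root, domain)
    partial_root = tempfile.mkdtemp()
    shutil.copytree(os.path.join(full_root, "etc", "letsencrypt", "live"),
                    os.path.join(partial_root, "etc", "letsencrypt", "live"),
                    symlinks=True)
    partial = check_live_certs(partial_root, domain)
    shutil.rmtree(full_root)
    shutil.rmtree(partial_root)
    return full, partial
```

Run demo() to see both outcomes: with the whole config folder available every link resolves and only privkey.pem is unreadable by others; with just live/ copied, every entry is reported as dangling.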
New update for the letsencrypt container

 

Added support for fail2ban

 

If you are relying on http auth through htpasswd to password protect your web pages or reverse proxied containers, then you must have noticed that someone can technically brute force it to gain entry.

 

Well, fail2ban can prevent that by banning IPs. It can also do a lot more, like prevent DDoS attacks and such, but you can worry about that later.

 

The updated container will create a jail.local file and a fail2ban-filters folder in your config folder. You can modify the jail.local file to enable or add filters, and drop the filter conf files into the filters folder. Restart the container and you're done.

 

By default, the container will ban users for 10 min if they provide a wrong password 5 times within a 10 min period. You can change these by modifying the nginx-http-auth.conf file.

 

Important note: If you are updating an existing container, please edit the container settings and put a check mark next to privileged under advanced settings. Otherwise fail2ban won't work because it will not be able to modify iptables.

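As an added illustration of the jail this update describes (example code, not fail2ban's implementation or the container's), this Python snippet replays constructed nginx error_log lines through the same rule: five basic-auth failures from one client IP inside ten minutes earn a ten-minute ban. The log line format, the regex, and the sample addresses are assumptions.

```python
"""Model of the fail2ban nginx-http-auth jail described above: count nginx basic-auth
failures per IP, ban after maxretry within findtime. Illustrative, not fail2ban's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two error_log messages the stock nginx-http-auth filter keys on:
# a wrong password, or a username absent from the htpasswd file.
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>\d+\.\d+\.\d+\.\d+),')

def parse_failure(line):
    """Return (timestamp, client ip) for an auth-failure line, else None."""
    m = AUTH_FAIL.match(line)
    return (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"]) if m else None

def find_bans(lines, maxretry=5, findtime=600, bantime=600):
    """Replay error_log lines and return {ip: [time of each ban]}. Defaults mirror
    the container (5 failures in 10 min -> 10 min ban). Failures from an IP that
    is currently banned are ignored, as iptables would already drop that traffic."""
    window, ban = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent = defaultdict(deque)          # ip -> failure timestamps inside findtime
    banned_until, bans = {}, defaultdict(list)
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ts < banned_until.get(ip, ts):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + ban
            q.clear()
    return dict(bans)

def _line(ts, user, ip, missing=False):
    """Build a constructed nginx error_log auth-failure line (not a real capture)."""
    what = ' was not found in "/config/nginx/.htpasswd"' if missing else ': password mismatch'
    return (f'{ts} [error] 510#0: *12 user "{user}"{what}, client: {ip}, server: _, '
            f'request: "GET /sabnzbd/ HTTP/1.1", host: "xyz.duckdns.org"')

# Constructed sample: 203.0.113.5 fails 5 times in 4 min (banned on the 5th; a 6th
# attempt while banned is ignored), one unrelated error line is skipped by the filter,
# and 192.0.2.9 spreads 5 failures so no 10 min window holds 5 of them (never banned).
SAMPLE_LOG = (
    [_line(f"2016/01/10 12:0{i}:00", "admin", "203.0.113.5") for i in range(5)]
    + [_line("2016/01/10 12:04:30", "root", "203.0.113.5", missing=True),
       '2016/01/10 12:01:10 [error] 510#0: *13 open() "/config/www/x" failed (2: No such file)']
    + [_line(f"2016/01/10 12:{m:02d}:00", "bob", "192.0.2.9") for m in (0, 3, 6, 9, 20)]
)
```

find_bans(SAMPLE_LOG) bans only 203.0.113.5, at 12:04:00; lowering maxretry to 3 also catches the slower client, which is the trade-off the nginx-http-auth.conf knobs expose.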
Never would I have expected this request to be met this perfectly, in such short time. This latest update makes me really confident in my setup and its security! Thank you so much aptalca! Fail2ban is amazing. Didn't even think about that!

It's been a good learning experience for me. Glad it's working well for everyone.

Does this particular docker implementation support php and perl scripts out of the box?

 

php yes, perl no

 

I don't know the first thing about perl. If you let me know what you need pre-installed (fcgiwrap? spawn-fcgi?) I can put those in and you can figure out the nginx config.

 

I found the following tutorial for nginx-perl, is that what you need? https://www.linode.com/docs/websites/nginx/nginx-and-perlfastcgi-on-ubuntu-12-04-lts-precise-pangolin

I think this may be a case of the blind leading the blind. I have been trying to get a perl script to run on ls.io's apache docker with limited success. Perl runs ok if it's a self contained script, but fails if it tries to create or edit files. It seems to be a permissions issue where the apache user calling the perl script doesn't have write permissions but my googling hasn't been productive in correcting the issue.

 

To directly answer your question, it looks like that tutorial has the directions to enable perl in nginx, but you may need to install perl in the container as well if it's a stripped base version. perl -v at the container's bash prompt will tell you that part.

 

Thanks for looking at it!

So I got to the temporary webpage from outside my network.

 

However, upon trying to set up the server part of the nginx config, that breaks and nothing works. Can anyone spot what's wrong with my config? This isn't the only thing I've tried, but it's where I stand now:

 

server {
    listen 443 ssl;
    server_name xyz.duckdns.org;

    ### Set Certificates ###
    ssl_certificate /config/etc/letsencrypt/live/xyz.duckdns.org/fullchain.pem;
    ssl_certificate_key /config/etc/letsencrypt/live/xyz.duckdns.org/privkey.pem;

    ### Add Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ### Disable SSL by enforcing TLS ###
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ### Add some ciphers and reject weaker ones ###
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Front-End-Https on;

    ssl_trusted_certificate /config/etc/letsencrypt/live/xyz.duckdns.org/chain.pem;

    ### Other Settings ###
    client_max_body_size 0m;

    location /owncloud/ {
        ### Proxy Pass Info ###
        proxy_pass http://192.168.1.130:8000/;

        ### Set headers ###
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Set timeouts ###
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        proxy_connect_timeout 600s;
    }
}

 

Do I need to do something with OwnCloud? I have a VPN set up, so OwnCloud was the only one I was planning to use with the reverse proxy. I might add Plexrequests, but that's low priority. All my other dockers are only for me to access, so VPN works better.

 

Okay, I got this working with OwnCloud, more or less. One thing that bothers me, though, is that now when I access it from my internal network (192.168.1.130:8000) the CSS doesn't load and it's impossible to log in. IDK if that's working as intended or not. But anyway, at my DDNS address, everything is peachy.

You probably need to use a URL prefix.

For reference, below are my config files for reverse proxy with this container (all personal info X'ed out)

 

/config/nginx/site-confs/default

server {
    listen 443 ssl default_server;

    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        root /config/www;
        index index.html index.htm index.php;
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
    }

    location /sabnzbd {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sabnzbd;
    }

    location /cp {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/cp;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sonarr;
    }

    location /plexwatch {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/plexWatch;
    }

    location /htpc {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/htpc;
    }
}

 

 

/config/nginx/nginx.conf

user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
}

 

 

/config/nginx/proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

All my containers are using URL prefixes. At the root, I am using a basic html5 webpage (protected with htpasswd) which just links to all the proxies.

 

Note that I removed the lines for php, because it interfered with plexWatch. I guess it was routing the php scripts meant to be run in the plexWatch container to nginx's internal php. Since I didn't need any php support for my main webpage (all html5) I removed php altogether.

 

Hope this helps

I am finding some weird behaviors when trying to mimic your configuration.

 

Sab is working fine, but Sonarr is just displaying 'Sonarr Ver' and CouchPotato gives a 404 Not Found because it is trying to load the login page, apparently.

 

Any ideas? I'd like to get this working but it is consuming a ton of time.
