Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Request/Done] Let's Encrypt Container

Featured Replies

@aptalca, Thank you for your message. You hit the nail on the head. I've got the green lock now. Thanks for your efforts on this docker.

 

 

  • Replies 576
  • Views 112.7k
  • Created
  • Last Reply

Hi, loving the docker. I run a small website on it atm and was doing some speed checks and came across this https://developers.google.com/speed/pagespeed/module/ was wondering if there was anyway you could use that with the docker? Doubt it would be worth your time but might be a nice extra. Or it might be impossible, just thought I'd ask.

Hi, loving the docker. I run a small website on it atm and was doing some speed checks and came across this https://developers.google.com/speed/pagespeed/module/ was wondering if there was anyway you could use that with the docker? Doubt it would be worth your time but might be a nice extra. Or it might be impossible, just thought I'd ask.

 

I looked into it, and it seems you have to build nginx with support for pagespeed. I'm afraid it would be too much work to maintain it, as I would have to rebuild it every time nginx is updated. Currently, nginx is updated with a simple push to the docker hub (literally a single click)

Ah, thought it might be something like that, np, thanks for the reply.

Hi,

 

First off thanks to aptalca for the container, I installed yesterday and it's working a treat. I replaced the apache reverse proxy I was using, having it auto handle SSL is great.

 

I have it doing reverse proxy for a few things, I had a bit of a mission getting it to talk to binhex's rutorrnetvpn docker, so thought I would add my config here to save anyone else the time doing it later.

 

I used aptalca's config examples as my starting point, and I also had to disable php for rutorrent (like aptalca mentioned for plexwatch).

 

I didn't want to modify the rutorrent config, so I have this docker doing a url rewrite.

I am also using a different username in rutorrent, so I added a auth setting to authenticate between this docker and rutorrent, so I only need to authenticate with this docker using it's username and password.

 

This is the entry in the site-confs/default

        location /rutorrent {
                auth_basic "Restricted";
                auth_basic_user_file /config/nginx/.htpasswd;
                proxy_set_header Authorization "Basic ####INSERT BASE64 HASH####";
                rewrite ^/rutorrent(/.*)$ $1 break;
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.0.250:9080/;
        }

 

Oh, to generate your BASE64 Hash you can use an online encoders such as (https://www.base64encode.org/)

 

So take username:passoword (using your username and password as defined in rutorrent) and encore and you will get something like "dXNlcm5hbWU6cGFzc3dvcmQ=" and that line will look like;

proxy_set_header Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";

 

Personally I would ensure the password is unique, if someone gets your hash they can decode it.

 

Hope that helps someone.

 

Wob

Every time I start up the docker container the nginx server seems to fail.

I only have a free dns from no-ip.

 

Using existing nginx.conf
Using existing nginx-fpm.conf
Using existing site config
Using existing landing page
Using existing jail.local
Using existing fail2ban filters
No subdomains defined
Using existing DH parameters
<------------------------------------------------->

<------------------------------------------------->
cronjob running at Thu Jul 14 08:01:32 CEST 2016
Updating certbot script. It will display help info, which you can ignore

certbot-auto [sUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
register Perform tasks related to registering with the CA
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

--authenticator standalone --installer apache

More detailed help:

-h, --help [topic] print this message, or detailed help on a topic;
the available topics are:

all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, register, nginx, apache, standalone, webroot,
etc.)

URL is ***.ddns.net
Subdomains are
deciding whether to renew the cert(s)
Preparing to generate server certificate for the first time
Temporarily stopping Nginx
* Stopping nginx nginx
...done.
Generating/Renewing certificate
Restarting web server
* Starting nginx nginx
...fail!
* Starting nginx nginx
...fail!
* Starting authentication failure monitor fail2ban
...fail!
Jul 14 08:01:41 b7459a9ee1c4 syslog-ng[171]: syslog-ng starting up; version='3.5.3'

 

Any solutions?

After further investigation it seems like the nginx server cannot access /config/keys.

Letsencrypt seems to be the problem here...

After further investigation it seems like the nginx server cannot access /config/keys.

Letsencrypt seems to be the problem here...

Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah

 

If that wasn't the issue, post a screenshot of your container settings

Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah

 

If that wasn't the issue, post a screenshot of your container settings

Doesnt storing something under /mnt/disk and not under /mnt/user break the parity? greetings

 

 

Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah

 

If that wasn't the issue, post a screenshot of your container settings

Doesnt storing something under /mnt/disk and not under /mnt/user break the parity? greetings

 

Writing to /mnt/disk does not break parity. It just specifies which disk unraid writes the information to.

 

Doing a move operation between a user share and a disk share can create issues where data can disappear (but still not break parity)

 

Unraid won't let you break parity under normal circumstances. I believe that only if there's a write error to a disk, parity may get broken (or if you mount a disk in a different os or machine and write to it outside of unraid)

So I've managed to get the container working initially, as in it generates a cert and I can reach the default nginx index page via https://my.url.com however when I go to add a location entry for Seafile, nginx fails to start upon restarting the container.. am I doing something wrong?

 

The problem is that I can't seem to replicate somebody's config entirely because I have the Nginx container running on Unraid @ 192.168.1.200 and Seafile is running in a VM @ 192.168.1.201:8000

 

Below is my current /config/nginx/sites-conf/default file

server {
listen 80;

listen 443 ssl default_server;

root /config/www;
index index.html index.htm index.php;

server_name _;

ssl_certificate /config/keys/fullchain.pem;
ssl_certificate_key /config/keys/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'xxxxxx';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

location / {
	try_files $uri $uri/ /index.html /index.php?$args =404;
}

location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
}

location /seafile {
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.201:8000;
}
}

 

Any ideas what the problem could be? It's probably something stupidly simple however I've been struggling to just get Seafile working all day and I think my brain is fried at this point.Thanks!

  • 2 weeks later...

Hi Everyone,

 

So I've read every single post in this thread (yay me!). The reverse proxy stuff and configurations all make sense to me. I have two other use cases that I'm wondering about.

 

1. Can I use the certs created by LE for my VPN Server on my router (OpenVPN)?

2. Can I use the certs created by LE for use in Emby Server? This wouldn't be a reverse proxy, it asks for a certificate in the settings, I'm hoping i can just point the setting to the cert folder, or something along those lines.

 

Thanks!

 

 

Hi Everyone,

 

So I've read every single post in this thread (yay me!). The reverse proxy stuff and configurations all make sense to me. I have two other use cases that I'm wondering about.

 

1. Can I use the certs created by LE for my VPN Server on my router (OpenVPN)?

2. Can I use the certs created by LE for use in Emby Server? This wouldn't be a reverse proxy, it asks for a certificate in the settings, I'm hoping i can just point the setting to the cert folder, or something along those lines.

 

Thanks!

 

For emby server it should be relatively easy. Since you just enter the path of the certs, you can map the location of the le certs in the emby container and point to them (I'm assuming it uses the certs in place rather than importing them). When the certs are renewed, the path should still be valid and should keep pointing to the active certs.

 

For openvpn, I believe you have to upload them. So you would have to upload the new certs every 60 days following renewal.

 

In le, you can find the certs in the following location:

 

Configfolder/etc/letsencrypt/live/your.domain/fullchain.pem

Awesome, thanks!

Got it installed and working. But can't use the path for Emby. Only the root user can get passed the live directory, when i try to browse to that location from within Emby, it doesn't let me get passed. Do I have to make Emby privileged? Would that be dangerous to do?

 

Emby is also looking for a .pfx file, instead of a .pem file.

emby.png.45affcd5db6130c3f18660e3d979de75.png

Got it installed and working. But can't use the path for Emby. Only the root user can get passed the live directory, when i try to browse to that location from within Emby, it doesn't let me get passed. Do I have to make Emby privileged? Would that be dangerous to do?

 

Emby is also looking for a .pfx file, instead of a .pem file.

 

Not sure about the permissions to be honest. What happens if you directly map the folder the keys are in? So in container settings, you would map /keys to /mnt/cache/appdata/Nginx-letsencrypt/etc/letsencrypt/live/your.domain/ (fix the path for your case), so within emby you would just browse to /keys and the certs would be there.

 

In terms of pfx vs pem, I found this through google: http://emby.media/community/index.php?/topic/34004-server-access/

oh, nice link. that worked. I guess i'll just have to manually do this every 3 months. not the end of the world. I'll have to do it for my VPN anyway, so no big loss.

 

Thanks! this is awesome!

First off, thanks for the docker! Working great. One semi issue though - where are the fail2ban config files? I see the jail.local but the other configs? I have it working with a htpasswd but it doesn't log anything. I've tried changing the log level with ssh + docker exec but it's not generating a file. There's the access log from nginx but I'd like to be able to see fail2bans stuff directly, like banned ips. I checked iptables -L to see if I could check banned ips, but not seeing there either.  Although it is definitely working, I've tested the functionality

 

First off, thanks for the docker! Working great. One semi issue though - where are the fail2ban config files? I see the jail.local but the other configs? I have it working with a htpasswd but it doesn't log anything. I've tried changing the log level with ssh + docker exec but it's not generating a file. There's the access log from nginx but I'd like to be able to see fail2bans stuff directly, like banned ips. I checked iptables -L to see if I could check banned ips, but not seeing there either.  Although it is definitely working, I've tested the functionality

 

I did not separate out and save the fail2ban logs to the config folder. Mainly because there is a better way to check its status. Fail2ban-client is the way to go.

 

In the unraid console, running the following will show you the active jails:

docker exec -it Nginx-letsencrypt fail2ban-client status

 

And the following will show you the details of a specific jail activity, including the IPs that are currently banned:

docker exec -it Nginx-letsencrypt fail2ban-client status nginx-http-auth

 

The main config file for fail2ban is inside the container at /etc/fail2ban and its logs are at /var/logs

Hmm, something is odd on my end then. My etc folder only has a letsencrypt folder inside it, nothing for fail2ban. Also not in the root /etc directory with the cron data in case you meant that one.

 

 

Edit: I did get the status command working though, thanks!

Hmm, something is odd on my end then. My etc folder only has a letsencrypt folder inside it, nothing for fail2ban. Also not in the root /etc directory with the cron data in case you meant that one.

 

 

Edit: I did get the status command working though, thanks!

I meant under root /etc not the one under the config folder.

 

If you do

docker exec -it Nginx-letsencrypt bash

to exec into the container, go into /etc/fail2ban and you'll see the rest of the files

 

Ah ok thanks for all your help! I really appreciate it

This is great! It let me get rid of my nginx/LE VM I was using, and it saved me trying to learn to do it with haproxy on my pfSense router ;). Here's my config, which is shamelessly stolen and modified from posts here in addition to what I was already running, and which might be of some help to people trying to piece one together.

 

default

server {
listen 80;
listen 443 ssl http2;
server_name mysecretdomain.com www.mysecretdomain.com;
include /config/nginx/proxy.conf;
include /config/nginx/auth.conf;
ssl_certificate /config/keys/fullchain.pem;
ssl_certificate_key /config/keys/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
location / {
	proxy_pass http://192.168.100.50/;
	proxy_buffering off;
	}
location /nzbget {
	proxy_pass http://192.168.100.50:6789;
	}
location /couchpotato {
	proxy_pass http://192.168.100.50:5050/couchpotato;
	}
location /sonarr {
	proxy_pass http://192.168.100.50:8989/sonarr;
	}
location /plexpy {
	proxy_pass http://192.168.100.50:8181/plexpy;	
	}
}

 

auth.conf

satisfy any;
allow 192.168.100.0/24;
deny all;
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

 

proxy.conf

client_max_body_size 0;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

I've read through all the pages of this post.

 

I can't get the cert to generate. I'm trying to use duckdns.org for DDNS

 

The log shows it failed connecting to 443 on the duckdns.org domain. I of course don't own that :)

 

URL is duckdns.org
Subdomains are xxx
deciding whether to renew the cert(s)
Preparing to generate server certificate for the first time
Temporarily stopping Nginx
* Stopping nginx nginx
...done.
Generating/Renewing certificate
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: duckdns.org
Type: connection
Detail: Failed to connect to 54.187.92.222:443 for TLS-SNI-01
challenge

 

I have the router forwarding 443 to 443 of the host to 443 of the container.

 

thanks,jb

I am using this with duckdns.org and it works.

From memory you need to put your subdomain into the domain field and leave subdomain blank.

(exactly because you don't own duckdns.org)

 

xxxxx.duckdns.org

 

I am at work at the moment but I can check my config when I get home tonight.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.