[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


After starting my letsencrypt I get the report that I included. Does the line in yellow about the kill signal affect anything? I am also working on trying to connect to my Nextcloud. I was able to connect to my nextcloud and then made the changes to be able to access it from the web, and now I can't get into it. It keeps telling me error 522: connection timed out. I am guessing it has something to do with the reverse proxy or maybe port forwarding, but I have no idea where to begin to troubleshoot. I tried to check and make sure that I had both ports 80 and 443 open. On one page it says that they are both open and on the next it shows that only port 80 is open. Getting frustrated with taking one step forward and then what seems like 3 steps back. Also, if I can provide any additional information to try and help, please let me know.

[attached image: lelog.jpg]

6 hours ago, cdkauffmann said:

After starting my letsencrypt I get the report that I included. Does the line in yellow about the kill signal affect anything? [...]

It means it's stopping the services to restart the container. Nothing wrong. 

 

I don't understand what you mean about nextcloud and its ports. If you follow the directions in the readme, you shouldn't need to worry about ports. 

 

Post exactly what you did to get it to work, post copies of any file you modified. Otherwise we're shooting in the dark. 


Hey it's me again, heh.

 

I thought I might try to post here, in case someone has already figured this out.  I'm trying to proxy the OnlyOfficeDocumentServer docker container so that I can connect it to NextCloud and edit documents.  The issue I'm having is that I am trying to follow the other examples inside the LetsEncrypt container, but there isn't a .sample for the Doc Server (or community server for that matter).  This current configuration gives me a 502 error when attempting to access it via the proxy:

 

# only office doc server

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name docs.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_docs onlyofficedocumentserver;
        proxy_pass https://$upstream_docs;
    }
}

I get the feeling it'll probably be more complicated than this, but thought I'd check here before embarking on a lot of trial and error.  Has anyone done this already?

Edited by Coolsaber57
On 12/3/2018 at 9:04 AM, mweis said:

Yep, I already figured this out, but also the onlyoffice docker can only be run in host mode, so I actually have no solution for this.

Hey, do you have a source for that? The instructions I see on the docker page show that they create a bridge network if integrating with their Community Server and Mail Server, which, if you are using the LetsEncrypt docker, is already done.

7 hours ago, Coolsaber57 said:

I'm trying to proxy the OnlyOfficeDocumentServer docker container so that I can connect it to NextCloud and edit documents. [...] This current configuration gives me a 502 error when attempting to access it via the proxy: [...]

Make sure the other container is named onlyofficedocumentserver, all lowercase, and if it's listening on port 80, use http, not https, in the proxy_pass directive.
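The two mistakes called out in that answer (a container name that is not all lowercase, and an https proxy_pass aimed at a port where the container speaks plain http) can be caught before reloading nginx. The following is an added example, not code from this thread or from the linuxserver.io image: a POSIX shell lint for a proxy conf written in the thread's `set $upstream_x name;` / `proxy_pass scheme://$upstream_x[:port];` style. It assumes only that the conf uses those two directives; the container names and the sample conf in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of the linuxserver.io image.
# Lints a SWAG/letsencrypt proxy conf written in the thread's style:
#     set $upstream_docs onlyofficedocumentserver;
#     proxy_pass https://$upstream_docs:443;
# and reports the two mistakes discussed above:
#   1. an upstream container name that is not all lowercase
#   2. a proxy_pass scheme that contradicts the port (https->80, http->443)
# Exit status 0 = no findings, 1 = at least one WARN line printed.

lint_proxy_conf() {
    conf=$1
    status=0

    # 1. Upstream names: "set $upstream_<id> <name>;"
    while read -r var name; do
        [ -n "$var" ] || continue
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if [ "$name" != "$lower" ]; then
            echo "WARN: $var = '$name' is not all lowercase; rename the container to '$lower' and use that name here"
            status=1
        else
            echo "OK:   $var = '$name'"
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*\([$]upstream_[A-Za-z0-9_]*\)[[:space:]][[:space:]]*\([^;]*\);.*$/\1 \2/p' "$conf")
EOF

    # 2. Scheme vs port: "proxy_pass <scheme>://<host>[:<port>];"
    while read -r scheme host port; do
        [ -n "$scheme" ] || continue
        if [ -z "$port" ]; then
            # nginx defaults: 80 for http://, 443 for https://
            if [ "$scheme" = https ]; then port=443; else port=80; fi
        fi
        case "$scheme:$port" in
            https:80)
                echo "WARN: proxy_pass speaks https to port 80 of $host; if the container listens on 80, use http://"
                status=1 ;;
            http:443)
                echo "WARN: proxy_pass speaks http to port 443 of $host; if the container listens on 443, use https://"
                status=1 ;;
            *)
                echo "OK:   proxy_pass $scheme://$host:$port" ;;
        esac
    done <<EOF
$(sed -n 's/^[[:space:]]*proxy_pass[[:space:]][[:space:]]*\(https\{0,1\}\):\/\/\([^:;]*\):\{0,1\}\([0-9]*\);.*$/\1 \2 \3/p' "$conf")
EOF

    return "$status"
}

# Stand-alone demo on a constructed conf (the thread's first attempt, with a
# mixed-case container name) when no path is given on the command line.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
server {
    listen 443 ssl;
    server_name docs.*;
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_docs OnlyOfficeDocumentServer;
        proxy_pass https://$upstream_docs;
    }
}
EOF
    lint_proxy_conf "$demo"
    rm -f "$demo"
else
    lint_proxy_conf "$1"
fi
```

Run it as `sh lint.sh /config/nginx/proxy-confs/docs.subdomain.conf` from inside the container (or against the file on the appdata share). The lint cannot know which port the upstream actually listens on; it only flags the combinations that contradict each other, so compare its OK lines with the container's published port before trusting them.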

51 minutes ago, aptalca said:

Make sure the other container is named onlyofficedocumentserver with all lowercase and if it's listening on port 80, use http, not https in the proxy pass directive

Hey man, I saw your tip about the lowercase, and I thought I understood what you meant, but then it clicked: the actual name of the docker container has to be changed to lowercase, not just what's in the .conf file.  🤦‍♂️

 

Anyway, I finally got it to work with the below config, then just updated the settings in the OnlyOffice plugin in NextCloud with the https address:

 

server {
    listen 443 ssl;

    server_name docs.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_docs onlyofficedocumentserver;
        proxy_pass https://$upstream_docs:443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Thanks for the help once again.

 

5 hours ago, Coolsaber57 said:

Hey man, I saw your tip about the lowercase, and I thought I understood what you meant, but then it clicked: the actual name of the docker container has to be changed to lowercase, not just what's in the .conf file. [...]

 

Glad it worked


 

 

Having an issue updating an expired cert... not sure why...

 

Running certbot renew shows:

 

 

root@aa9ae2ae9c79:/$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.-redacted-.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (cloud.-redacted-.org) from /etc/letsencrypt/renewal/cloud.-redacted-.org.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x150dae5a02d0>: Failed to establish a new connection: [Errno -3] Try again',)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.-redacted-.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.-redacted-.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
root@aa9ae2ae9c79:/$

 

 

and the docker log upon booting shows:

 

-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=-redacted-.org
SUBDOMAINS=cloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=-redacted-
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cloud.-redacted-.org
E-mail address entered: -redacted-
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"

 

 

note: -redacted- is mine, not in the actual logs/process responses.

 

This was a working config, nothing changed, just the cert expired. It expired and auto-renewed once previously, but this time it's not working. Any help would be much appreciated!!

 

--edit--

I think this was ultimately a few things. I tried creating a new install and it would work, verified firewall settings, nothing. Eventually docker crapped out and locked up the server. So I removed my NAT settings (not my firewall), nuked the docker image, started with fresh settings, a fresh docker image, and a fresh letsencrypt install, and it's back to working. I tried using the previous app data on a reinstall but it still wouldn't work after all that.

 

So, this post isn't going to help anyone unless they just want to start over...

Edited by 1812
11 hours ago, 1812 said:

Having an issue updating an expired cert... not sure why... [...]

I have a feeling you poked around a bit too much inside the image. You're really not supposed to be going in and running "certbot renew" manually. We certainly don't support that. 

 

Next time, just check the logs in the log folder. Certbot already attempts to renew every night "properly". If that fails, logs will tell you why. 

 

For starters, you need to stop nginx before you can renew the certs via http, which the image does during the auto renews.


My Letsencrypt docker container stopped working. It was working fine till last week and suddenly I couldn't browse to my Home Assistant duckdns (subdomain1.mydomainname.duckdns.org) and NextCloud duckdns (subdomain2.mydomainname.duckdns.org) sites. Based on the log file, it was not an issue related to cert renewal.

 

There were no errors in the letsencrypt.log file and I don't know where to start looking to fix this issue.

 

I appreciate your help.

 

-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=mydomainname.duckdns.org
SUBDOMAINS=subdomain1,subdomain2
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=[email protected]
STAGING=

 

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d subdomain1.mydomainname.duckdns.org -d subdomain2.mydomainname.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

 

I get the following page when I browse to those sites.


 

This site can’t be reached

subdomain2.mydomainname.duckdns.org took too long to respond.

Try:

Checking the connection

Checking the proxy and the firewall

ERR_CONNECTION_TIMED_OUT

 

7 hours ago, aptalca said:

I have a feeling you poked around a bit too much inside the image. You're really not supposed to be going in and running "certbot renew" manually. We certainly don't support that. [...]

 

That was my understanding, that it was supposed to auto renew, and I figured I'd just give it a little "nudge" to make it happen... and probably broke it.

 

But in my defense, the log does state:

 

Your cert will expire on 2019-04-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

 

2 hours ago, 1812 said:

[...] But in my defense, the log does state:

Your cert will expire on 2019-04-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

 

That is a certbot message, directed to our image, not you. So it is telling our image, not you, to run it "again". 

 

If you didn't manually use certbot to get the cert, don't manually use it to renew. Also, a rule of thumb: don't exec into the container to run things unless you're specifically told to by the lsio team.

Edited by aptalca
10 hours ago, stlrox said:

My Letsencrypt docker container stopped working. It was working fine till last week and suddenly I couldn't browse to my Home Assistant duckdns (subdomain1.mydomainname.duckdns.org) and NextCloud duckdns (subdomain2.mydomainname.duckdns.org) sites. [...]

 

Did your IP change?

 

Also, not sure why you have only subdomains set to true. It prevents you from using yoursubdomain.duckdns.org with the cert, but with no advantage.

Edited by aptalca

This has been bothering me for a while but I never got to it.  My Grafana docker is reverse proxied with .htaccess but it seems to time out frequently and I need to re-login.  Even trying to re-login seems to not really work and I need to refresh the page; then it works fine for a bit until I get the login prompt again.

 

Has anyone else run into this issue or have a suggestion on what to try?

 

My dockers are all accessible with a subdomain and all work fine except for this random, I'm assuming, timeout issue.

 

This is my configuration which seems pretty standard.

 

# Grafana
#
server {
        listen 443 ssl;

        root /config/www;
        index index.html index.htm index.php;

        server_name grafana.*;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-G$
        ssl_prefer_server_ciphers on;

        client_max_body_size 0;

        location / {
                auth_basic "Restricted";
                auth_basic_user_file /config/nginx/.htpasswd;
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.254.3:3000;
        }
}

 

55 minutes ago, aptalca said:

That is a certbot message, directed to our image, not you. So it is telling our image, not you, to run it "again". 

 

If you didn't manually use certbot to get the cert, don't manually use it to renew. Also a rule of thumb, don't exec into the container to run things unless you're specifically told to by the lsio team

 

I'm not here to get into a pissing contest with you over this, but nowhere does it say "attn users: don't do what this message says to do if this container doesn't do what IT is supposed to be doing automatically." So it's natural that when something goes awry, and a user checks the logs to see what the problem is, and sees that message, they are going to attempt it.

 

I enjoy everything the LSIO team does, and am the beneficiary of many containers. And I even admit that I probably borked it somehow after it initially would not auto renew as it should have (and I gave zero grief to anyone about that.) So instead of wagging your finger at me, how about saying "oh yeah, I see how that could be confusing, maybe we could put a line in about not to do that, or mess with anything in the container, at the top of the log after our nifty logo. I bet that would stop a lot of problems with users screwing up our containers needlessly." ¯\_(ツ)_/¯

 

Either way, thanks for the feedback/information and keep up the good work!

1 hour ago, aptalca said:

Did your IP change?
 

I verified my IP address and that was not changed. Looks like this issue started with last week's change to the LetsEncrypt docker.

 

As of now, there is a new update for this container. How do we know what changes were made in the new update?
 

"Jan 5 04:40:03 Tower root: Fix Common Problems: Warning: Docker Application letsencrypt has an update available for it"

 

1 hour ago, aptalca said:

Also not sure why you have only subdomains set to true. It prevents you from using yoursubdomain.duckdns.org with the cert but with no advantage

 

 

No idea. I used the SpaceInvaderOne video for reference and kept the same settings. Please let me know if I need to change any setting related to this.

 

Thank you


Greetings everyone.  Thanks to the LSIO guys for putting all these wonderful dockers together for the community.  However, I am significantly struggling getting LE up and running.  I have followed SpaceInvader One's tutorial and am not able to get certs.  I am using dreamhost for my hostname with DNS only on the TLD.  I am using dyndns for my dynamic dns.  I have set up a CNAME to redirect from tv.dreamhosttld.com to my.dyndns.com (samples, not actual). On my internal network tv.dreamhosttld.com redirects to the router management page. I have ports 80 and 443 forwarded and 80 is confirmed open.  I can never get 443 to show as open when checking.  When I run the LE container I get the error "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container".

 

I am using google wifi as a router.

Suddenlink as ISP

 

I've tried using the duckdns tutorial also and get the same errors.

 

http://mytld.duckdns.org/.well-known/acme-challenge/37J7aAsBb7O6J1AX84E8S_nwTmhCxQ9a4GgtnTY4mcE returns as not found

 

All my other port forwards and dns work to other containers. 

 

 

What info can I provide you all to help me get running?

Edited by discojon

Hi guys!

 

Sorry to bother you but I must be missing something pretty obvious.

 

Just installed this docker and I'm trying to access the basic index.html that's on the www folder but when I try to go to MY_LOCAL_IP:8080 (the port is the one I configured when installing the docker) I always get a connection error.

 

Any idea what I might be doing wrong?

 

Thanks in advance!

5 hours ago, 1812 said:

I'm not here to get into a pissing contest with you over this, but nowhere does it say "attn users: don't do what this message says to do if this container doesn't do what IT is supposed to be doing automatically." [...]

Wagging the finger was not the intention, apologies if it came across that way.

 

Ironically, most of our support requests are from users who don't read the docs or the logs but in your case, you just read too much 😉

 

I have a love-hate relationship with certbot because although they act like they make everything easy for the users, I feel that their efforts are misguided. Like that message for instance: they do go out of their way to spam their "just do certbot renew" every chance they get, but in reality nobody wants to have to run a manual command every two months on each production server. Certbot should instead focus on their automation and non-interactive operations so we don't have to try so hard to hack it. Anyway, that's my rant for the day. Perhaps that's why I was more touchy than usual. It's a fragile system due to the hacks.

5 hours ago, stlrox said:

I verified my IP address and that was not changed. Looks like this issue started with last week's change to the LetsEncrypt docker. [...] No idea. I used the SpaceInvaderOne video for reference and kept the same settings. [...]

There hasn't really been a significant change to the image. Our images do get refreshed for package and os updates weekly, that's why you see the update notification. The changelog on github or docker hub tells you the changes to the image other than package updates. 

 

In your case, make sure that the ip on duckdns matches your home ip. And also make sure that nothing changed with regards to the port mapping on unraid and port forwarding on your router. 

 

You can remove the only subdomains or set it to true but keep in mind that when you do so, it will try to validate the cert again and if there is a port related issue, it will fail. So you should perhaps wait until you figure out the connection issue before changing it. 

 

Another issue can be that your client IP may be blocked by fail2ban if you had issues with authentication (not sure if you use htpasswd).

 

Try connecting from a different ip, on a mobile phone through the cell connection, etc. 
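The last of those checks, whether your own client IP is currently banned by the container's fail2ban, can be answered from fail2ban's log instead of by trying another connection. The following is an added example, not code from this thread or from the linuxserver.io image. It assumes the log lives at /config/log/fail2ban/fail2ban.log (the location is an assumption; adjust it to your appdata layout) and that it has fail2ban's standard action format, which is what the constructed sample lines below use. The IPs in the sample are documentation addresses, not real ones.

```shell
#!/bin/sh
# Added example, not part of the thread or of the linuxserver.io image.
# Reports whether an IP is currently banned by fail2ban, per jail, by replaying
# the Ban/Unban actions in fail2ban's own log. Assumed log path in this image:
# /config/log/fail2ban/fail2ban.log. Standard action line format:
#   2019-01-05 04:40:03,123 fail2ban.actions        [321]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
# Usage: ban_state <ip> <fail2ban.log>
#   prints "<jail> banned" or "<jail> unbanned" for every jail that ever acted
#   on the IP; exit 0 if the IP is banned in at least one jail, 1 otherwise.

ban_state() {
    ip=$1
    log=$2
    # Exact string compare on the address field (no regex), so 203.0.113.7
    # does not also match 203.0.113.70.
    awk -v ip="$ip" '
        # fields: $1 date, $2 time, $3 logger, $4 [pid]:, $5 level, $6 [jail], $7 action, $8 ip
        $3 == "fail2ban.actions" {
            action = $7; addr = $8
            # after a restart fail2ban logs "Restore Ban <ip>": shift one field
            if (action == "Restore") { action = $8; addr = $9 }
            if ((action == "Ban" || action == "Unban") && addr == ip) {
                jail = substr($6, 2, length($6) - 2)          # strip the [ ]
                state[jail] = (action == "Ban") ? "banned" : "unbanned"   # last action wins
            }
        }
        END {
            rc = 1
            for (j in state) { print j, state[j]; if (state[j] == "banned") rc = 0 }
            exit rc
        }
    ' "$log"
}

# Stand-alone demo on a constructed log when run without arguments.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
2019-01-04 22:10:01,001 fail2ban.actions        [321]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2019-01-04 22:20:01,002 fail2ban.actions        [321]: NOTICE  [nginx-http-auth] Unban 203.0.113.7
2019-01-05 04:40:03,123 fail2ban.actions        [321]: NOTICE  [nginx-http-auth] Ban 198.51.100.9
2019-01-05 04:41:00,000 fail2ban.actions        [321]: NOTICE  [nginx-badbots] Restore Ban 203.0.113.70
EOF
    for client in 203.0.113.7 198.51.100.9 203.0.113.70; do
        echo "== $client"
        ban_state "$client" "$sample" || echo "(not banned in any jail)"
    done
    rm -f "$sample"
else
    ban_state "$1" "$2"
fi
```

Run it as `sh ban_state.sh <your public IP> /config/log/fail2ban/fail2ban.log`. The same answer is available live from inside the container with `docker exec letsencrypt fail2ban-client status <jail>` (the "Banned IP list" line); the jail that covers htpasswd failures in this image is, to my knowledge, nginx-http-auth. Reading the log has the advantage of also showing bans that have since expired, which explains an outage that has already cleared.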

1 hour ago, discojon said:

However, I am significantly struggling getting LE up and running. [...] When I run the LE container I get the error "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container". [...]

What is the validation error above that? Are you sure unraid is not using port 80?

7 hours ago, RAINMAN said:

My Grafana docker is reverse proxied with .htaccess but it seems to time out frequently and I need to re-login. [...] This is my configuration which seems pretty standard. [...]

 

Do you have any authentication options set up in grafana by any chance? Dual auth could cause problems. 

 

I haven't used grafana but your proxy conf seems fine. 

 

Also what is "frequently"? Do you always leave a browser window open with grafana? Just curious

4 hours ago, aptalca said:

What is the validation error above that? Are you sure unraid is not using port 80?

Failed authorization procedure. mydns.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydns.duckdns.org/.well-known/acme-challenge/-LCQVHED8Knia-OQ2-ubfY9vnzqRXqQMGHnumFymRgc: Timeout during connect (likely firewall problem)

How do I see what ports unraid is using?

 

Edited by discojon
2 hours ago, discojon said:

Failed authorization procedure. mydns.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydns.duckdns.org/.well-known/acme-challenge/-LCQVHED8Knia-OQ2-ubfY9vnzqRXqQMGHnumFymRgc: Timeout during connect (likely firewall problem)

How do I see what ports unraid is using?

 

How do you access the unraid gui? 
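The two renewal failures in this thread look alike in the container log but have different causes: 1812's certbot could not even reach acme-v02.api.letsencrypt.org ("[Errno -3]" is getaddrinfo's EAI_AGAIN, a name-resolution failure inside the container, which fits the broken docker networking found later), while discojon's was reached by Let's Encrypt but the http-01 fetch of /.well-known/acme-challenge/... timed out, meaning port 80 was not reachable from the internet. The following is an added example, not code from this thread or from the linuxserver.io image: a shell classifier that tells those cases apart from the log text and prints the next check from the answers given above. It assumes the certbot output is in /config/log/letsencrypt/letsencrypt.log (path as used in this image; treat it as an assumption); the sample log lines in the demo are copied from this thread, with the domain already redacted there.

```shell
#!/bin/sh
# Added example, not part of the thread or of the linuxserver.io image.
# Classifies the failure reason in certbot output (the image writes it to
# /config/log/letsencrypt/letsencrypt.log and to the docker log):
#   dns-inside-container  : connection error to acme-v02.api.letsencrypt.org
#                           with [Errno -3] (EAI_AGAIN) - the container cannot
#                           resolve names; docker networking/NAT is broken
#   port80-unreachable    : http-01 fetch of /.well-known/acme-challenge/...
#                           hit "Timeout during connect" - Let's Encrypt could
#                           not reach port 80 at the domain from the internet
#   other-acme-connection : any other urn:ietf:params:acme:error:connection
#   other-failure         : a renew/authorization failure of another kind
#   no-failure            : nothing failed in this log
# Usage: classify_certbot_log /config/log/letsencrypt/letsencrypt.log

classify_certbot_log() {
    log=$1
    if grep -q 'acme-v02.api.letsencrypt.org.*Errno -3' "$log"; then
        echo dns-inside-container
    elif grep -q 'acme-challenge.*Timeout during connect' "$log"; then
        echo port80-unreachable
    elif grep -q 'urn:ietf:params:acme:error:connection' "$log"; then
        echo other-acme-connection
    elif grep -q -e 'renew failure' -e 'Failed authorization procedure' "$log"; then
        echo other-failure
    else
        echo no-failure
    fi
}

# The next check for each class, taken from the answers in this thread.
next_step() {
    case "$1" in
        dns-inside-container)
            echo "Test name resolution from inside the container (getent hosts acme-v02.api.letsencrypt.org); if that fails, the docker network/NAT is the problem, not the cert" ;;
        port80-unreachable)
            echo "Port 80 must reach this container from the internet: check the router forward, the unraid port mapping, and that nothing else (e.g. the unraid GUI) is using port 80; the image stops nginx itself during http validation" ;;
        other-acme-connection)
            echo "Let's Encrypt connected but validation failed: compare the DuckDNS/DNS record with your current public IP" ;;
        *)
            echo "Read /config/log/letsencrypt/letsencrypt.log; do not run 'certbot renew' by hand, the image renews nightly" ;;
    esac
}

# Stand-alone demo on a constructed log (the line quoted in this thread) when
# run without arguments; otherwise classify the file given as $1.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Attempting to renew cert (cloud.-redacted-.org) from /etc/letsencrypt/renewal/cloud.-redacted-.org.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x150dae5a02d0>: Failed to establish a new connection: [Errno -3] Try again',)). Skipping.
1 renew failure(s), 0 parse failure(s)
EOF
    class=$(classify_certbot_log "$sample")
    echo "$class: $(next_step "$class")"
    rm -f "$sample"
else
    class=$(classify_certbot_log "$1")
    echo "$class: $(next_step "$class")"
fi
```

The grep patterns match the exact wording certbot printed in this thread; if a newer certbot rewords its messages, extend the patterns rather than trusting a "no-failure" result.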

15 hours ago, aptalca said:

Do you have any authentication options set up in grafana by any chance? Dual auth could cause problems. 

 

I haven't used grafana but your proxy conf seems fine. 

 

Also what is "frequently"? Do you always leave a browser window open with grafana? Just curious

It seems about 10 minutes.  Give or take.

 

There is authentication in Grafana but it's not .htaccess based.
