[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



17 minutes ago, Beaker69 said:

-snip-

As I am pretty new to all this, any help would be gratefully appreciated.

See: 

Note: this reply is specific to Nextcloud, but it concerns the entire LE docker container, so it's harmless.

Edited by Tuumke

I have had this docker running fine with Nextcloud for the last few months and update it regularly. I updated it again today and I am getting this error.
 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 15-urllib: executing...
Collecting urllib3==1.24.3
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x151cfa9d3390>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/urllib3/

WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x151cfa9bd0b8>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/urllib3/

WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x151cfa9bd278>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/urllib3/

WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x151cfa9bd2b0>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/urllib3/

WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x151cfa9bd3c8>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/urllib3/

ERROR: Could not find a version that satisfies the requirement urllib3==1.24.3 (from versions: none)

ERROR: No matching distribution found for urllib3==1.24.3

[cont-init.d] 15-urllib: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.


I have tried turning off pi-hole and anything that might be blocking it. I could ping out of the container.

Any help is much appreciated. Thanks in advance!

On 5/17/2019 at 2:02 PM, aptalca said:

If there is no setting for http auth, that usually means it doesn't work with it. Nextcloud has its own auth built in so likely it collides with http auth.

 

Do you mean br0? That's macvlan, not bridge, and it blocks connections between host and the containers on it. But I'm making assumptions because you are not providing enough info to understand the situation.

This works:

[screenshot]

This does not:

[screenshot]

The address is in the right network and the address is also still free.

4 hours ago, daveholst said:

I have had this docker running fine with Nextcloud for the last few months and update it regularly. I updated it again today and I am getting this error.
-snip-

Another user had issues with AdGuard blocking it. Your issue is likely similar, possibly Pi-hole.


Is anyone else seeing this error in their Letsencrypt logs? I'm specifically talking about the LuaJIT and resty errors. My reverse proxy seems to be working fine otherwise.

 

("X"s for anonymization)

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 15-urllib: executing...
[cont-init.d] 15-urllib: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=XXXXX
SUBDOMAINS=XXXXXXXX
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=XXXXXXX
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d XXXXXXXXX
E-mail address entered: XXXXXXX
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom scripts found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 

18 hours ago, zandrsn said:

Is anyone else seeing this error in their Letsencrypt logs? I'm specifically talking about the LuaJIT and resty errors. My reverse proxy seems to be working fine otherwise.
-snip-

I too have this exact same issue in my logs since upgrading to 6.7.0

34 minutes ago, SavellM said:

I too have this exact same issue in my logs since upgrading to 6.7.0

Please search the thread first. It has already been discussed multiple times. This will only cause issues if you use lua. It's an upstream issue so out of our hands.

On 5/14/2019 at 8:40 PM, CHBMB said:

I suspect, although I'm not 100% sure as I'm not a networking guy, that the dual router setup is causing some issues; essentially you have a double NAT.

 

On 5/15/2019 at 3:08 AM, ijuarez said:

Ding ding ding ding double natting.


Can you ask your ISP to set the all in one to bridge mode?

Gentlemen, it took me some time before I actually had the time to work on this. I first removed router 2 and made sure the ip-range was correct. The network now works with only one (the first) router. Then I tried again, but had no luck. So after that I tried a clean install of the server and then it worked!

 

Thanks!

Edited by ErikH
15 minutes ago, ErikH said:

 

Gentlemen, it took me some time before I actually had the time to work on this. I first removed router 2 and made sure the ip-range was correct. The network now works with only one (the first) router. Then I tried again, but had no luck. So after that I tried a clean install of the server and then it worked!

 

Thanks!

Good to hear that you got it working.


Not sure where to start so hoping someone will be kind enough to lend me some advice...

 

Went to access my NextCloud server at the usual https and received following error: SEC_ERROR_EXPIRED_CERTIFICATE

 

I was always under the understanding that restarting the letsencrypt container renewed certificates, but evidently it does not. Further investigation led me to see that other pages set up with letsencrypt aren't being renewed either. I looked through the letsencrypt log and didn't see anything that appears out of the normal. I also tried running the command "certbot renew" and received the following:

 

root@241b9e6c8ef7:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/MYNextCLOUDDOMAIN.redacted.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 446, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/MYNextCLOUDDOMAIN.redacted.net.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No renewals were attempted.

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/MYNextCLOUDDOMAIN.redacted.net.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

 

That leads me to believe something is wrong with the NextCloud CONF, but I haven't changed or done anything to it at all. If I need to post it I can, BUT is it possible a recent letsencrypt update broke something?

 

Any and all help would be greatly appreciated. Need my NextCloud DOH 😞

 

Thanks!

 

Edit: should add; haven't changed anything with setup other than recently updating letsencrypt container and Unraid to 6.7.0. Don't know exactly when this stopped but nothing has changed about setup recently 😞

 

Edit 2: Google led me to "certbot update_symlinks" and that reported:

 

root@241b9e6c8ef7:/# certbot update_symlinks
Saving debug log to /var/log/letsencrypt/letsencrypt.log
renewal config file {} is missing a required file reference

Edited by blaine07
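A check for the failure blaine07 hits above, added here as an example that is neither from this thread nor from certbot itself: certbot rejects a renewal config when any of the four top-level file references (cert, privkey, chain, fullchain) is absent, which is exactly the "missing a required file reference" error in the traceback. The script parses a renewal conf in the layout certbot writes under /etc/letsencrypt/renewal/ and reports which reference is missing; the sample configs and paths in it are constructed placeholders.

```python
"""Validate certbot renewal configs for the four required file references.

Added example, not code from this thread or from certbot. Assumes the layout
certbot writes under /etc/letsencrypt/renewal/: file references as top-level
``key = value`` lines, then a ``[renewalparams]`` section. Samples are constructed.
"""
import configparser
import os
from typing import Dict, List

# certbot requires all four top-level keys; a missing one gives the
# "missing a required file reference" error seen in the post.
REQUIRED_REFS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text: str) -> Dict[str, str]:
    """Top-level key/value pairs; a synthetic section header is prepended
    because configparser needs one. Unparseable input yields {} (parsefail)."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string("[toplevel]\n" + text)
    except configparser.Error:
        return {}
    return dict(parser["toplevel"])


def check_renewal_conf(text: str, check_files: bool = False) -> List[str]:
    """Problems found; an empty list means certbot would accept the references.
    check_files=True additionally requires each referenced path to exist."""
    refs = parse_renewal_conf(text)
    if not refs:
        return ["parsefail: no top-level key/value pairs could be read"]
    problems = []
    for key in REQUIRED_REFS:
        if key not in refs:
            problems.append(f"missing required file reference: {key}")
        elif check_files and not os.path.exists(refs[key]):
            problems.append(f"{key} points at a missing file: {refs[key]}")
    return problems


def check_renewal_dir(path: str = "/etc/letsencrypt/renewal") -> Dict[str, List[str]]:
    """Check every *.conf in a renewal directory, the set certbot renew walks."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".conf"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                results[name] = check_renewal_conf(fh.read(), check_files=True)
    return results


# Constructed sample: a healthy renewal config with placeholder paths.
GOOD_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
privkey = /etc/letsencrypt/live/example.test/privkey.pem
chain = /etc/letsencrypt/live/example.test/chain.pem
fullchain = /etc/letsencrypt/live/example.test/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
"""

# Constructed sample: the same file with the chain reference lost, the shape
# of failure the post reports.
BROKEN_CONF = "\n".join(
    line for line in GOOD_CONF.splitlines() if not line.startswith("chain ")
) + "\n"
```

Run check_renewal_dir() inside the container to see, per renewal file, which reference is missing before reaching for update_symlinks or a reissue.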

Has anyone started getting this log?

nginx: [emerg] "location" directive is not allowed here in /config/nginx/proxy-confs/quassel-web.subfolder.conf:4
 

I had to remove the quassel-web.subfolder.conf file located in /mnt/cache/appdata/letsencrypt/nginx/proxy-confs/quassel-web.subfolder.conf

Has anyone started getting this log ?
nginx: [emerg] "location" directive is not allowed here in /config/nginx/proxy-confs/quassel-web.subfolder.conf:4
 
I had to remove the quassel-web.subfolder.conf file located in /mnt/cache/appdata/letsencrypt/nginx/proxy-confs/quassel-web.subfolder.conf
On mobile at the moment. Post the contents of the quassel-web.subfolder.conf file

Sent from my Mi A1 using Tapatalk

1 hour ago, CHBMB said:

On mobile at the moment. Post the contents of the quassel-web.subfolder.conf file

Sent from my Mi A1 using Tapatalk
 

 

Hello CHBMB,

The thing is, I don't even use the Docker container quassel-web. I don't even know what this app is. I am not sure how long this quassel-web-sub* has been in the proxy-confs directory to begin with. It is just all of a sudden that I have quassel-web-subdomain.conf.sample and quassel-web-subfolder.conf. The subfolder one doesn't have the .sample extension.

 

This is the content:

# Set base-url with docker run command env variable -e 'URL_BASE'='/quassel' and make sure Quassel-Web is running on http
# with -e 'HTTPS'='false' or if you're using -e 'ADVANCED'='true' by editing config.json appropriately

location ^~ /quassel {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_quassel_web quassel-web;
    proxy_pass http://$upstream_quassel_web:64080;
}

 

Hello CHBMB,

-snip-

Then just rename it to .sample.

Sent from my Mi A1 using Tapatalk

-snip-

Anyone? Anything?