[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



4 minutes ago, DZMM said:

Hi

 

I'm getting this error in my logs but it still seems to be working:

 


nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

 

If you read back through the thread, you'll find everyone else gets this error and you'll also find it's harmless.

Link to comment

So really odd problem. Trying to set up OMBI as a subdomain. Done this many times before so pretty much have it down pat. Copy the sample and configure it. Everything looks great but it won't work. SSL problems it says. So then I change most host records and point the nginx server directly instead of going through my cloudflare/router and it works with port 4431. So think "ok this is weird shit". So I then put the OMBI port behind my warden subdomain. Works perfect. So then I think "ok config is hosed" and copy warden config into ombi config changing relevant things to make it work with ombi. Restart nginx and try to hit the subdomain again... Nope, SSL problems again. Stick it behind warden subdomain, no problems. In fact any work domain, no problems. Only the one that I just set up for OMBI doesn't work. Is there a way to see exactly what NGINX is seeing? I couldn't find a way to turn on debug logging in the config and didn't want to hose my current working one.

Link to comment

Hi,

 

I thought letsencrypt renews certificates as they expire. I'm getting a message saying my certificate expired on the 2nd June.

Is there a way to fix this?

 

Also getting the LUA errors which from what I can see I can ignore?

Quote

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size

 

But the bottom bit regarding the variables_hash ?

 

Thanks

 

Link to comment
3 hours ago, Lien1454 said:

Hi,

 

I thought letsencrypt renews certificates as they expire. I'm getting a message saying my certificate expired on the 2nd June.

Is there a way to fix this?

 

Also getting the LUA errors which from what I can see I can ignore?

 

But the bottom bit regarding the variables_hash ?

 

Thanks

 

Open your domain in a browser and click on the lock to see if it really expired

 

If so, check the log in the config folder under letsencrypt to see why the renewal failed

Link to comment

Solved my problem with regard to accessing nextcloud (and other letsencrypt'd containers) from within the same LAN on a ubiquiti edgerouter setup.  Posting here in case it might be of any use to others, including @kelmino

 

I'm pretty sure that the issue was the "LAN interface" setting under Port Forwarding options in EdgeOS. This setting needs to be "switch0" and nothing else on an edgerouter. Both myself and kelmino had several LAN interfaces set to various ethernet ports here, which seems to make sense at first and doesn't cause any issues with port forwarding when dealing with incoming connections from the outside internet. After reading ubiquiti's edgerouter port forwarding documentation and especially this ubiquiti forum post linked therewithin, I now realize that was incorrect. Having "LAN interface" set incorrectly prevents the hairpin NAT feature from working with the auto firewall rules, preventing local access.

 

For transparency, I'm guilty of changing too many variables at once here and it is entirely possible that the fix was actually starting from a fresh config on edgeos v2.0.3 rather than using an old config migrated from v1.10.5. I doubt that is the case though, as the only functional differences between my current config and a backup of the old config are the LAN interface options. While troubleshooting this I updated my firmware to v2.0.3. After that I reverted to the default config, ran the basic setup wizard, then manually re-created my small amount of port forwarding rules exactly as they were aside from the above mentioned change to the LAN interface list.

 

If any ubiquiti users are still having issues with this specific issue (external access works, local access doesn't) after making this change, @ me and I'll try to help (even though I'm far from an expert)

 

See below for a screenshot of the port forwarding screen from my now-functioning setup:

 

[screenshot attachment: Untitled.png, port forwarding screen]

Edited by deepthought
Link to comment
Started getting:
nginx: [emerg] cannot load certificate "/config/keys/letsencrypt/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
I'm working on figuring out the fix.
What does this mean exactly? Mine is saying it too

Sent from my SM-G975U using Tapatalk

Link to comment
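As an added example (not code from this thread or from the SWAG image): a small Python checker for the two certificate problems raised above, a fullchain.pem that nginx rejects with "no start line" and one that has simply expired, the same check as opening the site and clicking the lock. The path /config/keys/letsencrypt/fullchain.pem comes from the error above; the minimal DER walker and the constructed sample certificate are my own assumptions, not part of the container.

```python
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(text):
    """DER bytes of every CERTIFICATE block; fullchain.pem holds the leaf first, then intermediates."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]

def der_read(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a SEQUENCE body into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def cert_not_after(der):
    """Certificate -> tbsCertificate -> validity -> notAfter (UTCTime tag 0x17 or GeneralizedTime 0x18)."""
    fields = der_children(der_children(der_read(der, 0)[1])[0][1])
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    tag, not_after = der_children(fields[3][1])[1]  # serial, signature, issuer, validity[notBefore, notAfter]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(not_after.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check_fullchain(text, today):
    """today is 'YYYY-MM-DD'. Reports the two failure modes from the thread: no parseable cert, or an expired one."""
    certs = pem_to_der_list(text)
    if not certs:
        return {"status": "no-cert", "detail": "no CERTIFICATE block; nginx reports this as 'no start line'"}
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    days = (cert_not_after(certs[0]) - now).days
    status = "expired" if days < 0 else ("due" if days <= 30 else "ok")  # certbot renews inside 30 days
    return {"status": status, "days": days}

def der(tag, body):
    """Short-form DER encoder, only used to build the constructed sample below."""
    return bytes([tag, len(body)]) + body

def sample_pem(not_after="190602000000Z"):
    """CONSTRUCTED stub: a structurally valid Certificate skeleton (no real keys or signature) for offline testing."""
    t = lambda s: der(0x17, s.encode("ascii"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
              + der(0x30, t("190301000000Z") + t(not_after)) + der(0x30, b"") + der(0x30, b""))
    b64 = base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Real use: check_fullchain(open("/config/keys/letsencrypt/fullchain.pem").read(), "2019-06-05")
    print(check_fullchain(sample_pem(), "2019-06-05"))
```

A "no-cert" result means the file was emptied or overwritten rather than that renewal failed, which is why the thread's fix (regenerating the config) and a failed renewal are two different problems.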
26 minutes ago, blaine07 said:

What does this mean exactly? Mine is saying it too

Sent from my SM-G975U using Tapatalk

The Certificate expired, but I don't know why it stopped renewing itself. A docker restart didn't fix it. I'm asking in the LS.io discord.

 

Fix by:

Quote

Delete the /config/etc folder and restart the container.

 

Edited by SteelzFinest
Link to comment
5 hours ago, blaine07 said:

That's funny because a bit back my certs all expired. Had to add a fictitious site to Letsencrypt, start service and let it error, delete fictitious and restart again to get all the certs to renew.

Sent from my SM-G975U using Tapatalk
 

Good to know! But I thought LetsEncrypt kept the certs updated automagically.

Link to comment
Good to know! But I thought LetsEncrypt kept the certs updated automagically.
Last time mine needed them updated it didn't do it on its own... couple accounts of it NOT doing it on its own in previous pages. No idea who what why but

Sent from my SM-G975U using Tapatalk

Link to comment
23 minutes ago, blaine07 said:

Last time mine needed them updated it didn't do it on its own... couple accounts of it NOT doing it on its own in previous pages. No idea who what why but

Sent from my SM-G975U using Tapatalk
 

It's usually because the user makes changes to either port 80 mapping or their dns settings so validation fails

Link to comment
2 hours ago, blaine07 said:

No disrespect: I don't know how that is done so if I did it was unintentional. Is it possible unintentionally?

Sent from my SM-G975U using Tapatalk
 

Check the log folder, under letsencrypt and it will tell you exactly why the renewal failed. Then you can figure out what you may or may not have done

Link to comment
Check the log folder, under letsencrypt and it will tell you exactly why the renewal failed. Then you can figure out what you may or may not have done
I see "Cert not yet due for renewal" and "No renewals were attempted. No hooks were run."

Meh, was just curious why we were getting the error above but that doesn't seem related to the error a few posts up?

Sent from my SM-G975U using Tapatalk

Link to comment

I'm having a little issue. My modem went dead and I got a new one. Previously I was using a separate router but my new modem is a modem/router. I had this docker set up with Ombi and a dynamic DNS. I don't think this is an Ombi issue so I'm asking here. I could access my Ombi page over the internet. Well now I don't know what's going on but nothing seems to be working. I tried so many different troubleshooting steps that now I'm all turned around and can't make any assumptions as to what I did or didn't do. What I do know is:

1. I can't get the dynamic dns to work in my router but that's tabled because...

2. I cannot access Ombi from outside my network just using my ip address either

3. I have port 80 and 443 forwarded to my unraid server

4. I have the letsencrypt docker settings for domain and subdomain correct for my dynamic dns

5. I have the letsencrypt docker ports mapped as

172.17.0.3:443/TCP -> 192.168.1.2:443
172.17.0.3:80/TCP -> 192.168.1.2:8008

6. There are no errors in the letsencrypt docker log

7. If I try to go to the letsencrypt webui through the unraid docker back I get "ERROR_INTERNET_SEC_CERT_REVOKED", which I find strange as there are no errors in the log. That happens in Edge. When I use Chrome it says the cert is wrong because it's for my dns subdomain and not my internal IP. I expected that, make an exception, and it loads using my internal IP.

8. I know this sounds crazy but my sister has no problems accessing the Ombi app that this is linked to. I actually got a request from her the other day. I'm completely baffled why she is the only one that can access it outside my network.

9. I do IT professionally but I really LOATHE networking

 

I'm all sorts of turned around. I might try and just put my old router back and turn off the router features on my modem but I don't think that will help anyway. I'll try as a last resort though. Any ideas?

Edited by bobbintb
Link to comment
4 hours ago, bobbintb said:

I'm having a little issue. My modem went dead and I got a new one. Previously I was using a separate router but my new modem is a modem/router. I had this docker set up with Ombi and a dynamic DNS. I don't think this is an Ombi issue so I'm asking here. I could access my Ombi page over the internet. Well now I don't know what's going on but nothing seems to be working. I tried so many different troubleshooting steps that now I'm all turned around and can't make any assumptions as to what I did or didn't do. What I do know is:

1. I can't get the dynamic dns to work in my router but that's tabled because...

2. I cannot access Ombi from outside my network just using my ip address either

3. I have port 80 and 443 forwarded to my unraid server

4. I have the letsencrypt docker settings for domain and subdomain correct for my dynamic dns

5. I have the letsencrypt docker ports mapped as

172.17.0.3:443/TCP -> 192.168.1.2:443
172.17.0.3:80/TCP -> 192.168.1.2:8008

6. There are no errors in the letsencrypt docker log

7. If I try to go to the letsencrypt webui through the unraid docker back I get "ERROR_INTERNET_SEC_CERT_REVOKED", which I find strange as there are no errors in the log. That happens in Edge. When I use Chrome it says the cert is wrong because it's for my dns subdomain and not my internal IP. I expected that, make an exception, and it loads using my internal IP.

8. I know this sounds crazy but my sister has no problems accessing the Ombi app that this is linked to. I actually got a request from her the other day. I'm completely baffled why she is the only one that can access it outside my network.

9. I do IT professionally but I really LOATHE networking

 

I'm all sorts of turned around. I might try and just put my old router back and turn off the router features on my modem but I don't think that will help anyway. I'll try as a last resort though. Any ideas?

 

If the only thing you changed was the modem/router, then the problem is there.

Post a screenshot of the port forwarding and we'll check if it's correct.

 

It doesn't really make sense that your sister can access ombi, but you can't.

 

You have updated your domain to point to your new IP?

Link to comment
10 hours ago, blaine07 said:

I see "Cert not yet due for renewal" and "No renewals were attempted. No hooks were run."

Meh, was just curious why we were getting the error above but that doesn't seem related to the error a few posts up?

Sent from my SM-G975U using Tapatalk
 

Are you sure your certs were expired? What made you think they were?

 

And what error are you referring to? You might be confusing two separate issues

Link to comment
9 hours ago, bobbintb said:

I'm having a little issue. My modem went dead and I got a new one. Previously I was using a separate router but my new modem is a modem/router. I had this docker set up with Ombi and a dynamic DNS. I don't think this is an Ombi issue so I'm asking here. I could access my Ombi page over the internet. Well now I don't know what's going on but nothing seems to be working. I tried so many different troubleshooting steps that now I'm all turned around and can't make any assumptions as to what I did or didn't do. What I do know is:

1. I can't get the dynamic dns to work in my router but that's tabled because...

2. I cannot access Ombi from outside my network just using my ip address either

3. I have port 80 and 443 forwarded to my unraid server

4. I have the letsencrypt docker settings for domain and subdomain correct for my dynamic dns

5. I have the letsencrypt docker ports mapped as

172.17.0.3:443/TCP -> 192.168.1.2:443
172.17.0.3:80/TCP -> 192.168.1.2:8008

6. There are no errors in the letsencrypt docker log

7. If I try to go to the letsencrypt webui through the unraid docker back I get "ERROR_INTERNET_SEC_CERT_REVOKED", which I find strange as there are no errors in the log. That happens in Edge. When I use Chrome it says the cert is wrong because it's for my dns subdomain and not my internal IP. I expected that, make an exception, and it loads using my internal IP.

8. I know this sounds crazy but my sister has no problems accessing the Ombi app that this is linked to. I actually got a request from her the other day. I'm completely baffled why she is the only one that can access it outside my network.

9. I do IT professionally but I really LOATHE networking

 

I'm all sorts of turned around. I might try and just put my old router back and turn off the router features on my modem but I don't think that will help anyway. I'll try as a last resort though. Any ideas?

If it works from outside the LAN, your issue is hairpin NAT. Google how to enable it for your new router

Link to comment
Are you sure your certs were expired? What made you think they were?
 
And what error are you referring to? You might be confusing two separate issues
Yeah something definitely got spun around. Facepalm sorry.

My concern was(& it was mentioned somewhere above I think):

"nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size"

Not sure what I unintentionally placed myself into-- SORRY!

Certs this time aren't expired; last time when they were due up for renewal they didn't renew but that was resolved by addition of a fictitious site, starting up and erroring, removing and restarting, and certs renewed. Seems like a lot are having some issue at some capacity with certs not auto renewing for some reason though.

Sent from my SM-G975U using Tapatalk

Link to comment
On 7/1/2019 at 9:20 PM, deepthought said:

Solved my problem with regard to accessing nextcloud (and other letsencrypt'd containers) from within the same LAN on a ubiquiti edgerouter setup.  Posting here in case it might be of any use to others, including @kelmino

 

I'm pretty sure that the issue was the "LAN interface" setting under Port Forwarding options in EdgeOS. This setting needs to be "switch0" and nothing else on an edgerouter. Both myself and kelmino had several LAN interfaces set to various ethernet ports here, which seems to make sense at first and doesn't cause any issues with port forwarding when dealing with incoming connections from the outside internet. After reading ubiquiti's edgerouter port forwarding documentation and especially this ubiquiti forum post linked therewithin, I now realize that was incorrect. Having "LAN interface" set incorrectly prevents the hairpin NAT feature from working with the auto firewall rules, preventing local access.

 

For transparency, I'm guilty of changing too many variables at once here and it is entirely possible that the fix was actually starting from a fresh config on edgeos v2.0.3 rather than using an old config migrated from v1.10.5. I doubt that is the case though, as the only functional differences between my current config and a backup of the old config are the LAN interface options. While troubleshooting this I updated my firmware to v2.0.3. After that I reverted to the default config, ran the basic setup wizard, then manually re-created my small amount of port forwarding rules exactly as they were aside from the above mentioned change to the LAN interface list.

 

If any ubiquiti users are still having issues with this specific issue (external access works, local access doesn't) after making this change, @ me and I'll try to help (even though I'm far from an expert)

 

See below for a screenshot of the port forwarding screen from my now-functioning setup:

 

[screenshot attachment: Untitled.png, port forwarding screen]

Thanks for this, I'll try it when I get home tonight!

 

I didn't want to try this while I was at work and have it knock out my internet and the ability to remote in and have my server down all day. I'll let you know if it works.

 

 

Link to comment
