[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi, 

 

Was there recently a change on Letsencrypt? Today my websites were broken because the certificate was not renewed. The last renewal was in April. In the logs I cannot find a related error. Of course there are warnings, but I do not think they are responsible for the issue.

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=familie-ebner.at
SUBDOMAINS=cloud,tauchen,solar,ha,solar2,nr,nr2,wetter,wetter2,mqtt,
EXTRA_DOMAINS=cloud.ff-metnitz.at,slideshow.ff-metnitz.at,backup.ff-metnitz.at,
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cloud.familie-ebner.at -d tauchen.familie-ebner.at -d solar.familie-ebner.at -d ha.familie-ebner.at -d solar2.familie-ebner.at -d nr.familie-ebner.at -d nr2.familie-ebner.at -d wetter.familie-ebner.at -d wetter2.familie-ebner.at -d mqtt.familie-ebner.at
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d cloud.ff-metnitz.at -d slideshow.ff-metnitz.at -d backup.ff-metnitz.at
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/ha.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/mqtt.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/nr.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/nr2.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/wetter.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/wetter2.familie-ebner.at:42
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [warn] conflicting server name "wetter.familie-ebner.at" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wetter2.familie-ebner.at" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wetter.familie-ebner.at" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "wetter2.familie-ebner.at" on 0.0.0.0:443, ignored
Server ready

 

Link to comment
25 minutes ago, ebnerjoh said:

Hi,

 

I have now reverted the letsencrypt version, and I was able to fix all errors and warnings, except the last 4 warnings. But the certs are still not updated.

 

Br,

Johannes

Do you turn off the server at night? The renewal script is running at night.

You could try to add a subdomain and see if your certificate is renewed. If it is, remove the added subdomain.

Link to comment
7 minutes ago, saarg said:

Do you turn off the server at night? The renewal script is running at night.

You could try to add a subdomain and see if your certificate is renewed. If it is, remove the added subdomain.

Hi, no, I am not shutting down.

 

I got it working now by reverting to an older Letsencrypt installation and running a "certbot renew" in the Docker-CLI.

 

I need to look in detail when I have more time.

Link to comment
1 hour ago, ebnerjoh said:

Hi, no, I am not shutting down.

 

I got it working now by reverting to an older Letsencrypt installation and running a "certbot renew" in the Docker-CLI.

 

I need to look in detail when I have more time.

Don't run certbot manually. Simply adding or removing a subdomain is enough to trigger a renewal.

Link to comment
4 hours ago, ebnerjoh said:

Hi, no, I am not shutting down.

 

I got it working now by reverting to an older Letsencrypt installation and running a "certbot renew" in the Docker-CLI.

 

I need to look in detail when I have more time.

Letsencrypt renewal attempt logs are in the config folder

Link to comment

Trying to get the Letsencrypt container working with a very standard setup but it doesn't seem to be listening on any ports.

I have the docker container configured with a bridge network, and port 81 and 444, with no conflicts.

 

Once it's running should I then be able to hit <UNRAIDIP>:81 and <UNRAIDIP>:444 ??

Or do a netstat inside the docker container and see it listening on those ports?

 

My port forwards from the outside are perfect but it's definitely not listening like I would expect :(

Link to comment
7 hours ago, zer0zer0 said:

Trying to get the Letsencrypt container working with a very standard setup but it doesn't seem to be listening on any ports.

I have the docker container configured with a bridge network, and port 81 and 444, with no conflicts.

 

Once it's running should I then be able to hit <UNRAIDIP>:81 and <UNRAIDIP>:444 ??

Or do a netstat inside the docker container and see it listening on those ports?

 

My port forwards from the outside are perfect but it's definitely not listening like I would expect :(

Hard for us to say anything when you haven't posted any log, docker run command or screenshot of port forwarding.

The nginx part isn't started until the certificate is created

Link to comment
9 hours ago, saarg said:

Hard for us to say anything when you haven't posted any log, docker run command or screenshot of port forwarding.

The nginx part isn't started until the certificate is created

All I needed to know is if it should be listening or not, and you answered that perfectly! Thank you :D

 

I also noticed the actual container ports were stuck on port 81/444 for some reason, so I deleted and recreated it and it started up listening on 80/443, and also switched to dns validation, and things are working as expected now :)

Edited by zer0zer0
Link to comment

The only leftover annoying part of this is that going to 'jellyfin.website.com' doesn't redirect, so it doesn't work. You have to manually enter 'https://jellyfin.website.com'. I think I'm probably just missing a setting in NGINX but I haven't been able to find anything. Anybody know how to fix this?

Link to comment
1 hour ago, FireFtw said:

The only leftover annoying part of this is that going to 'jellyfin.website.com' doesn't redirect, so it doesn't work. You have to manually enter 'https://jellyfin.website.com'. I think I'm probably just missing a setting in NGINX but I haven't been able to find anything. Anybody know how to fix this?

Check the top of the default site config

Link to comment
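The redirect asked about above, together with the `listen ... ssl` form that the deprecation warnings in the earlier startup log point to, as an added example that is not part of any post and not SWAG's shipped default config. The certificate paths and the upstream address are placeholders chosen for illustration.

```nginx
# Added example, not SWAG's shipped default file.

# Port 80: nothing is served in clear text; every request is
# answered with a permanent redirect to the same host and URI on HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Port 443: TLS is enabled on the listen directive itself.
# A standalone "ssl on;" line is what produces the
# 'the "ssl" directive is deprecated' warning at startup.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jellyfin.website.com;

    # Placeholder paths: point these at the certificate and key
    # that the container obtained for this hostname.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # Assumed upstream address and port for the proxied application.
        proxy_pass http://192.0.2.10:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing a site config, `nginx -t` inside the container reports syntax errors and warnings before the change is loaded.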

I've been using GeoIP2 for a few weeks, but after the last two container updates, GeoLite2-City.mmdb couldn't be found.

In the container log I see the following message: [emerg] MMDB_open("/var/lib/libmaxminddb/GeoLite2-City.mmdb") failed - Error opening the specified MaxMind DB file in /config/nginx/nginx.conf:36. After manually running .//etc/periodic/weekly/libmaxminddb everything works again.

 

Link to comment
6 hours ago, capino said:

I've been using GeoIP2 for a few weeks, but after the last two container updates, GeoLite2-City.mmdb couldn't be found.

In the container log I see the following message: [emerg] MMDB_open("/var/lib/libmaxminddb/GeoLite2-City.mmdb") failed - Error opening the specified MaxMind DB file in /config/nginx/nginx.conf:36. After manually running .//etc/periodic/weekly/libmaxminddb everything works again.

 

I have a theory about that. Can you create an issue on the GitHub repo so we can track it easier?

Link to comment

Hey guys! I hope I'm in the right place, as I am a noob to unraid and dockers, which are awesome so far in my experience. I am trying to use this docker to install the web panel Open Game Panel and I am missing PHP dependencies. Here is what it says is missing. Any ideas on how to make it work? Is it an unraid issue or can it be added to this docker? Any help is appreciated.

 

Checking required file permissions:
includes/config.inc.php: OK
modules/TS3Admin/templates_c: OK

Checking PHP version:
PHP Version >= 5.3: 7.3.6

Checking required modules:
PHP XML-RPC module: Not found
PHP Curl module: Found
PHP XML Reader: Found
PHP JSON Extension: Found
PHP Zip Extension: Found
PHP mbstring Extension: Found
Pear XXTEA: Found
Pear: Not found
file_get_contents(): Found
allow_url_fopen=on: Found

Checking optional modules:
PHP BCMath Extension: Not found.

 

Thanks

Edited by crgcputech79
Link to comment
34 minutes ago, crgcputech79 said:

Hey guys! I hope I'm in the right place, as I am a noob to unraid and dockers, which are awesome so far in my experience. I am trying to use this docker to install the web panel Open Game Panel and I am missing PHP dependencies. Here is what it says is missing. Any ideas on how to make it work? Is it an unraid issue or can it be added to this docker? Any help is appreciated.

 

Checking required file permissions:
includes/config.inc.php: OK
modules/TS3Admin/templates_c: OK

Checking PHP version:
PHP Version >= 5.3: 7.3.6

Checking required modules:
PHP XML-RPC module: Not found
PHP Curl module: Found
PHP XML Reader: Found
PHP JSON Extension: Found
PHP Zip Extension: Found
PHP mbstring Extension: Found
Pear XXTEA: Found
Pear: Not found
file_get_contents(): Found
allow_url_fopen=on: Found

Checking optional modules:
PHP BCMath Extension: Not found.

 

Thanks

You can request php modules to be added and unless they're really fringe cases, we add them.

 

What exactly are you trying to set up?

Link to comment
7 hours ago, Riotz said:

Can anyone please tell me why I am seeing these wget errors in my log? Also, any chance of getting php7_ldap added to the container?

 

image.png.2181e4f7a388d070f5c3f43fefee8923.png

 

Thanks,

Looks like attempts to update the geoip db are failing. Harmless but we'll look into it

  • Upvote 1
Link to comment

Hey guys, I have a quick question. I had @CHBMB help me a couple of months ago. I wanted to know if it is possible to always have the (Subdomain www,) deleted? The reason is that every time I update the docker it comes back and I have to delete it in order for the docker to work. Or how can I make it work with the (Subdomain www,)? Thanks in advance.

Link to comment
19 hours ago, aptalca said:

Looks like attempts to update the geoip db are failing. Harmless but we'll look into it

Thanks so much. What about php7_ldap integration into the container? Would really love to use the PLEX for LDAP container with my Wordpress sites.
 

Thanks again,

Link to comment
