Mihle Posted November 22, 2019
For fun I tried https://www.ssllabs.com/ssltest and this showed up. Is there anything I should or should not do about that, or is it just something to ignore?
Tzundoku Posted November 23, 2019
Hello there. Unsure if this is the most appropriate place to ask, but I guess it's worth a try. I keep getting "Challenge failed for domain.." in the initial setup validation and I suspect I'm messing up the port forwarding somewhere along my network.
- Following SpaceInvaderOne's guide on Letsencrypt I have http pointing to 180 and https to 1443.
- I have an "obligatory" modem provided by my ISP (Technicolor TG789vac v2) which does not allow/provide an option to switch to bridge mode due to some kind of conflict with VoIP. My port settings are visible in image 1.
- I have a Mikrotik hEX PoE Routerboard with port settings visible in image 2, or as follows:

    /ip firewall nat
    add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=180
    add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=1443
    /ip firewall nat
    add action=masquerade chain=srcnat comment=Letsencrypt dst-port=180,1443 dst-address=192.168.88.88 protocol=tcp

Where 192.168.88.1 points to the Mikrotik router and 192.168.88.88 points to Unraid. Any ideas on where I might be messing up? Please ask if additional info might be required. Appreciate your time and effort.
saarg Posted November 23, 2019
(Replying to Tzundoku's post above.)
In the Mikrotik you should port forward 180 to 180 and 1443 to 1443, as you already port forwarded from 80 to 180 and 443 to 1443 in your ISP modem. With the forwarding you set up now, all traffic is lost between the modem and your router.
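To make saarg's point concrete, here is an added example (not code from the thread or from any of the projects mentioned) that parses the posted Mikrotik dst-nat rules and traces a connection through both NAT hops: the modem rewrites 80/443 to 180/1443 first, so router rules that still match on 80/443 never fire. The modem's rules are reconstructed from the poster's description, and the router's WAN address (192.168.1.2) and the public address (203.0.113.10) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Addresses given in the thread.
UNRAID = "192.168.88.88"
ROUTER_LAN = "192.168.88.1"
# Assumed (not in the thread): the hEX's WAN address on the modem's LAN side and
# a documentation-range address standing in for the public IP.
ROUTER_WAN = "192.168.1.2"
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    dst_address: str
    dst_port: int


@dataclass(frozen=True)
class DstNatRule:
    """Only the fields that matter for this trace: match on dst-port and
    rewrite the destination to to-addresses:to-ports."""
    dst_port: int
    to_address: str
    to_port: int
    comment: str = ""


def parse_routeros_dstnat(script: str) -> List[DstNatRule]:
    """Parse `add action=dst-nat ... dst-port=N ... to-addresses=A to-ports=M`
    lines from a RouterOS `/ip firewall nat` export. The section header and
    masquerade rules are ignored."""
    rules: List[DstNatRule] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line.startswith("add ") or "action=dst-nat" not in line:
            continue
        kv: Dict[str, str] = {}
        for token in line[len("add "):].split():
            key, _, value = token.partition("=")
            kv[key] = value
        rules.append(DstNatRule(int(kv["dst-port"]), kv["to-addresses"],
                                int(kv["to-ports"]), kv.get("comment", "")))
    return rules


def apply_dstnat(pkt: Packet, rules: Sequence[DstNatRule]) -> Optional[Packet]:
    """First matching rule wins. None means no rule matched: the packet stays
    addressed to the device itself, which has no listener on that port."""
    for rule in rules:
        if pkt.dst_port == rule.dst_port:
            return Packet(rule.to_address, rule.to_port)
    return None


def trace(pkt: Packet,
          hops: Sequence[Tuple[str, Sequence[DstNatRule]]]) -> List[Tuple[str, Optional[Packet]]]:
    """Run the packet through each NAT hop in order, stopping at the first drop."""
    steps: List[Tuple[str, Optional[Packet]]] = []
    for name, rules in hops:
        nxt = apply_dstnat(pkt, rules)
        steps.append((name, nxt))
        if nxt is None:
            break
        pkt = nxt
    return steps


def final_destination(pkt: Packet,
                      hops: Sequence[Tuple[str, Sequence[DstNatRule]]]) -> Optional[Packet]:
    return trace(pkt, hops)[-1][1]


# The ISP modem (image 1 in the thread) forwards 80 -> 180 and 443 -> 1443 to
# the router, as the poster describes. Reconstructed here, not copied.
MODEM = [DstNatRule(80, ROUTER_WAN, 180, "modem http"),
         DstNatRule(443, ROUTER_WAN, 1443, "modem https")]

# The Mikrotik rules exactly as posted.
ROUTER_ORIGINAL = parse_routeros_dstnat("""
/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=1443
/ip firewall nat
add action=masquerade chain=srcnat comment=Letsencrypt dst-port=180,1443 dst-address=192.168.88.88 protocol=tcp
""")

# saarg's fix: match the ports the modem has already rewritten to.
ROUTER_FIXED = parse_routeros_dstnat("""
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=180 protocol=tcp to-addresses=192.168.88.88 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=1443 protocol=tcp to-addresses=192.168.88.88 to-ports=1443
""")


if __name__ == "__main__":
    for label, router in (("as posted", ROUTER_ORIGINAL), ("after saarg's fix", ROUTER_FIXED)):
        for port in (80, 443):
            steps = trace(Packet(PUBLIC_IP, port), [("modem", MODEM), ("mikrotik", router)])
            path = " -> ".join(f"{n}: {p.dst_address}:{p.dst_port}" if p else f"{n}: DROPPED"
                               for n, p in steps)
            print(f"[{label}] port {port}: {path}")
```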
aptalca Posted November 23, 2019
(Replying to Tzundoku's post above.)
After following @saarg's advice, use this to confirm: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/
Marv Posted November 23, 2019
Hi, I'm trying to move my Nextcloud setup from a subfolder setup to a dedicated subdomain using a CNAME record pointing to my DNS, but I'm struggling to get this to work. Here are the files I adjusted; maybe someone can have a look at this please:

Letsencrypt container: config\nginx\proxy-confs\nextcloud.subdomain.conf

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name cloud.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_nextcloud Nextcloud;
            proxy_max_temp_file_size 2048m;
            proxy_pass https://$upstream_nextcloud:443;
        }
    }

Letsencrypt container: config\nginx\site-confs\default

    # redirect all traffic to https
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # main server block
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        root /config/www;
        index index.html index.htm index.php;

        server_name _;

        # enable subfolder method reverse proxy confs
        #include /config/nginx/proxy-confs/*.subfolder.conf;

        # all ssl related config moved to ssl.conf
        include /config/nginx/ssl.conf;

        # enable for ldap auth
        #include /config/nginx/ldap.conf;

        client_max_body_size 0;

        location / {
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }
    }

    # enable subdomain method reverse proxy confs
    include /config/nginx/proxy-confs/*.subdomain.conf;

    # enable proxy cache for auth
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

Nextcloud container: config\nginx\site-confs\default

    upstream php-handler {
        server 127.0.0.1:9000;
        # server unix:/var/run/php/php7.2-fpm.sock;
    }

    server {
        listen 80;
        # listen [::]:80;
        server_name cloud.*;
        # enforce https
        return 301 https://$server_name:443$request_uri;
    }

    server {
        listen 443 ssl http2;
        # listen [::]:443 ssl http2;
        server_name cloud.*;

        # Use Mozilla's guidelines for SSL/TLS settings
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        # NOTE: some settings below might be redundant
        ssl_certificate /config/keys/cert.crt;
        ssl_certificate_key /config/keys/cert.key;

        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Fetch forwarded remote IP address instead of IP address of docker0 bridge interface
        real_ip_header X-Forwarded-For;
        set_real_ip_from 172.17.0.0/16;
        real_ip_recursive on;

        # Path to the root of your installation
        root /config/www/nextcloud;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;

        # The following rule is only needed for the Social app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/webfinger /nextcloud/public.php?service=webfinger last;

        location = /.well-known/carddav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }

        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is built with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        location / {
            rewrite ^ /index.php;
        }

        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include /etc/nginx/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param HTTPS on;
            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js, css and map files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;

            # Optional: Don't log access to assets
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }

Nextcloud container: config\www\nextcloud\config\default

    <?php
    $CONFIG = array (
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'datadirectory' => '/data',
      'instanceid' => 'xxx',
      'passwordsalt' => 'xxx',
      'secret' => 'xxx',
      'trusted_domains' =>
      array (
        0 => '192.168.121.10:444',
        1 => 'cloud.mydomain.de',
      ),
      'trusted_proxies' => ['letsencrypt'],
      'overwrite.cli.url' => 'https://cloud.mydomain.de',
      'overwritehost' => 'cloud.mydomain.de',
      'overwriteprotocol' => 'https',
      '...
    );

I'm also running Emby with the same config files in Letsencrypt and have no issues there. When trying to load my Nextcloud site I just get 502 Bad Gateway after a while.
aptalca Posted November 23, 2019
(Replying to Marv's post above.)
You set the proxy pass to "Nextcloud". It should be "nextcloud", and the container name should also be "nextcloud".
Marv Posted November 24, 2019
8 hours ago, aptalca said: You set the proxy pass to "Nextcloud". It should be "nextcloud" and the container name should also be "nextcloud"
But my container is actually named "Nextcloud". That's why I'm using:

    set $upstream_nextcloud Nextcloud;

Isn't this correct then?
saarg Posted November 24, 2019
9 hours ago, Marv said: But my container is named "Nextcloud" actually. That's why I'm using: set $upstream_nextcloud Nextcloud; Isn't this correct then?
You can't use uppercase for the container name if you want this to work, so change it to all lower case in both places. We set it up in the template to use lower case so the user doesn't have to do anything special to get it to work.
Marv Posted November 25, 2019
15 hours ago, saarg said: You can't use uppercase for the container name if you want this to work. So change it to all lower case in both places. We set it up in the template to use lower case so the user doesn't have to do anything special to get it to work.
Ok, thanks. I'll try this later. Just out of curiosity: is it possible to use the default config file under "site-confs" to just handle my Nextcloud subdomain (cloud.mydomain.com) and another config for Emby (emby.mydomain.com) under "proxy-confs"? The reason I'm asking is that I don't really have a use case for my main domain (mydomain.com) or my DNS URL and just want the two subdomains to be "visible". So when entering either mydomain.com or my DNS domain I want to get pointed to cloud.mydomain.com, for example. Is this possible?
aptalca Posted November 25, 2019
(Replying to Marv's post above.)
Sure, the proxy confs get imported into the default site conf via "include" statements when nginx reads them.
Kash76 Posted November 27, 2019 (edited)
Hey everyone, I had to change DNS configurations recently due to port 80 being blocked, and I'm having a heck of a time since moving to Cloudflare and trying to use DNS authentication. I have tried many things and am getting 522 errors from Cloudflare, and am hoping that you can help me. I most recently started over with the letsencrypt container; here are my configs....

Log file output:

    Variables set:
    PUID=99
    PGID=100
    TZ=America/Chicago
    URL=xxx.net
    SUBDOMAINS=cloud
    EXTRA_DOMAINS=
    ONLY_SUBDOMAINS=false
    DHLEVEL=2048
    VALIDATION=dns
    DNSPLUGIN=cloudflare
    [email protected]
    STAGING=

    2048 bit DH parameters present
    SUBDOMAINS entered, processing
    SUBDOMAINS entered, processing
    Sub-domains processed are: -d cloud.xxx.net
    E-mail address entered: [email protected]
    dns validation via cloudflare plugin is selected
    Certificate exists; parameters unchanged; starting nginx
    [cont-init.d] 50-config: exited 0.
    [cont-init.d] 99-custom-files: executing...
    [custom-init] no custom files found exiting...
    [cont-init.d] 99-custom-files: exited 0.
    [cont-init.d] done.
    [services.d] starting services
    [services.d] done.
    nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
    Server ready

My Cloudflare.ini is set okay based on the cert being set up, so I'm skipping that.

Proxy config for nextcloud (also the name in my docker settings):

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name cloud.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_nextcloud nextcloud;
            proxy_max_temp_file_size 2048m;
            proxy_pass https://$upstream_nextcloud:8000;
        }
    }

Nextcloud and Letsencrypt Docker configs are attached. The Unraid web interface runs on another port, so I do actually use 443 for Letsencrypt. My Cloudflare settings are also attached. I'm not sure if my subdomains should be proxied or not and what my SSL setting should be. Thanks for any help you can offer!
Edited November 27, 2019 by Kash76: added info
saarg Posted November 27, 2019
@Kash76 You do not change the port in the proxy conf when using a custom bridge, as letsencrypt and nextcloud are talking internally and don't use the port forwards. Change it from 8000 back to 443.
Kash76 Posted November 27, 2019
5 hours ago, saarg said: @Kash76 You do not change the port in the proxy conf when using a custom bridge as letsencrypt and nextcloud are talking internally and don't use the port forwards. Change it from 8000 back to 443.
Thanks much for the response. I changed it back to this and am still getting 522 errors on network and 523 off network:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name cloud.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_nextcloud nextcloud;
            proxy_max_temp_file_size 2048m;
            proxy_pass https://$upstream_nextcloud:443;
        }
    }
PsiKoTicK Posted November 27, 2019 (edited)
Alright, I feel really dumb, but I cannot get Ubooquity to work at all. I get the "welcome to our server" page.

    server_name comics.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202/ubooquity/;
    }

    location /admin {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2203/ubooquity/admin/;
    }

I have tried without the /ubooquity, etc., and it does not work. I've gotten it to work by using comics.domain.com/ubooquity/ with only the port listed in proxy_pass instead of the URL, but it had no CSS and would show me no actual data, so something is wonky... I own the domain and use a dynamic DNS to update my domain name; all my CNAMEs are pointed to domain.com and other things work (Organizr, Booksonic as mentioned below). I'm just hung up here on Ubooquity currently, but if anything with a base URL doesn't work I don't know how functional this is for me. I was happy with redirects, but I would prefer to use an https connection if possible.

I had a similar issue with Booksonic, and was able to just turn off the /booksonic/ part of that URL so it loads direct without the base URL; I could not get it to work if I had /booksonic in the proxy_pass line either... I cannot determine how to do that with my Ubooquity server, so if I should ask there instead, just let me know.

Help. Please.
Edited November 27, 2019 by PsiKoTicK: Clarity
MrMoosieMan Posted November 27, 2019
I was alerted via email that my LetsEncrypt cert was expiring soon. I decided to run "certbot renew" from the CLI but received the below error. After much troubleshooting I am unable to determine what could be causing the issue. The logs do not give much info other than what is below. Any thoughts?

    root@f74f982f283f:/# certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/mydomain.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator dns-cloudflare, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    dns-01 challenge for mydomain.com
    Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
    Cleaning up challenges
    Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address?). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)
MrMoosieMan Posted November 27, 2019
(Replying to my own post above.)
I just answered my own question. Not sure why, but my API key had changed with Cloudflare. Replaced the key and BAM, it renewed without issue.
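The renew output above shows two separate problems: certbot's "Unsafe permissions on credentials configuration file" warning (the ini file was readable by group or others) and the 9103 rejection from Cloudflare (the key on disk no longer matched the account). The following added pre-flight check is not from the thread, certbot or linuxserver; it applies the same group/other permission test certbot warns on and catches empty or unedited credential values before `certbot renew` is run. The ini key names are the ones certbot's dns-cloudflare plugin reads; the placeholder marker list and the two sample files are constructed for the example.

```python
import os
from typing import Dict, List

# Keys certbot's dns-cloudflare plugin reads: either an API token, or the
# account e-mail plus the Global API Key (the pair behind the 9103 error above).
TOKEN_KEY = "dns_cloudflare_api_token"
EMAIL_KEY = "dns_cloudflare_email"
APIKEY_KEY = "dns_cloudflare_api_key"

# Substrings that mark a value as never having been filled in (assumed list).
PLACEHOLDER_MARKERS = ("example", "xxx", "your_", "changeme")

# Constructed samples: the first mirrors the shape of an unedited template,
# the second a filled-in file (the key is a made-up hex string).
SAMPLE_TEMPLATE = """\
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_FILLED = """\
dns_cloudflare_email = admin@domain.invalid
dns_cloudflare_api_key = 9f1c2b7e4d8a6c3b5e0f1a2d4c6e8b0a7d9f1
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal key = value parser for the flat, section-less file certbot expects.
    Comments (#) and blank lines are ignored; surrounding quotes are stripped."""
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip().strip("'\"")
    return creds


def permission_findings(mode: int) -> List[str]:
    """The test behind certbot's warning: any group/other bit set means another
    local user or container process could read the API key."""
    if mode & 0o077:
        return [f"unsafe permissions {oct(mode & 0o777)}: group/other can read the file; use mode 0600"]
    return []


def _placeholder(value: str) -> bool:
    low = value.lower()
    return not value or any(marker in low for marker in PLACEHOLDER_MARKERS)


def credential_findings(creds: Dict[str, str]) -> List[str]:
    """Catch offline what Cloudflare would otherwise reject with error 9103:
    missing, empty or template values. A well-formed but revoked or rotated key
    (the poster's actual cause) can only be detected by calling the API."""
    findings: List[str] = []
    token = creds.get(TOKEN_KEY)
    email = creds.get(EMAIL_KEY)
    api_key = creds.get(APIKEY_KEY)
    if token is not None:
        if _placeholder(token):
            findings.append(f"{TOKEN_KEY} is empty or still a placeholder")
        return findings
    if email is None or api_key is None:
        findings.append(f"need {TOKEN_KEY}, or both {EMAIL_KEY} and {APIKEY_KEY}")
        return findings
    if _placeholder(email) or "@" not in email:
        findings.append(f"{EMAIL_KEY} is not a real account address")
    if _placeholder(api_key):
        findings.append(f"{APIKEY_KEY} is empty or still a placeholder")
    return findings


def check_credentials_file(path: str) -> List[str]:
    """Full pre-flight for a file such as /config/dns-conf/cloudflare.ini.
    Returns the problems found; an empty list means it is safe to run `certbot renew`."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8") as fh:
        creds = parse_ini(fh.read())
    return permission_findings(mode) + credential_findings(creds)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/config/dns-conf/cloudflare.ini"
    problems = check_credentials_file(target)
    print("\n".join(problems) if problems else f"{target}: credentials file looks sane")
```

Run it inside the letsencrypt container (or against the mounted path on the host) before renewing; the file should end up mode 0600 and owned by the user certbot runs as.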
aptalca Posted November 27, 2019
3 hours ago, Kash76 said:
Thanks much for the response. I changed it back to this and am still getting 522 errors on network and 523 off network.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

Turn off cloudflare proxy (click on the orange cloud)
aptalca Posted November 27, 2019
1 hour ago, PsiKoTicK said:
Alright, I feel really dumb, but I cannot get Ubooquity to work, at all. I get the "welcome to our server" page.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name comics.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202/ubooquity/;
    }

    location /admin {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2203/ubooquity/admin/;
    }
}

I have tried without the /ubooquity, etc., and it does not work. I've gotten it to work by using comics.domain.com/ubooquity/ with only the port listed in proxy_pass instead of the URL, but had no CSS and it would show me no actual data, so something is wonky... I own the domain, and use a dynamic DNS to update my domain name; all my CNAMEs are pointed to domain.com and other things work (organizr, booksonic as mentioned below). I'm just hung up here on ubooquity currently, but if anything with a base URL doesn't work I don't know how functional this is for me. I was happy with redirects but I would prefer to use an https connection if possible. I had a similar issue with Booksonic, and was able to just turn off the /booksonic/ part of that URL so it loads direct without the base URL; I could not get it to work if I had /booksonic in the proxy_pass line either... I cannot determine how to do that with my Ubooquity server, so if I should ask there instead, just let me know. Herlp. Please.
You're mixing and matching elements from the subdomain and subfolder proxy methods. Which are you trying to accomplish?
aptalca Posted November 27, 2019
1 hour ago, MrMoosieMan said:
I just answered my own question. Not sure why, but my API key had changed with Cloudflare. Replaced the key and BAM, it renewed without issue.

Glad to hear it is fixed. But keep in mind that we do not support running manual commands like "certbot renew" inside the container unless we ask you to run a specific one. All the necessary info about renewals is in the readme.
Kash76 Posted November 27, 2019
37 minutes ago, aptalca said:
Turn off cloudflare proxy (click on the orange cloud)

Thank you! Making progress: did that and am now getting "ERR_SSL_PROTOCOL_ERROR" in Chrome and "SSL_ERROR_RX_RECORD_TOO_LONG" in Firefox. I usually do not have issues like this but am having a hell of a time troubleshooting this. Nothing in my error log; the access log has entries like this...

10.x.x.x - - [27/Nov/2019:12:15:12 -0600] "\x16\x03\x01\x01.\x01\x00\x01*\x04\x03H\xC4z\xDE\x0B(\xF8\x9E-\x88\xD0l0\x8EC\xC9\x14\xBD\xC2\xD0\xFEq{\xE8\x07H\x9EX\xFDs\xF6D\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"
dandiodati Posted November 27, 2019
On 10/8/2019 at 12:06 PM, dandiodati said:
Anyone else have luck setting up letsencrypt and unms? I have both services running in docker containers. If I send a websocket request:

curl --insecure --include --no-buffer \
  --header "Connection: Upgrade" \
  --header "Upgrade: websocket" \
  --header "Host: example.com:80" \
  --header "Origin: http://example.com:80" \
  --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  --header "Sec-WebSocket-Version: 13" \
  https://192.168.x.x:443/

then the nginx service within the letsencrypt container just redirects me to its default home page instead of the unms container. If I use a regular https request then I do get redirected to the unms container (the login page). So something is weird with trying to connect as a websocket, which is needed for discovery. I tried the setting above too but no luck.

Still have not been able to get letsencrypt to reverse proxy for unms. MothyTim sent me his configuration in a previous post but it still did not work. The regular login redirects me fine; just the websocket does not work, therefore unms device discovery etc. don't work correctly. Anyone else have luck with unms? I'm using the nico640/docker-unms docker container, which starts fine and works correctly (websockets included) when I connect directly to it. I attached my letsencrypt nginx/proxy-confs/unms.subdomain.conf configuration. I have a custom network bridge set up for the letsencrypt container and unms (also have nextcloud in there, which works correctly). My DNS is set up correctly at Cloudflare with an A record for the main IP address and CNAMEs for unms and nextcloud pointing to it. Any ideas or help for solving this issue? Been fighting with it for a long time with no solution.
Dan

Attachment: unms.subdomain.conf
dandiodati Posted November 27, 2019
5 minutes ago, dandiodati said:
Still have not been able to get letsencrypt to reverse proxy for unms. [...]

Oh, I did notice this error in the letsencrypt log, but it does not seem to cause any issues:

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

Any ideas or help for solving this issue? Been fighting with it for a long time with no solution.
Dan

Attachment: unms.subdomain.conf
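The curl command in dandiodati's post is a WebSocket opening handshake. A proxy that forwards it correctly answers 101 Switching Protocols with Upgrade: websocket, Connection: upgrade and a Sec-WebSocket-Accept derived from the client's Sec-WebSocket-Key (RFC 6455); anything else, including a 200 carrying the default page, means the upgrade never reached the backend. Below is an added example, not from this thread and not from the linuxserver or UNMS projects, that builds the client request and checks a server response the way a browser does. The two responses are constructed, and unms.example.com is a placeholder host. Two things a practitioner would check before anything else: nginx only hands the upgrade to the backend when the location has proxy_http_version 1.1 plus the Upgrade and Connection headers (look in the included proxy.conf for them), and the Host header has to match the server_name of the unms proxy conf, since nginx sends a Host it does not recognise to its default server.

```python
import base64
import hashlib

# Fixed GUID that RFC 6455 requires the server to append to the client's key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Key used in the curl command in the thread (it is also the RFC 6455 example key).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for this client key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str = "/", key: str = SAMPLE_KEY) -> bytes:
    """Client side of the handshake. Host must match the proxy's server_name or nginx picks its default server."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: Upgrade",
        "Upgrade: websocket",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        f"Origin: https://{host}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into status code, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_upgrade_response(raw: bytes, client_key: str = SAMPLE_KEY) -> dict:
    """Server side of the handshake, validated as a browser would before trusting the socket."""
    status, headers, _ = parse_response(raw)
    problems = []
    if status != 101:
        problems.append(f"status {status} instead of 101 Switching Protocols")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade header is not 'websocket'")
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection header lacks 'upgrade'")
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        problems.append("Sec-WebSocket-Accept missing or not derived from our key")
    return {"ok": not problems, "status": status, "problems": problems}


# Constructed responses: one from a proxy that forwarded the upgrade, one HTML fallback page that did not.
GOOD_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
FALLBACK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Welcome to our server</body></html>"
)

if __name__ == "__main__":
    print(build_upgrade_request("unms.example.com").decode())
    print(check_upgrade_response(GOOD_RESPONSE))
    print(check_upgrade_response(FALLBACK_RESPONSE))
```

Feed the bytes returned by curl --include (everything up to the blank line) into check_upgrade_response; the problems list tells you which of the three conditions the proxy failed, which narrows the search to either the location's upgrade headers or to server-block selection.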
blaine07 Posted November 27, 2019
Wow, some crazy stuff being asked lately. I'm just wanting to reach out for some much more basic info LOL. I know there are some VERY knowledgeable folks subbed here so... I am currently using Letsencrypt with DuckDNS through a pfSense appliance to Letsencrypt and to my containers. I am using GoDaddy as domain registrar and Hostgator for hosting. I am debating switching the entire setup to Cloudflare; port 80/443 is NOT being blocked by my ISP. What are the advantages of Cloudflare, or of using it versus my current setup? Is it a real pain to switch the entire current setup to using Cloudflare over how it's currently set up? Should I? Should I not switch?
Kash76 Posted November 27, 2019
2 hours ago, Kash76 said:
Thank you! Making progress: did that and am now getting "ERR_SSL_PROTOCOL_ERROR" in Chrome and "SSL_ERROR_RX_RECORD_TOO_LONG" in Firefox. [...]

Well this is embarrassing. I had the http and https ports for LetsEncrypt crossed. Thanks for the support and sorry for the bother!!
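The escaped request in the access-log entry Kash76 quoted is readable once decoded: \x16 is the TLS handshake record type, \x03\x01 the record-layer version, the next two bytes the record length, and the \x01 after them marks a ClientHello. A TLS client that lands on nginx's plain-HTTP listener gets exactly this 400, because nginx tries to parse the handshake bytes as a request line. The following is an added example, not from this thread or the linuxserver container, that undoes nginx's \xHH log escaping and flags such lines, so a crossed port forward is spotted from the log rather than by trial and error. The first sample line is constructed from the one quoted above (and cut off at the same point); the second is a made-up ordinary request for comparison.

```python
import re

# Constructed from the access-log entry quoted above (the request bytes are cut off there, so they are here too).
SAMPLE_TLS_LINE = (
    r'10.x.x.x - - [27/Nov/2019:12:15:12 -0600] "\x16\x03\x01\x01.\x01\x00\x01*\x04\x03H\xC4z\xDE\x0B(\xF8\x9E'
    r'-\x88\xD0l0\x8EC\xC9\x14\xBD\xC2\xD0\xFEq{\xE8\x07H\x9EX\xFDs\xF6D\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0"'
    r' 400 157 "-" "-"'
)
# A constructed ordinary request line for comparison.
SAMPLE_HTTP_LINE = r'10.x.x.x - - [27/Nov/2019:12:16:01 -0600] "GET /index.php HTTP/1.1" 200 612 "-" "curl/7.64.0"'

# Default combined log format: the quoted request follows the timestamp, then the status code.
_LOG_RE = re.compile(r'\] "((?:\\.|[^"\\])*)" (\d{3}) ')
# nginx writes " and \ as \" and \\, and every other non-printable byte as \xHH.
_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)', re.S)

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def nginx_unescape(field: str) -> bytes:
    """Recover the raw bytes of a logged request field from nginx's escaping."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16) if m.group(1) is not None else ord(m.group(2)))
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def classify_request(raw: bytes) -> dict:
    """Tell a plaintext HTTP request line apart from a TLS ClientHello that hit the wrong listener."""
    method = raw.split(b" ", 1)[0]
    if method in HTTP_METHODS:
        return {"kind": "http", "method": method.decode()}
    # TLS record header: type(1) version(2) length(2); then handshake header: type(1) length(3).
    if len(raw) >= 9 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04 and raw[5] == 0x01:
        record_len = int.from_bytes(raw[3:5], "big")
        handshake_len = int.from_bytes(raw[6:9], "big")
        return {
            "kind": "tls_client_hello",
            "record_version": TLS_VERSIONS.get(int.from_bytes(raw[1:3], "big"), "unknown"),
            "record_len": record_len,
            "handshake_len": handshake_len,
            # The handshake header is 4 bytes, so a genuine ClientHello record satisfies this.
            "consistent": record_len == handshake_len + 4,
        }
    return {"kind": "unknown"}


def diagnose_line(line: str) -> dict:
    """Parse one access-log line and attach a hint when a TLS handshake was logged as a bad HTTP request."""
    m = _LOG_RE.search(line)
    if not m:
        return {"kind": "unparsed"}
    result = classify_request(nginx_unescape(m.group(1)))
    result["status"] = int(m.group(2))
    if result["kind"] == "tls_client_hello" and result["status"] == 400:
        result["hint"] = "TLS handshake arrived on the plain-HTTP listener: check that 443 is forwarded to the ssl port, not the http port"
    return result


if __name__ == "__main__":
    for line in (SAMPLE_TLS_LINE, SAMPLE_HTTP_LINE):
        print(diagnose_line(line))
```

The opposite mistake looks different in the log: a plaintext GET arriving on the ssl listener is logged as a normal request line with a 400, and nginx answers it with its "The plain HTTP request was sent to HTTPS port" page, so the kind reported here stays http and only the status gives it away.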
aptalca Posted November 28, 2019
3 hours ago, Kash76 said:
Well this is embarrassing. I had the http and https ports for LetsEncrypt crossed. Thanks for the support and sorry for the bother!!

No worries. Glad to hear it works