[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



21 hours ago, WyoFarr said:

Hi All,

 

After two days of googling (a bit of an exaggeration), I can't figure out why I'm failing certification. I think my port forwarding is set up correctly, running an EdgeRouter X SFP. ***** the domain name, but it's filled out properly I think.

 

Here's the log output, and attached is a screenshot of my port forwarding.

 

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d *****
E-mail address entered: *****
http validation is selected
Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="?
if original_result is 0:
/usr/lib/python3.8/site-packages/digitalocean/LoadBalancer.py:19: SyntaxWarning: "is" with a literal. Did you mean "=="?
if type is 'cookies':
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:65: SyntaxWarning: "is" with a literal. Did you mean "=="?
if self.email is '' or self.token is '':
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:65: SyntaxWarning: "is" with a literal. Did you mean "=="?
if self.email is '' or self.token is '':
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:89: SyntaxWarning: "is" with a literal. Did you mean "=="?
if self.email is '' or self.token is '':
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:89: SyntaxWarning: "is" with a literal. Did you mean "=="?
if self.email is '' or self.token is '':
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:113: SyntaxWarning: "is" with a literal. Did you mean "=="?
if self.certtoken is '' or self.certtoken is None:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for *****
Waiting for verification...
Challenge failed for domain *****
http-01 challenge for *****
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: *****
Type: unauthorized
Detail: Invalid response from
http://*****/.well-known/acme-challenge/P_1kowh6nWwToCI-ORAGFWGYL3TfRmq28Znn3o6Q5IA
[162.241.225.183]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Your port forwarding is not correctly applied. Try restarting the router

12 hours ago, Orejo said:

 I'm experiencing a strange issue. When I'm accessing Nextcloud locally, I get redirected to the unRAID dashboard and I get to see the login prompt for the dashboard. When I'm outside my network, the connection works fine. I have other services set up, such as Sonarr and Radarr, both of which work fine externally and internally. I've attached my config files.  config.php


It's your router and/or port settings. I'm assuming you're running unraid on port 443. Your router is redirecting internal (lan) requests to your domain to the unraid ip in the same 443 port, so you're getting unraid.

 

You can move unraid's https port to something else and run letsencrypt on 443 instead


Hi all, First time posting, hope I'm in the right spot.

I managed to install letsencrypt with spaceinvaderone's video. My difficulty is that I was hoping to use the web hosting part of the docker to run dolibarr.org, an ERP & CRM. I managed to clean install it, connect the database using mariadb and log in. Then it randomly reactivated the install and got stuck there. Nothing I did fixed it.

 

Then I tried installing dolibarr using the apache docker. It worked to install and log in, then the next day I could not log in; I was stuck at the login page.

 

I want to use dolibarr for my own personal access, not have others access it. If anyone has better software than dolibarr please let me know.

 

I would appreciate any help that's available, have a wonderful day.


Hi, I've been using this docker without issue for months after following spaceinvaderone's video. A couple of weeks ago I started getting notifications that my certs were going to expire; however, after checking the logs I couldn't find any issues. Unfortunately, they have now expired and I'm not sure how to debug further.

 

Here are screenshots of my logs, docker and router settings. I also recently changed my router, although I did add the port forwarding.

 

Any ideas?

(attachments: letsencrypt docker settings.png, LetsEncrypt Log.png, router.png)


I can't tell you what has gone wrong, but edit Letsencrypt, add an additional subdomain, save the Letsencrypt config and then start Letsencrypt and let it boot. Stop Letsencrypt, remove the subdomain, save and start it back up, and they should renew. I've had issues occasionally with the certs not renewing too, and this has 100% been the fix. :-)

 

 

5 hours ago, unRaide said:

Hi, I've been using this docker without issue for months after following spaceinvaderone's video. A couple of weeks ago I started getting notifications that my certs were going to expire; however, after checking the logs I couldn't find any issues. Unfortunately, they have now expired and I'm not sure how to debug further.

 

Here are screenshots of my logs, docker and router settings. I also recently changed my router, although I did add the port forwarding.

 

Any ideas?

(attachments: letsencrypt docker settings.png, LetsEncrypt Log.png, router.png)

You don't have control over duckdns.org. You need to add your part of the address before that, like myurl.duckdns.org.

Not sure how you managed to get a cert that way.

 

Do you only get an email saying it is expired or do you see it in the browser going to your domain?

15 hours ago, aptalca said:

Your port forwarding is not correctly applied. Try restarting the router

Thanks for the help. I've restarted the router and I'm still getting the same error messages. I changed the ports and updated letsencrypt so it's using the same ports. It looks like I'm receiving packets, just perhaps not Let's Encrypt's?

A screenshot of my docker setup is attached too. Is there something wrong in the flow? I'm trying to get a cert for cloud.*****.com, which redirects to ****.duckdns.com; when I load that webpage it appears to come back to my router, as I see the packet count increment by 1 and bytes by 128.

(attachments: Screen Shot 2020-01-12 at 8.11.17 AM.png, Screen Shot 2020-01-12 at 8.20.55 AM.png)

4 hours ago, WyoFarr said:

Thanks for the help. I've restarted the router and I'm still getting the same error messages. I changed the ports and updated letsencrypt so it's using the same ports. It looks like I'm receiving packets, just perhaps not Let's Encrypt's?

A screenshot of my docker setup is attached too. Is there something wrong in the flow? I'm trying to get a cert for cloud.*****.com, which redirects to ****.duckdns.com; when I load that webpage it appears to come back to my router, as I see the packet count increment by 1 and bytes by 128.

(attachments: Screen Shot 2020-01-12 at 8.11.17 AM.png, Screen Shot 2020-01-12 at 8.20.55 AM.png)

The letsencrypt log you posted earlier shows port 80 going to unraid gui


Hi guys!

I really hope somebody can help me here. I switched from Comcast to AT&T Gigabit last week. AT&T forces you to use their own gateway. I configured it for IP passthrough in order to keep my Advanced Tomato wireless router setup. Now I can't access my duckdns subdomain from LAN. Externally everything still works. Here are the symptoms:

  • [mysubdomain].duckdns.org works fine externally
  • [mysubdomain].duckdns.org from LAN says "Establishing secure connection..." and then "This site can't be reached"
  • I can successfully ping [mysubdomain].duckdns.org from LAN and get public IP back
  • I can successfully trace [mysubdomain].duckdns.org from LAN
  • duckdns.org website shows the correct public IP
  • my Advanced Tomato router shows the correct public IP address forwarded to its WAN port
  • I restarted letsencrypt container and didn't see any errors in the log
  • I restarted duckdns container and didn't see any errors in the log
  • I didn't make any changes other than replacing the Comcast cable modem with the AT&T gateway and configuring it for IP passthrough, i.e. port forwarding, nginx config, etc. are still the same and it worked fine before

What am I missing? How can I troubleshoot?

18 hours ago, blaine07 said:

I can't tell you what has gone wrong, but edit Letsencrypt, add an additional subdomain, save the Letsencrypt config and then start Letsencrypt and let it boot. Stop Letsencrypt, remove the subdomain, save and start it back up, and they should renew. I've had issues occasionally with the certs not renewing too, and this has 100% been the fix. 🙂

 

 

Awesome, that did the trick... thx @blaine07!!!

 

@saarg, just following spaceinvaderone's instructions @ 13:48.

 


I was reinstalling my letsencrypt, mariadb and nextcloud due to the fact that for some reason I lost all connection to my nextcloud and now, when I install letsencrypt following spaceinvader's tutorial, the log files for the container report that both of my subdomains fail challenges. I have used the same duckdns.org and subdomains for several years with no problem and have installed letsencrypt the exact same way several times. This is the first time I see this error.

 

Am I missing something?

 

8 hours ago, izarkhin said:

Hi guys!

I really hope somebody can help me here. I switched from Comcast to AT&T Gigabit last week. AT&T forces you to use their own gateway. I configured it for IP passthrough in order to keep my Advanced Tomato wireless router setup. Now I can't access my duckdns subdomain from LAN. Externally everything still works. Here are the symptoms:

  • [mysubdomain].duckdns.org works fine externally
  • [mysubdomain].duckdns.org from LAN says "Establishing secure connection..." and then "This site can't be reached"
  • I can successfully ping [mysubdomain].duckdns.org from LAN and get public IP back
  • I can successfully trace [mysubdomain].duckdns.org from LAN
  • duckdns.org website shows the correct public IP
  • my Advanced Tomato router shows the correct public IP address forwarded to its WAN port
  • I restarted letsencrypt container and didn't see any errors in the log
  • I restarted duckdns container and didn't see any errors in the log
  • I didn't make any changes other than replacing the Comcast cable modem with the AT&T gateway and configuring it for IP passthrough, i.e. port forwarding, nginx config, etc. are still the same and it worked fine before

What am I missing? How can I troubleshoot?

Look into hairpin nat
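One way to see which endpoint actually answers an https request for your public name from inside the LAN, i.e. whether hairpin NAT is missing and the request lands on the unRAID GUI (the same symptom as Orejo's Nextcloud redirect earlier in the thread). This is an added example, not part of SWAG, unRAID or anyone's post; the host cloud.example.com, the sample certificate dict and the helper names probe, name_covered and verdict are assumptions.

```python
"""Which HTTPS endpoint answers for your public name from inside the LAN?

Added example for this thread, not part of SWAG or unRAID. Without hairpin
NAT, https://<name> from the LAN does not follow the port forward; it reaches
whatever listens on that port on the LAN side, often the unRAID GUI. The
certificate the peer presents tells you who answered.
"""
import socket
import ssl


def probe(host, port=443, timeout=5):
    """TLS-connect with SNI and full verification; return the cert or why it failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"cert": tls.getpeercert(), "error": None}
    except ssl.SSLCertVerificationError as e:
        return {"cert": None, "error": e.verify_message or str(e)}
    except OSError as e:
        return {"cert": None, "error": str(e)}


def san_names(cert):
    """DNS names from subjectAltName, in the layout getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(name, patterns):
    """Exact match, or a wildcard that stands for exactly the leftmost label."""
    name = name.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p == name:
            return True
        if p.startswith("*.") and name.count(".") == p.count(".") and name.endswith(p[1:]):
            return True
    return False


def issuer_org(cert):
    """organizationName of the issuer, '' if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def verdict(result, host):
    """One-line reading of a probe() result for the name that was requested."""
    if result["error"]:
        msg = result["error"].lower()
        if "self" in msg and "signed" in msg:
            return ("self-signed certificate: another service answered on this port "
                    "(e.g. the unRAID GUI), not SWAG; check hairpin NAT and the GUI's port")
        if "hostname" in msg or "mismatch" in msg:
            return "certificate for a different name: the request reached a host other than SWAG"
        return f"TLS connection failed: {result['error']}"
    cert = result["cert"]
    if name_covered(host, san_names(cert)) and "Let's Encrypt" in issuer_org(cert):
        return f"OK: Let's Encrypt certificate covering {host}; SWAG answered"
    return f"verified certificate from '{issuer_org(cert)}' for {san_names(cert)}, not the SWAG one"


# Constructed certificate dict in getpeercert() layout, for an offline dry run.
SAMPLE_CERT = {
    "subject": ((("commonName", "cloud.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "cloud.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python lan_tls_check.py myurl.duckdns.org
        print(verdict(probe(sys.argv[1]), sys.argv[1]))
    else:
        print(verdict({"cert": SAMPLE_CERT, "error": None}, "cloud.example.com"))
```

Run it once from outside the LAN and once from inside: if the outside run says OK and the inside run reports a self-signed or wrong-name certificate, the router is not hairpinning and the unRAID GUI (or whatever listens on that port) is answering.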


Quick question: I'm looking into setting up calibre-web and reverse proxying it using this LE container.

When I check my nginx proxy-conf folder, I only see a subfolder sample file for calibre-web whereas pretty much every other container has both a subdomain and subfolder option.

Does calibre-web alone work only with subfolders or is there an issue with my LE container install?

I've restarted the LE container multiple times since I noticed the absence of the subdomain file (assuming it exists). My understanding is that the container re-downloads any missing proxy-conf files upon restart?

1 minute ago, rragu said:

Quick question: I'm looking into setting up calibre-web and reverse proxying it using this LE container.

When I check my nginx proxy-conf folder, I only see a subfolder sample file for calibre-web whereas pretty much every other container has both a subdomain and subfolder option.

Does calibre-web alone work only with subfolders or is there an issue with my LE container install?

I've restarted the LE container multiple times since I noticed the absence of the subdomain file (assuming it exists). My understanding is that the container re-downloads any missing proxy-conf files upon restart?

That just means nobody made a proxy conf for subdomain.

1 minute ago, saarg said:

That just means nobody made a proxy conf for subdomain.

I just checked the LSIO GitHub reverse-proxy-conf repository (https://github.com/linuxserver/reverse-proxy-confs) and actually there is a 'calibre-web.subdomain.conf.sample' file here.

1) I assume I can just copy that file over into my LE container manually and continue as usual?

2) Maybe something to look into regarding why this file alone doesn't seem to get retrieved by the LE container upon restart (assuming this issue isn't specific to me)?


Hi,

 

I've now received twice the "Let's Encrypt certificate expiration notice for domain" email and my certificate will now expire in 10 days.

I've been using this Let's Encrypt container for two years without a single problem (btw: thanks a lot!) but it seems something went wrong a few weeks ago.

When going to my \appdata\letsencrypt\log\letsencrypt folder, no logs have been written since the 15th of December.

 

(screenshot: folder listing)

 

(ordered by last modification date)

 

I don't recall modifying any config on my Unraid server in this timeframe, except upgrading to the final 6.8.0 (directly from the last 6.7.x version) and installing Wireguard (which is working fine).  I don't know how to check the exact date I've installed Unraid 6.8.0 but it was quickly after its release.

 

What I've tried without any success:

  • restarting the docker
  • restarting the server
  • updating to Unraid 6.8.1
  • Looking for the following information

Logs are being written fine in the parent directories \log\fail2ban, \log\nginx and \log\php so I guess it's not a file permission issue.

 

I see the following alert/error in the docker logs but from what I've found in this thread it's no big deal

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

The docker container doesn't stop.

 

I've double checked my port forwarding

 

(screenshots: port forwarding rules)

 

and tested both my 80 and 443 ports successfully with https://www.canyouseeme.org, because I had issues with my port forwarding two years ago when installing this docker.

 

Any help would be greatly appreciated 😅

 

Thanks!

 

(my Unraid diagnostics are in attachment)

 

Edit : Except for this issue, I have no problem accessing my services (e.g. : AirSonic / Ubooquity) from outside my network using my https url.

 

Londinium

2 hours ago, Londinium said:

(Londinium's post above, quoted in full)

The readme explains how to troubleshoot that

10 hours ago, rragu said:

I just checked the LSIO GitHub reverse-proxy-conf repository (https://github.com/linuxserver/reverse-proxy-confs) and actually there is a 'calibre-web.subdomain.conf.sample' file here.

1) I assume I can just copy that file over into my LE container manually and continue as usual?

2) Maybe something to look into regarding why this file alone doesn't seem to get retrieved by the LE container upon restart (assuming this issue isn't specific to me)?

That was just added a few days ago. It will be included in the next letsencrypt build: https://github.com/linuxserver/reverse-proxy-confs/pull/111


Now that you're required to have a registered account and a (free) license to get GeoLite2 updates, does anyone know how to get it to work with nginx?

 

https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

 

Edit: Never mind. The answer is provided in the posted link; I'll just have to adjust my update script.

On 1/12/2020 at 12:40 PM, aptalca said:

The letsencrypt log you posted earlier shows port 80 going to unraid gui

Sorry, where are you seeing this in the log? In the original post I had 180 and 1443 like the spaceinvaderone video. After bashing my head against this I decided to start over, this time with the ports in use at 7980 and 7443. I've rebooted everything multiple times; it seems like the port forwarding is working but letsencrypt is failing to get back to itself. I did just notice this in the log: it's using a self-assigned IP address for the server? 169.xxx etc. is most definitely not what unraid is configured to. Is this my problem? If it is, how do I fix this?

(attachment: Screen Shot 2020-01-13 at 4.30.43 PM.png)

12 hours ago, rragu said:

I just checked the LSIO GitHub reverse-proxy-conf repository (https://github.com/linuxserver/reverse-proxy-confs) and actually there is a 'calibre-web.subdomain.conf.sample' file here.

1) I assume I can just copy that file over into my LE container manually and continue as usual?

2) Maybe something to look into regarding why this file alone doesn't seem to get retrieved by the LE container upon restart (assuming this issue isn't specific to me)?

It gets added to letsencrypt when it's built, so whenever there is an updated package for the container.

You can just add it to your proxy folder and it will work.

On 1/11/2020 at 10:25 PM, aptalca said:

It's your router and/or port settings. I'm assuming you're running unraid on port 443. Your router is redirecting internal (lan) requests to your domain to the unraid ip in the same 443 port, so you're getting unraid.

 

You can move unraid's https port to something else and run letsencrypt on 443 instead

Thank you, appreciate your quick response. I can now access nextcloud locally, thanks!

 

I moved unraid's https port to a different port and let letsencrypt run on 443; the letsencrypt http port is still on 81. Can I leave it as is, or do I need to change the http port on either unraid or the letsencrypt container?

1 hour ago, Orejo said:

Thank you, appreciate your quick response. I can now access nextcloud locally, thanks!

 

I moved unraid's https port to a different port and let letsencrypt run on 443; the letsencrypt http port is still on 81. Can I leave it as is, or do I need to change the http port on either unraid or the letsencrypt container?

You can leave it. When you type address in the url bar (inside your lan), use https so the requests go to letsencrypt. Http requests will go to unraid's port 80

1 hour ago, WyoFarr said:

Sorry, where are you seeing this in the log? In the original post I had 180 and 1443 like the spaceinvaderone video. After bashing my head against this I decided to start over, this time with the ports in use at 7980 and 7443. I've rebooted everything multiple times; it seems like the port forwarding is working but letsencrypt is failing to get back to itself. I did just notice this in the log: it's using a self-assigned IP address for the server? 169.xxx etc. is most definitely not what unraid is configured to. Is this my problem? If it is, how do I fix this?

(attachment: Screen Shot 2020-01-13 at 4.30.43 PM.png)

That ip is what letsencrypt is getting for your domain name. Check your dns settings if that is not your public ip
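A small diagnostic for the failure discussed in this exchange and in WyoFarr's original log at the top of the thread: the CA got a 404 back from port 80, and later the name resolved to a 169.x address. This is an added example, not part of the SWAG/letsencrypt container or anyone's post; the domain cloud.example.com, the token and the helper names parse_challenge_error and diagnose are assumptions, and the sample error block is constructed from the log posted earlier (its IP kept, its redacted fields filled with example values).

```python
"""Explain a failed certbot http-01 challenge from the text of its error.

Added example for this thread, not part of the SWAG/letsencrypt container.
The CA's error names the public IP it contacted and what that host sent back;
comparing that IP with what the name resolves to now separates "DNS holds the
wrong address" from "port 80 is forwarded to the wrong host or service".
"""
import ipaddress
import re
import socket

# Constructed sample modelled on the error posted in the thread: the redacted
# domain and token are replaced with example values, the IP is the one shown
# in that log (a 404 came back instead of the key authorization).
SAMPLE_ERROR = """\
Domain: cloud.example.com
Type: unauthorized
Detail: Invalid response from
http://cloud.example.com/.well-known/acme-challenge/EXAMPLE-TOKEN
[162.241.225.183]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML
2.0//EN\\">\\n<html><head>\\n<title>404 Not
Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"
"""

ERROR_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*"
    r"Type:\s*(?P<type>\S+)\s*"
    r"Detail:\s*Invalid response from\s*(?P<url>http://\S+)\s*"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\s*\"(?P<body>.*?)\"\s*$",
    re.S,
)


def parse_challenge_error(text):
    """Extract domain, challenge type, URL, contacted IP and body from a certbot error."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not a certbot 'Invalid response from' error block")
    return m.groupdict()


def diagnose(err, resolved_ip=None):
    """List findings; resolved_ip is what the name resolves to from where you run this."""
    findings = []
    if "404" in err["body"] or "Not Found" in err["body"]:
        findings.append(
            f"{err['ip']} returned a 404 for the token: a web server answered on port 80, "
            "but not SWAG's nginx, so port 80 reaches another host or service there "
            "(the unRAID GUI, a hosting provider's default page, ...)"
        )
    else:
        findings.append(f"{err['ip']} answered on port 80 with something other than the key authorization")
    if resolved_ip is not None:
        if not ipaddress.ip_address(resolved_ip).is_global:
            findings.append(
                f"{err['domain']} currently resolves to {resolved_ip}, a non-public address "
                "(169.254.x.x is link-local): the DNS/DDNS record holds the wrong IP"
            )
        elif resolved_ip != err["ip"]:
            findings.append(
                f"{err['domain']} now resolves to {resolved_ip} but the CA contacted {err['ip']}: "
                "the record changed or points elsewhere; fix DNS before retrying"
            )
    return findings


if __name__ == "__main__":
    import sys
    # Paste the "IMPORTANT NOTES" block of the container log on stdin, or run as-is for the sample.
    err = parse_challenge_error(SAMPLE_ERROR if sys.stdin.isatty() else sys.stdin.read())
    try:
        now = socket.gethostbyname(err["domain"])
    except socket.gaierror:
        now = None
    for finding in diagnose(err, now):
        print("-", finding)
```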

