linuxserver.io

[Support] Linuxserver.io - Letsencrypt (Nginx)

2883 posts in this topic


1 hour ago, Gobs said:

The plex.subdomain.conf:


# make sure that your dns has a cname set for plex, if plex is running in bridge mode, the below config should work as is, for host mode,
# replace the line "proxy_pass https://$upstream_plex:32400;" with "proxy_pass https://HOSTIP:32400;" HOSTIP being the IP address of plex
# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")

server {
    listen 443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;
    
    # enable for ldap auth, fill in ldap details in ldap.conf 
    #include /config/nginx/ldap.conf;


    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_plex plex;
        proxy_pass https://$upstream_plex:32400;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

Nginx is listening to port 180 and 1443, since ports 80 and 443 are forwarded on my router to 180 and 1443. Both nginx and plex are running on a custom network in bridge mode.

Is your Plex container name "plex"?

16 hours ago, aptalca said:

Is your Plex container name "plex"?

It is. Nginx log is shown below as well. In the Nginx log I saw this:

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
Signal handled: Terminated.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

But again, nextcloud works while plex doesn't which is weird.

13 minutes ago, Gobs said:

It is. Nginx log is shown below as well. In the Nginx log I saw this: [...]

But again, nextcloud works while plex doesn't which is weird.

Is Plex all set up and running?

Also that's not the nginx log. That's part of a docker log of a container

3 hours ago, aptalca said:

Is Plex all set up and running?

Also that's not the nginx log. That's part of a docker log of a container

Yes, as in if I go to http://SERVER_IP:32400/web/index.html# I am greeted with a sign in page. I sign in and then Plex looks for servers but to no avail.

28 minutes ago, Gobs said:

Yes, as in if I go to http://SERVER_IP:32400/web/index.html# I am greeted with a sign in page. I sign in and then Plex looks for servers but to no avail.

Well there is your issue. Plex was never set up. You didn't claim your server. Until then it will block reverse proxy connections.


An issue I've had for the past 2 weeks. I've been able to open port 80 (TCP) on my router (confirmed on http://canyouseeme.org/).

I've followed SpaceInvader's instructions, and created the docker, however I'm getting a 404 error:

Failed authorization procedure. myserver.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.duckdns.org/.well-known/acme-challenge/BPoI7fI9FIgfwZoIV_JSMFBjr1a8u1K5ATulxHV3gXQ: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

This seems like it's accessing a website, but returning a 404?

23 hours ago, aptalca said:

Well there is your issue. Plex was never set up. You didn't claim your server. Until then it will block reverse proxy connections.

Except I can't set it up since if I go to http://SERVER_IP:32400/web/index.html# and sign in Plex cannot find any servers.

EDIT: I think this is an issue with Plex. The account that originally claimed the server was deleted, but it would appear that it's still in the Plex database somehow since I cannot create an account with the same email address. I assume then that Plex still considers the server to be claimed by that account, and so won't let any other account claim it.

Edited by Gobs

16 hours ago, Tebasaki said:

An issue I've had for the past 2 weeks. I've been able to open port 80 (TCP) on my router. (Confirmed on http://canyouseeme.org/.

I've followed SpaceIndaver's instructions, and created the docker, however I'm getting a 404 error:

 

Failed authorization procedure. myserver.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.duckdns.org/.well-known/acme-challenge/BPoI7fI9FIgfwZoIV_JSMFBjr1a8u1K5ATulxHV3gXQ: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

 

This seems like it's accessing a website, but returning a 404?

I believe your port 80 is forwarded to your unraid gui at the moment

On 1/21/2019 at 3:33 PM, aptalca said:

I believe your port 80 is forwarded to your unraid gui at the moment

It's forwarded to my unraid server port 80, yes.

7 hours ago, Tebasaki said:

It's forwarded to my unraid server port 80, yes.

Don't do that. The unraid GUI is not meant to be exposed to the internet in general, only the local LAN.

7 hours ago, Tebasaki said:

It's forwarded to my unraid server port 80, yes.

You do see the issue, right? Unraid gui runs on port 80?

You gotta use a different port for letsencrypt

Edited by aptalca

I am trying to get letsencrypt to work with sonarr and having issues. I have my own domain [domain name].me. I am running duckdns to update the IP address. When I start letsencrypt, I am receiving the below error in the log. My domain is registered with 1and1, and I updated the CNAME to point to the duckdns one that was created. I created the subdomain sonarr.[domain name].me off my domain with 1and1.

On my router, I have port forwarded 443 to 1443 and 80 to 180, which match the settings in the docker container.

Any ideas on what is going on? Please note I am pretty new to UnRaid and dockers and have been struggling with this part of the setup. After removing and reinstalling the dockers, I am still having the same issues.

Error that I am receiving...

Failed authorization procedure. sonarr.[domain name].me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sonarr.[donaim name].me/.well-known/acme-challenge/mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94 [2607:f1c0:100f:f000::2fa]: 204

- The following errors were reported by the server:

Domain: sonarr.[domain name].me
Type: unauthorized
Detail: Invalid response from
http://sonarr.[donaim name].me/.well-known/acme-challenge/mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94
[2607:f1c0:100f:f000::2fa]: 204

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

1 hour ago, JohnSracic said:

I am trying to get letsencrypt to work with sonarr and having issues.  I have my own domain [domain name].me.  I am running duckdns to update the ip address.  When I start letsencrypt, I am receiving the below error in the log.  My domain is registered with 1and1 and updated the cname to point to the duckdns one that was created.   Created the subdomain of sonarr.[domain name].me off my domain with 1and1. [...]

Either your ip or your port forwarding is incorrect. Letsencrypt servers get a response, but it's not from the letsencrypt container.
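The two failures in this thread (Tebasaki's 404 HTML page and the 204 above) carry everything needed to tell "the letsencrypt container answered" from "something else answered". The helper below is an added example, not part of the linuxserver image or of any post here: it parses certbot's "Failed authorization procedure" line, recovers the HTTP status the validator got and the address it actually connected to, and turns that into the checks aptalca lists. The two sample lines are constructed with placeholder hostnames, token and IPv6 address; `parse_acme_failure`, `diagnose` and the `expected_ip` argument are this example's own names. It relies on one fact about Let's Encrypt validation: when a name has an AAAA record the validator connects over IPv6, so an IPv4-only port forward is never on that path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples modelled on the two failures quoted in this thread;
# the hostnames, challenge token and IPv6 address are placeholders.
SAMPLE_404 = (
    "Failed authorization procedure. myserver.duckdns.org (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from "
    "http://myserver.duckdns.org/.well-known/acme-challenge/TOKEN_PLACEHOLDER: "
    "\"<html>\\r\\n<head><title>404 Not Found</title></head>\\r\\n<body>\""
)
SAMPLE_204 = (
    "Failed authorization procedure. sonarr.example.me (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from "
    "http://sonarr.example.me/.well-known/acme-challenge/TOKEN_PLACEHOLDER "
    "[2001:db8::2fa]: 204"
)

# certbot's message: domain, challenge type, ACME error URN, the URL it fetched,
# optionally the address it connected to, then a status code or the start of
# the body that came back instead of the token.
FAILURE_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[^)]+)\): "
    r"(?P<error>urn:\S+) :: .*?Invalid response from (?P<url>\S+?)"
    r"(?: \[(?P<ip>[^\]]+)\])?: (?P<response>.+)$"
)


@dataclass
class AcmeFailure:
    domain: str
    challenge: str
    error: str
    url: str
    remote_ip: Optional[str]   # address the validator reached, when certbot reports it
    status: Optional[int]      # HTTP status it got, if one can be recovered
    response: str


def parse_acme_failure(text: str) -> AcmeFailure:
    """Parse one 'Failed authorization procedure' line from the container log."""
    m = FAILURE_RE.search(text)
    if not m:
        raise ValueError("not a certbot 'Failed authorization procedure' message")
    resp = m.group("response").strip()
    status = None
    if re.fullmatch(r"\d{3}", resp):
        status = int(resp)
    else:
        # A body came back instead of a bare code: look for the code in the
        # page title first, then anywhere in the fragment.
        found = re.search(r"<title>\s*(\d{3})", resp) or re.search(r"\b(\d{3})\b", resp)
        if found:
            status = int(found.group(1))
    return AcmeFailure(m.group("domain"), m.group("challenge"), m.group("error"),
                       m.group("url"), m.group("ip"), status, resp)


def diagnose(f: AcmeFailure, expected_ip: Optional[str] = None) -> List[Tuple[str, str]]:
    """Turn a parsed failure into (code, what-to-check) pairs."""
    findings = []
    if f.challenge != "http-01":
        return [("not-http01", f"{f.challenge} failed; this helper only reads http-01 results")]
    if f.status is None:
        findings.append(("no-status", "no HTTP status in the response; port 80 may not "
                                      "reach any web server at that address"))
    elif f.status != 200:
        findings.append(("wrong-responder",
                         f"a web server answered with {f.status} instead of the token, so "
                         "port 80 at that address is not reaching the letsencrypt container "
                         "(check the router forward and the container's HTTP port)"))
    if f.remote_ip and ":" in f.remote_ip:
        findings.append(("ipv6-path",
                         f"the validator connected over IPv6 to {f.remote_ip} because the "
                         "name has an AAAA record; an IPv4-only port forward is never used "
                         "on that path, so forward IPv6 as well or drop the AAAA record"))
    if expected_ip and f.remote_ip and f.remote_ip != expected_ip:
        findings.append(("ip-mismatch",
                         f"DNS resolved to {f.remote_ip} but the WAN address is {expected_ip}; "
                         "the DDNS/CNAME record is stale or points elsewhere"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_404, SAMPLE_204):
        failure = parse_acme_failure(sample)
        print(f"{failure.domain}: status={failure.status} via={failure.remote_ip}")
        for code, advice in diagnose(failure, expected_ip="203.0.113.10"):
            print(f"  [{code}] {advice}")
```

Paste the failing line from the container log into `parse_acme_failure` and pass the router's WAN address as `expected_ip`; a 404 or 204 with no address mismatch means the forward on port 80 lands on a different web server (in Tebasaki's case the unraid GUI), while an IPv6 address in the message means the AAAA record, not the IPv4 forward, decided where the validator went.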


Hello fellow unRAID users,

First, I'd like to thank the Linuxserver-Team for the great work with this and all the other containers.

I have one small question:

- Will there be added TLS 1.3 support in the future? If yes, do you have an ETA?

Reason behind my question: I would like to use TLS 1.3 for my services running on unRAID. I'd like to avoid creating my own letsencrypt container as I really like the easy-to-use letsencrypt container provided by the Linuxserver-Team.

Thank you very much in advance and kind regards,

bioneye

On 1/23/2019 at 11:52 AM, aptalca said:

Either your ip or your port forwarding is incorrect. Letsencrypt servers get a response, but it's not from the letsencrypt container.

@aptalca, first I want to say thank you for your help.

As you mentioned, there was an issue with the DDNS not updating the subdomain. Finally got that figured out. Now I have an issue with sonarr and radarr. When I navigate to https://sonarr.[domainname].me, I get the login page for sonarr and radarr both, but after logging in it just spins (the 4 little dots across the screen). If I click the WebUI from either of these dockers, it works as it should. Any idea what would cause this?

Figured it out... since I was using the binhex version of sonarr and radarr, I changed the one line in the configs but overlooked the line for the api. All working now.

Edited by JohnSracic

5 hours ago, bioneye said:

- Will there be added TLS 1.3 support in the future? If yes, do you have an ETA?

It needs a newer version of nginx that is not yet released for alpine stable. When it is released, our image will use it.

It's forwarded to my unraid server port 80, yes.

Might you have a way of setting up a VPN on your server, to separate the public and internal parts of your unRAID system, Tebasaki?

I have my unRAID webUI running at port 8008 of my VPN, so I can access it at (in my case) 10.0.195.2:8008 *only* after connecting with OpenVPN, and as far as public access goes, *only* port 80 is exposed for my static IP address which points to letsencrypt’s Nginx server.

That way you could safely SFTP, SSH, and do everything you need to do “under the hood”, with minimal public exposure of your unRAID server.

Hi there

I'm trying to get a wildcard cert using Cloudflare but it keeps giving this error - I’ve checked the API key, even regenerated a new one but it just keeps giving the same error every time. Is there anything you can suggest trying? 👍

Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=jaxnet.uk
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=4096
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=X@protonmail.com
STAGING=

4096 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of domain.net will be requested
E-mail address entered: x@protonmail.com
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.net
Cleaning up challenges
Error determining zone_id: 0 connection failed.. Please confirm that you have supplied valid Cloudflare API credentials.

Edited by jack0w

1 hour ago, jack0w said:

I'm trying to get a wildcard cert using Cloudflare but it keeps giving this error - I’ve checked the API key, even regenerated a new one but it just keeps giving the same error every time. Is there anything you can suggest trying? [...]

Make sure you're using the global API key and not the other one. It's a bit confusing to get to the global API key on the Cloudflare interface.

Also make sure that you're copying and pasting correctly and not missing or introducing characters.

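Both of aptalca's checks (the right kind of key, and a clean paste) can be run against the credentials file before restarting the container. The Python helper below is an added example, not the container's own code or anything posted in this thread. It reads the `key = value` file that certbot's dns-cloudflare plugin uses (`dns_cloudflare_email`, `dns_cloudflare_api_key`), flags invisible or non-ASCII characters that a copy and paste can drag in, checks the key against the Global API Key's shape of 37 hex characters (an assumption of this example; an API token or a truncated paste will not match), and warns when the file is readable by other users. The path `/config/dns-conf/cloudflare.ini` is assumed and the sample files are constructed; `check_credentials_text` and `check_credentials_file` are this example's own names.

```python
import os
import re
import stat
import sys
import unicodedata
from typing import Dict, List

# Keys certbot's dns-cloudflare plugin reads from its credentials file.
REQUIRED_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")
# Assumption of this example: the Cloudflare Global API Key is 37 lowercase hex
# characters; an API token or an incomplete paste will not match this.
GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")

# Constructed sample files (not real credentials).
GOOD_SAMPLE = (
    "# constructed example, not a real key\n"
    "dns_cloudflare_email = user@example.com\n"
    "dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234\n"
)
# The same file after a sloppy paste: a zero-width space landed inside the key.
PASTED_SAMPLE = (
    "dns_cloudflare_email = user@example.com\n"
    "dns_cloudflare_api_key = 0123456789abcdef\u200b0123456789abcdef01234\n"
)
MISSING_SAMPLE = "dns_cloudflare_email = user@example.com\n"


def _invisible_chars(value: str) -> List[str]:
    """Code points that do not belong in a key or address: anything outside
    printable ASCII, including zero-width and other format characters."""
    return [f"U+{ord(ch):04X}" for ch in value
            if ord(ch) > 126 or unicodedata.category(ch).startswith("C")]


def _parse_pairs(text: str) -> Dict[str, str]:
    """Minimal reader for the plugin's 'key = value' file (no sections)."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def check_credentials_text(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file looks sane."""
    findings = []
    pairs = _parse_pairs(text)
    for key in REQUIRED_KEYS:
        if key not in pairs:
            findings.append(f"missing {key}")
    for key, value in pairs.items():
        bad = _invisible_chars(value)
        if bad:
            findings.append(f"{key}: contains invisible/non-ASCII characters {bad}")
    email = pairs.get("dns_cloudflare_email", "")
    if email and "@" not in email:
        findings.append("dns_cloudflare_email does not look like an e-mail address")
    api_key = pairs.get("dns_cloudflare_api_key", "")
    if api_key and not GLOBAL_KEY_RE.match(api_key):
        findings.append("dns_cloudflare_api_key is not a 37-character hex Global API Key "
                        "(API token or incomplete paste?)")
    return findings


def check_credentials_file(path: str) -> List[str]:
    """Same checks on a file on disk, plus its permission bits."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is accessible to group/others; use 0600")
    with open(path, encoding="utf-8") as fh:
        findings.extend(check_credentials_text(fh.read()))
    return findings


if __name__ == "__main__":
    # Assumed location inside the container's /config volume.
    path = sys.argv[1] if len(sys.argv) > 1 else "/config/dns-conf/cloudflare.ini"
    if os.path.exists(path):
        results = check_credentials_file(path)
    else:
        results = check_credentials_text(PASTED_SAMPLE)
    print("\n".join(results) or "no problems found")
```

Run it with the path to the ini file as the only argument; the U+200B finding on the pasted sample is exactly the "introducing characters" case, and the key-shape finding is what an API token in the Global API Key field looks like.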


When I try to connect to my site via subdomain.domain.com it says that the certificate has expired since 26th January. When I restart letsencrypt it does not automatically renew. Can I run a command to force it to renew?

4 hours ago, truetype said:

When I try to connect to my site via subdomain.domain.com it says that the certificate has expired since 26th january. When I restart letsencrypt it does not automatically renew. Can I run a command to force it to renew?

Check the logs under letsencrypt folder to see why the renewals failed the last 30 nights

4 hours ago, aptalca said:

Check the logs under letsencrypt folder to see why the renewals failed the last 30 nights

Thanks for the reply. It seems to be a failure with fullchain.pem, and also a firewall problem, but I haven't changed any firewall settings during the last 6 months...

See log here please https://pastebin.com/UnEP0a4B

EDIT: Maybe it has to do with the CNAME configuration at my domain provider? I set my domain as a CNAME to duckdns; that's the only change I made in the past 2 months.

Edited by truetype


I’m getting ready to setup a reverse proxy for my Tautulli and Ombi containers but I wanted to see where I should buy my domain first. I know it’s possible to just use DuckDNS as a solution but I wanted a cheap domain that my parents would remember. I was thinking under $5 for the year.

I’m going to follow spaceinvader one’s guide on YouTube so if anyone has any advice, I’d greatly appreciate that as well.

1 hour ago, ramblinreck47 said:

I’m getting ready to setup a reverse proxy for my Tautulli and Ombi containers but I wanted to see where I should buy my domain first. I know it’s possible to just use DuckDNS as a solution but I wanted a cheap domain that my parents would remember. I was thinking under $5 for the year.

I’m going to follow spaceinvader one’s guide on YouTube so if anyone has any advice, I’d greatly appreciate that as well.

Namecheap is my default go-to provider, using Cloudflare as DNS.
