[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Just now, ofthethorn said:

All seems to work now. Alas, still no connection to the local server. Probably should've added that I can't even connect to plex docker IP address.

Did you also enable access from outside your network in Plex and open port 32400 in your router to your docker? If so, disable all of that. Your plex docker should only be accessible through your LE setup.


And what mode is Plex on? Own IP, or bridge or host, or?

Just now, Kaizac said:

Did you also enable access from outside your network in Plex and open port 32400 in your router to your docker? If so, disable all of that. Your plex docker should only be accessible through your LE setup.


And what mode is Plex on? Own IP, or bridge or host, or?

Port 32400 is closed, so that's a negative.

Plex is on a separate network, the same as duckDNS and Le.

Just now, ofthethorn said:

Port 32400 is closed, so that's a negative.

Plex is on a separate network, the same as duckDNS and Le.

Separate network? What does that mean? If you mean a VLAN and you haven't enabled access from your LAN to that VLAN, your router/firewall is blocking your local access.

Just now, Kaizac said:

Separate network? What does that mean? If you mean a VLAN and you haven't enabled access from your LAN to that VLAN, your router/firewall is blocking your local access.

That may actually be it. I followed spaceinvader one's guide, I believe. And he recommended making a new docker network.

Just now, ofthethorn said:

That may actually be it. I followed spaceinvader one's guide, I believe. And he recommended making a new docker network.

Try giving plex its own IP first by putting it on br0 or something. That will put it on your LAN. If you can access it locally then, you know that's the issue.

7 minutes ago, Kaizac said:

Try giving plex its own IP first by putting it on br0 or something. That will put it on your LAN. If you can access it locally then, you know that's the issue.

Another quick update: since my router is a piece of trash I cannot control (forced by ISP) I decided to just add a second plex container, change its name and give it its own appdata folder. This container will solely be used for local access and is not set up in the LE docker.

This won't have any downsides I hope...

Thanks for all your help though! Really appreciate the effort.

5 minutes ago, ofthethorn said:

Another quick update: since my router is a piece of trash I cannot control (forced by ISP) I decided to just add a second plex container, change its name and give it its own appdata folder. This container will solely be used for local access and is not set up in the LE docker.

This won't have any downsides I hope...

Thanks for all your help though! Really appreciate the effort.

But why? It's incredibly inefficient, straining your server needlessly, and you have to configure 2 dockers. You can have both local and WAN access to the same docker. You just need to configure it well.


So your DuckDNS doesn't need to be on the docker network. It can just be in host mode on your Unraid box. For your LE docker I would also give that docker its own IP and make sure you redirect your router to that IP (I assume this is what you also did for your current setup?). And then in your nginx config you use the IP of your Plex docker, and both WAN and LAN access should work.

5 hours ago, Kaizac said:

But why? It's incredibly inefficient, straining your server needlessly, and you have to configure 2 dockers. You can have both local and WAN access to the same docker. You just need to configure it well.


So your DuckDNS doesn't need to be on the docker network. It can just be in host mode on your Unraid box. For your LE docker I would also give that docker its own IP and make sure you redirect your router to that IP (I assume this is what you also did for your current setup?). And then in your nginx config you use the IP of your Plex docker, and both WAN and LAN access should work.


I got it. I got stuck after doing what you described. I, like a complete dummy, forgot to change the plex conf file.

Got it all working. Thanks for all the help man. 

Trying to set up an HTML5 speedtest to be accessible via subdomain, but I am having no luck. All other dockers work on subdomains fine, and the speedtest works on the localip:port, but for some reason nginx is having an issue serving it. My config is:


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name speedtest.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_speedtest speedtest;
        proxy_pass http://$upstream_speedtest:6580;
    }
}


Any ideas?

4 minutes ago, thrroow said:

Trying to set up an HTML5 speedtest to be accessible via subdomain, but I am having no luck. All other dockers work on subdomains fine, and the speedtest works on the localip:port, but for some reason nginx is having an issue serving it. My config is:

Any ideas?

Is your speedtest running inside a container named speedtest? And is that service listening on port 6580 inside the container? If it's actually listening on 80 inside the container but you mapped it to 6580 on the host, you need to use 80 in the proxy pass directive.

1 minute ago, aptalca said:

Is your speedtest running inside a container named speedtest? And is that service listening on port 6580 inside the container? If it's actually listening on 80 inside the container but you mapped it to 6580 on the host, you need to use 80 in the proxy pass directive.

Yes the container is called "speedtest" and it maps 80:6580.  It's setup in the exact same manner as sonarr/radarr etc. except with the docker name and port switched out.

7 hours ago, thrroow said:

Yes the container is called "speedtest" and it maps 80:6580.  It's setup in the exact same manner as sonarr/radarr etc. except with the docker name and port switched out.

Then, like I said, use port 80 in your proxy pass directive.

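The port mix-up aptalca describes above, as an added example that is not from this thread or the linuxserver.io project: a small Python check that reads a container's port map (the shape `docker inspect` prints under NetworkSettings.Ports) together with the proxy-conf, and reports when proxy_pass points at the host-published port instead of the port the service listens on inside the container. The sample proxy-conf and port map are constructed to match the speedtest case.

```python
import json
import re

# Constructed sample: the location block from the proxy-conf posted in this thread.
PROXY_CONF = """
location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_speedtest speedtest;
    proxy_pass http://$upstream_speedtest:6580;
}
"""

# Constructed sample in the shape of NetworkSettings.Ports from `docker inspect`:
# the service listens on 80 inside the container and is published as 6580 on the host.
INSPECT_PORTS = json.loads(
    '{"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "6580"}]}'
)


def proxy_pass_port(conf):
    """Port used by the first proxy_pass directive; defaults to 80/443 by scheme."""
    m = re.search(r"proxy_pass\s+(https?)://([^\s;/]+)", conf)
    if not m:
        return None
    scheme, hostport = m.groups()
    _host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return 443 if scheme == "https" else 80


def port_map(ports):
    """Split NetworkSettings.Ports into the container's own listening ports
    and a host-port -> container-port map for the published ones."""
    container = set()
    host_to_container = {}
    for key, bindings in ports.items():
        cport = int(key.split("/")[0])
        container.add(cport)
        for binding in bindings or []:
            host_to_container[int(binding["HostPort"])] = cport
    return container, host_to_container


def check_upstream_port(conf, ports):
    """Return ('ok', port), ('host-port', container_port) when proxy_pass uses the
    host-published port, ('missing', None) if there is no proxy_pass, or
    ('unknown', port) when the port matches neither side of the mapping."""
    port = proxy_pass_port(conf)
    if port is None:
        return ("missing", None)
    container, host_to_container = port_map(ports)
    if port in container:
        return ("ok", port)
    if port in host_to_container:
        # nginx on the custom docker network resolves the container name and
        # connects to the container directly, so host port mappings do not apply.
        return ("host-port", host_to_container[port])
    return ("unknown", port)


if __name__ == "__main__":
    verdict, port = check_upstream_port(PROXY_CONF, INSPECT_PORTS)
    if verdict == "host-port":
        print(f"proxy_pass uses the host-published port; use {port} instead")
    else:
        print(verdict, port)
```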

Hi all,


Having an odd issue at container startup "Can't open privkey.pem for reading, No such file or directory".  However, the keys are saved in the folder specified and the privileges for the files should allow letsencrypt to access them (even tried 777). Any help would be appreciated.


- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/XXXXXXX.duckdns.org-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/XXXXXXX.duckdns.org-0001/privkey.pem
Your cert will expire on 2019-06-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Can't open privkey.pem for reading, No such file or directory
22760616274792:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('privkey.pem','r')

22760616274792:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready


Edit:


After fiddling a bit the problem continues, and now I cannot get new certs.


...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
An unexpected error occurred:

There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: XXXXXXX.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
Can't open privkey.pem for reading, No such file or directory
23291569253224:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('privkey.pem','r')

23291569253224:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

[services.d] done.
Server ready
Server ready
nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

8 hours ago, cablecutter said:

Having an odd issue at container startup "Can't open privkey.pem for reading, No such file or directory".  However, the keys are saved in the folder specified and the privileges for the files should allow letsencrypt to access them (even tried 777). Any help would be appreciated.

Post your container settings

11 hours ago, aptalca said:

Post your container settings


2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXXXXX.duckdns.org -d XXXXXXX.duckdns.org -d XXXXXXXX.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

2 minutes ago, cablecutter said:

You've hit the request limit:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Need to wait for that to reset which I believe is 7 days.

34 minutes ago, cablecutter said:


It seems when you messed with the permissions, you prevented the container from properly deleting the certs folder and when it regenerated certs, it created a duplicate folder with a 0001 appended to the name. Start over, don't change any permissions.


Also a side note: duckdns shouldn't really be the url variable. Url should be yoursubdomain.duckdns.org and subdomains should be any sub-subdomains you would like to use, i.e. "sonarr", so you can access sonarr.yoursubdomain.duckdns.org


If you need to add additional duckdns subdomains (usually needed for servers with different IPs, although I doubt that's the case here since they all need to point to the same letsencrypt instance), put them in the extra domains.

14 hours ago, cablecutter said:

Thanks aptalca, I deleted the folder and started from scratch, but won't be able to test this again until the cert request count resets.

If you change the set, you'll be able to get a cert, because your current restriction is "for the exact set of domains". I recommend starting with one duckdns subdomain as the url and see what happens. You can then expand if you need to.


OK, I REALLY need help!!!

I'm exhausted trying to make this work (Letsencrypt and NGINX)
After A LOT of time trying to get my certificates to validate, I finally contacted my ISP who confirmed they are blocking port 80...

So I got my domain name to CloudFlare and change the validation to that so FINALLY, I was able to get Letsencrypt get the certificates.


So now, my problem is nginx, I just can't get the HTTPS url to work. (trying first with nextcloud and SABNZBD)

I read a lot of tutorials, etc... and pretty sure I got everything right...

Here are my letsencrypt docker settings:


-CNAME created


-I can ping the subdomains

-Did the custom network for the dockers and assigned letsencrypt, nextcloud and SABNZBD to it


-Did my NAT config in my PFSENSE to open 443 (to 443, since that's what I'm using in the docker; UNRAID is also using a port other than 80)


I confirmed port 443 is open when Letsencrypt is running, so the port is open.


Renamed the file in /appdata/letsencrypt/nginx/proxy-confs (the one for nextcloud subdomain and sabnzbd for subdomain)


Edited the config.php in /appdata/nextcloud/www/nextcloud (I replaced my actual domain name with "mydomain.ca"):

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oceazvkmg45k',
  'passwordsalt' => 'EaiIqWmh7ARTfOGMcQPjIlPy/ZXcmL',
  'secret' => 'UfTMrKdIb3ZmO/CNaFUgZSz2ygB91jt8M4JcyJ5aizsHxGWe',
  'trusted_domains' => 
  array (
    0 => '192.168.1.5:444',
    1 => 'nextcloud.mydomain.ca',
  ),  
  'trusted_proxies' => ['letsencrypt'],
  'overwrite.cli.url' => 'https://nextcloud.mydomain.ca/',
  'overwritehost' => 'nextcloud.mydomain.ca',
  'overwriteprotocol' => 'https',  
  'dbtype' => 'mysql',
  'version' => '15.0.2.0',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.5:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'sf-Pass',
  'installed' => true,
);

Restarted all dockers multiple times but still cannot access using https://nextcloud.mydomain.ca


Please help, I'm out of idea (and patience lol)


***I'm on RC version 6.7.0 RC5, god I hope that is not why it's not working...
