[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I have tried for 3 days to get access to NextCloud on my unRAID working from outside my network. Here's where I stand:

 

I have NextCloud up and working; I can access it from a browser on a connection within my own network using unraidIP:444.

I can also access NextCloud from the android app when I'm connected to my own network using unraidIP:444 in the NextCloud app "Server address https://..." field.

 

I have LetsEncrypt set up and working (I think). I'm using DuckDNS and the duckdns validation method. Here is the log from my LetsEncrypt.

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=workdamnit.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=duckdns
DNSPLUGIN=
EMAIL=*******@gmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of workdamnit.duckdns.org will be requested
E-mail address entered: ******@gmail.com
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

I've tried a lot of different things to test that my DuckDNS is working but I'm not sure that it's actually doing what it's supposed to. If, when connected to my home network, I use workdamnit.duckdns.org it takes me to my modem/router login page. But using it outside my home network gets me nowhere.

 

My NextCloud config.php file looks like this:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocd07n9t02sn',
  'passwordsalt' => '********',
  'secret' => '*********',
  'trusted_domains' =>
  array (
    0 => '192.168.0.142:444',
    1 => 'nextcloud.server.com',
  ),
  'overwrite.cli.url' => 'https://192.168.0.142:444',
  'dbtype' => 'mysql',
  'version' => '13.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.0.142:3305',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '********',
  'dbpassword' => '*******',
  'installed' => true,
);

I've tried so many different approaches, tests, and changes that I feel like the solution might be masked by a change I've made prior. Could someone give me a hand to fault find this? I feel a little out of my depth but really want to make this happen.

Link to comment
2 hours ago, soundfx said:

I have tried for 3 days to get access to NextCloud on my unRAID working from outside my network. Here's where I stand.

You need to forward port 443 or whatever you choose on your router to your letsencrypt container IP and port. Then set up nginx on the container to use the ssl cert and forward to the nextcloud container. There is an example nextcloud config you can use and edit on the letsencrypt container. You just need to copy it to the correct location, i.e. /config/nginx/site-confs.

Link to comment
1 hour ago, nekromantik said:

You need to forward port 443 or whatever you choose on your router to your letsencrypt container IP and port. Then set up nginx on the container to use the ssl cert and forward to the nextcloud container. There is an example nextcloud config you can use and edit on the letsencrypt container. You just need to copy it to the correct location, i.e. /config/nginx/site-confs.

Sounds like somebody didn't read the readme. 

 

Read the readme under the folder /config/nginx/proxy-confs and it will tell you how to enable the preset proxy confs (hint: you just rename the file) 

 

Each proxy conf also tells you what you need to change (if any) in the external app.

Link to comment
4 hours ago, soundfx said:

I have tried for 3 days to get access to NextCloud on my unRAID working from outside my network. Here's where I stand.

Also, forward port 443 and then go to https://www.yourcustomsubdomain.duckdns.org; if you see the placeholder page, letsencrypt is working fine. Then you can set up the nextcloud reverse proxy.

Link to comment

I've started looking into the details you've suggested. I had read the readme and tried those things but had no luck, and because I felt like I was just compounding possible solutions I tried to return everything to default.

 

Before I post any more details here, I just realised my ISP blocks both ports 443 and 80 on inbound connections. I wonder if this is a fundamental problem or should I still be able to get this to work?

 

 

EDIT: I contacted my ISP and had them unblock the ports they were blocking. I can now see 443 as open using http://canyouseeme.org/ and am getting "certificate exists" feedback from https://www.sslshopper.com/ssl-checker.html

There still seem to be some errors so I've got more work to do, but progress. Shame I probably won't have much time over the next few days, being the holidays and all.

Edited by soundfx
Added update.
Link to comment

If I want to make changes to /etc/logrotate.d/fail2ban can I map that file to /config so it doesn't get overwritten on restart? I tried to add a volume mapping but I think I messed it up.. :P I also need to create a file in /etc/fail2ban but I think that folder is already mapped to /config so I should be able to just create the file in /config/fail2ban/ right? I've never really made any changes to files that are not mapped in the appdata dir in any containers before so I'm a bit lost here.

Link to comment
8 hours ago, strike said:

If I want to make changes to /etc/logrotate.d/fail2ban can I map that file to /config so it doesn't get overwritten on restart? I tried to add a volume mapping but I think I messed it up.. :P I also need to create a file in /etc/fail2ban but I think that folder is already mapped to /config so I should be able to just create the file in /config/fail2ban/ right? I've never really made any changes to files that are not mapped in the appdata dir in any containers before so I'm a bit lost here.

Why are you trying to modify the logrotate config file? 

Link to comment
3 hours ago, aptalca said:

Why are you trying to modify the logrotate config file? 

Well, I'm creating a jail for repeat offenders and want to have logs for a whole year. So I want to change the rotation to monthly and have it delete any logs older than 13 months. Right now the settings are weekly rotation and I only have logs for 7 weeks.

Link to comment
On 12/23/2018 at 10:43 PM, strike said:

If I want to make changes to /etc/logrotate.d/fail2ban can I map that file to /config so it doesn't get overwritten on restart? I tried to add a volume mapping but I think I messed it up.. :P I also need to create a file in /etc/fail2ban but I think that folder is already mapped to /config so I should be able to just create the file in /config/fail2ban/ right? I've never really made any changes to files that are not mapped in the appdata dir in any containers before so I'm a bit lost here.

On 12/24/2018 at 7:30 AM, aptalca said:

Why are you trying to modify the logrotate config file? 

 

On 12/24/2018 at 11:06 AM, strike said:

Well, I'm creating a jail for repeat offenders and want to have logs for a whole year. So I want to change the rotation to monthly and have it delete any logs older than 13 months. Right now the settings are weekly rotation and I only have logs for 7 weeks.

Any thoughts/ideas regarding this?

Link to comment
6 hours ago, strike said:

Any thoughts/ideas regarding this?

For the logrotate, you can map it as a path so container side it will be /etc/logrotate.d/fail2ban and host side would be wherever your custom file is at on your unraid. 

 

For the actions and filters, just put your new configs into the respective folders under /config as they are already made available for user customization. 

 

I used recidive in the past where regular bans were short lived (5 mins) but if an IP got banned 3 times in a 10 hr period, they would be banned for a whole week. Never did anything longer than that.

Link to comment
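To make the two pieces concrete, here is an added example (mine, not strike's or aptalca's, and not from the linuxserver.io image): a script that appends a recidive jail to /config/fail2ban/jail.local using the scheme described above (short base bans; 3 bans in 10 hours earns a week), and writes the monthly, 13-months-retained logrotate file to map onto /etc/logrotate.d/fail2ban. The fail2ban log path /config/log/fail2ban/fail2ban.log and the banaction_allports setting are assumptions about the container, not something the thread states.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the linuxserver.io project): writes the
# two files strike's setup needs. Ban values follow the scheme aptalca
# describes (short base bans; 3 bans in 10 hours => banned for a week).
# Assumption: fail2ban's own log is /config/log/fail2ban/fail2ban.log in this
# container. The host-side path you map onto /etc/logrotate.d/fail2ban is yours.
set -eu

F2B_LOG=/config/log/fail2ban/fail2ban.log   # assumed container-side path

# Append a [recidive] jail to $1/jail.local (the letsencrypt container exposes
# /config/fail2ban for this). Appends rather than overwrites so the image's
# nginx jails survive, and is idempotent: a second run adds nothing.
write_recidive_jail() {
  local dir="$1" jail
  jail="$dir/jail.local"
  mkdir -p "$dir"
  touch "$jail"
  if grep -q '^\[recidive\]' "$jail"; then
    return 0
  fi
  cat >> "$jail" <<EOF

# Repeat-offender jail: re-reads fail2ban's own log, so it only sees bans that
# are still in that log. bantime/findtime/maxretry here are independent of the
# per-service jails, whose bans can stay short (e.g. 5m).
[recidive]
enabled   = true
logpath   = $F2B_LOG
banaction = %(banaction_allports)s
bantime   = 1w
findtime  = 10h
maxretry  = 3
EOF
}

# Write a logrotate stanza for fail2ban's log into $1/fail2ban: monthly
# rotation, 13 rotated files kept => about 13 months of history, the retention
# asked for above. Map this file into the container at
# /etc/logrotate.d/fail2ban so it survives restarts.
write_fail2ban_logrotate() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/fail2ban" <<EOF
$F2B_LOG {
    monthly
    rotate 13
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        # tell fail2ban to reopen its log so it keeps writing to the new file
        fail2ban-client flushlogs 1>/dev/null || true
    endscript
}
EOF
}

# Usage (paths are examples for an unRAID appdata layout, not the thread's):
#   ./recidive-setup.sh /mnt/user/appdata/letsencrypt/fail2ban /mnt/user/appdata/letsencrypt/logrotate
if [ $# -eq 2 ]; then
  write_recidive_jail "$1"
  write_fail2ban_logrotate "$2"
fi
```

Map the written logrotate file into the container as a file path (host side wherever you saved it, container side /etc/logrotate.d/fail2ban), then restart the container so fail2ban picks up the new jail.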
8 hours ago, aptalca said:

For the logrotate, you can map it as a path so container side it will be /etc/logrotate.d/fail2ban and host side would be wherever your custom file is at on your unraid. 

Thanks! I believe I tried this but it didn't work, can't remember what went wrong though. I'll try it again when I have time.

Link to comment

I have been having some trouble with my cert not renewing. 

 

I followed the instructions in Spaceinvader One's video (https://youtu.be/I0lhZc25Sro) and it worked for a while until the cert expired. All the instructions I found said to restart the container, which I have done several times. Even restarted the entire server after an Unraid update. The logs show no errors.

 

When I look at LinuxServer.io's LetsEncrypt GitHub page, one of the more recent updates says this:

"08.12.18: Had to remove cert renewal during container start due to certbot's new undocumented "feature" of up to 8 minute random delay."

 

If certs don't renew on startup is there a command that can be run to force its renewal?

 

Link to comment
1 hour ago, tillkrueger said:

I think I asked this question before but still fail to understand:

Could someone explain to me, step-by-step, how to move/redirect the letsencrypt/appdata/www folder from my SSD cache drive, where it is now, to the unRAID array?

Map a new folder in the container settings, say /mnt/user/www on the unraid side and /www on the container side. 

 

Then in your nginx site config, set the root directive to /www

Link to comment

When you say "unraid side" and "container side", do you mean that I need to use the "+ Add another Path, Port..." option in the Advanced settings of the Docker's "Edit" page? (see attached)

And then choose "Path"?

So if I wanted to move the www folder to, say, unRAID/Sites/avpmatrix/, what would the correct settings/syntax be for those input fields?

 


Link to comment
8 hours ago, tillkrueger said:

When you say "unraid side" and "container side", do you mean that I need to use the "+ Add another Path, Port..." option in the Advanced settings of the Docker's "Edit" page? (see attached)

And then choose "Path"?

So if I wanted to move the www folder to, say, unRAID/Sites/avpmatrix/, what would the correct settings/syntax be for those input fields?

 


Start here: 

 

Link to comment

Hi everyone,

 

I hope someone can provide me with some advice as I’m pulling my hair out over this.

 

I followed the tutorial posted by spaceinvaderone (linked below) which shows how to set up letsencrypt.

 

https://www.youtube.com/watch?v=I0lhZc25Sro&t=753s

 

Unfortunately, as soon as I run letsencrypt, I get the error message in the log which states:

 

Failed authorization procedure. blabla.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://blabla.duckdns.org/.well-known/acme-challenge/wL2-Ux5ap6jNeo4TLJ44KY9Rp9OBcYjSqAZVlbBxnwA: Timeout during connect (likely firewall problem)

 

 

I've made sure with my ISP (Virgin Media, UK) that both ports 80 and 443 are not blocked. I just can't seem to get this set up. Can anyone guide me on this? Port forwarding looks to be fine on the router as I've looked at three different videos which explain how to do it on that router. Please see the picture below to show how it's set up on the router side...

 


Can anyone help? I would really appreciate it

 

Edited by entourage2111
Link to comment
51 minutes ago, entourage2111 said:

Please see the picture below to show how it's set up on the router side...

 


Can anyone help? I would really appreciate it

 

Assuming you have set up the NGINX docker to listen on 180 and 1443, you need to switch the local and external port ranges. 80 and 443 need to be external.

Link to comment
On 12/28/2018 at 12:27 PM, jasonz940 said:

I have been having some trouble with my cert not renewing. 

 

Is this a stupid question maybe?


I found instructions for commands to run for other containers but I am hesitant to try them here. I'm new to Docker and don't want to mess up my container or have to go through having to configure a new container instance.

Link to comment
47 minutes ago, jasonz940 said:

Is this a stupid question maybe?


I found instructions for commands to run for other containers but I am hesitant to try them here. I'm new to Docker and don't want to mess up my container or have to go through having to configure a new container instance.

You shouldn't need to force a renewal. Auto renewals are attempted daily. Check the log/letsencrypt folder to see what's going on

Link to comment
22 hours ago, aptalca said:

You shouldn't need to force a renewal. Auto renewals are attempted daily. Check the log/letsencrypt folder to see what's going on

When I click on the log icon next to the Docker container there are no errors that show up there. When I look at the log inside appdata/letsencrypt I can see where the issue happens. Letsencrypt can't connect to my server over HTTP for verification. I have verified the firewall/port forwarding settings on my router are correct. HTTPS works as expected and when I go to the root URL over HTTP it gets redirected to HTTPS, so that's correct too. Trying to navigate to the full URL where the acme-challenge is in a browser I get a "connection refused" response. Is something messed up in my NGINX config I wonder?

 

I'm not sure where to look from here but I really appreciate the help.

 

Here's the log:

<------------------------------------------------->
cronjob running on Sun Dec 30 02:08:00 EST 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Non-interactive renewal: random delay of 442 seconds

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub2.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sub2.duckdns.org
http-01 challenge for sub1.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (sub2.duckdns.org) from /etc/letsencrypt/renewal/sub2.duckdns.org.conf produced an unexpected error: Failed authorization procedure. sub1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub1.duckdns.org/.well-known/acme-challenge/[HASH1]: Timeout during connect (likely firewall problem), sub2.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub2.duckdns.org/.well-known/acme-challenge/[HASH2]: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/sub2.duckdns.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/sub2.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi;     cd /config/keys/letsencrypt &&     openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: &&     sleep 1 &&     cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi;     cd /config/keys/letsencrypt &&     openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: &&     sleep 1 &&     cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:
cat: {privkey,fullchain}.pem: No such file or directory

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub1.duckdns.org
   Type:   connection
   Detail: Fetching
   http://sub1.duckdns.org/.well-known/acme-challenge/[HASH1]:
   Timeout during connect (likely firewall problem)

   Domain: sub2.duckdns.org
   Type:   connection
   Detail: Fetching
   http://sub2.duckdns.org/.well-known/acme-challenge/[HASH2]:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
<------------------------------------------------->

 

Link to comment
1 hour ago, jasonz940 said:

When I click on the log icon next to the Docker container there are no errors that show up there. When I look at the log inside appdata/letsencrypt I can see where the issue happens. Letsencrypt can't connect to my server over HTTP for verification. I have verified the firewall/port forwarding settings on my router are correct. HTTPS works as expected and when I go to the root URL over HTTP it gets redirected to HTTPS, so that's correct too. Trying to navigate to the full URL where the acme-challenge is in a browser I get a "connection refused" response. Is something messed up in my NGINX config I wonder?

 


 

Renewals or validation don't get affected by nginx settings as letsencrypt/certbot puts up its own webserver during validation. 

 

Something changed in your system since the original validation, such that the letsencrypt server is no longer able to access the container on port 80.

Edited by aptalca
Link to comment
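A triage script for the failure jasonz940's log shows, following aptalca's point that certbot's standalone listener, not nginx, answers the http-01 challenge. This is an added example, not code from the thread or the linuxserver.io project; the sample log is constructed from the lines quoted above, and the log path in the usage comment and the reading of curl's exit codes are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage for a failed "certbot renew" run
# like the one posted above. Step 1 reads the renewal log and names the
# domains whose http-01 challenge the CA could not reach; step 2 is a live
# probe of the same URL path the CA fetches, to be run from outside the LAN.
set -u

# Constructed sample, abbreviated from the log quoted in the thread.
SAMPLE_LOG='Running certbot renew
Attempting to renew cert (sub2.duckdns.org) from /etc/letsencrypt/renewal/sub2.duckdns.org.conf produced an unexpected error: Failed authorization procedure. sub1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub1.duckdns.org/.well-known/acme-challenge/[HASH1]: Timeout during connect (likely firewall problem), sub2.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub2.duckdns.org/.well-known/acme-challenge/[HASH2]: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/sub2.duckdns.org/fullchain.pem (failure)
Hook command "cd /config/keys/letsencrypt && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
cat: {privkey,fullchain}.pem: No such file or directory'

# Domains whose challenge ended in an ACME error, one per line, deduplicated.
# certbot packs every failure into one long line, so match each
# "<domain> (http-01): urn:ietf:params:acme:error:<type>" fragment.
failed_domains() {
  printf '%s\n' "$1" |
    grep -oE '[A-Za-z0-9.-]+ \(http-01\): urn:ietf:params:acme:error:[a-z]+' |
    awk '{ print $1 }' | sort -u
}

# ACME error type (connection, dns, unauthorized, ...) reported for a domain.
# "connection" means the CA never reached port 80 at all, which is why nginx
# settings are irrelevant here: certbot's standalone listener never got the hit.
error_type() {
  printf '%s\n' "$2" |
    grep -oE "$1 \(http-01\): urn:ietf:params:acme:error:[a-z]+" |
    sed -n '1s/.*acme:error://p'
}

# True if the post-hook failed. The "cat: ... No such file" line is a follow-on
# symptom of the renewal failure (no fresh bundle to cat), not its cause.
posthook_failed() {
  printf '%s\n' "$1" | grep -q 'Hook command .* returned error code'
}

# Live check of what the CA does: fetch the challenge path on port 80 with a
# short timeout. Any HTTP status (even 404) means port 80 is reachable; curl
# exit 28 is a timeout (missing forward / upstream block), 7 is connection
# refused. Run it from outside the LAN: from inside, NAT loopback on many
# routers answers with the router's own login page, as soundfx observed.
probe_http01() {
  local domain="$1" url code rc
  url="http://$domain/.well-known/acme-challenge/probe-$$"
  code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$url") && rc=0 || rc=$?
  case $rc in
    0)  echo "$domain: HTTP $code on port 80 (reachable; only the token is missing)" ;;
    28) echo "$domain: timeout (port 80 not forwarded, or blocked upstream)" ;;
    7)  echo "$domain: connection refused (forwarded, but nothing listening)" ;;
    *)  echo "$domain: curl exit $rc" ;;
  esac
}

# Usage (log path is an assumed appdata location, adjust to yours):
#   ./acme-triage.sh /mnt/user/appdata/letsencrypt/log/letsencrypt/letsencrypt.log
if [ $# -eq 1 ]; then
  log=$(cat "$1")
  for d in $(failed_domains "$log"); do
    echo "$d: acme error '$(error_type "$d" "$log")'"
    probe_http01 "$d"
  done
  posthook_failed "$log" && echo "post-hook also failed (follow-on symptom)"
fi
```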
