linuxserver.io

[Support] Linuxserver.io - Letsencrypt (Nginx)


10 hours ago, slimshizn said:

Let's Encrypt didn't give new certs, so something's up.

This is a very brief description of your problem. What is the exact error in the log?

 

If it used to work and now is suddenly broken, it might be because of an issue with your port 80 routing (at least in my experience this is very often the culprit). Do you know how to access the docker command line and run a cert renewal test? This usually gives you a more detailed error message.

16 hours ago, Seige said:

This is a very brief description of your problem. What is the exact error in the log?

 

If it used to work and now is suddenly broken, it might be because of an issue with your port 80 routing (at least in my experience this is very often the culprit). Do you know how to access the docker command line and run a cert renewal test? This usually gives you a more detailed error message.

Yes, I also checked the ports using outside tests and they are open. Turns out that there was an issue with Cloudflare that night; I can access my RP now outside of my network. Inside my network is still an issue. I'm using a USG3 for my router, UPnP is on, and I'm not really sure how all of a sudden I don't have access to my RP locally. If I visit 192.168.*.* it works fine, but if I use my webpage name it will not connect and just times out.


Sounds like a hairpin NAT / NAT reflection issue to me

Sent from my Mi A1 using Tapatalk


My ISP is blocking port 80 so I can't get certificates. Is there any way around this? I've seen a little bit about DNS challenge, but from what I gather, you need to own the DNS server, which I don't, so that doesn't seem like an option unless I'm misunderstanding that. I've also been advised to use a different port, but from what I've read, letsencrypt must use port 80?

 

For my setup I used SpaceInvader's video tutorial and CyanLab's tutorial

My ISP is blocking port 80 so I can't get certificates. Is there any way around this? I've seen a little bit about DNS challenge, but from what I gather, you need to own the DNS server, which I don't, so that doesn't seem like an option unless I'm misunderstanding that. I've also been advised to use a different port, but from what I've read, letsencrypt must use port 80?
 
For my setup I used SpaceInvader's video tutorial and CyanLab's tutorial
You don't need to own your DNS server.

Use cloudflare and your own domain.

Sent from my SM-N960U using Tapatalk


http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

This is what I get. How do I fix this? I have absolutely no idea what this means.

2 hours ago, Spoonsy1480 said:

http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

This is what I get. How do I fix this? I have absolutely no idea what this means.

You are just the 264th person to ask that in this thread.


Okay I've looked up hairpin nat on the USG, looked in the config.boot file and this is what shows up.
 

Quote

port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth1


Should disabling this fix my issue of not seeing server.com on my local network?

17 minutes ago, slimshizn said:

Okay I've looked up hairpin nat on the USG, looked in the config.boot file and this is what shows up.
 


Should disabling this fix my issue of not seeing server.com on my local network?

You need hairpin NAT enabled.  Probably better off asking support avenues for USG unless someone here knows and can answer.

 


If that wasn’t the problem, I am really confused. These are my settings:
[Attached images: IMG_2234.jpg, IMG_2235.jpg, IMG_2236.jpg]
It was working but now it isn’t. I would be grateful for any help.


Sent from my iPhone using Tapatalk


@Spoonsy1480
Did you understand my previous comment? It means to go the bleeep bleeep bleeep bleep read the previous posts in this bleep bleeep thread.

 

And do you really think that we are supposed to read your mind about what is not working?

Do you go to the garage and say: My car was working, now it isn't working. What is wrong?

1 minute ago, saarg said:

@Spoonsy1480
Did you understand my previous comment? It means to go the bleeep bleeep bleeep bleep read the previous posts in this bleep bleeep thread.

 

And do you really think that we are supposed to read your mind about what is not working?

Do you go to the garage and say: My car was working, now it isn't working. What is wrong?

Yes, I read your post and went back through the thread, and all I could find was that it didn’t matter, as far as I could find out.

Yesterday I could go to radarr.mydomain.com

and today I cannot access any of them. That is the only error I see.

So I am stumped.

3 minutes ago, Spoonsy1480 said:

Yes, I read your post and went back through the thread, and all I could find was that it didn’t matter, as far as I could find out.

Yesterday I could go to radarr.mydomain.com

and today I cannot access any of them. That is the only error I see.

So I am stumped.

No idea either.

9 minutes ago, Spoonsy1480 said:

Yes, I read your post and went back through the thread, and all I could find was that it didn’t matter, as far as I could find out.

Yesterday I could go to radarr.mydomain.com

and today I cannot access any of them. That is the only error I see.

So I am stumped.

That error you posted, if you'd searched this thread or the github site for the container, has nothing to do with it.  As for why your stuff isn't working, no idea.


Hi guys.

Thank you for the container. I've recently re-set this container up. It's mostly working perfectly. 

I am running two nextcloud containers - one for personal and one for work. Reverse proxy works perfectly for the home one. 

Reverse proxy for the work container doesn't seem to work for me - it just re-directs to the home container.

Home container is called "nextcloud" and mapped to nextcloud.XXX Work container is called "nextcloud_works" and mapped to nextcloudwork.XXX.

Both being run as sub-domain reverse proxies. 

Attached are the reverse proxy configs for both. Any help would be appreciated.

Thanks

nextcloudwork.subdomain.conf nextcloud.subdomain.conf


Still looking for a working calibre subdomain config file. I have:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name calibre.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_calibre calibre;
        proxy_max_temp_file_size 2048m;
        proxy_pass http://$upstream_calibre:8083;
    }
}

with my calibre docker named 'calibre', however accessing the site gives me a bad gateway error. Any ideas?

10 hours ago, FireFtw said:

Still looking for a working calibre subdomain config file. I have:


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name calibre.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_calibre calibre;
        proxy_max_temp_file_size 2048m;
        proxy_pass http://$upstream_calibre:8083;
    }
}

with my calibre docker named 'calibre', however accessing the site gives me a bad gateway error. Any ideas?

If you are using our calibre container and have the containers on their own custom bridge, you are using the wrong port. It's either 8080 or 8081.

When using the name to resolve the container, you need to use the ports internally in the containers.

15 hours ago, storm123 said:

Hi guys.

Thank you for the container. I've recently re-set this container up. It's mostly working perfectly. 

I am running two nextcloud containers - one for personal and one for work. Reverse proxy works perfectly for the home one. 

Reverse proxy for the work container doesn't seem to work for me - it just re-directs to the home container.

Home container is called "nextcloud" and mapped to nextcloud.XXX Work container is called "nextcloud_works" and mapped to nextcloudwork.XXX.

Both being run as sub-domain reverse proxies. 

Attached are the reverse proxy configs for both. Any help would be appreciated.

Thanks

nextcloudwork.subdomain.conf 1.07 kB · 0 downloads nextcloud.subdomain.conf 1.06 kB · 0 downloads

Try changing the variable name to upstream_nextcloud_works
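
A check that follows from the symptom reported above (the work subdomain lands on the home container), added here as an example and not part of the original posts: it resolves each `proxy_pass` variable to the container name it was `set` to and reports conf files that end up at the same container. The attached configs are not on the page, so the file contents below are constructed, and `summarize` and `find_problems` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the two attachments (their contents are not on the
# page). The second is a copy of the first with only server_name edited.
CONFS = {
    "nextcloud.subdomain.conf": """
server {
    listen 443 ssl;
    server_name nextcloud.*;
    location / {
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_pass https://$upstream_nextcloud:443;
    }
}
""",
    "nextcloudwork.subdomain.conf": """
server {
    listen 443 ssl;
    server_name nextcloudwork.*;
    location / {
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_pass https://$upstream_nextcloud:443;
    }
}
""",
}

SERVER_NAME = re.compile(r"^\s*server_name\s+([^;]+);", re.M)
SET_VAR = re.compile(r"^\s*set\s+\$(\w+)\s+([^;\s]+)\s*;", re.M)
PROXY = re.compile(r"^\s*proxy_pass\s+(\w+)://\$(\w+):(\d+)", re.M)

def summarize(text):
    """Resolve each proxy_pass variable to the container name it was set to."""
    variables = dict(SET_VAR.findall(text))
    names = SERVER_NAME.search(text)
    targets = [(variables.get(var), int(port)) for _, var, port in PROXY.findall(text)]
    return {"server_name": names.group(1).split() if names else [], "targets": targets}

def find_problems(confs):
    """Report unset proxy variables and conf files that share one upstream."""
    problems, by_target = [], defaultdict(list)
    for fname, text in confs.items():
        for container, port in summarize(text)["targets"]:
            if container is None:
                problems.append(f"{fname}: proxy_pass uses a variable that is never set")
            else:
                by_target[(container, port)].append(fname)
    for (container, port), files in by_target.items():
        if len(files) > 1:
            problems.append(f"{', '.join(sorted(files))} proxy to the same upstream {container}:{port}")
    return problems

if __name__ == "__main__":
    print("\n".join(find_problems(CONFS)) or "no shared upstreams")
```
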

5 hours ago, aptalca said:

Try changing the variable name to upstream_nextcloud_works

Thanks mate.

Gave it a go.

I now get a connection but it goes to a 500 internal server error.

[Attached image: image.png.c239c27acd8f244fe6600647ae6e44db.png]

Any logs I can share to help track down the final step?

13 hours ago, saarg said:

If you are using our calibre container and have the containers on their own custom bridge, you are using the wrong port. It's either 8080 or 8081.

When using the name to resolve the container, you need to use the ports internally in the containers.

Yep, forgot I didn't have the bridge swapped over. The internal and external ports are both 8083 on the newest docker.


Help please - my cert won't renew.  It's been so long since I've had problems with LE I can't work out how to fix:

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=MyDOMAIN.com
SUBDOMAINS=www,unifi,ha,nextcloud,office,home,heimdall
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=me@email.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.MyDOMAIN.com -d unifi.MyDOMAIN.com -d ha.MyDOMAIN.com -d nextcloud.MyDOMAIN.com -d office.MyDOMAIN.com -d home.MyDOMAIN.com -d heimdall.MyDOMAIN.com
E-mail address entered: me@email.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for MyDOMAIN.com
Waiting for verification...
Challenge failed for domain MyDOMAIN.com

http-01 challenge for MyDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MyDOMAIN.com
Type: connection
Detail: Fetching
http://MyDOMAIN.com/.well-known/acme-challenge/r_lFlfJYMg2gmnwGbgo-4gqRceo17BLkfJUj8CXnK2A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Challenge failed for domain MyDOMAIN.com

http-01 challenge for MyDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MyDOMAIN.com
Type: connection
Detail: Fetching
http://MyDOMAIN.com/.well-known/acme-challenge/r_lFlfJYMg2gmnwGbgo-4gqRceo17BLkfJUj8CXnK2A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

On 6/13/2019 at 7:02 PM, storm123 said:

Thanks mate.

Gave it a go.

I now get a connection but it goes to a 500 internal server error.

[Attached image: image.png.c239c27acd8f244fe6600647ae6e44db.png]

Any logs I can share to help track down the final step?

Anyone able to offer some wisdom with this please?

Thanks

10 hours ago, DZMM said:

Help please - my cert won't renew.  It's been so long since I've had problems with LE I can't work out how to fix:

 


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=MyDOMAIN.com
SUBDOMAINS=www,unifi,ha,nextcloud,office,home,heimdall
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=me@email.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.MyDOMAIN.com -d unifi.MyDOMAIN.com -d ha.MyDOMAIN.com -d nextcloud.MyDOMAIN.com -d office.MyDOMAIN.com -d home.MyDOMAIN.com -d heimdall.MyDOMAIN.com
E-mail address entered: me@email.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for MyDOMAIN.com
Waiting for verification...
Challenge failed for domain MyDOMAIN.com

http-01 challenge for MyDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MyDOMAIN.com
Type: connection
Detail: Fetching
http://MyDOMAIN.com/.well-known/acme-challenge/r_lFlfJYMg2gmnwGbgo-4gqRceo17BLkfJUj8CXnK2A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Challenge failed for domain MyDOMAIN.com

http-01 challenge for MyDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MyDOMAIN.com
Type: connection
Detail: Fetching
http://MyDOMAIN.com/.well-known/acme-challenge/r_lFlfJYMg2gmnwGbgo-4gqRceo17BLkfJUj8CXnK2A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

 

Port 80 is most likely blocked somewhere between your ISP and the container.
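
A triage helper for the certbot output quoted above, added here as an example and not part of the original posts: it pulls each `Domain` / `Type` / `Detail` block out of the log, collapses the repeated block, and attaches a likely cause. Only the "Timeout during connect" detail appears in this thread; the other entries in the hint table, the sample log with its placeholder domain and token, and the name `parse_failures` are assumptions made for the example.

```python
import re

# Constructed sample in the shape of the certbot output quoted in this thread
# (example.com and the token are placeholders, not values from the page).
SAMPLE_LOG = """\
Challenge failed for domain example.com
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: example.com
Type: connection
Detail: Fetching
http://example.com/.well-known/acme-challenge/CONSTRUCTED_TOKEN:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) are right.

Domain: example.com
Type: connection
Detail: Fetching
http://example.com/.well-known/acme-challenge/CONSTRUCTED_TOKEN:
Timeout during connect (likely firewall problem)
"""

# Ordered (substring of Detail, hint) pairs; first match wins. Only the first
# entry comes from this thread, the rest are assumptions added for the example.
HINTS = [
    ("Timeout during connect", "port 80 is filtered or not forwarded to the container"),
    ("Connection refused", "port 80 reaches a host where nothing is listening"),
    ("Invalid response", "port 80 answers, but the challenge file was not served"),
    ("DNS problem", "the name does not resolve to a usable public address"),
]

BLOCK = re.compile(
    r"^\s*Domain:\s*(?P<domain>\S+)\s*\n"
    r"\s*Type:\s*(?P<type>\S+)\s*\n"
    r"\s*Detail:\s*(?P<detail>.*?)(?=\n\s*\n|\Z)",
    re.MULTILINE | re.DOTALL,
)

def parse_failures(log_text):
    """Return one record per distinct (domain, type, detail) failure block."""
    seen, out = set(), []
    for m in BLOCK.finditer(log_text):
        detail = " ".join(m.group("detail").split())  # re-join wrapped lines
        key = (m.group("domain"), m.group("type"), detail)
        if key in seen:  # the log in the thread prints the same block twice
            continue
        seen.add(key)
        hint = next((h for needle, h in HINTS if needle in detail), "no hint for this detail")
        out.append({"domain": key[0], "type": key[1], "detail": detail, "hint": hint})
    return out

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f"{f['domain']}: {f['type']} -> {f['hint']}")
```
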

