
[Support] Linuxserver.io - Letsencrypt (Nginx)



If this has been asked and answered, I apologize in advance. I searched but nothing came up.

My situation: Trying to add a second domain, which I did by creating a variable in docker called EXTRA_DOMAINS. Seems to work.

My problem: Firstly, does the second domain leverage the SUBDOMAINS already created for the first domain? What if I wish to use other subdomains not listed? Can I create another variable for just subdomains to be used by the second domain?

 

Thanks!

 

 

40 minutes ago, pimogo said:

If this has been asked and answered, I apologize in advance. I searched but nothing came up.

My situation: Trying to add a second domain, which I did by creating a variable in docker called EXTRA_DOMAINS. Seems to work.

My problem: Firstly, does the second domain leverage the SUBDOMAINS already created for the first domain? What if I wish to use other subdomains not listed? Can I create another variable for just subdomains to be used by the second domain?

 

Thanks!

 

 

Extra domains takes FQDNs, so add your subdomains in there as additional FQDNs.


Is letsencrypt currently down / having problems? Trying to follow https://www.youtube.com/watch?v=I0lhZc25Sro to get Nextcloud working from outside of the network, but I keep getting "the command failed" while trying to pull down letsencrypt; when running the docker it is failing to reach the domains from DuckDNS even with ports forwarded on the router. Spent around 3 hours trying to get this to work. Any help would be great. (Did try and use Resilio Sync instead of Nextcloud, but that had just as many problems, if not more, than this.) Anyone know an easy way of sending pictures and files from phone to Unraid? Let me know.

 

4 hours ago, C_James said:

Is letsencrypt currently down / having problems? Trying to follow https://www.youtube.com/watch?v=I0lhZc25Sro to get Nextcloud working from outside of the network, but I keep getting "the command failed" while trying to pull down letsencrypt; when running the docker it is failing to reach the domains from DuckDNS even with ports forwarded on the router. Spent around 3 hours trying to get this to work. Any help would be great. (Did try and use Resilio Sync instead of Nextcloud, but that had just as many problems, if not more, than this.) Anyone know an easy way of sending pictures and files from phone to Unraid? Let me know.

 

Post the commands or settings you tried and the error messages you got.


So I set up DuckDNS and the DuckDNS docker, then set up letsencrypt and got this: "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container". Port forwards have been made for the ports, but the challenge fails every time. Is there a way to get Nextcloud to work from outside the local network on Unraid more easily? Or any docker apps that allow items to be sent to a folder on Unraid from a phone, like pictures and that? The last 4 days have been spent trying to get Nextcloud/Resilio Sync working; all are from linuxserver.

28 minutes ago, C_James said:

So I set up DuckDNS and the DuckDNS docker, then set up letsencrypt and got this: "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container". Port forwards have been made for the ports, but the challenge fails every time. Is there a way to get Nextcloud to work from outside the local network on Unraid more easily? Or any docker apps that allow items to be sent to a folder on Unraid from a phone, like pictures and that? The last 4 days have been spent trying to get Nextcloud/Resilio Sync working; all are from linuxserver.

Take one step at a time. You have not gotten your certs yet, no point in messing around with reverse proxy.

 

See here: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/


So what do you recommend? Like, I've tried everything I've read online, contacted the ISP and they say they are not blocking any ports, so I'm totally stumped.

Edited by C_James


Hello, my server rebooted recently, ungracefully due to a power outage, and now my domains are reporting that the server is down through CloudFlare. I have Crypto set to Full, as Flexible does not work for me, if that matters.

 



I tracked the error down to mean that WordPress is blocking the IPs from CloudFlare, so I tried to add the CloudFlare IPs into NGINX but I can't get it to work. Here is how I did that:

  1. Created the file cloudflare-allow.conf with the whitelisted CloudFlare IPs (contents below) and put it in the same location as ssl.conf and nginx.conf:

       # https://www.cloudflare.com/ips
       # IPv4
       allow 173.245.48.0/20;
       allow 103.21.244.0/22;
       allow 103.22.200.0/22;
       allow 103.31.4.0/22;
       allow 141.101.64.0/18;
       allow 108.162.192.0/18;
       allow 190.93.240.0/20;
       allow 188.114.96.0/20;
       allow 197.234.240.0/22;
       allow 198.41.128.0/17;
       allow 162.158.0.0/15;
       allow 104.16.0.0/12;
       allow 172.64.0.0/13;
       allow 131.0.72.0/22;

       # IPv6
       allow 2400:cb00::/32;
       allow 2606:4700::/32;
       allow 2803:f800::/32;
       allow 2405:b500::/32;
       allow 2405:8100::/32;
       allow 2a06:98c0::/29;
       allow 2c0f:f248::/32;

  2. Edited the site-conf default file for my main site to add the lines:

       include /config/nginx/cloudflare-allow.conf;
       deny all;

  3. Restarted the LetsEncrypt container.

This did not work so I am not sure I am doing this correctly. Can anyone lend a hand to advise the proper way to do this or if I am even barking up the right tree?

 

Thanks,

3 hours ago, Riotz said:

Hello, my server rebooted recently, ungracefully due to a power outage, and now my domains are reporting that the server is down through CloudFlare. I have Crypto set to Full, as Flexible does not work for me, if that matters.

 



I tracked the error down to mean that WordPress is blocking the IPs from CloudFlare, so I tried to add the CloudFlare IPs into NGINX but I can't get it to work. Here is how I did that:

  1. Created the file cloudflare-allow.conf with the whitelisted CloudFlare IPs (contents below) and put it in the same location as ssl.conf and nginx.conf:

       # https://www.cloudflare.com/ips
       # IPv4
       allow 173.245.48.0/20;
       allow 103.21.244.0/22;
       allow 103.22.200.0/22;
       allow 103.31.4.0/22;
       allow 141.101.64.0/18;
       allow 108.162.192.0/18;
       allow 190.93.240.0/20;
       allow 188.114.96.0/20;
       allow 197.234.240.0/22;
       allow 198.41.128.0/17;
       allow 162.158.0.0/15;
       allow 104.16.0.0/12;
       allow 172.64.0.0/13;
       allow 131.0.72.0/22;

       # IPv6
       allow 2400:cb00::/32;
       allow 2606:4700::/32;
       allow 2803:f800::/32;
       allow 2405:b500::/32;
       allow 2405:8100::/32;
       allow 2a06:98c0::/29;
       allow 2c0f:f248::/32;

  2. Edited the site-conf default file for my main site to add the lines:

       include /config/nginx/cloudflare-allow.conf;
       deny all;

  3. Restarted the LetsEncrypt container.

This did not work so I am not sure I am doing this correctly. Can anyone lend a hand to advise the proper way to do this or if I am even barking up the right tree?

 

Thanks,

Uninstall, reinstall? Other than that no idea; wish I could get what I'm trying to do to work, no luck at all.

5 hours ago, Riotz said:

Hello, my server rebooted recently, ungracefully due to a power outage, and now my domains are reporting that the server is down through CloudFlare. I have Crypto set to Full, as Flexible does not work for me, if that matters.

 



I tracked the error down to mean that WordPress is blocking the IPs from CloudFlare, so I tried to add the CloudFlare IPs into NGINX but I can't get it to work. Here is how I did that:

  1. Created the file cloudflare-allow.conf with the whitelisted CloudFlare IPs (contents below) and put it in the same location as ssl.conf and nginx.conf:

       # https://www.cloudflare.com/ips
       # IPv4
       allow 173.245.48.0/20;
       allow 103.21.244.0/22;
       allow 103.22.200.0/22;
       allow 103.31.4.0/22;
       allow 141.101.64.0/18;
       allow 108.162.192.0/18;
       allow 190.93.240.0/20;
       allow 188.114.96.0/20;
       allow 197.234.240.0/22;
       allow 198.41.128.0/17;
       allow 162.158.0.0/15;
       allow 104.16.0.0/12;
       allow 172.64.0.0/13;
       allow 131.0.72.0/22;

       # IPv6
       allow 2400:cb00::/32;
       allow 2606:4700::/32;
       allow 2803:f800::/32;
       allow 2405:b500::/32;
       allow 2405:8100::/32;
       allow 2a06:98c0::/29;
       allow 2c0f:f248::/32;

  2. Edited the site-conf default file for my main site to add the lines:

       include /config/nginx/cloudflare-allow.conf;
       deny all;

  3. Restarted the LetsEncrypt container.

This did not work so I am not sure I am doing this correctly. Can anyone lend a hand to advise the proper way to do this or if I am even barking up the right tree?

 

Thanks,

Turn off cloudflare proxy (orange cloud)?

That's what we recommend anyway. If you want to proxy through cloudflare, we don't officially support that (ie. you're on your own).
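For reference, here is a layout for the allow list Riotz described, written as an added editor's example; it is not Riotz's config and not the container's default file. It assumes the container's usual /config/nginx paths, uses example.com as a placeholder for the real domain, and reuses the ranges Riotz pasted from https://www.cloudflare.com/ips. Two things it is meant to show: allow/deny rules apply to the block they are written in and nginx stops at the first rule that matches, so the include belongs inside the server block and "deny all" has to be the last line; and the list only makes sense while the orange cloud is on, because with the proxy off, as recommended in the reply above, visitors arrive from their own addresses and "deny all" would reject every one of them.

```nginx
# /config/nginx/cloudflare-allow.conf   (added example)
# Cloudflare edge ranges as pasted in the post above; re-check
# https://www.cloudflare.com/ips from time to time, the list changes.

# IPv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

# Rules are checked top to bottom and the first match wins, so the
# catch-all deny must stay last.  Keeping it in this file means a single
# include is all a server block needs.
deny all;


# /config/nginx/site-confs/default   (added example, main site only)
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name example.com;            # placeholder for the real domain

    include /config/nginx/ssl.conf;

    # allow/deny apply to the block they sit in (and are inherited by its
    # location blocks), so the include goes here, inside the server block,
    # rather than at the top level of the file where it would apply to
    # every site-conf.
    include /config/nginx/cloudflare-allow.conf;

    # Do not add "real_ip_header CF-Connecting-IP" in this same block: the
    # realip module swaps the client address for the visitor's one before
    # the allow/deny check runs, and "deny all" would then match everyone.

    root /config/www;
    index index.html index.htm index.php;

    # Anything not arriving from a Cloudflare edge gets 403 Forbidden from
    # nginx itself, before any PHP or WordPress code runs.
}
```

Two limits worth knowing: the list says nothing about which Cloudflare zone sent the request, so any zone proxied through Cloudflare and pointed at this origin still passes; and requests that reach the origin through a different server block (the subdomain site-confs) are not covered unless those blocks include the same file.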

9 hours ago, C_James said:

So what do you recommend? Like, I've tried everything I've read online, contacted the ISP and they say they are not blocking any ports, so I'm totally stumped.

Did you follow the steps in the link I posted for you? You didn't even post a full log. You keep saying it doesn't work. I don't know how you expect us to help you more.


I mistakenly clobbered my letsencrypt docker. Hint: don't install two dockers with the same name, even mistakenly.

 

So I started over new and followed the same walk through as I did last time, but things didn't work this time.

 

https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

 

I filled in the docker just like the tutorial says, but using my data, which is also on duckdns.org. It first went wrong after I started the docker and I couldn't even connect to get the "Welcome to our server" message. When I connect to port 81 I get "site cannot be reached, connection refused". I continued, thinking that now I may need more configuration to get it working.

 

After completing the setup and adding a /sonarr subdirectory I still get that message for port 81, but now for port 444 I get a password prompt, which I enter, and then it gives me 403 Forbidden NGINX 1.16.1.

 

I was happy to see the username/password prompt, but the 403 is annoying.  It happens for every subdirectory.

 

Any ideas?

 

thanks

david

Edited by lovingHDTV

40 minutes ago, lovingHDTV said:

I mistakenly clobbered my letsencrypt docker. Hint: don't install two dockers with the same name, even mistakenly.

 

So I started over new and followed the same walk through as I did last time, but things didn't work this time.

 

https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

 

I filled in the docker just like the tutorial says, but using my data, which is also on duckdns.org. It first went wrong after I started the docker and I couldn't even connect to get the "Welcome to our server" message. When I connect to port 81 I get "site cannot be reached, connection refused". I continued, thinking that now I may need more configuration to get it working.

 

After completing the setup and adding a /sonarr subdirectory I still get that message for port 81, but now for port 444 I get a password prompt, which I enter, and then it gives me 403 Forbidden NGINX 1.16.1.

 

I was happy to see the username/password prompt, but the 403 is annoying.  It happens for every subdirectory.

 

Any ideas?

 

thanks

david

OK, I narrowed it down to my password file. If I remove it from the site-confs/default I can access everything internally and externally. If I put in:

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

I immediately get a 403 Forbidden message. No chance to even enter the password.

I tried Edge, as I hadn't used it, and I did get the password prompt before getting the 403 message.

Edited by lovingHDTV

40 minutes ago, lovingHDTV said:

OK, I narrowed it down to my password file. If I remove it from the site-confs/default I can access everything internally and externally. If I put in:

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

I immediately get a 403 Forbidden message. No chance to even enter the password.

I tried Edge, as I hadn't used it, and I did get the password prompt before getting the 403 message.

Nevermind, I found that my .htpasswd was located at /config/nginx/site-confs/.htpasswd.

 

Moved it to the correct place and everything started working.

On 8/26/2019 at 5:59 PM, aptalca said:

Turn off cloudflare proxy (orange cloud)?

That's what we recommend anyway. If you want to proxy through cloudflare, we don't officially support that (ie. you're on your own).

I did this and I can connect to it internally but not from any outside network. It was working perfectly while proxied (orange cloud) through cloudflare. I am not sure why it stopped working all of a sudden. I guess I will look elsewhere for an explanation. I just don't get why it broke all of a sudden.

6 hours ago, Riotz said:

I did this and I can connect to it internally but not from any outside network. It was working perfectly while proxied (orange cloud) through cloudflare. I am not sure why it stopped working all of a sudden. I guess I will look elsewhere for an explanation. I just don't get why it broke all of a sudden.

Stupid question but did your external IP change?  I get cloudflare message only if my Internet is down or my IP has changed.

 

https://whatismyipaddress.com/

4 hours ago, sauso said:

Stupid question but did your external IP change?  I get cloudflare message only if my Internet is down or my IP has changed.

 

https://whatismyipaddress.com/

It turns out the configuration on my UniFi controller needed to be reloaded. Traffic was not passing through port 443. Now I have a new problem with the container...

 

[two screenshots were attached here in the original post; not preserved]

 

Is there a way to fix this?


It works fine, but I notice this in the logs.

 

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

 

Is this something to worry about / future update? 

 

 

 

Sorry, I'll change my question. I guess it's harmless, which is cool; it just doesn't fix my OCD!

Edited by Nano

1 hour ago, Nano said:

It works fine, but I notice this in the logs.

 

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

 

Is this something to worry about / future update? 

This response 2 months ago in this thread sums it up nicely.

https://forums.unraid.net/topic/51808-support-linuxserverio-letsencrypt-nginx/?do=findComment&comment=748653

On 8/30/2019 at 5:11 AM, jonathanm said:

Hi, I had a similar issue and did a GitHub search; from what I can understand the issue does not cause anything to malfunction and is not an issue with the docker, so we will have to wait for a fix. I am confused because my certs seem to have expired. How do I fix that?


Is it possible to have NGINX not respond on the external IP? For example, to get rid of the

 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: me@example.com

 

Of course all the subdomains work, but it would be better if the default external would reject it.

 

Possible ?

12 hours ago, Nano said:

Is it possible to have NGINX not respond on the external IP? For example, to get rid of the

 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: me@example.com

 

Of course all the subdomains work, but it would be better if the default external would reject it.

 

Possible ?

Comment out the main location block in the default site config

15 hours ago, aptalca said:

Comment out the main location block in the default site config

Hi, I did this but then it just redirected directly to a subdomain.

 

I did as follows in "Site Confs" default:


# main server block
#server {
#    listen 443 ssl http2 default_server;
#    listen [::]:443 ssl http2 default_server;
#
#    root /config/www;
#    index index.html index.htm index.php;
#}

server {

 

I pasted the server { at the bottom after commenting out, as otherwise the letsencrypt log would just whine.
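An added example of the rejection Nano is after, written by the editor rather than taken from the container or from the post; it assumes the container's usual /config/nginx paths and that the per-app server blocks for the subdomains live in their own site-confs files. The point is that nginx needs one block marked default_server on each listen socket to handle requests whose Host or SNI name matches no server_name; when none is marked, the first server block parsed for that port takes the role, which is why commenting out the whole main block handed unknown names to a subdomain block. So keep the main block, but replace what it serves with a rejection:

```nginx
# /config/nginx/site-confs/default   (added example)
# Catch-all for port 443: anything whose name matches no other server_name
# (bare IP, unknown host) lands here and gets the connection closed.
# The port-80 block that the container ships is left untouched.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # "_" is just a placeholder name that never matches; this block is
    # selected because of default_server, not because of server_name.
    server_name _;

    # A certificate is still needed to finish the TLS handshake before
    # nginx learns the requested name, so the normal one is presented and
    # the names on it remain visible to whoever connects.
    include /config/nginx/ssl.conf;

    # 444 is nginx-specific: close the connection without sending any
    # response.  Use "return 403;" instead if a visible error and a normal
    # status code in access.log are preferred.
    return 444;
}

# The subdomain blocks stay as they are in their own files, each with a
# real server_name and no default_server flag, e.g.:
# server {
#     listen 443 ssl http2;
#     listen [::]:443 ssl http2;
#     server_name sonarr.example.com;      # placeholder
#     include /config/nginx/ssl.conf;
# }
```

Because there is still exactly one default_server per socket, nginx has no reason to complain at startup, and the "Welcome to our server" page is no longer served from /config/www for names that are not yours.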


I don't need support. I just wanted to say thanks for this container and its continuous maintenance. I started with Aptalca's container then switched to the linuxserver.io container. It's been close to 3 years of rock solid performance. I often forget it's even running. I thought about switching to the Nginx Proxy Manager for the nice GUI and the fact the nginx syntax makes me commit typo errors for whatever reason. However, the lack of fail2ban in that container has kept me away. I'm so glad you guys decided to bake that in. You can watch what I assume are bots getting blocked daily and it's a nice peace of mind.

 

This container works great with my firewalled "docker" VLAN using Custom br0.  Between the firewall and fail2ban I feel my little home setup is about as secure as I can get it.

 

As a fellow dev I know we don't always hear a peep from users in regards to appreciation for our hours of hard work.  So thanks again for keeping this container going.  I really do appreciate it.


Hi, trying to get UNMS to work correctly; has anyone had success with this? I can connect OK to the GUI but can't get devices to connect! Here is my conf file.

 

# make sure that your dns has a cname set for unms and that your unms container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name unms.berecomputing.co.uk;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_unms unms;
        proxy_pass https://$upstream_unms:443;
    }

    location /wss {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_unms unms;
        proxy_pass https://$upstream_unms:443;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_ssl_verify off;
    }

}

Can anyone see anything wrong here?

Cheers,

Tim

