[Support] Linuxserver.io - Letsencrypt (Nginx)


1 hour ago, g0nz0 said:

I'm trying to use this container, which I had working for a single subdomain, but now I'm getting the following after trying to add additional domains:
 


Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw
File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 61, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

I've tried rebuilding the container etc., but I'm not able to get past this error.

Anyone able to help or point me in the right direction? As this appears to be an issue with custom internal code, I'm at a loss at being able to debug the issue myself.

Thanks for the help.

 

Post your container settings

4 hours ago, aptalca said:

Post your container settings

Sorry to be dense, but are they in an XML file somewhere, like with Rancher and its API?

13 minutes ago, g0nz0 said:

Sorry to be dense, but are they in an XML file somewhere, like with Rancher and its API?

If not, this is a copy paste from the docker container edit page:
 

Name:	letsencrypt
Repository:	linuxserver/letsencrypt
Network Type: Custom: br2.2502	
Fixed IP address (optional): 10.250.2.101
Subnet: 10.250.2.0/24
Console shell command:	Shell
Privileged:	ON
http:   Container Port: 80
https:  Container Port: 443
Email:	gonzo@g0nz0.me.uk
Domain Name: g0nz0.me.uk
Subdomain(s):	unifi,plex,firewall,
Only Subdomains:	true
Diffie Hellman:	2048
Validation:	http
AppData Config Path:	/mnt/user/appdata/letsencrypt

 

Edited by g0nz0

Seriously, it's working again now. The issue must have been an error coming back from the letsencrypt API or certbot and just not being handled well in the code.
 

If you're a / the dev on this project, let me know if you want some log extracts (specifically what you want from the logs etc) and I'll get them to you to investigate.

18 minutes ago, g0nz0 said:

Seriously, it's working again now. The issue must have been an error coming back from the letsencrypt API or certbot and just not being handled well in the code.
 

If you're a / the dev on this project, let me know if you want some log extracts (specifically what you want from the logs etc) and I'll get them to you to investigate.

I don't think we need them; if it were a widespread issue, we'd have heard by now. As it stands, a solitary report doesn't justify a conclusion that the container logic isn't handling things well. If the API/certbot had an issue, no amount of rewriting of the container is going to fix that.


Having issues with python cryptography -- looks like py3-openssl was updated just a few hours after the current latest version was updated, and is causing issues because py3-cryptography is outdated now? I'm no expert, just a bit of digging. Error is:

 

pkg_resources.ContextualVersionConflict: (cryptography 2.6.1 (/usr/lib/python3.7/site-packages), Requirement.parse('cryptography>=2.8'), {'PyOpenSSL'})

EDIT: In the meantime, running this in console and restarting works fine, though it has to be done each time the container is recreated (edited, etc)
apk add gcc musl-dev libffi-dev openssl-dev python3-dev; pip install cryptography --upgrade
 


Edited by drumstyx

6 hours ago, drumstyx said:

Having issues with python cryptography -- looks like py3-openssl was updated just a few hours after the current latest version was updated, and is causing issues because py3-cryptography is outdated now? I'm no expert, just a bit of digging. Error is:

 


pkg_resources.ContextualVersionConflict: (cryptography 2.6.1 (/usr/lib/python3.7/site-packages), Requirement.parse('cryptography>=2.8'), {'PyOpenSSL'})


https://github.com/linuxserver/docker-letsencrypt/issues/379#issuecomment-555991614


Hello there. Unsure if this is the most appropriate place to ask but I guess it's worth a try.

I keep getting "Challenge failed for domain.." in the initial setup validation and I suspect I'm messing up with the port-forwarding somewhere along my network.

-Following SpaceInvaderOnes' guide on Letsencrypt I have http pointing to 180 and https to 1443.

-I have an "obligatory" modem provided by my ISP (Technicolor TG789vac v2) which does not allow/provide an option to switch to bridge mode due to some kind of conflict with VoIP. My port settings are visible in image 1.

-I have a Mikrotik hEX PoE Routerboard with port settings visible in image 2, or as follows:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=1443

/ip firewall nat
add action=masquerade chain=srcnat comment=Letsencrypt dst-port=180,1443 dst-address=192.168.88.88 protocol=tcp

Where 192.168.88.1 points to the Mikrotik router and 192.168.88.88 points to Unraid.

 

Any ideas on where I might be messing up?

Please ask if additional info might be required. Appreciate your time and effort.

Image 1.png

Image2.png

1 hour ago, Tzundoku said:

Hello there. Unsure if this is the most appropriate place to ask but I guess it's worth a try.

I keep getting "Challenge failed for domain.." in the initial setup validation and I suspect I'm messing up with the port-forwarding somewhere along my network.


In the Mikrotik you should port forward 180 to 180 and 1443 to 1443, as you already port forwarded from 80 to 180 and 443 to 1443 in your ISP modem. With the forwarding you set up now, all traffic is lost between the modem and your router.

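To see why the double-NAT chain above drops the HTTP-01 challenge, here is an added example (not code from linuxserver.io or from anyone in this thread) that traces a packet's destination port hop by hop: the ISP modem rewrites 80 to 180 before the Mikrotik ever sees it, so a Mikrotik rule matching dst-port 80 never fires. Hop names and the modem-side address 192.168.1.2 are constructed; the 180/1443 host ports and 192.168.88.88 come from the post.

```python
"""Trace a TCP connection through chained port forwards (double NAT).

Added example for this thread, not code from linuxserver.io or the posters.
It models the setup above: the ISP modem forwards 80->180 and 443->1443 to
the Mikrotik WAN side (192.168.1.2, constructed), the Mikrotik forwards on
to Unraid (192.168.88.88), and Docker maps host 180->container 80 and
1443->443 for the letsencrypt container.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]  # (address, port) a dst-nat rule forwards to


@dataclass
class Hop:
    """One NAT device: inbound dst-port -> (to-address, to-port)."""
    name: str
    rules: Dict[int, Target] = field(default_factory=dict)


def trace(hops: List[Hop], dst_port: int) -> Tuple[List[str], Optional[Target]]:
    """Follow a packet with the given dst-port through every hop in order.

    Each hop only sees the port the previous hop rewrote it to. That is what
    the 80->180 rule on the Mikrotik gets wrong: by the time the packet
    arrives there, the modem has already changed 80 into 180.
    Returns (human-readable path, final target or None when dropped).
    """
    path: List[str] = []
    port = dst_port
    target: Optional[Target] = None
    for hop in hops:
        target = hop.rules.get(port)
        if target is None:
            path.append(f"{hop.name}: no dst-nat rule for port {port}, dropped")
            return path, None
        path.append(f"{hop.name}: {port} -> {target[0]}:{target[1]}")
        port = target[1]
    return path, target


def build_chain(mikrotik_rules: Dict[int, int]) -> List[Hop]:
    """Modem -> Mikrotik -> Docker host, varying only the Mikrotik rules."""
    modem = Hop("isp-modem", {80: ("192.168.1.2", 180), 443: ("192.168.1.2", 1443)})
    mikrotik = Hop("mikrotik", {p: ("192.168.88.88", t) for p, t in mikrotik_rules.items()})
    docker = Hop("unraid-docker", {180: ("letsencrypt", 80), 1443: ("letsencrypt", 443)})
    return [modem, mikrotik, docker]


# What the poster configured: the Mikrotik matches 80 and 443, but the modem
# already rewrote those to 180 and 1443, so nothing matches.
BROKEN = build_chain({80: 180, 443: 1443})
# saarg's correction: match the ports the modem hands over, 180 and 1443.
FIXED = build_chain({180: 180, 1443: 1443})


def http01_reachable(hops: List[Hop]) -> bool:
    """HTTP-01 validation needs external :80 to land on the container's :80."""
    _, final = trace(hops, 80)
    return final == ("letsencrypt", 80)


if __name__ == "__main__":
    for label, chain in (("broken", BROKEN), ("fixed", FIXED)):
        path, _ = trace(chain, 80)
        print(f"[{label}] " + " | ".join(path))
        print(f"[{label}] HTTP-01 reachable: {http01_reachable(chain)}")
```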
3 hours ago, Tzundoku said:

Hello there. Unsure if this is the most appropriate place to ask but I guess it's worth a try.

I keep getting "Challenge failed for domain.." in the initial setup validation and I suspect I'm messing up with the port-forwarding somewhere along my network.


After following @saarg's advice, use this to confirm: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/


Hi,

 

I'm trying to move my Nextcloud setup from a subfolder setup to a dedicated subdomain using a CNAME record pointing to my DNS.

But I'm struggling to get this to work.

 

Here are the files I adjusted, maybe someone can have a look at this please:

 

Letsencrypt container:

config\nginx\proxy-confs\nextcloud.subdomain.conf

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud Nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 

Letsencrypt container:

config\nginx\site-confs\default

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	# enable subfolder method reverse proxy confs
	#include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

 

Nextcloud container

config\nginx\site-confs\default

upstream php-handler {
    server 127.0.0.1:9000;
    # server unix:/var/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    # listen [::]:80;
    server_name cloud.*;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name cloud.*;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant  
    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Fetch forwarded remote IP address instead of IP address of docker0 bridge interface
    real_ip_header X-Forwarded-For;
    set_real_ip_from 172.17.0.0/16;
    real_ip_recursive on;

    # Path to the root of your installation
    root /config/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
	}

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /nextcloud/public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

 

Nextcloud container:

config\www\nextcloud\config\default

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => '192.168.121.10:444',
    1 => 'cloud.mydomain.de',
  ),
  'trusted_proxies' => ['letsencrypt'],
  'overwrite.cli.url' => 'https://cloud.mydomain.de',
  'overwritehost' => 'cloud.mydomain.de',
  'overwriteprotocol' => 'https',
  '...
);

 

I'm also running Emby with the same config files in Letsencrypt and have no issues there.

When trying to load my Nextcloud site I just get 502 Bad Gateway after a while.

3 hours ago, Marv said:

Hi,

 

I'm trying to move my Nextcloud setup from a subfolder setup to a dedicated subdomain using a CNAME record pointing to my DNS.

But I'm struggling to get this to work.

 


You set the proxy pass to "Nextcloud". It should be "nextcloud" and the container name should also be "nextcloud"

8 hours ago, aptalca said:

You set the proxy pass to "Nextcloud". It should be "nextcloud" and the container name should also be "nextcloud"

 

But my container is named "Nextcloud" actually. That's why I'm using:

set $upstream_nextcloud Nextcloud;

Isn't this correct then?

9 hours ago, Marv said:

 

But my container is named "Nextcloud" actually. That's why I'm using:


set $upstream_nextcloud Nextcloud;

Isn't this correct then?

You can't use uppercase for the container name if you want this to work. So change it to all lower case in both places.

We set it up in the template to use lower case so the user doesn't have to do anything special to get it to work.

15 hours ago, saarg said:

You can't use uppercase for the container name if you want this to work. So change it to all lower case in both places.

We set it up in the template to use lower case so the user doesn't have to do anything special to get it to work.

 

Ok thanks. I'll try this later.

 

Just out of curiosity: Is it possible to use the default config file under "site-confs" to just handle my Nextcloud subdomain (cloud.mydomain.com) and another config for Emby (emby.mydomain.com) under "proxy-confs"? The reason I'm asking is because I don't really have a use case for my main domain (mydomain.com) or my DNS url and just want the two subdomains to be "visible". So when entering either mydomain.com or my DNS domain I want to get pointed to cloud.mydomain.com for example.

Is this possible?

4 hours ago, Marv said:

 

Ok thanks. I'll try this later.

 

Just out of curiosity: Is it possible to use the default config file under "site-confs" to just handle my Nextcloud subdomain (cloud.mydomain.com) and another config for Emby (emby.mydomain.com) under "proxy-confs"? The reason I'm asking is because I don't really have a use case for my main domain (mydomain.com) or my DNS url and just want the two subdomains to be "visible". So when entering either mydomain.com or my DNS domain I want to get pointed to cloud.mydomain.com for example.

Is this possible?

Sure, the proxy confs get imported into the default site conf via "include" statements when nginx reads them.


Hey everyone, I had to change DNS configurations recently due to port 80 being blocked and I'm having a heck of a time since moving to Cloudflare and trying to use DNS authentication. I have tried many things and am getting 522 errors from Cloudflare and am hoping that you can help me.

 

I most recently started over with the letsencrypt container; here are my configs....

 

Log file output

Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=xxx.net
SUBDOMAINS=cloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=support@xxx.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d cloud.xxx.net
E-mail address entered: support@xxx.com
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

 

My Cloudflare.ini is set okay based on the cert being setup - skipping that

 

Proxy config for nextcloud (also the name in my docker settings):


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:8000;
    }
}

 

Nextcloud and Letsencrypt Docker configs are attached. The Unraid web interface runs on another port, so I do actually use 443 for Letsencrypt.

 

My Cloudflare settings are also attached. I'm not sure if my subdomains should be proxied or not and what my SSL setting should be.

 

Thanks for any help you can offer!

 

 


@Kash76
You do not change the port in the proxy conf when using a custom bridge, as letsencrypt and nextcloud are talking internally and don't use the port forwards.

Change it from 8000 back to 443.

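The point saarg makes here is the first thing to verify when Cloudflare returns 522 or 523: on a shared custom bridge nginx connects to the other container by its name on the container's own port, and a 522/523 just means the origin never answered. The following is a shell helper added for this edit (it is not part of the linuxserver image and was not posted in the thread) that reads the host and port out of a proxy conf the way nginx will resolve them, and can then probe that address from inside the letsencrypt container. It assumes the conf uses the "set $upstream_x name;" / "proxy_pass scheme://$upstream_x:port;" pattern seen above, that the container is named letsencrypt, and that curl is available inside it; the conf it parses in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the linuxserver letsencrypt image: work out which
# upstream nginx will connect to for a proxy conf, then optionally probe it
# from inside the letsencrypt container. Cloudflare 522/523 means the origin
# never answered, so the first check is that nginx can reach the other
# container by its internal name and container port (not the host-mapped one).

# Print "host port scheme" for the first proxy_pass in CONF. Handles the
# "set $upstream_x name; proxy_pass scheme://$upstream_x:port[/path];" pattern
# used by the proxy confs in this thread, and a literal host as a fallback.
upstream_from_conf() {
  conf=$1
  pp=$(grep -m1 -E '^[[:space:]]*proxy_pass[[:space:]]' "$conf") || return 1
  case $pp in
    *https://*) scheme=https; port=443 ;;
    *)          scheme=http;  port=80  ;;
  esac
  # an explicit :port overrides the scheme default
  explicit=$(printf '%s\n' "$pp" | sed -nE 's/.*:([0-9]+)([;/].*)?$/\1/p')
  if [ -n "$explicit" ]; then port=$explicit; fi
  var=$(printf '%s\n' "$pp" | sed -nE 's/.*[$]([A-Za-z0-9_]+).*/\1/p')
  if [ -n "$var" ]; then
    # resolve the nginx variable from its "set $var value;" line
    host=$(grep -E "^[[:space:]]*set[[:space:]]+[\$]$var[[:space:]]" "$conf" |
           sed -nE 's/.*[[:space:]]([^[:space:];]+);.*/\1/p' | head -n 1)
  else
    host=$(printf '%s\n' "$pp" | sed -nE 's#.*://([^:/;]+).*#\1#p')
  fi
  printf '%s %s %s\n' "$host" "$port" "$scheme"
}

# Connect to the upstream from inside the letsencrypt container, i.e. from the
# network namespace nginx actually uses. Prints the HTTP status (000 means no
# connection). Assumes docker on the host and curl inside the container.
probe_upstream() {
  docker exec "${CONTAINER:-letsencrypt}" \
    curl -sk --max-time 5 -o /dev/null -w '%{http_code}\n' "$3://$1:$2/"
}

# Demonstration on a constructed conf mirroring the nextcloud one above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_pass https://$upstream_nextcloud:443;
    }
EOF
set -- $(upstream_from_conf "$demo")
echo "nginx will connect to $3://$1:$2"
rm -f "$demo"
# On the real host, probe that address from inside the container:
# probe_upstream "$1" "$2" "$3"
```

If the probe returns 000 while the same URL works from the Unraid host, the two containers are not on the same network or the name does not resolve through 127.0.0.11; if it returns a status code but the browser still shows 522, the problem is between Cloudflare and nginx rather than between nginx and Nextcloud.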
5 hours ago, saarg said:

@Kash76
You do not change the port in the proxy conf when using a custom bridge, as letsencrypt and nextcloud are talking internally and don't use the port forwards.

Change it from 8000 back to 443.

Thanks much for the response.  I changed it back to this and am still getting 522 errors on network and 523 off network.

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 


Alright, I feel really dumb, but I cannot get Ubooquity to work, at all.  I get the "welcome to our server" page.

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name comics.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202/ubooquity/;
    }

    location /admin {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2203/ubooquity/admin/;
    }
}

 

I have tried without the /ubooquity, etc., and it does not work.  I've gotten it to work by using comics.domain.com/ubooquity/ with only the port listed in proxy_pass instead of the URL, but it had no CSS and would show me no actual data, so something is wonky...  I own the domain and use a dynamic DNS to update my domain name; all my CNAMEs are pointed to domain.com and other things work (Organizr, Booksonic as mentioned below). I'm just hung up here on Ubooquity currently, but if anything with a base URL doesn't work I don't know how functional this is for me. I was happy with redirects, but I would prefer to use an HTTPS connection if possible.

 

I had a similar issue with Booksonic and was able to just turn off the /booksonic/ part of that URL so it loads directly without the base URL; I could not get it to work if I had /booksonic in the proxy_pass line either...  I cannot determine how to do that with my Ubooquity server, so if I should ask there instead, just let me know.

 

Help.  Please.


I was alerted via email that my LetsEncrypt cert was expiring soon.  I decided to run "certbot renew" from the CLI but received the below error.  After much troubleshooting I am unable to determine what could be causing the issue.  The logs do not give much info other than what is below.  Any thoughts?

 

root@f74f982f283f:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address?). Skipping.
All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

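Two separate things show up in this renewal log: certbot warns that the credentials file is readable by more than its owner ("Unsafe permissions on credentials configuration file"), and the Cloudflare API then rejects the key (error 9103). The first is worth fixing on its own, because that file holds an API key with write access to the zone's DNS. Below is a shell check added for this edit (not from the linuxserver image and not posted in the thread) that verifies /config/dns-conf/cloudflare.ini is mode 600 and actually contains the keys the certbot-dns-cloudflare plugin reads (dns_cloudflare_api_token, or dns_cloudflare_email together with dns_cloudflare_api_key), and tightens the permissions when asked. The file it creates for the demonstration is constructed and holds a placeholder, not a real token.

```shell
#!/bin/sh
# Added example, not part of the linuxserver letsencrypt image: check the
# certbot-dns-cloudflare credentials file before running "certbot renew".
# The path certbot named in the log above is /config/dns-conf/cloudflare.ini.

# Octal permission bits of a file (GNU/busybox stat, with a BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# 0 if only the owner can read the file (600, 400, 700 ...), 1 otherwise.
# certbot prints "Unsafe permissions on credentials configuration file"
# whenever any group or other permission bit is set.
creds_mode_ok() {
  case $(file_mode "$1") in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# 0 if FILE has a non-empty "KEY = value" line, 1 otherwise.
has_key() {
  grep -qE "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]+" "$1"
}

# 0 if the file carries credentials the plugin can use: either an API token,
# or the email + global API key pair. The values themselves are not checked.
creds_keys_ok() {
  if has_key "$1" dns_cloudflare_api_token; then
    return 0
  fi
  has_key "$1" dns_cloudflare_email && has_key "$1" dns_cloudflare_api_key
}

# Report problems with FILE; with a second argument "fix", chmod 600 it.
# Returns 0 when the file is usable, 1 when it is not, 2 when it is missing.
check_cloudflare_ini() {
  f=$1; rc=0
  [ -f "$f" ] || { echo "missing: $f"; return 2; }
  if ! creds_mode_ok "$f"; then
    echo "unsafe permissions on $f (mode $(file_mode "$f"))"
    if [ "${2:-}" = fix ]; then
      chmod 600 "$f" && echo "fixed: chmod 600 $f"
    else
      rc=1
    fi
  fi
  if ! creds_keys_ok "$f"; then
    echo "no usable credentials in $f: need dns_cloudflare_api_token, or dns_cloudflare_email and dns_cloudflare_api_key"
    rc=1
  fi
  return $rc
}

# Demonstration on a constructed file (placeholder value, not a real token).
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'dns_cloudflare_api_token = REPLACE_WITH_API_TOKEN' > "$demo"
chmod 644 "$demo"                     # deliberately too open, like the log above
check_cloudflare_ini "$demo" || echo "check failed, as expected for mode 644"
check_cloudflare_ini "$demo" fix && echo "file is now usable (mode $(file_mode "$demo"))"
rm -f "$demo"
# Inside the container, the real file is checked with:
#   check_cloudflare_ini /config/dns-conf/cloudflare.ini fix
```

The permissions check only tells you whether other users in the container can read the key; the 9103 error is Cloudflare saying the key itself is wrong, which in this thread turned out to be a rotated key. Run the check before pasting a new key in, so the fresh credential at least starts out owner-only.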
5 minutes ago, MrMoosieMan said:

I was alerted via email that my LetsEncrypt cert was expiring soon.  I decided to run "certbot renew" from the CLI but received the below error.  After much troubleshooting I am unable to determine what could be causing the issue.  The logs do not give much info other than what is below.  Any thoughts?

 

root@f74f982f283f:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address?). Skipping.
All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I just answered my own question.  Not sure why but my API key had changed with Cloudflare.  Replaced the key and BAM, it renewed without issue. 

3 hours ago, Kash76 said:

Thanks much for the response.  I changed it back to this and am still getting 522 errors on network and 523 off network.

 


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 

Turn off cloudflare proxy (click on the orange cloud)
