linuxserver.io

[Support] Linuxserver.io - Letsencrypt (Nginx)

11 hours ago, aptalca said:

Also do a refresh of the browser (perhaps a force refresh with ctrl F5 or shift F5)

Thank you. I was modifying the right file just had to learn how to save using nano Text editor. 

On 3/8/2018 at 10:35 AM, BrandonG777 said:

I'm trying to use Google DNS, followed directions to the best of my abilities but I get this...

Failed authorization procedure. 777.mystupiddomain.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "_osh_Dq_e2Ns8E02XDK4ahHa7ZaIn7JEO0N6nGxK5GI" found at _acme-challenge.777.mystupiddomain.com

 

I've now hit the rate limit so be awhile before I can try anything. Damn this is frustrating.

Were you able to get this to work with Google DNS?

I have 25 subdomains and a wildcard cert seems like it would make more sense at this point.
I get to the acme-challenge step and it says that it cannot find a text record.

 

I set up the service account, the dns api, the managed zone. Not sure what I am missing.

27 minutes ago, growlith said:

Were you able to get this to work with Google DNS?

I have 25 subdomains and a wildcard cert seems like it would make more sense at this point.
I get to the acme-challenge step and it says that it cannot find a text record.

 

I set up the service account, the dns api, the managed zone. Not sure what I am missing.

Just to confirm, are you using Google cloud dns and not Google domains dns?

 

This only works with Google cloud dns, the paid version

On 7/24/2019 at 2:22 AM, ebnerjoh said:

Hi, 

 

Was there recently a change on Letsencrypt? Today my websites were broken because the certificate was not renewed. The last renewal was in April. In the logs I cannot find any related error; of course there are warnings, but I do not think they are responsible for the issue.

 


-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=familie-ebner.at
SUBDOMAINS=cloud,tauchen,solar,ha,solar2,nr,nr2,wetter,wetter2,mqtt,
EXTRA_DOMAINS=cloud.ff-metnitz.at,slideshow.ff-metnitz.at,backup.ff-metnitz.at,
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=johannes@familie-ebner.at
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cloud.familie-ebner.at -d tauchen.familie-ebner.at -d solar.familie-ebner.at -d ha.familie-ebner.at -d solar2.familie-ebner.at -d nr.familie-ebner.at -d nr2.familie-ebner.at -d wetter.familie-ebner.at -d wetter2.familie-ebner.at -d mqtt.familie-ebner.at
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d cloud.ff-metnitz.at -d slideshow.ff-metnitz.at -d backup.ff-metnitz.at
E-mail address entered: johannes@familie-ebner.at
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/ha.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/mqtt.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/nr.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/nr2.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/wetter.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/wetter2.familie-ebner.at:42
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [warn] conflicting server name "wetter.familie-ebner.at" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wetter2.familie-ebner.at" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wetter.familie-ebner.at" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "wetter2.familie-ebner.at" on 0.0.0.0:443, ignored
Server ready

 

Did you find a solution for this? I just updated the container yesterday and now all my sites are down with this error.

 

EDIT: I eliminated this error by commenting out the ssl on; because apparently it's not needed with the listen 443 ssl http2;

However, in doing this, I now have a new error:

 

nginx: [emerg] the size 52428800 of shared memory zone "SSL" conflicts with already declared size 10485760 in /config/nginx/ssl.conf:3

 

I am not finding much on google, any advice is appreciated!

 

Edited by WexfordStyle
corrected and found another error

On 12/8/2019 at 3:44 PM, WexfordStyle said:

Did you find a solution for this? I just updated the container yesterday and now all my sites are down with this error.

 

EDIT: I eliminated this error by commenting out the ssl on; because apparently it's not needed with the listen 443 ssl http2;

However, in doing this, I now have a new error:

 

nginx: [emerg] the size 52428800 of shared memory zone "SSL" conflicts with already declared size 10485760 in /config/nginx/ssl.conf:3

 

I am not finding much on google, any advice is appreciated!

 

Also having this exact problem after doing my weekly updates on Sunday. Can't seem to find a solution though?

4 hours ago, mattmill said:

Also having this exact problem after doing my weekly updates on Sunday. Can't seem to find a solution though?

Did you check line 3 of your ssl.conf?
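
An added example, not part of any post in this thread: a small scanner for the two nginx messages discussed above, the deprecated `ssl on;` warning and the `[emerg]` shared memory zone size conflict. It assumes the conflict comes from a second `ssl_session_cache shared:SSL:...` declaration with a different size somewhere else in the config (the thread never shows it); the sample file contents and the site-conf name `example-site` are constructed.

```python
import re
from collections import defaultdict

# Constructed sample configs, not taken from the thread. Only the path
# /config/nginx/ssl.conf, its line 3 and the two sizes come from the
# error message; the site-conf name "example-site" is hypothetical.
SAMPLE_CONFIGS = {
    "/config/nginx/ssl.conf": (
        "# session settings\n"
        "ssl_session_timeout 1d;\n"
        "ssl_session_cache shared:SSL:10m;\n"
    ),
    "/config/nginx/site-confs/example-site": (
        "server {\n"
        "    listen 443 ssl http2;\n"
        "    ssl on;\n"
        "    ssl_session_cache shared:SSL:50m;  # leftover from an older setup\n"
        "    # ssl_session_cache shared:SSL:20m;  (commented out, ignored)\n"
        "}\n"
    ),
}

# nginx size suffixes accepted here: none (bytes), k and m.
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
CACHE_RE = re.compile(
    r"^\s*ssl_session_cache\b[^;#]*?\bshared:(\w+):(\d+)([kKmM]?)"
)
SSL_ON_RE = re.compile(r"^\s*ssl\s+on\s*;")


def iter_lines(configs):
    """Yield (path, line number, text) for every line of every file."""
    for path, text in configs.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            yield path, lineno, line


def find_zone_conflicts(configs):
    """Return {zone: [(path, line, bytes), ...]} for zones declared with
    more than one size, which is what makes nginx refuse to start."""
    zones = defaultdict(list)
    for path, lineno, line in iter_lines(configs):
        m = CACHE_RE.match(line)
        if m:
            size = int(m.group(2)) * UNITS[m.group(3).lower()]
            zones[m.group(1)].append((path, lineno, size))
    return {
        name: sorted(decls)
        for name, decls in zones.items()
        if len({size for _, _, size in decls}) > 1
    }


def find_deprecated_ssl_on(configs):
    """Return [(path, line)] for every active 'ssl on;' directive."""
    return [
        (path, lineno)
        for path, lineno, line in iter_lines(configs)
        if SSL_ON_RE.match(line)
    ]


if __name__ == "__main__":
    for zone, decls in find_zone_conflicts(SAMPLE_CONFIGS).items():
        print(f'shared zone "{zone}" declared with different sizes:')
        for path, lineno, size in decls:
            print(f"  {path}:{lineno}  {size} bytes")
    for path, lineno in find_deprecated_ssl_on(SAMPLE_CONFIGS):
        print(f'{path}:{lineno}  deprecated "ssl on;" (use "listen ... ssl")')
```

To run it against a real setup, fill the dictionary by reading every file under the nginx config directory instead of using the constructed sample.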

On 12/10/2019 at 6:34 AM, aptalca said:

Did you check line 3 of your ssl.conf?

 

I took the weak ass way out and just killed my config and started fresh. I had done it a couple of years ago and my letsencrypt config was hacked together from here and there.

 

Much easier now thanks to the LS.io team. 👐


Getting "Let's Encrypt certificate expiration notice". I had thought, in the past, certs were automatically renewed? Or you could force renewal by stopping and starting LE? I can delete and start again but this just started happening in the past few weeks. All was good previously. Just wondering as in the notes above others are having some weirdness. I can submit logs if that helps?

7 minutes ago, TexasDave said:

Getting "Let's Encrypt certificate expiration notice". I had thought, in the past, certs were automatically renewed? Or you could force renewal by stopping and starting LE? I can delete and start again but this just started happening in the past few weeks. All was good previously. Just wondering as in the notes above others are having some weirdness. I can submit logs if that helps?

I would. That would help to troubleshoot.


Log from starting earlier today....deleted email and domains.


 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=duckdns.org
SUBDOMAINS=aaa,bbb,ccc
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=xxx@zzz.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d aaa -d bbbb -d cccc
E-mail address entered: xxx@zzz.com
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 

50 minutes ago, TexasDave said:

Log from starting earlier today....deleted email and domains.


 



 

Did you check the certificate if it's really expiring?

 

The certificate is renewed at night, so be sure to leave your server on or else it will not be renewed.

You can also just add a new fake subdomain to trigger a new certificate.


I used this handy site (check-your-website.server-daten.de) to check and yes, the certs were expiring.

 

In the docker I deleted one of my domains, then added it back, and now I am back on the 90 day window (cheating, I know).

 

I suspect that it relates to a restore I had to do a few months ago and it is now just manifesting itself. But now sorted...

 

Two side questions - how do you access certbot or ssl-cert from the command line in unRAID? Or how can I check cert status directly from unRAID rather than using a 3rd party site? Just curious. Thanks!

I used this handy site (check-your-website.server-daten.de) to check and yes, the certs were expiring.
 
In the docker I deleted one of my domains, then added it back, and now I am back on the 90 day window (cheating, I know).
 
I suspect that it relates to a restore I had to do a few months ago and it is now just manifesting itself. But now sorted...
 
Two side questions - how do you access certbot or ssl-cert from the command line in unRAID? Or how can I check cert status directly from unRAID rather than using a 3rd party site? Just curious. Thanks!
Load your site in the browser and check the cert in Chrome/Firefox


Hello, wondering if an expert can immediately identify the problem here to save me some time messing with my app subfolder conf. 
 

I have my webapp accessible via https://mydomain.duckdns.org:444/appname/
 

this successfully brings you to the login page for this webapp. Once you submit your credentials, you get sent to:


https://mydomain.duckdns.org/appname/entrance/

 

instead of 

 

https://mydomain.duckdns.org:444/appname/entrance/

 

if you go ahead and add the port back in then you’re fine the rest of the way, but that initial login causes the port to disappear from the URL. 

 

location ^~ /appname {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    proxy_pass http://appname:80;
}

 

Any ideas what I need to add to solve this? Thanks!

1 hour ago, josh1014 said:

Hello, wondering if an expert can immediately identify the problem here to save me some time messing with my app subfolder conf. 
 

I have my webapp accessible via https://mydomain.duckdns.org:444/appname/
 

this successfully brings you to the login page for this webapp. Once you submit your credentials, you get sent to:


https://mydomain.duckdns.org/appname/entrance/

 

instead of 

 

https://mydomain.duckdns.org:444/appname/entrance/

 

if you go ahead and add the port back in then you’re fine the rest of the way, but that initial login causes the port to disappear from the URL. 

 

location ^~ /appname {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    proxy_pass http://appname:80;
}

 

Any ideas what I need to add to solve this? Thanks!

Probably the app redirecting to the host address without the port


Hey guys,

I'm looking to set up minio with LE, however, I don't see a minio in the config files. Could someone help me out with how to make a config file for it? I really don't have a clue how to write them or what it needs to say. Would appreciate some help with this. Thanks so much!


Hi,

I'm trying to get a conf made for traccar, found this, but it doesn't work, so can someone point me in a direction why it fails, or perhaps share a working conf?

 

server {
    listen          IP:80;
    server_name     DOMAIN.COM;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/socket {
        proxy_pass http://localhost:8082/api/socket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

5 hours ago, SDEN said:

Hi,

I'm trying to get a conf made for traccar, found this, but it doesn't work, so can someone point me in a direction why it fails, or perhaps share a working conf?

 

server {
    listen          IP:80;
    server_name     DOMAIN.COM;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/socket {
        proxy_pass http://localhost:8082/api/socket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

Both localhost and 127.0.0.1 refer to locations inside the letsencrypt container. Replace that with an address letsencrypt can use to access traccar

 

Also it's set to listen only on port 80, which is not right.

 

Don't copy paste a config from elsewhere. Take an existing proxy conf and modify accordingly. Also see the examples provided in the default site conf.

Edited by aptalca


I have this working on my unraid server with sonarr, radarr, nextcloud and plex. But I have another Ubuntu NUC server running Invoice Ninja. I have made a subdomain for it, but how do I create a .conf file for it to use outside of the docker network?

 

 Thanks

Edited by Technazz

6 hours ago, Technazz said:

I have this working on my unraid server with sonarr, radarr, nextcloud and plex. But I have another Ubuntu NUC server running Invoice Ninja. I have made a subdomain for it, but how do I create a .conf file for it to use outside of the docker network?

 

 Thanks

Modify an existing conf and use the ip in the proxy pass directive


Hi,

Everything is working for me but my logs get cleared. Can I turn this off? I think they're getting cleared every week or so.

Thanks

2 hours ago, hypermmi said:

Hi,

Everything is working for me but my logs get cleared. Can I turn this off? I think they're getting cleared every week or so.

Thanks

They get rotated weekly. You should have logs for up to a year


Just had my certificates expire. Restarted the LE container several times, but it never tried to renew the cert. I also back up my appdata every night, so the container gets restarted nightly. Ended up having to run the renew command manually.

 

I had gotten some emails saying the certificates were set to expire today, but I just assumed that was normal and that they would get renewed automatically. Guess not.

 

cronjob running on Sun Nov 17 02:08:00 CST 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2019-12-26 (skipped)
No renewals were attempted.
No hooks were run.

I found this repeated over and over in the letsencrypt logs. So it knew it was expiring, but never renewed it.

 

Is there anything glaringly obvious that would keep the LE container from renewing the certificates automatically?

Edited by drawmonster
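
An added example, not part of the post above: a reader for the cron log format quoted there, which works out for each "(skipped)" line how many days were left at that run and on which date certbot would first treat the cert as due. It assumes certbot's default of renewing within 30 days of expiry (the default at the time of this thread) and compares calendar dates only; the sample is an abridged copy of the log in the post.

```python
import re
from datetime import date, timedelta

# Abridged from the cron log quoted in the post above.
SAMPLE_LOG = """\
cronjob running on Sun Nov 17 02:08:00 CST 2019
Running certbot renew
Processing /etc/letsencrypt/renewal/mydomain.com.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2019-12-26 (skipped)
No renewals were attempted.
"""

# Assumption: certbot's default renewal window of 30 days before expiry.
RENEW_WINDOW_DAYS = 30

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# "cronjob running on Sun Nov 17 02:08:00 CST 2019" -> month, day, year
RUN_RE = re.compile(
    r"^cronjob running on \w{3} (\w{3}) +(\d{1,2}) [\d:]+ \S+ (\d{4})"
)
# "<path> expires on YYYY-MM-DD (skipped)"
SKIP_RE = re.compile(
    r"^\s*(\S+) expires on (\d{4})-(\d{2})-(\d{2}) \(skipped\)"
)


def analyse(log_text, window_days=RENEW_WINDOW_DAYS):
    """Return one finding per skipped cert, tied to the run that skipped it."""
    run_date = None
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            month = MONTHS.index(m.group(1)) + 1
            run_date = date(int(m.group(3)), month, int(m.group(2)))
            continue
        m = SKIP_RE.match(line)
        if m and run_date:
            expires = date(*map(int, m.group(2, 3, 4)))
            due = expires - timedelta(days=window_days)
            findings.append({
                "cert": m.group(1),
                "run": run_date,
                "expires": expires,
                "days_left": (expires - run_date).days,
                "renewal_due": due,
                # A skip before the due date is normal; a skip after it
                # points at a non-default window or a failing job.
                "verdict": ("skip expected" if run_date < due
                            else "skip inside renewal window"),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['cert']}: run {f['run']}, expires {f['expires']}, "
              f"{f['days_left']} days left, due from {f['renewal_due']}: "
              f"{f['verdict']}")
```

For the quoted run this reports 39 days left and a due date of 2019-11-26, so the log entries worth reading are the ones from runs on or after that date.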
