[Support] Linuxserver.io - Letsencrypt (Nginx)


1 hour ago, SavellM said:

Hi guys

So I set up letsencrypt last night. My domains are pointing to Cloudflare and then I have my subdomains as A records.

Now I used DNS as verification and put my Cloudflare API key into letsencrypt, and when I check the logs it says Server Ready.

I then renamed the config files for sonar.sub-domain.conf-sample and removed the sample. Same for radarr and nzbget and some others.

Restarted letsencrypt and the entire server, no dice. I just get a Cloudflare "host is unavailable".

Is there something specific I need to do to use Cloudflare with my subdomains?

PS: all my dockers are from linuxserver.io

Is there some specific setup I need to do when using Cloudflare for my subdomains using A records? I see people always mention CNAME.

I have a static IP at home so I don't need DuckDNS.

I keep getting Error 522 Connection Timed Out, Host Error from Cloudflare.

Thanks

Docker Log: https://pastebin.com/mPqxRFrq

1) turn off cloudflare proxy

2) fix your port forwarding


@aptalca Cloudflare has been set to DNS only on each A record, unless there is somewhere else?

Also, port forwarding shouldn't matter as it's doing DNS verification.

Or do I still need to port forward 80 and 443 to unRAID? With DNS I thought it wouldn't need the ports anymore, and as you can see from the logs it's kinda working?

OK, re-enabled my port forwarding and I think it's working... derp

Also, wouldn't using the Cloudflare proxy be of benefit?

Edited by SavellM


I just received an email from Letsencrypt telling me that I need to renew my certificate because it will expire in 19 days; however, when I check my Letsencrypt logs I see this:

<------------------------------------------------->
cronjob running on Tue Jan 21 02:08:00 EST 2020
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/my.site/fullchain.pem expires on 2020-04-16 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Any suggestions for how I can figure out what's going on? Thanks.  

19 minutes ago, xthursdayx said:

/etc/letsencrypt/live/my.site/fullchain.pem expires on 2020-04-16 (skipped)

 

That email means, "one of the certs that you received with that email address is expiring". In this case, it's not the cert that your server is currently using.


Hello everybody,

 

I wanted to install this container and it failed, giving me the following error:

8c411aab6af9fba2f9d3d982c8ac842944fcf80c320d4f90cfe0a3f9c22d181e
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (0ca54bc2bc38d42e5657046a19a28e0acc414439f640a0cba7bf4b711ff43e10): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use.

Don't really know what's up or how to fix it, any suggestions would be greatly appreciated.

I tried installing it on the bridge and on a custom network, both times same error.

Thanks in advance,

Timo

 


I am having a problem getting letsencrypt to work in Unraid. I followed the instructions provided in the SpaceInvader One video and I am getting this in the letsencrypt log:

http-01 challenge for sflalife-bw.ddns.net
http-01 challenge for sflalife.ddns.net
Waiting for verification...
Challenge failed for domain sflalife-bw.ddns.net
Challenge failed for domain sflalife.ddns.net

 

I am forwarding the following ports in pfsense:

WAN HTTP (80) > Unraid server IP port 180

WAN HTTPS (443) > Unraid server IP port 1443

 

I am using a custom network ‘proxynet’ and I can see letsencrypt is getting an IP.

I am using a VPN for my entire local network and have set up an alias for unraid to bypass the VPN and connect through the ISP provided public IP.

I have pfblocker set up in pfsense, which is used to block ads.

I have tried disabling each of these services to see if they are the problem.

I am using No-IP for my subdomains. When I ping my subdomain, it resolves to my current external IP number.

I know I am missing something, I just can’t figure out what it is.

Hopefully someone out there has a similar setup and has had success getting letsencrypt to work.

On 1/21/2020 at 7:43 PM, aptalca said:

 

That email means, "one of the certs that you received with that email address is expiring". In this case, it's not the cert that your server is currently using.

Ah okay, thanks. I was just a little concerned because it listed all of the domains/subdomains I certify through the Letsencrypt container, and I'd never received one of these emails over the last three or four years of using Letsencrypt. 


I've had this container running for some time, and until recently it's been fine. However, my certs now aren't being renewed. I'm being told that the cert I have assigned to my nextcloud instance has expired. I'm getting the following logs in my letsencrypt container:

nginx: [emerg] still could not bind()
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)

I hope someone can help with this. I'm not sure what to do. There are no other apps that are using 180/1443 on the unraid server.

Edited by manderso


I set up router port forwarding for letsencrypt 80 > 8080 and 443 > 8443

I am using xxxx.ddns.net services

I have also created a custom network "proxynet"

The log file shows "Server Ready"

but when I am trying to access my sites like next.ddns.net (example), I get the error "The site can't be reached", "ERR_CONNECTION_RESET". I can ping next.ddns.net though

What other information do I need to provide? Please help

Update:

Found out the issue, it seems I can't resolve dyndns on the same network, anyone know how to solve this?

 

Update 2:

Fixed, CTF broke NAT loopback

Edited by Kira

13 hours ago, manderso said:

I've had this container running for some time, and until recently it's been fine. However, my certs now aren't being renewed. I'm being told that the cert I have assigned to my nextcloud instance has expired. I'm getting the following logs in my letsencrypt container:


nginx: [emerg] still could not bind()
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)

I hope someone can help with this. I'm not sure what to do. There are no other apps that are using 180/1443 on the unraid server.

Did you change it to host networking?

Because right now nginx isn't even starting.

 

You said "I'm being told that the cert. . . has expired". Who told you that? Email or browser?


Onlyoffice DS docker needs the certificates installed in /mnt/user/appdata/onlyofficeds/Data/certs folder. I copied the certs from letsencrypt to this folder. It works. But, I need to find a way to automate the certs from LE docker as the static LE certs in onlyoffice docker will expire in max. 3 months. How can I do that? Does a symbolic link to LE certs work? Or should I set a cron job to copy LE certs everyday?

Thanks.

4 hours ago, aptalca said:

Did you change it to host networking?

Because right now nginx isn't even starting.

 

You said "I'm being told that the cert. . . has expired". Who told you that? Email or browser?

That came from nextcloud that said my cert had expired.

And I haven't changed any settings, including networking. I had followed spaceinvader's guide for setting up nextcloud behind a letsencrypt cert, and that's using a proxynet network I set up for this purpose.

1 hour ago, manderso said:

That came from nextcloud that said my cert had expired.

And I haven't changed any settings, including networking. I had followed spaceinvader's guide for setting up nextcloud behind a letsencrypt cert, and that's using a proxynet network I set up for this purpose.

What do you mean by nextcloud told you?

23 hours ago, Kira said:

I set up router port forwarding for letsencrypt 80 > 8080 and 443 > 8443

I am using xxxx.ddns.net services

I have also created a custom network "proxynet"

The log file shows "Server Ready"

but when I am trying to access my sites like next.ddns.net (example), I get the error "The site can't be reached", "ERR_CONNECTION_RESET". I can ping next.ddns.net though

What other information do I need to provide? Please help

Update:

Found out the issue, it seems I can't resolve dyndns on the same network, anyone know how to solve this?

 

Update 2:

Fixed, CTF broke NAT loopback

How did you fix it exactly? I'm having the same issue.

 

Update: issue fixed. Thank you for pointing to CTF being the root cause! I've been fiddling with my router settings for almost 3 weeks now :)

Edited by izarkhin

15 hours ago, sse450 said:

Onlyoffice DS docker needs the certificates installed in /mnt/user/appdata/onlyofficeds/Data/certs folder. I copied the certs from letsencrypt to this folder. It works. But, I need to find a way to automate the certs from LE docker as the static LE certs in onlyoffice docker will expire in max. 3 months. How can I do that? Does a symbolic link to LE certs work? Or should I set a cron job to copy LE certs everyday?

Thanks.

It's explained in the readme


Hey again!

 

Are there any references you can provide in regards to php-fpm setup?

 

Or is this out of the scope of the docker configs and just requires manually connecting to the box and adding the appropriate confs fpm side?

 

Thanks!

23 hours ago, saarg said:

What do you mean by nextcloud told you?

Looking at page information, on the security tab in firefox, for my nextcloud page, I see

Verified by: Let's Encrypt,

Expires on: December 28, 2019.

4 hours ago, phyzical said:

Hey again!

 

Are there any references you can provide in regards to php-fpm setup?

 

Or is this out of the scope of the docker configs and just requires manually connecting to the box and adding the appropriate confs fpm side?

 

Thanks!

What are you trying to do?

 

Php is already set up and ready to go. The default nginx site config has a php block that works out of the box for the main server block.

4 hours ago, aptalca said:

What are you trying to do?

 

Php is already set up and ready to go. The default nginx site config has a php block that works out of the box for the main server block.

hey

 

Sorry, yeah, I saw there was a www block but I'm trying to add additional apps.

15 hours ago, manderso said:

Looking at page information, on the security tab in firefox, for my nextcloud page, I see

Verified by: Let's Encrypt,

Expires on: December 28, 2019.

Did you copy the certificate from the letsencrypt container to the Nextcloud container?

If you are using reverse proxy, check what the browser says about the certificate.

15 hours ago, phyzical said:

hey

 

Sorry, yeah, I saw there was a www block but I'm trying to add additional apps.

Just replicate that php block for any server blocks you need


Is there a way to get this container to request multiple certs for different domains, not adding an extra domain to the main cert?

I.e., 1 cert per domain, with wildcards?

Edited by blackpanther989

1 hour ago, blackpanther989 said:

Is there a way to get this container to request multiple certs for different domains, not adding an extra domain to the main cert?

I.e., 1 cert per domain, with wildcards?

No

8 hours ago, aptalca said:

Just replicate that php block for any server blocks you need

I figured it was that simple, but the part that I don't know is how each block lines up with a particular app.

But, now that I think about it, what I remember from when I used GUIs (ISPConfig etc.) is that the blocks line up with a user, not an nginx server directive.

Or am I wrong on that?

Thanks!

2 hours ago, phyzical said:

I figured it was that simple, but the part that I don't know is how each block lines up with a particular app.

But, now that I think about it, what I remember from when I used GUIs (ISPConfig etc.) is that the blocks line up with a user, not an nginx server directive.

Or am I wrong on that?

Thanks!

?? Php-fpm is just a processor. Your index file and root directive tell nginx where the necessary files are. When php files are called, they are sent to the processor.

 

What exactly are you trying to accomplish here? What are these apps you're referring to?

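As an added example (not the container's own default.conf and not code from anyone in this thread), this is what "replicating the php block" into a second server block for another app looks like, including the check that keeps php-fpm from being handed paths that do not exist on disk. The php-fpm address 127.0.0.1:9000, the /config/nginx/ssl.conf include, the /config/www/app2 root and the hostname app2.example.com are assumptions about the linuxserver image; adjust them to your install.

```nginx
# Added example (not the container's own default.conf): a second server block
# for another PHP app, with the php handler replicated from the main block.
# Assumptions: php-fpm listens on 127.0.0.1:9000 inside the container, the
# image's TLS settings live in /config/nginx/ssl.conf, and the app's files
# are in /config/www/app2. Change these to match your install.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app2.example.com;

    include /config/nginx/ssl.conf;

    # root + index are what tie this server block to one app's files;
    # php-fpm itself has no notion of apps or users.
    root /config/www/app2;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # This is the block to replicate per server: nginx locates the files via
    # root/index above and only hands .php requests to the processor.
    location ~ \.php$ {
        # Return 404 for a .php path that does not exist on disk instead of
        # forwarding it to php-fpm; this closes the well-known path-info
        # misconfiguration where fpm would fall back to a neighbouring file.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Keep dotfiles an app may ship (.env, .git) out of reach.
    location ~ /\. {
        deny all;
    }
}
```

Assuming the image's layout, the file goes in /config/nginx/site-confs/ and `nginx -t` run inside the container reports syntax errors before you restart it.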
