
[Support] Linuxserver.io - Letsencrypt (Nginx)


2 hours ago, aptalca said:

FYI, the new version of this image supports multiple domains through a new environment variable. Details are on the docker hub page

 

I've updated my docker, how do I add the new variable?

I do have that, pfSense does it for me. I can do an nslookup from outside my home network and it will reply with the correct IP. But when the docker runs it just says no valid IP for my Google Domains.

If you need help setting this up with Google Domains let me know. I just switched my domains to Google and it took me about a day to figure things out. All good now though.

7 hours ago, jrdnlc said:

If you need help setting this up with Google Domains let me know. I just switched my domains to Google and it took me about a day to figure things out. All good now though.

 

Sure, send me the info. I like to use the domain I paid for.

 

7 hours ago, jrdnlc said:

If you need help setting this up with Google Domains let me know. I just switched my domains to Google and it took me about a day to figure things out. All good now though.

Thanks! I'm going to try what ijuarez suggested, but I think it should all be pretty automated, right? I mean, I run a ddclient docker to update my Google domain with my current IP. Then the letsencrypt docker should reference that domain and be good to go. Right now I'd have to do it manually every time the IP changes. Appreciate seeing how you managed it!

2 hours ago, ChaOConnor said:

Thanks! I'm going to try what ijuarez suggested, but I think it should all be pretty automated, right? I mean, I run a ddclient docker to update my Google domain with my current IP. Then the letsencrypt docker should reference that domain and be good to go. Right now I'd have to do it manually every time the IP changes. Appreciate seeing how you managed it!

 

I don't use the ddclient docker. I use my router dynamic dns service to update my IP. Let me know how that goes. Feel free to message me


Thanks to aptalca for the link. It took me several reads to understand how he set it up, but I finally got it. No IP needed.

On Google Domains, select the domain you want to use, select DNS, and create a Dynamic DNS entry for your domain.

Use the @ (whatever your domain is) and add it.

Then create a CNAME record:

www CNAME 1H yourdomain.com, then add it.

For Dynamic DNS, set up whatever you want (router, ddclient, whatever) and use the new creds for the Dynamic DNS entry.

Run the docker and boom, it's good.
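The failure earlier in the thread ("no valid IP for my Google Domains") is what you get when the container starts before the record has caught up with the current address, and every failed validation counts against Let's Encrypt's rate limits. As an added example (not from the thread, ddclient or the linuxserver image), here is a pre-flight check to run before starting the container: it resolves the A record at a public resolver, so a LAN-side override such as pfSense's cannot hide a stale public record, and compares it with the address the outside world sees. The resolver 8.8.8.8 and the api.ipify.org lookup are assumptions; swap in whatever you trust. Both lookups are overridable so the comparison can be exercised without network access.

```shell
#!/bin/sh
# Added example: check that a dynamic-DNS name already points at this
# connection's public IP before starting the letsencrypt container.
# Assumptions (not from the thread): dig and curl are installed, 8.8.8.8
# is an acceptable public resolver, and https://api.ipify.org returns the
# caller's public IPv4 address as plain text.

# Both lookups can be overridden with the name of another command or
# shell function (e.g. RESOLVE=my_stub), so the comparison is testable
# offline.
RESOLVE="${RESOLVE:-resolve_a}"
PUBLIC_IP="${PUBLIC_IP:-public_ip}"

# Ask a public resolver directly: the LAN resolver (pfSense in the thread)
# may answer from its own override and hide a stale public record.
# tail keeps only the final A record if the name goes through a CNAME.
resolve_a() {
    dig +short A "$1" @8.8.8.8 | tail -n 1
}

public_ip() {
    curl -fsS https://api.ipify.org
}

# ddns_check DOMAIN
#   returns 0 when the A record matches the public IP,
#           1 when it points somewhere else (stale DDNS update),
#           2 when there is no A record at all (DDNS entry never created).
ddns_check() {
    domain="$1"
    rec="$("$RESOLVE" "$domain")"
    ip="$("$PUBLIC_IP")"
    if [ -z "$rec" ]; then
        echo "no A record for $domain"
        return 2
    fi
    if [ "$rec" != "$ip" ]; then
        echo "$domain -> $rec but public IP is $ip"
        return 1
    fi
    echo "$domain -> $rec OK"
}

# Typical use: ./ddns_check.sh yourdomain.com && docker start letsencrypt
if [ "$#" -gt 0 ]; then
    ddns_check "$1"
fi
```

A non-zero exit is the signal to wait for the next ddclient/router update rather than letting the container burn a validation attempt.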

 

 

On 7/4/2017 at 1:12 PM, Ezro said:

Does anyone know how to get this to work with the gitlab docker? (https://forums.lime-technology.com/topic/48653-support-gitlab-ce/)

 

I set my letsencrypt\nginx\site-confs to the following


  location /gitlab {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.207:9080/gitlab;
  }

 

When I go to my server.duckdns.org/gitlab, I get a '404 not found' error.

 

Anyone have an idea how to fix this?

 

Sorry to bump, but I'm still having issues with Gitlab routing.

 

Also, I tried getting Nextcloud to work using this guide, and when I try to access https://192.168.1.207:444 I receive an "Insecure Connection" error. When I try to access server.duckdns.org/nextcloud/ I get a 502 bad gateway.

 

Does anyone know what I should look at in order to fix the Nextcloud routing?
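Nobody in the thread resolved the /gitlab 404, so as an added example (not Ezro's config and not the GitLab container's documentation) here are the two subfolder forms of proxy_pass and exactly what path each hands to the upstream; 192.168.1.207:9080 is reused from the post as a placeholder. Which form is right depends on whether the app is configured to serve under /gitlab, which nginx cannot change for it.

```nginx
# Added example, not Ezro's config or GitLab's documentation. The upstream
# address is reused from the post as a placeholder.

# Form 1: keep the prefix. nginx replaces the part of the request URI that
# matched the location ("/gitlab") with the URI part of proxy_pass, which
# here is also "/gitlab", so the upstream receives the path unchanged:
#   GET /gitlab/users/sign_in  ->  GET /gitlab/users/sign_in
# This is the right form when the app itself is configured to live under
# /gitlab. If it is not, the app answers 404 for the prefixed path and
# nginx relays that 404; the body of the error page tells you which side
# produced it.
location /gitlab {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.207:9080/gitlab;
}

# Form 2: strip the prefix. With a trailing slash on both the location and
# the proxy_pass URI, "/app/" is replaced by "/":
#   GET /app/users/sign_in  ->  GET /users/sign_in
# This reaches an app that expects to run at the root, but any absolute
# links or redirects it generates (e.g. Location: /users/sign_in) come
# back without the prefix, so the app still needs to know its base URL.
location /app/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.207:9080/;
}
```

To see which path the upstream actually received rather than guessing from the 404, enable the upstream's own access log for a minute, or temporarily point proxy_pass at a plain listener such as `nc -l 9080` and read the request line it prints.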

On 7.7.2017 at 6:11 AM, ijuarez said:

 

I've updated my docker how do I add the new variable?

 

Hi,

 

I am also interested how to add the new variable.

 

Br,

Johannes

 
Hi,
 
I am also interested how to add the new variable.
 
Br,
Johannes


Click on "Add another Path, Port or Variable"

1 hour ago, aptalca said:

 


Click on "Add another Path, Port or Variable"

 

 

Like this?

 

 

Unbenannt.JPG

 
Like this?
 
 
Unbenannt.JPG


Key should be EXTRA_DOMAINS and don't forget the underscore in the middle

If you go to edit one of the other variables like the PUID, you can see the format


I want to restart nginx without restarting the whole docker, preferably by using

docker exec letsencrypt nginx -s reload

But all i get is 

nginx: [error] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)

Is there any easy fix i can do on my end?

I want to restart nginx without restarting the whole docker, preferably by using
docker exec letsencrypt nginx -s reload

But all i get is 

nginx: [error] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)

Is there any easy fix i can do on my end?



s6-svc -h /var/run/s6/services/nginx
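The reply gives the s6 command; as an added example (not from the image's documentation) here it is wrapped so that the configuration is tested before the reload is sent. nginx only acts on SIGHUP if the new configuration parses; otherwise it logs an error and keeps running the old one, which is easy to miss when the only trace is a line in error.log. The container name "letsencrypt", the service path /var/run/s6/services/nginx and the config path /config/nginx/nginx.conf are taken from the thread; DOCKER and CONTAINER can be overridden, which is how the check is exercised without a running container.

```shell
#!/bin/sh
# Added example: reload nginx inside the linuxserver letsencrypt container
# without restarting the container, by sending SIGHUP through the s6
# supervisor (the command from the reply above). Assumptions: the container
# is named "letsencrypt", nginx's s6 service directory is
# /var/run/s6/services/nginx and the config lives at
# /config/nginx/nginx.conf, as stated in the thread.
DOCKER="${DOCKER:-docker}"
CONTAINER="${CONTAINER:-letsencrypt}"
NGINX_CONF="${NGINX_CONF:-/config/nginx/nginx.conf}"

# Test the configuration first. On SIGHUP nginx silently keeps the old
# configuration if the new one does not parse; failing here makes a broken
# site-conf visible before anyone assumes the change is live.
reload_nginx() {
    if ! "$DOCKER" exec "$CONTAINER" nginx -t -c "$NGINX_CONF"; then
        echo "config test failed; not reloading" >&2
        return 1
    fi
    "$DOCKER" exec "$CONTAINER" s6-svc -h /var/run/s6/services/nginx
}

# Usage: ./nginx-reload.sh reload
if [ "$#" -gt 0 ] && [ "$1" = "reload" ]; then
    reload_nginx
fi
```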

On 8.7.2017 at 5:41 PM, aptalca said:

 


Key should be EXTRA_DOMAINS and don't forget the underscore in the middle

If you go to edit one of the other variables like the PUID, you can see the format

 

 

Thanks, it is working.

 

Br,

Johannes


All,

First of all, ThanX! I have been watching this thread for a while. It has helped me get letsencrypt/nginx running on my (Unraid) server with no real issues till now. I have a working Nextcloud config and I can get to my index page (which I have modified slightly just so I know it's mine) and can get my instance of CouchPotato running on my server. So now I am having issues with getting a rev proxy to my instance of Home Assistant. I followed a thread bit from Feb 17 about this but have tried the included config file with no success, so just looking for a little help. So here is what I have also done: copied my working Nextcloud file and changed it accordingly, added the necessary stuff to the HA config file.

 

Now what I get is "502 Bad Gateway" when I go to https://subdomain.my_server.com

 

Here is a portion from the error log file:

2017/07/10 14:47:06 [error] 347#347: *1 SSL_do_handshake() failed (SSL: error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number) while SSL handshaking to upstream, client: ISP, server: SUBDOMAIN.myserver.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://0.0.0.0:port/favicon.ico", host: "SUBDOMAIN.myserver.com", referrer: "https://SUBDOMAIN.myserver.com/"

 

And here is the "site-confs" file:( just the one that seems to be the issue):

# This is the virtual host part that allows a subdomain include

server {  
    listen 443 ssl;
    server_name subdomain.my_server.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'there is really a key here';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://0.0.0.0:port/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

hopefully I didn't redact too much info for it to make sense but here it is. I am sure it is something that I missed, so I would appreciate some extra eyes. 

 

ThanX in advance 

Mikey

19 hours ago, mikeyw said:

[quoted the post above in full]
A couple of things I noticed...

I am not sure if 0.0.0.0 is the real IP you are trying to reverse proxy or if that's your redaction. If the former, that is incorrect. 0.0.0.0 in net=bridge will refer only to the letsencrypt container, not the host and not other containers. You can use the server IP to connect to a different container.

Also, you are trying to reverse proxy an https page. That is likely the reason you are getting the SSL handshake error (or a combination with a nonexistent service on 0.0.0.0 as referenced above). Try to use an http address for the reverse proxy.

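To make both points concrete, here is an added example of a subdomain site-conf for this container written the way the reply describes; it is neither Mikey's nor aptalca's config. ha.example.com, the LAN address 192.168.1.10 and port 8123 are placeholders; the certificate paths and the proxy.conf include are the ones the posted config already uses. The comments also explain what the logged "wrong version number" actually means and how to tell whether an upstream speaks TLS before pointing https:// at it.

```nginx
# Added example of a subdomain site-conf for this container; not the
# posted config. ha.example.com, 192.168.1.10 and port 8123 are
# placeholders.
server {
    listen 443 ssl;
    server_name ha.example.com;

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;

        # 1. Address: the host's LAN IP, not 0.0.0.0 or 127.0.0.1. Inside a
        #    bridge-networked container those name the container itself,
        #    where nothing listens on 8123, so the connect fails and the
        #    client gets a 502.
        # 2. Scheme: http://, not https://. TLS terminates in this server
        #    block. "wrong version number" while handshaking to upstream
        #    means the upstream answered the TLS ClientHello with plain
        #    text, i.e. that port does not speak TLS at all.
        proxy_pass http://192.168.1.10:8123;

        # If the app's frontend uses a websocket and proxy.conf does not
        # already set them, add proxy_http_version 1.1 plus the Upgrade
        # and Connection headers in this location.
    }
}

# Only if the upstream genuinely listens with TLS. Check first with
#   openssl s_client -connect 192.168.1.10:8123
# which must print a certificate; against a plain-HTTP port it fails with
# the same "wrong version number". Then use:
#     proxy_pass https://192.168.1.10:8123;
#     proxy_ssl_server_name on;
# proxy_ssl_verify defaults to off, so a self-signed upstream certificate
# is accepted as-is; enable it together with proxy_ssl_trusted_certificate
# when the hop crosses a network you do not control.
```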
15 hours ago, mattekure said:

I just read that LetsEncrypt recently announced that starting in Jan 2018, they will offer wildcard certificates for free.  so you could have one for all the subdomains

 

https://arstechnica.com/information-technology/2017/07/lets-encrypt-to-start-offering-free-wildcard-certificates-for-https/

 

DNS challenge only :|

 

https://community.letsencrypt.org/t/wildcard-certificates-coming-january-2018/37567/8


I just switched back to unRAID, and am working on getting the LE+Nginx docker setup. Nginx starts, but the logs are constantly being populated with the following:

2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:82 failed (98: Address in use)
2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:444 failed (98: Address in use)

No matter what I put the port to in the docker config, or in the nginx.conf, these errors just stream across with the port I specified. Nothing is using those ports except for nginx. I'm able to access most of the proxy_pass (except plex, working on that too), but within just a few minutes, my error.log is growing huge. Anyone come across this before?

I just switched back to unRAID, and am working on getting the LE+Nginx docker setup. Nginx starts, but the logs are constantly being populated with the following:
2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:82 failed (98: Address in use)
2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:444 failed (98: Address in use)

No matter what I put the port to in the docker config, or in the nginx.conf, these errors just stream across with the port I specified. Nothing is using those ports except for nginx. I'm able to access most of the proxy_pass (except plex, working on that too), but within just a few minutes, my error.log is growing huge. Anyone come across this before?



I suspect you highly modified the nginx.conf and perhaps removed the "daemon off" setting, so it's trying to launch a second instance unsuccessfully.

Did you by any chance copy your nginx settings over from another install? If so, go back to defaults by deleting them and restarting the container. Then modify the defaults as needed.

If that doesn't work, post your container settings along with nginx and site configs and we'll take a look.

1 hour ago, aptalca said:

 


I suspect you highly modified the nginx.conf and perhaps removed the "daemon off" setting, so it's trying to launch a second instance unsuccessfully.

Did you by any chance copy your nginx settings over from another install? If so, go back to defaults by deleting them and restarting the container. Then modify the defaults as needed.

If that doesn't work, post your container settings along with nginx and site configs and we'll take a look.

 

 

Should I not be editing the nginx.conf then? Just put my config in the site-confs/default? I use a subdomain map for my proxy pass, with some nifty logic that has worked on other boxes, e.g.:

 

map $subdomain $proxy_url {
    pr      "http://192.168.1.103:3000";
    py      "http://192.168.1.103:8181";
    cp      "http://192.168.1.103:5050";
    pms     "http://192.168.1.103:32400";
    nzb     "http://192.168.1.103:6789";
    down    "http://192.168.1.103:9091";
}

if ($host ~* ^([a-z0-9-\.]+)\.mydomain.tld$) {
    set $subdomain $1;
}

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    if ($subdomain) {
        proxy_pass $proxy_url;
    }
}

if ($subdomain = "pms") {
    rewrite ^/$ $1/web;
}

if ($subdomain = "down") {
    rewrite ^/$ $1/transmission;
}

This has worked on other servers no problem, although I'm not used to running things in a docker, and haven't used unRAID in almost a year.

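As an added example (not sethrd's posted config and not the image's defaults), here is the same subdomain-to-upstream routing done without if/set: the map is keyed on $host directly, so the lookup is a fixed table rather than a regex capture, and an unknown subdomain gets a 404 instead of an empty proxy_pass. mydomain.tld and the LAN addresses are copied from the snippet as placeholders. A map block is only valid in the http context; this assumes the image's default nginx.conf, which includes the site-confs from inside its http block, so the map can sit at the top of a site-conf file outside server{} (confirm with `nginx -T` if nginx.conf has been changed). Every hostname routed here must also be on the certificate, i.e. listed in the container's SUBDOMAINS variable or covered by a wildcard.

```nginx
# Added example, not the posted config. mydomain.tld and the upstreams are
# placeholders. Lives at the top of a site-conf file, outside server{}.
map $host $proxy_url {
    hostnames;
    default              "";
    pr.mydomain.tld      "http://192.168.1.103:3000";
    py.mydomain.tld      "http://192.168.1.103:8181";
    cp.mydomain.tld      "http://192.168.1.103:5050";
    pms.mydomain.tld     "http://192.168.1.103:32400";
    nzb.mydomain.tld     "http://192.168.1.103:6789";
    down.mydomain.tld    "http://192.168.1.103:9091";
}

server {
    listen 443 ssl;
    server_name *.mydomain.tld;

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;

    # Subdomains not in the map are refused here rather than handed to an
    # empty proxy_pass; "return" is one of the few things safe inside if.
    if ($proxy_url = "") {
        return 404;
    }

    # App-specific entry points, applied only to the bare root request.
    # This replaces the rewrite ^/$ blocks from the snippet.
    location = / {
        if ($host = pms.mydomain.tld)  { return 302 /web; }
        if ($host = down.mydomain.tld) { return 302 /transmission; }
        include /config/nginx/proxy.conf;
        proxy_pass $proxy_url;
    }

    location / {
        include /config/nginx/proxy.conf;
        # A variable proxy_pass with no URI part forwards the request URI
        # unchanged. IP literals need no resolver directive; hostnames in
        # the map would.
        proxy_pass $proxy_url;
    }
}
```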

You can edit the nginx.conf, but don't overwrite it with a config from another server or you'll break it. The nginx package from the Ubuntu repo has very different defaults than this container, which is Alpine based and uses s6 as the supervisor.

What you posted is just a snippet of the site config. And not related to the error you're getting.


Got it. Removed my custom stuff, and added most of my config to the site-confs/default file and the errors are no longer showing. Still working on getting some of the proxy_pass working, mainly for plex access. Thanks aptalca!

5 hours ago, aptalca said:

 

I tried to read through and figure out what the implications are, but it goes beyond me.  It seems like if I own my domain yyyyy.com, I can get the wildcard certificate for *.yyyyy.com.  Is that right?  or am I totally off base? 

