[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


So I am trying to switch the validation from HTTP to TLS-SNI, but I am getting an error:

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

I have made sure all my ports are lined up as well.

[three screenshots of the port mappings attached]

Not sure what I am missing here.

Any help is greatly appreciated.

Link to comment
3 minutes ago, CHBMB said:

Yes, in the "default" file, if you want nginx to respond on port 80, you have to configure the nginx server to do so.

The response to the http challenge isn't done by nginx; it's a completely separate process.

Got ya... I must have broken something then.

(http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain ::

Link to comment
2 minutes ago, fmp4m said:

Got ya... I must have broken something then.

(http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain ::

That suggests you haven't even got to the nginx part yet; that's the LE challenge.

Link to comment
1 minute ago, CHBMB said:

That suggests you haven't even got to the nginx part yet; that's the LE challenge.

Yeah, I got that part after you said it was a separate process. I don't know what broke. It's on ports 80 and 443 with forwarding. I checked by moving the mapping of another process to ports 80 and 443, and it's not blocked by the ISP. Maybe I need to hose it. Strange.

Link to comment
28 minutes ago, fmp4m said:

Yeah, I got that part after you said it was a separate process. I don't know what broke. It's on ports 80 and 443 with forwarding. I checked by moving the mapping of another process to ports 80 and 443, and it's not blocked by the ISP. Maybe I need to hose it. Strange.

Yep... I broke something. After getting the LE challenge fixed and the server up, no response on http or https.

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

*** Found it. "default" had the old ports in it. Updated and all is back online.

Edited by fmp4m
Link to comment
2 hours ago, CHBMB said:

That's fine as long as your firewall/router is forwarding 443 externally to 442 on your Unraid box.

It doesn't sound like that's what is causing the error though.

It used to work with the settings I had before, which is why I'm not sure why it would just stop working overnight.

Link to comment
4 hours ago, Invincible said:

The latest update (from last night) seems to have broken something for me.

I haven't changed any of the settings; however, I noticed there was a new "Validation" option in the docker settings which is set to HTTP.

I also noticed that the HTTPVAL setting was missing from the "show more settings" tab.

Any ideas what would have broken the config for me?

Here are the logs:

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Backwards compatibility check. . .
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ******.duckdns.org
E-mail address entered: **********
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ******.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ******.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://******.duckdns.org/.well-known/acme-challenge/MKKaK-NvviGlS4ME6FlQ5uTBojzr8WHznM36sgR8Ujo: "<html>

<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: ******.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://******.duckdns.org/.well-known/acme-challenge/MKKaK-NvviGlS4ME6FlQ5uTBojzr8WHznM36sgR8Ujo:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="*********" -e "URL"="duckdns.org" -e "SUBDOMAINS"="******" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "VALIDATION"="http" -e "DNSPLUGIN"="" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
2dab690e979f92d6a66c2a7506fbb121324e105cd195d576fa5c141d067d0952

[two screenshots attached; the second shows the router's port-forwarding rules]


The second screenshot looks like your router is forwarding port 80 to port 80 on Unraid for TCP, and port 81 to 81 on Unraid for UDP. What you need is to forward port 80 to port 81 for TCP. Right now, the letsencrypt servers are connecting to your Unraid web GUI.

Link to comment
11 hours ago, WannabeMKII said:

Ah ha, adding "tls-sni" = "true" has got me back up and running!

Port 80 is still appearing as closed though?

Now just to get nzbhydra2 actually loading properly.

Superb news though, and I really appreciate the constant help from everyone, absolutely legendary!

This container does not recognize "tls-sni" = "true", so something else you did must have fixed it.

Link to comment
8 minutes ago, aptalca said:

The second screenshot looks like your router is forwarding port 80 to port 80 on Unraid for TCP, and port 81 to 81 on Unraid for UDP. What you need is to forward port 80 to port 81 for TCP. Right now, the letsencrypt servers are connecting to your Unraid web GUI.

Looks like there was a separate section on my router to configure this. That seemed to fix it, thanks!

Link to comment

Hi guys, I am getting the following error:

There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: INSERTDOMAINHERE.com,www.INSERTDOMAINHERE.com: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container.

Some background. I had just done something on my unraid server and saw a notification that there was an update available for the letsencrypt docker. I updated and this is the error I received. Any ideas? I will be checking DNS to make sure nothing is wrong there, but it's highly unlikely as everything was working just fine before updating the docker.

Maybe also worth noting is I validate via http (and the flag is set to true).

UPDATE - I don't know why, but deleting my docker and reinstalling fixed it.

Edited by statecowboy
Link to comment

So I just updated my container by removing the HTTPVAL variable and replacing it with VALIDATION=http. Nothing else changed (already was forwarding 80 to get HTTPVAL working). Now I'm getting the following for all my certs:

   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge


Edited by IamSpartacus
Link to comment
54 minutes ago, IamSpartacus said:

So I just updated my container by removing the HTTPVAL variable and replacing it with VALIDATION=http. Nothing else changed (already was forwarding 80 to get HTTPVAL working). Now I'm getting the following for all my certs:

   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge

Full log?

Link to comment
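Pulling together the three failure modes in this thread (the urn:acme:error:connection earlier, the 404 on /.well-known/acme-challenge/ that aptalca traced to port 80 being forwarded to the Unraid web GUI instead of the container, and the "key authorization file ... did not match" error just above), here is an added example that is not code from the thread or from the linuxserver.io image. It does what the CA does for an http-01 challenge: builds the key authorization from the ACME account key's JWK thumbprint (RFC 7638) and the challenge token (RFC 8555 section 8.1), fetches the challenge URL over plain HTTP on port 80, and classifies the result as one of those three outcomes. The domain, token and JWK in the block are constructed placeholders; certbot keeps the real account key under /etc/letsencrypt/accounts/, which is the directory the log asks you to back up. One caveat the thread does not state: Let's Encrypt no longer offers the tls-sni-01 challenge at all, so forcing it, as the first post tried, produces the "does not support any combination of challenges that will satisfy the CA" message regardless of how the ports are forwarded.

```python
"""HTTP-01 pre-flight: rebuild the key authorization and probe the challenge URL.

Added example, not code from this thread or from the linuxserver.io image.
SAMPLE_JWK and SAMPLE_TOKEN are constructed placeholders, not real values.
"""
import base64
import hashlib
import json
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed RSA JWK (not a real key). Only the RFC 7638 required members
# feed the thumbprint, so the "alg" member must be ignored by jwk_thumbprint().
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-0001"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, in lexicographic
    order, serialized with no whitespace. Members such as "alg"/"kid" are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at the challenge URL."""
    return token + "." + jwk_thumbprint(jwk)


def classify(status, body: str, expected: str) -> str:
    """Map the HTTP result onto the certbot errors seen in this thread."""
    if status is None:
        return "connection"                  # urn:acme:error:connection: nothing answered on port 80
    if status != 200:
        return "unauthorized-wrong-service"  # e.g. a 404 page from whatever service got the request
    if body.strip() != expected:
        return "unauthorized-key-mismatch"   # "key authorization file ... did not match this challenge"
    return "ok"


def probe(domain: str, token: str, jwk: dict, timeout: float = 10.0) -> str:
    """Fetch the challenge URL over plain HTTP on port 80, as the CA does.
    Redirects are followed; a redirect to HTTPS with a broken certificate
    surfaces as a URLError and is therefore reported as "connection"."""
    url = "http://" + domain + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    except (urllib.error.URLError, socket.timeout, OSError):
        status, body = None, ""
    return classify(status, body, key_authorization(token, jwk))


if __name__ == "__main__":
    # usage: python http01_probe.py yourname.duckdns.org   (run from outside your LAN)
    if len(sys.argv) != 2:
        sys.exit("usage: http01_probe.py <domain>")
    print(probe(sys.argv[1], SAMPLE_TOKEN, SAMPLE_JWK))
```

Run it from a host outside your LAN (a phone on mobile data will do); from inside, a router without NAT loopback answers differently from what the CA sees. With a constructed token the expected result is "unauthorized-wrong-service", and what matters is which service produced the page. The container log shows "Authenticator standalone", meaning certbot itself answers the challenge on port 80 during issuance rather than nginx, as CHBMB pointed out; so a 404 from nginx on that path between issuances is normal, and the probe's value is in telling a connection-level failure (nothing forwarded, or forwarded to the wrong port) apart from the wrong host answering.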

I did get letsencrypt working and all. Is this the right place to find out what's wrong with the nginx server? Possibly a tutorial on how to set it up with sonarr etc.? I get an error on the upstream:

*1 connect() failed (113: Host is unreachable) while connecting to upstream, client: XX.XX.XX.XX 

Link to comment
4 hours ago, torn8o said:

I did get letsencrypt working and all. Is this the right place to find out what's wrong with the nginx server? Possibly a tutorial on how to set it up with sonarr etc.? I get an error on the upstream:

*1 connect() failed (113: Host is unreachable) while connecting to upstream, client: XX.XX.XX.XX 

Post your site config. Make sure the IP you defined is correct and valid (no localhost or 127.0.0.1, etc.).

Link to comment
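As an added example for the upstream error above (errno 113 is EHOSTUNREACH: the kernel inside the container has no route to the address nginx was told to connect to, which usually means a typo'd or wrong-subnet IP), and not code from the thread or the linuxserver.io image: a small linter that pulls every proxy_pass target out of an nginx site config, flags loopback targets (inside the container, 127.0.0.1 and localhost are the container's own loopback, i.e. nginx itself, never the Unraid host or another container), and can optionally TCP-connect to each upstream from wherever it is run. The config text in the block is constructed, and the /config/nginx/proxy-confs path is an assumption about the SWAG layout on your install.

```python
"""Find and check nginx proxy_pass upstreams.

Added example, not code from this thread or from the linuxserver.io image.
SAMPLE_CONF is constructed; the proxy-confs directory layout is an assumption.
"""
import re
import socket
import sys
from pathlib import Path
from urllib.parse import urlsplit

PROXY_PASS = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;", re.MULTILINE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed site config: one loopback upstream (wrong inside a container),
# one LAN address, and one SWAG-style target built from nginx variables.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    location /sonarr {
        proxy_pass http://127.0.0.1:8989;
    }
    location /radarr {
        proxy_pass http://192.168.1.50:7878;
    }
    location /bazarr {
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""


def parse_upstreams(conf_text: str):
    """Return (scheme, host, port) for each proxy_pass directive. Targets built
    from nginx variables are returned unresolved with scheme "variable"."""
    found = []
    for target in PROXY_PASS.findall(conf_text):
        if "$" in target:
            found.append(("variable", target, None))
            continue
        parts = urlsplit(target)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        found.append((parts.scheme, parts.hostname, port))
    return found


def lint_upstream(scheme: str, host, port) -> str:
    """Static check that needs no network access."""
    if scheme == "variable":
        return "variable target; check the set $upstream_* lines in the same conf"
    if host is None:
        return "unparsable proxy_pass target"
    if host in LOOPBACK:
        return "loopback: inside the container this is nginx itself, not the Unraid host"
    return "ok"


def reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check from wherever this runs; run it inside the container to see what nginx sees."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers EHOSTUNREACH (113), ECONNREFUSED, timeouts and DNS failures
        return False


def check_conf_dir(directory: str, live: bool = False):
    """Lint every *.conf in a directory (assumed SWAG layout: /config/nginx/proxy-confs)."""
    results = []
    for path in sorted(Path(directory).glob("*.conf")):
        for scheme, host, port in parse_upstreams(path.read_text()):
            verdict = lint_upstream(scheme, host, port)
            if live and verdict == "ok" and not reachable(host, port):
                verdict = "unreachable from here"
            results.append((path.name, host, port, verdict))
    return results


if __name__ == "__main__":
    # usage: python upstream_check.py /config/nginx/proxy-confs [--live]
    if len(sys.argv) < 2:
        sys.exit("usage: upstream_check.py <conf-dir> [--live]")
    for row in check_conf_dir(sys.argv[1], live="--live" in sys.argv[2:]):
        print("%s: %s:%s -> %s" % row)
```

Run the live mode from inside the container (docker exec into it) rather than from the Unraid host: the two have different network namespaces, and an upstream that the host can reach over a custom bridge network may have no route from the default bridge the letsencrypt container sits on.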

Hi,

I have a special question regarding letsencrypt together with nextcloud.

I have a static IP with a domain for letsencrypt.

This IP I am mapping on my router to letsencrypt.

Letsencrypt is then proxying to the nextcloud container.

If I now set up the Nextcloud app on my internal client to the domain, then everything works fine and I am not getting any (certificate) error.

The big disadvantage is that any traffic from the client to nextcloud (via letsencrypt) goes via the router instead of directly. The router is a USG from Unifi with IDS/IPS enabled, which limits the throughput to 80 Mbit/s; that is more than enough for the internet but not for the internal gigabit connection. So if I transfer big files via nextcloud, the router will hit its maximum throughput.

I could use the IP address of the nextcloud container internally, but then I will always get a security warning...

Any other ideas?

Br,

Johannes

Link to comment
