[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


I've followed Spaceinvaderone's video for setting up SWAG, but the docker container is giving an error:

Requesting a certificate for <mySubDomain>.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: <mySubDomain>.duckdns.org
Type: unauthorized
Detail: Invalid response from http://<mySubDomain>.duckdns.org/.well-known/acme-challenge/U9o-N70woR3z5jnFl0cEVPWd711PJT8SAqRPiZLYAXc [<My IP>]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

 

I have two gateways, AT&T for ISP and a Google WiFi mesh, but I believe I have the port forwarding correct.  Two reasons for this.

1) I can see my Plex server, so the two hop forwarding to that container is working

2) I was getting timeout errors in the log, but those have now changed to this unauthorized/404 error.

 

For SWAG, I have AT&T forward 80 and 443 directly (the only option I saw), and Google changing the ports to 180 and 1443.  SWAG is set up for 180 and 1443.

 

I'm trying to get http auth working as that seemed like the best place to start.  I need to understand the other options better, too.

 

Any tips for debugging?

Most Popular Posts

  • Confirming this worked for me too. Not sure I needed to replace both, but I did anyway and Swag and Nextcloud are both back and up and running. For noobs like me, here's what I did: 1. Stop

  • I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

  • BigBoyMarky

    I replaced both the ssl.conf and nginx.conf files with the sample ones to update them since I did not make any custom modifications to either one of those and this resolved my issue.


On 11/9/2020 at 10:59 PM, LifeBasher said:

Hi,

I'm trying to get swag to reverse proxy to my VM in Unraid. I used Spaceinvader's video to set it up at the start, but now when I'm trying to send to the VM, the log gives me this... Does anyone have any idea? I mean it works great when I'm using it on Docker, but I can't get it to send it to my VM.

Thanks for any help

P.S. I actually want to send it to a vm for nextcloud instead of using a docker for it.

 

2020/11/10 00:45:08 [error] 431#431: *63 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 66.70.148.95, server: myServer.*, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.8.13:443/favicon.ico", host: "myHost", referrer: "https://myHost/"

Did you ever get this figured out? I'm also trying to pass through Ubuntu VM running Nextcloud. 

  • 2 weeks later...
On 9/7/2021 at 12:58 PM, stottle said:

I have two gateways, AT&T for ISP and a Google WiFi mesh, but I believe I have the port forwarding correct.  Two reasons for this.

1) I can see my Plex server, so the two hop forwarding to that container is working

2) I was getting timeout errors in the log, but those have now changed to this unauthorized/404 error.

 

For SWAG, I have AT&T forward 80 and 443 directly (the only option I saw), and Google changing the ports to 180 and 1443.  SWAG is set up for 180 and 1443.

 

I'm trying to get http auth working as that seemed like the best place to start.  I need to understand the other options better, too.

 

Any tips for debugging?

The error turned out to be a mismatch in ports between the two routers (mixing which was internal vs. external).

 

Also, to the earlier person who mentioned still getting "insecure" messages due to having staging set to `true` - thanks, I hit that as well.

On 5/6/2021 at 4:38 PM, tetrapod said:

I had the same issue and I think, if I remember correctly, that Spaceinvader's video didn't mention that you had to turn off proxy for the subdomain CNAME record. Maybe this worked differently before at Cloudflare? But when I turn on "proxied" for any CNAME, that URL will no longer point to my server, it will point to a Cloudflare server. How this proxy via Cloudflare is supposed to work I do not know.
I can keep "proxied" on for my A records though

Anyone ever get to the bottom of this ? :)

 

I searched this thread and generally online for an answer to this, but I don't see it or I missed it.  I've been running swag to front end a couple of dozen containers for a year or so and it has worked great.  I tried adding another one today and I went to ssh into it to modify the config file and I'm getting an error that the target actively refused it.  I've made no changes to my network, and I've restarted the container and even rebooted Unraid but I'm still getting the same error.  

 

Any ideas on what I might be missing?

 

NVM - Needed more coffee. I remembered I ssh into Unraid and then go to the appdata from there rather than ssh into the swag container IP.

Edited by BurntOC

Ain't nobody got time to troll thru 228! pages of messages to figure out how to use swag with zerossl on unraid.  Looks like linuxserver.io even spends precious little describing what is needed for zerossl.

I did find that the github link for docker-swag has a little info though!

There has got to be a better way to support it than this forum.

Need help.

 

I have an error while installing the docker swag: I cannot see the logs, since after installation and running the docker setup removes the image. But I see the commands generated:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='swag' --net='proxynet' -e TZ="Europe/Madrid" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='myownadomain.com' -e 'SUBDOMAINS'='cloud' -e 'ONLY_SUBDOMAINS'='false' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
8234a2c63b968ed9a9ee04b5d0f10e93352e6424393d2d9531ce27b587916872

 

 

1 hour ago, altyne said:

Need help.

 

I have an error while installing the docker swag: I cannot see the logs, since after installation and running the docker setup removes the image. But I see the commands generated:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='swag' --net='proxynet' -e TZ="Europe/Madrid" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='myownadomain.com' -e 'SUBDOMAINS'='cloud' -e 'ONLY_SUBDOMAINS'='false' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
8234a2c63b968ed9a9ee04b5d0f10e93352e6424393d2d9531ce27b587916872

 

 

I resolved my issue: the port was in use.

 

However, I have an issue again:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.myowndomain.com
Type: connection
Detail: Fetching http://cloud.myowndomain.com/.well-known/acme-challenge/MW0vkuKtEVdJrtPHQhH-_BqvajZK31sTq18SZuk2qug: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
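
As an added example (not part of any post in this thread, and not code from linuxserver.io or Certbot): a small Python triage of the two Certbot failure types quoted above, the `unauthorized` 404 and the `connection` timeout. The sample log is constructed with placeholder domains, IP and tokens, and the stage names and hint wording are this example's own.

```python
import re

# Constructed sample modelled on the two failures quoted in this thread;
# domains, IP and tokens are placeholders, and the HTML body is abridged.
SAMPLE_LOG = """\
Certbot failed to authenticate some domains (authenticator: standalone).
Domain: sub.example.org
Type: unauthorized
Detail: Invalid response from http://sub.example.org/.well-known/acme-challenge/TOKEN-A [203.0.113.10]: "<html><head><title>404 Not Found</title></head><hr><center>nginx</center>"

Domain: cloud.example.org
Type: connection
Detail: Fetching http://cloud.example.org/.well-known/acme-challenge/TOKEN-B: Timeout during connect (likely firewall problem)
"""

PROBLEM = re.compile(
    r"^\s*Domain:\s*(?P<domain>\S+)\s*\n"
    r"\s*Type:\s*(?P<type>\S+)\s*\n"
    r"\s*Detail:\s*(?P<detail>.+)$",
    re.MULTILINE,
)

def classify(problem_type, detail):
    """Return (stage, first_check); the hint wording is this example's own."""
    if problem_type == "connection":
        # The CA could not open a TCP connection: a hop drops or blocks port 80.
        return ("unreachable",
                "check firewall and every port-forward hop from WAN:80 to the container")
    if problem_type == "unauthorized":
        status = re.search(r"<title>(\d{3})\b", detail)
        banner = re.search(r"<center>([A-Za-z][\w./-]*)</center>", detail)
        who = banner.group(1) if banner else "unknown server"
        code = status.group(1) if status else "unexpected response"
        # Something answered on port 80, but it did not serve the challenge token.
        return ("wrong-responder",
                f"{who} returned {code}: find which host:port WAN:80 really lands on")
    return ("other", "read /var/log/letsencrypt/letsencrypt.log")

def parse_failures(log_text):
    """Extract every Domain/Type/Detail problem block and attach a triage hint."""
    results = []
    for m in PROBLEM.finditer(log_text):
        stage, hint = classify(m["type"], m["detail"])
        results.append({"domain": m["domain"], "type": m["type"],
                        "stage": stage, "hint": hint})
    return results

if __name__ == "__main__":
    for item in parse_failures(SAMPLE_LOG):
        print(f'{item["domain"]}: {item["type"]} -> {item["stage"]}: {item["hint"]}')
```

A change from `connection` to `unauthorized` between runs, as reported earlier in the thread, means the request now reaches a web server, just not the temporary one Certbot started.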

On 9/24/2021 at 4:01 PM, altyne said:

I resolved my issue: the port was in use.

 

However, I have an issue again:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.myowndomain.com
Type: connection
Detail: Fetching http://cloud.myowndomain.com/.well-known/acme-challenge/MW0vkuKtEVdJrtPHQhH-_BqvajZK31sTq18SZuk2qug: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I managed to install the SSL via Cloudflare. However, my router blocks port 80 and shows the router web admin page? Did it ignore port forwarding?

internet -> router (port 80 forwarded  -> unraid server port 192.168.x.x:180 -> nextcloud : 80)

internet -> router (blocks here returns web admin page from router)?

Like many people here I followed spaceinvader one guide to give online access to nextcloud using a domain name. I followed his guide to the letter and everything seems to be working fine other than my router not supporting NAT reflection.

 

This means that I can only access my nextcloud GUI via my domain name using a VPN or when I'm away from home. which is fine by me, EXCEPT that I can no longer access my nextcloud GUI AT ALL on my home network, when I try to access it via localhost:444 it gets redirected to my domain name (nextcloud.mydomain.com). is there a way I can retain the ability to connect to owncloud on my home network?

 

This problem is only with nextcloud, I can access sonarr with both my domain and my local ip depending on if I'm connected to my local network or not.

Edited by sloob

On 9/25/2021 at 4:19 PM, altyne said:

 

I managed to install the SSL via Cloudflare. However, my router blocks port 80 and shows the router web admin page? Did it ignore port forwarding?

internet -> router (port 80 forwarded  -> unraid server port 192.168.x.x:180 -> nextcloud : 80)

internet -> router (blocks here returns web admin page from router)?

 

It's working for me right now; what I did was disable the firewall settings built into my router and the UPnP options.

 

Well, looks like this thread is like a rant and nobody cares to read for 228 pages. What a bummer.

 

What I observed is that SpaceInvaderOne's guides are still good, but most are outdated unless he updated them in the comment section. For others' content, you can follow it but you should be cautious, because settings will likely not be compatible with the latest version. Some tips and gotchas I've observed: you can get the instructions inside the cnf/config files, in the comments section. And also read the author's documentation/wiki guides on how to configure.

 

Unraid server (particularly docker) just presents the configuration on the screen, and it is eventually submitted to the command line. You can read the author's guide or click the question mark at the top right of the screen, below your username, to see some valid values and tips.

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this, should I click "Trust this certificate anyway" and forget about it or should I change something in my SWAG config?

 

Thanks

32 minutes ago, Carlos said:

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this, should I click "Trust this certificate anyway" and forget about it or should I change something in my SWAG config?

 

Thanks

I'm having this untrusted certificate issue with nextcloud. Just started today for me as well.

23 hours ago, Carlos said:

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this, should I click "Trust this certificate anyway" and forget about it or should I change something in my SWAG config?

 

Thanks

Same for me here.

On 9/30/2021 at 5:24 PM, Carlos said:

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this, should I click "Trust this certificate anyway" and forget about it or should I change something in my SWAG config?

 

Thanks

Nevermind, looks like it's fixed with the latest client update recently deployed

 

Cheers

On 10/2/2021 at 11:00 AM, Omri said:

Nevermind

"Solved" the issue by moving to zerossl

Solved for me too after switching to zerossl

Hi, has something changed on swag recently? It's been working fine and nothing has changed on my FW or network; now I am getting this error:

 

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

On 10/2/2021 at 1:02 PM, Carlos said:

Nevermind, looks like it's fixed with the latest client update recently deployed

 

Cheers

For me it is not solved.
I still have the problem with nextcloud and joplin.

How can I remove the "DST Root CA X3" ?

I had my Swag docker still failing with the Letsencrypt cert renewal.  My issue renewing was caused by Cloudflare proxying the traffic.   I turned off Proxying for my A and CNAME records (under the DNS tab in Cloudflare).  I then restarted docker and it came right.  I could then go back to Cloudflare and turn the Proxying back on.  Hope this may help someone else.

On 10/5/2021 at 8:51 AM, dfox1787 said:

Hi, has something changed on swag recently? It's been working fine and nothing has changed on my FW or network; now I am getting this error:

 

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Restored a backup, all working now. Thanks for the help.....

Edited by dfox1787

Hi! I'm trying to host my own git server, using Gitea combined with SWAG. I followed @SpaceInvaderOne's guide on how to add reverse proxies for select applications. I think I did it right, as I get to an error page saying Error 403 Permission Denied; SWAG redirects the traffic "correctly", but I can't figure out what I configured wrongly. Could someone help me? app.ini is Gitea's own config.

gitea.subdomain.conf

On 9/25/2021 at 2:23 PM, sloob said:

EXCEPT that I can no longer access my nextcloud GUI AT ALL on my home network, when I try to access it via localhost:444 it gets redirected to my domain name (nextcloud.mydomain.com). is there a way I can retain the ability to connect to owncloud on my home network?

 

I have the same issue, where my router doesn't allow NAT loopback or hairpinning. To access nextcloud on my home network, type the localhost:444, which then redirects it to the nextcloud.mydomain.com (like you indicated). After that first redirect I change the "nextcloud.mydomain.com" with "localhost:444" in the url and it works.

Edited by bat2o

On 10/7/2021 at 10:24 AM, Konfitüre said:

For me it is not solved.
I still have the problem with nextcloud and joplin.

How can I remove the "DST Root CA X3" ?

Same issue.
Somebody, can you help?
