CHBMB Posted August 9, 2017
AFAIK only port 443 is required.
surfshack66 Posted August 9, 2017
CHBMB said: AFAIK only port 443 is required.
OK. I know this is beyond the scope of support for this docker, so any help would be appreciated. I have a domain with Namecheap and an A record pointing to my IP address. Would having a URL redirect record to https://mydomain.com suffice? The reason I'm asking is because I'm getting a "connection refused" error, and even though my ISP blocks port 80, I thought redirecting to https would force port 443 (which is open on my server).
CHBMB Posted August 9, 2017
Is it open on your firewall/router and forwarded to your server?
surfshack66 Posted August 9, 2017
CHBMB said: Is it open on your firewall/router and forwarded to your server?
Yes, port 443 is open and forwarded to the server.
CHBMB Posted August 9, 2017
Post some logs.
H2OKing Posted August 10, 2017
On 6/19/2017 at 3:40 PM, poldim said: I discovered that my problem was appending the URL with the final destination. I.e. proxy_pass https://192.168.2.100:32400/web/index.html; does not work, but removing "/web/index.html" makes it happy: proxy_pass https://192.168.2.100:8443; I've now got access to both my Unifi and Plex interface on my phone while on 4G. BUT, I'm still unable to connect while connected to the WiFi in the house. Are there some kind of additional settings in nginx to allow it to route the connection between VLANs? My WiFi is on a separate VLAN but I have no issues hitting the direct IP of the interfaces. When trying to access subdomain.domain.com I get the following error: ERR_EMPTY_RESPONSE or ERR_CONNECTION_TIMED_OUT
How did you get Unifi to pass? I've tried with no luck. Same with PlexPy.

```nginx
upstream backend {
    server 10.1.40.6:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    # Cipher list exactly as posted; note it still admits 3DES (DES-CBC3-SHA) and CAMELLIA suites.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location = / {
        return 301 /plex;
    }

    # proxy_pass with a URI part: the matched prefix is replaced by that URI before forwarding.
    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.1.40.6:8989/sonarr;
    }

    # No URI part: the request URI is forwarded unchanged, /unifi prefix included.
    location /unifi {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.1.40.6:8443;
    }

    location /sabnzb {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.1.40.6:8082/sabnzb;
    }

    # Trailing slash: /downloads/foo is forwarded as /foo, and Deluge is told its base path.
    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.1.40.6:8112/;
        proxy_set_header X-Deluge-Base "/downloads/";
    }

    # PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://10.1.40.6:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://10.1.40.6:32400/web;
    }

    # No URI part: /plexpy/... reaches the backend with the /plexpy prefix intact, over HTTPS.
    location /plexpy {
        include /config/nginx/proxy.conf;
        proxy_pass https://10.1.40.6:8181;
    }

    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}
```
CHBMB Posted August 10, 2017
I mean it's up to you, but why the hell would you want something like Unifi, which interfaces directly with your firewall, accessible from WAN? As you can tell, I'm a big fan of keeping any network management stuff like router, firewall and access points very much inaccessible from WAN.
H2OKing Posted August 10, 2017
CHBMB said: I mean it's up to you, but why the hell would you want something like Unifi, which interfaces directly with your firewall, accessible from WAN? As you can tell, I'm a big fan of keeping any network management stuff like router, firewall and access points very much inaccessible from WAN.
It's really an OCD thing. I was trying to get rid of the self-signed certs so that error goes away when you first sign in. I do have their cloud system enabled to access it from the WAN side. I was trying to do something like this. But I do see your point.
surfshack66 Posted August 10, 2017

```
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d sub1.domain.com -d sub2.domain.com
E-mail address entered:
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for sub1.domain.com
tls-sni-01 challenge for sub2.domain.com
Waiting for verification...
Performing the following challenges:
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for sub1.domain.com
tls-sni-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, sub2.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub1.domain.com
   Type:   connection
   Detail: Connection refused

   Domain: sub2.domain.com
   Type:   connection
   Detail: Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
```
aptalca Posted August 10, 2017
(quoting surfshack66's container log above)
Assuming the IP is correct, your router seems to be not forwarding the request on port 443 to the container properly.
surfshack66 Posted August 10, 2017
aptalca said: Assuming the IP is correct, your router seems to be not forwarding the request on port 443 to the container properly.
I thought so too, but I just checked my firewall logs.
JonathanM Posted August 10, 2017
surfshack66 said: I thought so too, but I just checked my firewall logs.
There's your problem. Change 42236 to 443 and it will fire right up.
surfshack66 Posted August 10, 2017
jonathanm said: There's your problem. Change 42236 to 443 and it will fire right up.
No, that's not my NAT rule. That's my permit inbound traffic rule. The source IP (Let's Encrypt) is accessing my webserver. The rule allows IPs originating from North America.
JonathanM Posted August 10, 2017
surfshack66 said: No, that's not my NAT rule. That's my permit inbound traffic rule. The source IP (Let's Encrypt) is accessing my webserver. The rule allows IPs originating from North America.
Ahh, my bad. If you stop letsencrypt and fire up a different container on the same internal port and IP, can you access it from outside your firewall on <externalip>:443?
surfshack66 Posted August 10, 2017
jonathanm said: Ahh, my bad. If you stop letsencrypt and fire up a different container on the same internal port and IP, can you access it from outside your firewall on <externalip>:443?
Yes I can. I stopped letsencrypt and started an nginx container. When the letsencrypt container is started, "canyouseeme.org" does not connect to 443, but the nginx container does connect.
CHBMB Posted August 10, 2017
If canyouseeme.org thinks the port is closed, it's closed; whether the container can see the outside world or not is immaterial. Also, I'd get rid of that URL redirect in Namecheap.
H2OKing Posted August 10, 2017
@chbmb On my config, does it look like I have PlexPy set up right? For some reason it's not passing. Plex and SabNZB work.
surfshack66 Posted August 10, 2017
CHBMB said: If canyouseeme.org thinks the port is closed, it's closed; whether the container can see the outside world or not is immaterial. Also, I'd get rid of that URL redirect in Namecheap.
It's odd that the port is open when the nginx container is started but closed when the letsencrypt container is started. I'm at a loss. Also, I removed the URL redirect but then received a different error from letsencrypt, below. FYI, port 80 is definitely blocked by my ISP, so the domain won't reach my IP then.

```
Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sub1.domain.com, sub2.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sub2.domain.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub1.domain.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for sub1.domain.com

   Domain: sub2.domain.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for sub2.domain.com
```
CHBMB Posted August 10, 2017
Get rid of the URL redirect, it's not necessary. If your DNS isn't forwarding properly and LE can't authenticate, then nginx won't work.
itsdandandan Posted August 11, 2017
I'm having some trouble getting some of my subdomains to work and I'm not sure how to get the subdomain validation to work. Here are the logs from the container. This is for a separate server to my unRAID box; as you can probably tell, I'm setting up Exchange. I can see it's because it returns a self-signed cert which isn't trusted, but how do you get around this?

```
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.example.com -d owa.example.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /config/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
tls-sni-01 challenge for www.example.com
tls-sni-01 challenge for owa.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. owa.example.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 70bc3ea9bdbbebb547c5b6291867e1af.68ceb6d13597d02bd0af560fd307b3d8.acme.invalid from 210.54.38.248:443. Received 1 certificate(s), first certificate had names "autodiscover.example.com, owa.example.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: owa.example.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   70bc3ea9bdbbebb547c5b6291867e1af.68ceb6d13597d02bd0af560fd307b3d8.acme.invalid
   from 210.54.38.248:443. Received 1 certificate(s), first certificate
   had names "autodiscover.example.com, owa.example.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
```
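The three certbot failures quoted in this thread ("Connection refused", "NXDOMAIN looking up A", and "Incorrect validation certificate") each point at a different layer: the port forward to the container, the DNS record, and which host actually answers on 443 for that name. The first two even carry the same urn (connection), so only the detail text tells them apart. As an added example, not code from the linuxserver.io container or from any poster, the Python below parses certbot's "Failed authorization procedure." line into one finding per domain and tags each with the layer to check first. The sample lines are constructed from the logs posted above; the layer names and hints are the editor's triage rules, not anything certbot emits.

```python
"""Triage certbot "Failed authorization procedure." output into per-domain findings."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PREFIX = "Failed authorization procedure."

# Constructed samples, taken from the three failures quoted in this thread.
SAMPLE_FAILURES = [
    "Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Connection refused, "
    "sub2.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Connection refused",
    "Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sub1.domain.com, "
    "sub2.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sub2.domain.com",
    "Failed authorization procedure. owa.example.com (tls-sni-01): urn:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. "
    "Requested 70bc3ea9bdbbebb547c5b6291867e1af.68ceb6d13597d02bd0af560fd307b3d8.acme.invalid from 210.54.38.248:443. "
    'Received 1 certificate(s), first certificate had names "autodiscover.example.com, owa.example.com"',
]

# One entry: "<domain> (<challenge>): <urn> :: <summary> :: <detail>". Entries are comma-separated,
# but <detail> may itself contain commas (a list of certificate names), so the end of <detail>
# is found by looking ahead for the start of the next entry instead of splitting on ", ".
ENTRY_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<urn>urn:[a-z:]+?) :: (?P<summary>.*?) :: (?P<detail>.*?)"
    r"(?=, [A-Za-z0-9.-]+ \([a-z0-9-]+\): urn:|$)",
    re.DOTALL,
)
RESPONDER_RE = re.compile(r"from (\S+?):(\d+)\.")
SERVED_NAMES_RE = re.compile(r'first certificate had names "([^"]*)"')


@dataclass
class Finding:
    domain: str
    challenge: str
    urn: str
    detail: str
    layer: str  # dns | network | routing | unknown (editor's categories)
    hint: str
    responder: Optional[Tuple[str, int]] = None  # host:port that answered, if certbot reported one
    served_names: List[str] = field(default_factory=list)


def classify(detail: str) -> Tuple[str, str]:
    """Map the free-text detail to the layer a practitioner should check first."""
    d = detail.lower()
    if "nxdomain" in d:
        return "dns", "no A record resolves for this name; create it at the nameserver (a URL redirect record is not an A record)"
    if "connection refused" in d:
        return "network", "the validator reached an IP but nothing accepted TCP on the challenge port; check the NAT rule to the container and that it is listening"
    if "timeout" in d or "timed out" in d:
        return "network", "no answer at all on the challenge port; check for an ISP block or a firewall drop rule"
    if "incorrect validation certificate" in d:
        return "routing", "a TLS server answered, but not the one running certbot; the A record or port forward points at another host"
    return "unknown", "inspect the detail text manually"


def triage(line: str) -> List[Finding]:
    """Parse one 'Failed authorization procedure.' line into findings, one per failed domain."""
    text = line.strip()
    if text.startswith(PREFIX):
        text = text[len(PREFIX):].strip()
    findings: List[Finding] = []
    for m in ENTRY_RE.finditer(text):
        detail = m.group("detail").strip()
        layer, hint = classify(detail)
        responder = None
        r = RESPONDER_RE.search(detail)
        if r:
            responder = (r.group(1), int(r.group(2)))
        names: List[str] = []
        n = SERVED_NAMES_RE.search(detail)
        if n:
            names = [x.strip() for x in n.group(1).split(",") if x.strip()]
        findings.append(Finding(m.group("domain"), m.group("challenge"), m.group("urn"),
                                detail, layer, hint, responder, names))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Group failed domains by layer so a single root cause (e.g. one bad NAT rule) stands out."""
    by_layer: dict = {}
    for f in findings:
        by_layer.setdefault(f.layer, []).append(f.domain)
    return by_layer


if __name__ == "__main__":
    for line in SAMPLE_FAILURES:
        for f in triage(line):
            extra = ""
            if f.responder:
                extra = f" (answered by {f.responder[0]}:{f.responder[1]}, serving: {', '.join(f.served_names)})"
            print(f"{f.domain:18} {f.challenge:10} {f.layer:8} {f.hint}{extra}")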
CHBMB Posted August 11, 2017
You need to set up the subdomain with your nameserver. Looks like that hasn't been done correctly from your logs.
H2OKing Posted August 15, 2017
Question. When going to a sub-domain, e.g. sub.domain.com, should it auto-load and take you to https://sub.domain.com? If so, mine is not putting in https://.
CHBMB Posted August 15, 2017
Only if that's how you configure the default file in nginx.
H2OKing Posted August 15, 2017
CHBMB said: Only if that's how you configure the default file in nginx.
Disregard, for some reason it wants to work now. I did find something. I guess there is a limit on how many certificates are handed out. I nuked the docker too many times and it won't work with a sub. How it reads, I have to wait 1 week and try again.
Lebowski Posted August 17, 2017
Hi all, I just started using this docker. I have an issue that the docker closes within 2-3 secs of it starting. I am following all the instructions from https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/ It's really strange and I can't work out what the issue is.