ijuarez Posted November 14, 2017

###Extra Settings###
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

### Add HTTP Strict Transport Security ###
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location / {
    proxy_pass https://10.20.1.39:8383/;
    proxy_max_temp_file_size 2048m;
    include /config/nginx/proxy.conf;
}
}

/mnt/cache/appdata/letsencrypt/nginx/site-confs# this is where I modified it and it stopped that error for me.

kamhighway Posted January 18
Solved File Upload Size Limitation
I had been fiddling with LSIO's letsencrypt container to make it work as a reverse proxy for LSIO's Nextcloud. The reverse proxy works, but file uploads are limited to 10MB. The solution is to edit the file proxy.conf, which for me resides in /mnt/cache/appdata/letsencrypt_lsio/nginx. The first line in that file is:
client_max_body_size 10m;
Change to:
I hope this helps
Napper198 Posted November 14, 2017
Of course there had to be a 3rd place where I have to change that. Works flawlessly now, thanks @ijuarez
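The "3rd place" problem above comes from nginx directive inheritance: client_max_body_size set at server level is overridden by the one that proxy.conf brings into the location block. As an added illustration (not code from the thread or from the linuxserver.io container), this Python walker resolves which value wins per block over in-memory stand-ins for the two files; paths, the server wrapper and the assumption that include takes a plain path (no globs) are constructed here.

```python
import re

DIRECTIVE = "client_max_body_size"

# Constructed in-memory stand-ins for the two files discussed above; the site
# conf wraps ijuarez's snippet in a server block, proxy.conf carries the 10m
# line kamhighway found. Paths are illustrative and never read from disk.
FILES = {
    "/config/nginx/site-confs/default": """
        server {
            listen 443 ssl;
            server_name _;
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
            client_max_body_size 0;          # server level: unlimited
            location / {
                proxy_pass https://10.20.1.39:8383/;
                proxy_max_temp_file_size 2048m;
                include /config/nginx/proxy.conf;
            }
        }
    """,
    "/config/nginx/proxy.conf": """
        client_max_body_size 10m;            # the 'third place' that wins for location /
        proxy_set_header Host $host;
    """,
}

def _statements(text):
    """Split nginx syntax into (words, terminator) pairs; terminator is ';', '{' or '}'.
    Comments are stripped; a ';' inside a double-quoted value (the HSTS header) is kept."""
    text = re.sub(r"#[^\n]*", "", text)
    return [(body.split(), term)
            for body, term in re.findall(r'((?:"[^"]*"|[^;{}"])*)([;{}])', text)]

def _tokens(files, path):
    """Statement stream with 'include' spliced in place (plain paths only, no globs)."""
    out = []
    for words, term in _statements(files[path]):
        if term == ";" and words and words[0] == "include":
            out.extend(_tokens(files, words[1]))
        else:
            out.append((words, term))
    return out

def effective_limits(files, entry, default="1m"):
    """Return {context: effective client_max_body_size}. The directive is inherited
    from the enclosing block and the innermost setting wins; nginx's own default is 1m."""
    results = {}
    stack = [("main", default)]
    for words, term in _tokens(files, entry):
        ctx, value = stack[-1]
        if term == "{":
            stack.append((f"{ctx} > {' '.join(words)}", value))   # child inherits parent value
        elif term == "}":
            results[ctx] = value                                  # record the block on close
            stack.pop()
        elif words and words[0] == DIRECTIVE:
            stack[-1] = (ctx, words[1])
    results["main"] = stack[0][1]
    return results

if __name__ == "__main__":
    for ctx, limit in effective_limits(FILES, "/config/nginx/site-confs/default").items():
        print(f"{ctx}: {limit}")
```

With the files as posted, "main > server" resolves to 0 (unlimited) but "main > server > location /" resolves to 10m, which is why the proxied upload still stops at 10MB until proxy.conf is edited.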
Altair Posted November 14, 2017 (edited)
4 hours ago, aptalca said:
Then it's your site config. Without seeing that, we have no idea

I found the problem. I was working outside today and realized that everything works fine from outside my LAN. Turns out my router ignores the port mapping I've created to map 80 from outside to 84 for Let's Encrypt (as 80 is the Unraid GUI). Probably going to change the GUI port to 8080 so everything works fine even inside my LAN.
Edited November 14, 2017 by Altair (Typo)
JPDom1 Posted November 15, 2017
Hi, I was using Letsencrypt for about 4 months, then had to reset my router and remap my ports, and with some extra fiddling around (updated to beta version) I broke it all. Currently having to set it all back up again; however, I cannot get the docker to start and am not sure why. I am running the latest 6.4.0 beta release rc11i and I did read some letsencrypt SSL renewal stuff, but here is my container log. It keeps saying something else is using port 443, but nothing else is, and I can change the port to anything and it still says 443 is being used. Please help?

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXX
E-mail address entered: XXX
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for XXX
Cleaning up challenges
Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-finish] sending all processes the KILL signal and exiting.

Here are all my current port mappings:

binhex-plex
binhex-sonarr 8989 9897
binhex-radarr 7878
plexrequests 3001
netdata
jackett 9117
dolphin 8080
openvpn-as 943 9444 1194
binhex-teamspeak
headphones 8282
binhex-rtorrentvpn 3000 5000 9080 9443 8118
filezilla 7809 7909
binhex-airsonic 4040
letsencrypt 81 443
nextcloud 444
mariadb 3306
plexpy 8181
deluge

Sorry they look rough; as you can see I cannot see what is using "443". On a separate note, though, with my nextcloud, when I open the GUI it loads my Unraid GUI; however, I do not have the option to map a port apart from the 444 that it already has, so I'm not sure why it is using the Unraid GUI port. Ports are mapped correctly on the router and I use no-ip (ddns.net); I also checked that the ports are open. Any help will be appreciated.
MowMdown Posted November 16, 2017 (edited)
2 hours ago, JPDom1 said:
Sorry they look rough; as you can see I cannot see what is using "443"

Unraid uses 80 & 443 on 6.4.0. Set letsencrypt to something like 445, then on your router forward port 445 --> (to) 443.
Edited November 16, 2017 by MowMdown
ijuarez Posted November 16, 2017
1 hour ago, MowMdown said:
Unraid uses 80 & 443 on 6.4.0. Set letsencrypt to something like 445, then on your router forward port 445 --> (to) 443.

But doesn't Let's Encrypt require 443? Every other way I've seen it installed, it requires that 443 be the port. Going to be interesting when 6.4 comes around.
aptalca Posted November 16, 2017
15 minutes ago, ijuarez said:
But doesn't Let's Encrypt require 443? Every other way I've seen it installed, it requires that 443 be the port. Going to be interesting when 6.4 comes around.

The port has to be 443 inside the container and on the router (WAN side), so in between those two it can go through a different port (on the Unraid host), i.e. 443 on the router forwarded to 444 on Unraid, and the letsencrypt docker container maps 444 to 443.
JPDom1 Posted November 16, 2017
@MowMdown - if I had left it at 6.3.0 I would have been OK then? Thank you for the info @aptalca & @ijuarez; I will go and test it all again tonight after work, as I got an error last night on letsencrypt for too many cert renewal attempts. On a side note, I had to change the network type from host to br0 to stop the 443 error (got 2 NICs). Will reply once sorted with what I have done.
bonienl Posted November 16, 2017
7 hours ago, aptalca said:
The port has to be 443 inside the container and on the router (WAN side), so in between those two it can go through a different port (on the Unraid host), i.e. 443 on the router forwarded to 444 on Unraid, and the letsencrypt docker container maps 444 to 443.

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.
JPDom1 Posted November 16, 2017
1 minute ago, bonienl said:
With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

Correct me if I am wrong here @bonienl. Are you saying I can assign a different IP to Letsencrypt and not worry about the port problems? For example, my Unraid runs on 192.168.1.2 and I can assign 192.168.1.3 for letsencrypt? Is this in the "edit" template of the docker then?
bonienl Posted November 16, 2017
First you need to change the network type to br0 (or eth0); the new type is automatically detected and added when the docker service is started. Once a custom network is selected, the option appears to set a fixed IP address for this specific container.
ijuarez Posted November 16, 2017
4 hours ago, bonienl said:
With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

That's nice, just wondering what prompted Unraid to put the GUI on 443?
MowMdown Posted November 16, 2017 (edited)
2 minutes ago, ijuarez said:
That's nice, just wondering what prompted Unraid to put the GUI on 443?

To use HTTPS for security, and Let's Encrypt has also been baked in for added authentication (or something to that effect).
Edited November 16, 2017 by MowMdown
JPDom1 Posted November 16, 2017
3 hours ago, bonienl said:
First you need to change the network type to br0 (or eth0); the new type is automatically detected and added when the docker service is started. Once a custom network is selected, the option appears to set a fixed IP address for this specific container.

This explains why the container started when I switched from "host" to "br0". Thank you.
aptalca Posted November 16, 2017
8 hours ago, MowMdown said:
To use HTTPS for security, and Let's Encrypt has also been baked in for added authentication (or something to that effect).

Are you sure letsencrypt is added to the Unraid GUI? Or is it just a self-signed cert?
MowMdown Posted November 17, 2017
23 hours ago, aptalca said:
Are you sure letsencrypt is added to the Unraid GUI? Or is it just a self-signed cert?

The cert for https.
JPDom1 Posted November 18, 2017
I got it all back up and running now. Thank you to everyone who advised me where to go; the 6.4.0 update surely messed up my LE docker. This is where I am now with my settings, for anyone else who has issues:

Settings - Identification - SSL Certificate settings
Use SSL - Auto
HTTP - 8080
HTTPS - 400

Now access the unRAID GUI with servername:8080. In the settings, when you expand the SSL section it reads the line below, so I put my cert in, but not sure if it makes a difference.

"A Let's Encrypt or other user-generated SSL certificate must be stored in the file /boot/config/ssl/certs/certificate_bundle.pem. nginx will prefer this certificate if present."

I run 2 NICs, so my LE docker runs as Host with ports 80 & 443, with those ports also forwarded on my router. I did try and run the container with the br0 setting for network type; however, it only assigns the IP when the container runs, and it did not stay running for long enough to get the cert, and with my stup** Vodafone router I have to map ports to an IP or device, so it basically just did not work for me. Should work if you have a decent router, unlike me.

Finally, I switched from NO-IP to DUCKDNS, and I had to manually update my IP as DUCKDNS did not, so to do that just use this URL:
https://www.duckdns.org/update/domainname/token
peter_sm Posted November 19, 2017 (edited)
On 2017-11-07 at 10:30 PM, GilbN said:
I'm having some trouble with this. My jail.local in /config looks like this:

# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5

[ssh]
enabled = false

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=<[email protected]>]

[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /config/log/nginx/access.log
maxretry = 2

[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /config/log/nginx/access.log

And in config/action.d I copied the sendmail-whois.conf to sendmail-whois.local:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#

[INCLUDES]
before = sendmail-common.conf

[Definition]
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<username> -ap<password> <dest>

[Init]
# Default name of the chain
# name = default

But I get this in fail2ban.log:

2017-11-07 22:16:42,999 fail2ban.jail [310]: INFO Jail 'nginx-http-auth' started
2017-11-07 22:16:43,001 fail2ban.jail [310]: INFO Jail 'nginx-botsearch' started
2017-11-07 22:16:43,002 fail2ban.jail [310]: INFO Jail 'nginx-badbots' started
2017-11-07 22:16:43,009 fail2ban.utils [310]: ERROR printf %b "Subject: [Fail2Ban] letsencrypt: started on `uname -n` Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"` From: Fail2Ban <fail2ban> To: <email@gmail.com>\n Hi,\n The jail letsencrypt has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f fail2ban <email@gmail.com> -- stderr:
2017-11-07 22:16:43,009 fail2ban.utils [310]: ERROR -- stderr: '/bin/sh: syntax error: unexpected end of file'
2017-11-07 22:16:43,009 fail2ban.utils [310]: ERROR printf %b "Subject: [Fail2Ban] letsencrypt: started on `uname -n` Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"` From: Fail2Ban <fail2ban> To: <email@gmail.com>\n Hi,\n The jail letsencrypt has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f fail2ban <email@gmail.com> -- returned 2
2017-11-07 22:16:43,010 fail2ban.actions [310]: ERROR Failed to start jail 'nginx-http-auth' action 'sendmail-whois': Error starting action Jail('nginx-http-auth')/sendmail-whois

It's like it skips the .local file and uses the sendmail-whois.conf file???
I even completely removed the container and deleted the image and /config folder, but this still happens. When I bash into the container and do this:

sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auMYEMAILADDRESS -apMYPASSWORD <mail.txt

it works just fine. Anyone know what's wrong?

I have the same in my logfile! Any solution on this?
Edited November 19, 2017 by peter_sm
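To make the bantime/findtime/maxretry values in the quoted jail.local concrete, here is an added Python model (not fail2ban's own code and not from the thread) that replays a constructed nginx error.log through the nginx-http-auth jail's counting rules; the failregex is a simplified assumption standing in for fail2ban's filter.d/nginx-http-auth.conf, and the sample log lines and IPs are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [DEFAULT] section of the jail.local quoted above.
BANTIME = 600    # seconds a host stays banned
FINDTIME = 600   # window (seconds) in which failures are counted
MAXRETRY = 5     # failures inside FINDTIME that trigger a ban

# Simplified stand-in for fail2ban's nginx-http-auth failregex (assumption: the
# real filter is broader). nginx's auth_basic logs "password mismatch" and
# 'was not found in "<htpasswd file>"' for failed logins.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*":? (?:password mismatch|(?:was|is) not found(?: in "[^"]*")?), '
    r'client: (?P<host>\S+), server: \S*, request: "[^"]*", host: "[^"]*"'
)

def _line(ts, ip, msg):
    """Build one constructed error.log line in nginx's auth_basic format."""
    return (f'{ts} [error] 312#312: *17 user "admin"{msg}, client: {ip}, '
            f'server: secret.duckdns.org, request: "GET / HTTP/1.1", host: "secret.duckdns.org"')

MISMATCH = ': password mismatch'
NOTFOUND = ' was not found in "/config/nginx/.htpasswd"'

# Constructed sample of /config/log/nginx/error.log (not a real capture).
SAMPLE_LOG = [
    _line("2017/11/07 22:00:00", "192.0.2.5", MISMATCH),
    _line("2017/11/07 22:03:30", "192.0.2.5", MISMATCH),
    _line("2017/11/07 22:07:00", "192.0.2.5", MISMATCH),
    _line("2017/11/07 22:10:01", "203.0.113.7", MISMATCH),
    _line("2017/11/07 22:10:03", "203.0.113.7", MISMATCH),
    _line("2017/11/07 22:10:20", "203.0.113.7", MISMATCH),
    _line("2017/11/07 22:10:30", "192.0.2.5", MISMATCH),
    '2017/11/07 22:10:40 [notice] 312#312: signal process started',   # not a failure
    _line("2017/11/07 22:11:10", "198.51.100.9", NOTFOUND),
    _line("2017/11/07 22:11:30", "203.0.113.7", MISMATCH),
    _line("2017/11/07 22:12:05", "203.0.113.7", MISMATCH),   # 5th hit within 600 s: ban
    _line("2017/11/07 22:12:30", "203.0.113.7", MISMATCH),   # already banned, ignored
    _line("2017/11/07 22:14:00", "192.0.2.5", MISMATCH),     # 5 hits, but spread over > 600 s
]

def parse_line(line):
    """Return (timestamp, client_ip) for a basic-auth failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("host")

def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay log lines in order; return [(ban_time, ip), ...] in the order bans fire."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> datetime the ban expires
    bans = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue                # not a failure: the filter ignores it
        ts, ip = hit
        if ip in banned_until and ts < banned_until[ip]:
            continue                # still banned: no new ban is raised
        window = failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans

if __name__ == "__main__":
    for when, ip in simulate(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} ban {ip}")
```

Only 203.0.113.7 gets banned with the posted values; 192.0.2.5 also fails five times but its attempts never fall inside one 600 s findtime window, which a longer findtime (1200) would catch.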
DZMM Posted November 21, 2017
Has anyone got this working with organizr?
Muff Posted November 24, 2017
Hi, I'm having some problems with renewal of my certificate, and I haven't got the hang of all the parts of a "certificate" and the process needed. When I SSH into my unRaid server the tool "certbot" doesn't exist, and when I run "certtool" I get stuck on:

root@Muff:/# certtool -u --load-ca-privkey="/mnt/user/appdata/letsencrypt/keys/cert.key" --load-ca-certificate="/mnt/user/appdata/letsencrypt/keys/cert.crt"
Generating a signed certificate...
missing --load-certificate
root@Muff:/#

I don't know where I can find "--load-certificate". And this is the log from the container:

-------------------------------------
[linuxserver.io ASCII banner]
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d secret.duckdns.org
E-mail address entered: [email protected]
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Thu Nov 23 16:23:28 CET 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/secret.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111
Error output from s6-svc:
s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for secret.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/secret.duckdns.org.conf produced an unexpected error: Failed authorization procedure. cizco.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
Running post-hook command: s6-svc -u /var/run/s6/services/nginx ; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
Error output from s6-svc:
s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/secret.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: secret.duckdns.org
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

DuckDNS.org has the correct WAN IP and it gets its update from my router (ubnt UniFi Security Gateway 3P).

Thank you!
sirkuz Posted November 25, 2017
On 11/16/2017 at 5:43 AM, bonienl said:
With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

This feature alone makes 6.4 so worth the wait. As soon as it's released I am upgrading my second license just for the heck of it, so I have two Pro versions for my live and my test machines.
aptalca Posted November 25, 2017
13 hours ago, Muff said:
Hi, I'm having some problems with renewal of my certificate, and I haven't got the hang of all the parts of a "certificate" and the process needed. When I SSH into my unRaid server the tool "certbot" doesn't exist, and when I run "certtool" I get stuck on:

root@Muff:/# certtool -u --load-ca-privkey="/mnt/user/appdata/letsencrypt/keys/cert.key" --load-ca-certificate="/mnt/user/appdata/letsencrypt/keys/cert.crt"
Generating a signed certificate...
missing --load-certificate
root@Muff:/#

I don't know where I can find "--load-certificate". And this is the log from the container:

-------------------------------------
[linuxserver.io ASCII banner]
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d secret.duckdns.org
E-mail address entered: [email protected]
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Thu Nov 23 16:23:28 CET 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/secret.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111
Error output from s6-svc:
s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for secret.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/secret.duckdns.org.conf produced an unexpected error: Failed authorization procedure. cizco.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
Running post-hook command: s6-svc -u /var/run/s6/services/nginx ; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
Error output from s6-svc:
s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/secret.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: secret.duckdns.org
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

DuckDNS.org has the correct WAN IP and it gets its update from my router (ubnt UniFi Security Gateway 3P).

Thank you!

Looks like you didn't forward the port on your router.
steve1977 Posted November 25, 2017
Thanks for developing this docker. I am on Unraid 6.4.0_rc14. Not fully clear to me from reading this thread whether this is making things easier with letsencrypt or more difficult. I have not succeeded yet in setting up the docker. A few issues:

* Setting the https port in docker settings to 443 does not work (related to 6.4?). Also tried 445, which also doesn't work (though not taken by Unraid). I tried 444, which happens to work. Would love to understand, though, why 443 and 445 are not working.
* I cannot access the UI. The log shows me two error messages:
certbot: error: argument --cert-path: No such file or directory
Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
[s6-finish] sending all processes the KILL signal and exiting.

I have not forwarded any ports in my router yet, so this may be related? Also, I am not sure whether I can even forward ports in my router, as my ISP may restrict this?
sparklyballs Posted November 25, 2017
7 minutes ago, steve1977 said:
Thanks for developing this docker. I am on Unraid 6.4.0_rc14. Not fully clear to me from reading this thread whether this is making things easier with letsencrypt or more difficult. I have not succeeded yet in setting up the docker. A few issues:
* Setting the https port in docker settings to 443 does not work (related to 6.4?). Also tried 445, which also doesn't work (though not taken by Unraid). I tried 444, which happens to work. Would love to understand, though, why 443 and 445 are not working.
* I cannot access the UI. The log shows me two error messages:
certbot: error: argument --cert-path: No such file or directory
Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
[s6-finish] sending all processes the KILL signal and exiting.
I have not forwarded any ports in my router yet, so this may be related? Also, I am not sure whether I can even forward ports in my router, as my ISP may restrict this?

You have multiple issues to resolve here, in no particular order:
- resolve the webui and container port clash
- ensure your dynamic DNS address is updated, otherwise the domain name won't resolve to your IP
- sort out port forwarding, as without this nothing will function
steve1977 Posted November 25, 2017
Thanks, that's quite an issue... Any pointers on the first two issues? And maybe also any thoughts on whether there is a tool around that allows me to check whether port forwarding is even possible with my ISP (and if so, which ports)?