[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

19 minutes ago, saarg said:

Why are you using command line? Sudoku is not used on unraid, so if you are running anything other than unraid, please go to our forum at linuxserver.io to get help.

Hahaha, sorry, I realize now that this is the wrong forum... Yeah, I'm not using unraid. Thanks for trying to help me though!


8 hours ago, RAINMAN said:

I'm a bit confused now that I am trying to add another subdomain.

When I look at the certificates for all my domains they are issued to plex.mydomain.com. Even if the domain is grafana.mydomain.com, it's still coming up as valid. Do I have this setup right? I would have expected it to be issued for each subdomain? (Note: I am not using the letsencrypt docker for the top level domain. That is hosted separately.)

Second, I was trying to add a subdomain for crashplan and it appears right, but it didn't load the actual VNC content. It loads the title bar and the certificate is green (but issued to plex.mydomain.com).

To resolve this I had to add the following 2 lines to the location block. Maybe it will help someone if they have the same issue.

    location / {

        # Added block for websockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:7810;
    }


Certificates can contain multiple urls. Your browser is likely showing the first one listed. If you click on the details you'll see all of them. If the address didn't match, you wouldn't get the green padlock and would get a warning instead. 
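A small check, added here as an example and not code from the thread or the SWAG image, of how a browser decides the padlock: the summary shows the subject CN (the first name), but validation runs over every Subject Alternative Name, so grafana.mydomain.com is valid on a certificate "issued to" plex.mydomain.com, while a hostname absent from the list is what surfaces as NET::ERR_CERT_COMMON_NAME_INVALID. The certificate dicts are constructed in the shape Python's getpeercert() returns; lidarr.mydomain.com is a made-up name outside the list.

```python
"""Hostname-vs-certificate check, modelled on browser behaviour.
Added example, not code from the thread or from the SWAG image; the dicts
below are constructed in the shape ssl.SSLSocket.getpeercert() returns."""

# Constructed sample: one certificate covering three subdomains, as SWAG
# requests when SUBDOMAINS=plex,grafana,crashplan.
MULTI_SAN_CERT = {
    "subject": ((("commonName", "plex.mydomain.com"),),),
    "subjectAltName": (
        ("DNS", "plex.mydomain.com"),
        ("DNS", "grafana.mydomain.com"),
        ("DNS", "crashplan.mydomain.com"),
    ),
}

# Constructed sample: a wildcard certificate for the same zone.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}


def displayed_name(cert):
    """The name a browser's padlock summary shows: the subject commonName."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_names(cert):
    """Every DNS name a verifier will accept: the SAN list, falling back to
    the CN only when the certificate carries no SAN extension at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    cn = displayed_name(cert)
    return [cn] if cn else []


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a leading '*.' stands
    for exactly one label, so *.mydomain.com covers grafana.mydomain.com but
    neither mydomain.com nor a.b.mydomain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return (len(p_labels) == len(h_labels)
                and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return pattern == hostname


def covers(cert, hostname):
    """True when the certificate is valid for hostname (green padlock);
    False is what the browser reports as NET::ERR_CERT_COMMON_NAME_INVALID."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


if __name__ == "__main__":
    for host in ("grafana.mydomain.com", "lidarr.mydomain.com"):
        status = "valid" if covers(MULTI_SAN_CERT, host) else "NET::ERR_CERT_COMMON_NAME_INVALID"
        print(f"{host}: shown as issued to {displayed_name(MULTI_SAN_CERT)}, {status}")
```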

May I ask why some sites don't show properly while they are behind reverse proxies? An easy sample is the unraid webui (just as a sample).

Maybe some hints on where to start to get all sites properly proxied?

It's better here to use site.domain.com instead of domain.com/site, but I still have errors like this on several proxied local sites...

and can't find a real solution...

It's for one or both of the two reasons below, in general.

1. The site you're trying to reverse proxy doesn't have a setup that lends itself to proxying well.

2. LetsEncrypt/Nginx isn't configured properly.

There's no magical formula.

On 12/15/2017 at 10:10 AM, local.bin said:

You need to go back and make the other changes I mentioned, as what you quoted was not what I posted. Changing the action will stop it trying to send the mail from localhost:

Edit jail.local and add the following to the nextcloud or other jail;

mta      = sendmail
action   = sendmail-whois[name=nextcloud, dest=<destination email address>]

Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part;

Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

Hm, when looking at what I posted I just see the same?

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=<[email protected]>]

Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<username> -ap<password> <dest>

Every time I start the docker I get the following message in the log;

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d bacnet.duckdns.org
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for duckdns.org
tls-sni-01 challenge for bacnet.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
- The following errors were reported by the server:

Domain: duckdns.org
Type: connection
Detail: Timeout

Domain: bacnet.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting. 

16 hours ago, sgt_spike said:

Every time I start the docker I get the following message in the log;


It seems you have two issues:

1. Your URL should be bacnet.duckdns.org, not duckdns.org, because you do not control duckdns.org

2. bacnet is not properly forwarded to your IP and/or container

32 minutes ago, aptalca said:

It seems you have two issues:

1. Your URL should be bacnet.duckdns.org, not duckdns.org, because you do not control duckdns.org

2. bacnet is not properly forwarded to your IP and/or container

For the settings, duckdns.org should be the domain and bacnet should be in the subdomain?

To forward bacnet to unraid do I edit the duckdns docker?

2 hours ago, sgt_spike said:

For the settings, duckdns.org should be the domain and bacnet should be in the subdomain?

To forward bacnet to unraid do I edit the duckdns docker?

@sgt_spike does duckdns.org have your updated IP when you log into duckdns website?

2 hours ago, blurb2m said:

@sgt_spike does duckdns.org have your updated IP when you log into duckdns website?

Yes it does

Just now, sgt_spike said:

Yes it does

@sgt_spike

My duckdns docker has my subdomain listed under SUBDOMAINS (yours would be bacnet) and the token is from the duckdns webpage.

Those are the only 2 edits I have ever made to the duckdns docker.

Within the LE docker settings I have my host port set to 9443 and that forwards to 443 inside the container.

In my router, I have a port forward that forwards 443 WAN to <unRAID IP>:9443

So from the outside it looks like:

subdomain.duckdns.org:443 -> router forwards this to <unRAID IP>:9443 -> to inside LE docker 443

Hope this helps.

9 minutes ago, blurb2m said:

@sgt_spike

My duckdns docker has my subdomain listed under SUBDOMAINS (yours would be bacnet) and the token is from the duckdns webpage.

Seems like I get the same errors

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
No subdomains defined
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for bacnet.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: bacnet.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

@sgt_spike oh! change that LE docker setting where it says "only subdomains" to "true". you only want to generate certs for bacnet

that should definitely help, if not you do have another issue about a missing variable.

hmm your settings look different, mine has Email, Domain Name, subdomain(s), only subdomains

change Domain Name: "duckdns.org" (without quotes)

click the button at the bottom that says "Add another Path, Port, Variable or Device"

Config type: Variable
Name: Subdomain(s)
Key: SUBDOMAINS
Value: bacnet
Description: Subdomains you'd like the cert to cover (comma separated, no spaces) ie www,ftp,cloud,

This should tell LE which certs to generate and not try to generate them for the duckdns main domain since you don't own that.

7 hours ago, blurb2m said:

@sgt_spike oh! change that LE docker setting where it says "only subdomains" to "true". you only want to generate certs for bacnet

Don't do that. That is incorrect

7 hours ago, aptalca said:

Don't do that. That is incorrect

Don't do what? What's incorrect?

7 hours ago, blurb2m said:

@sgt_spike Did the above help?

No I got the same error message. I feel like I have something missing. I just don't know

2 hours ago, sgt_spike said:

Don't do what? What's incorrect?

No I got the same error message. I feel like I have something missing. I just don't know

Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org

Did you reboot the router after you set the port forward? Maybe you have to

1 hour ago, aptalca said:

Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org

Did you reboot the router after you set the port forward? Maybe you have to

Did as you suggested. Got the same error. I was looking around and opened the "don'teditthisfile.conf" and noticed it never updates when I changed the docker settings. I removed the docker and re-installed it.

Do I need to supply a pw along with the email address in order to gain access to my duckdns.org account?

I'm going nuts over here. I have had plex up and running perfectly for months. Now something has changed and I am not sure if it's a cert thing or not. Last night my friend couldn't reach my server, but I could reach it from my phone not on wifi and at my work computer. Plex also showed that it was accessible from outside my network. Now it shows that the remote connection is no longer accessible. I can access it outside my network, and when I try to connect I get a NET::ERR_CERT_COMMON_NAME_INVALID error. I'm not sure if this has to do with my reverse proxy or plex or something else. I updated and restarted my edgerouter x, I checked updates on plex and the letsencrypt docker. I checked to make sure requests were going through the firewall and they were as they always have been. I am not sure where the problem lies. Anyone else having this issue?

    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.5:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.5:32400/web;
    }

This is the plex related section of my default file for nginx

Is anyone using Lidarr? It works, but the icons don't display:

    # Lidarr
    location /lidarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://172.32.12.69:8686/lidarr/;
    }

12 hours ago, DZMM said:

Is anyone using Lidarr? It works, but the icons don't display:

This works for me. 

    # LIDARR CONTAINER
    location ^~ /lidarr {
        #auth_request /auth-admin;
        proxy_pass http://192.168.1.34:8686/lidarr;
        include /config/nginx/proxy.conf;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }


Try and remove your trailing / on the proxy_pass line

Edited by GilbN

8 hours ago, GilbN said:

This works for me.

Try and remove your trailing / on the proxy_pass line

Thank you - that did the trick.  Out of interest, what do your extra lines do?

Is there a way to use this with Cloudflare without manually stopping the proxy? The tls-sni-01 challenge keeps failing until I turn off the proxy.

Let's Encrypt log

 



Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.jacksparrow1234.com -d nextcloud.greygooseman.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for jacksparrow1234.com
tls-sni-01 challenge for www.jacksparrow1234.com
tls-sni-01 challenge for nextcloud.jacksparrow1234.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.jacksparrow1234.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 9111a98c620472f4c2706a71f638ddbf.3f4653460ed4c2584ab728fcde4f3ccf.acme.invalid from 452.149.238.180:443. Received 1 certificate(s), first certificate had names "mediaserver, mediaserver.local", www.jacksparrow1234.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b032986d6daccd2444bf41b0362457e3.dad5d11f4fdac008afcf427953089bfd.acme.invalid from 452.149.238.180:443. Received 1 certificate(s), first certificate had names "mediaserver, mediaserver.local"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.jacksparrow1234.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9111a98c620472f4c2706a71f638ddbf.3f4653460ed4c2584ab728fcde4f3ccf.acme.invalid
from 452.149.238.180:443. Received 1 certificate(s), first
certificate had names "mediaserver, mediaserver.local"

Domain: www.jacksparrow1234.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b032986d6daccd2444bf41b0362457e3.dad5d11f4fdac008afcf427953089bfd.acme.invalid
from 212.159.138.140:443. Received 1 certificate(s), first
certificate had names "mediaserver, mediaserver.local"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

8 hours ago, Greygoose said:

Let's Encrypt log

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
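Added example (not code from the thread or from the container) that parses the "Failed authorization procedure." line from the logs in this thread into per-domain errors and says what to check next: the connection/Timeout case from the bacnet.duckdns.org logs, the parent zone the poster does not control, and the "Incorrect validation certificate ... first certificate had names" case from the Cloudflare post, where something other than the container answered on 443. The log lines are constructed in the posted format, with placeholder IP 203.0.113.10 and shortened tokens.

```python
"""Triage of certbot's 'Failed authorization procedure.' line for tls-sni-01.
Added example, not code from the thread or the letsencrypt image; the two log
lines are constructed in the posted format (placeholder IP, shortened tokens)."""
import re

# Constructed samples in the format of the posted logs.
CONNECTION_LINE = (
    "Failed authorization procedure. duckdns.org (tls-sni-01): urn:acme:error:connection"
    " :: The server could not connect to the client to verify the domain :: Timeout,"
    " bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection"
    " :: The server could not connect to the client to verify the domain :: Timeout"
)
UNAUTHORIZED_LINE = (
    "Failed authorization procedure. nextcloud.jacksparrow1234.com (tls-sni-01):"
    " urn:acme:error:unauthorized :: The client lacks sufficient authorization ::"
    " Incorrect validation certificate for tls-sni-01 challenge. Requested"
    " 9111a98c.3f465346.acme.invalid from 203.0.113.10:443. Received 1 certificate(s),"
    ' first certificate had names "mediaserver, mediaserver.local"'
)

PREFIX = "Failed authorization procedure. "
# One entry per domain: 'name (challenge): urn:acme:error:TYPE :: summary :: detail'.
# Entries are comma-separated, but a detail can itself contain commas (the quoted
# certificate names above), so each entry ends at a lookahead for the next
# 'name (challenge): urn:acme:error:' rather than at ', '.
ENTRY = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"urn:acme:error:(?P<error>[A-Za-z]+) :: (?P<summary>.*?) :: (?P<detail>.*?)"
    r"(?=, [A-Za-z0-9.-]+ \([a-z0-9-]+\): urn:acme:error:|$)"
)


def parse_failures(line):
    """One dict (domain, challenge, error, summary, detail) per failed name;
    [] for any other log line."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return []
    return [m.groupdict() for m in ENTRY.finditer(line[len(PREFIX):])]


def parent_zones(domains):
    """Requested names that are the parent zone of another requested name
    (duckdns.org beside bacnet.duckdns.org). The operator controls only the
    subdomain, so the CA can never validate the parent: set the URL to the
    name you control instead of retrying."""
    names = set(domains)
    return sorted(d for d in names
                  if any(o.endswith("." + d) for o in names if o != d))


def triage(entry, unowned=()):
    """Map one failed entry to the next thing to check."""
    domain = entry["domain"]
    if domain in unowned:
        return "parent zone of another requested name, not yours to validate: remove it"
    if entry["error"] == "connection":
        return ("443 for %s never reached the container: check the DNS A record, the "
                "router forward to the container's host port, and the firewall" % domain)
    served = re.search(r'had names "([^"]*)"', entry["detail"])
    if entry["error"] == "unauthorized" and served:
        return ("something else answered on 443 for %s and served a certificate for %s: "
                "another device, service or proxy (e.g. Cloudflare's) sits in front of "
                "the container" % (domain, served.group(1)))
    return "%s: %s" % (domain, entry["detail"])


def triage_line(line):
    """(domain, advice) pairs for one 'Failed authorization procedure.' line."""
    entries = parse_failures(line)
    unowned = parent_zones(e["domain"] for e in entries)
    return [(e["domain"], triage(e, unowned)) for e in entries]
```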
