benpete22 Posted December 17, 2017

19 minutes ago, saarg said:
> Why are you using command line? Sudoku is not used on unraid, so if you are running anything other than unraid, please go to our forum at linuxserver.io to get help.

Hahaha, sorry, I realize now that this is the wrong forum... Yeah, I'm not using unraid. Thanks for trying to help me though!
aptalca Posted December 18, 2017

8 hours ago, RAINMAN said:
> I'm a bit confused now that I am trying to add another subdomain. When I look at the certificates for all my domains they are issued to plex.mydomain.com. Even if the domain is grafana.mydomain.com but it's still coming up as valid. Do I have this setup right? I would have expected it to be issued for each subdomain? (Note: I am not using letsencrypt docker for the top level domain. That is hosted separate)
>
> Second, I was trying to add a subdomain for crashplan and it appears right, but it didn't load the actual VNC content. It loads the title bar and the certificate is green (but issued to plex.mydomain.com). To resolve this I had to add the following 2 lines to the /location block. Maybe it will help someone if they have the same issue.
>
>     location / {
>         # Added block for websockets
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         auth_basic "Restricted";
>         auth_basic_user_file /config/nginx/.htpasswd;
>         include /config/nginx/proxy.conf;
>         proxy_pass http://192.168.0.100:7810;
>     }

Certificates can contain multiple urls. Your browser is likely showing the first one listed. If you click on the details you'll see all of them. If the address didn't match, you wouldn't get the green padlock and would get a warning instead.
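The name check described in the reply above, as an added example (not code from any poster or from the container). It assumes the certificate's name list holds the two hostnames mentioned in the post; the wildcard entry and the other hostnames are constructed to show the edge cases.

```python
def _labels(name):
    """Lower-cased DNS labels of a name, ignoring trailing root dots."""
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """True if one dNSName entry of a certificate covers hostname.

    A wildcard is honoured only as the whole left-most label, stands for
    exactly one label, and needs at least two labels after it.
    """
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def check_host(hostname, san_list):
    """Summarise what a client sees for hostname against a name list."""
    matched = [san for san in san_list if san_matches(hostname, san)]
    return {
        "first_listed": san_list[0] if san_list else None,  # name shown up front
        "valid": bool(matched),         # padlock if any entry matches
        "matched_by": matched,
    }


# Assumed name list: the two hostnames named in the post above.
CERT_NAMES = ["plex.mydomain.com", "grafana.mydomain.com"]
# Constructed wildcard list for the edge cases.
WILDCARD_NAMES = ["*.mydomain.com"]

if __name__ == "__main__":
    for host in ("grafana.mydomain.com", "crashplan.mydomain.com"):
        print(host, check_host(host, CERT_NAMES))
    for host in ("crashplan.mydomain.com", "a.b.mydomain.com", "mydomain.com"):
        print(host, check_host(host, WILDCARD_NAMES))
```

A hostname that is missing from the list fails the check even though the first listed name is unchanged.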
alturismo Posted December 18, 2017

May I ask why some sites don't show properly while they are behind reverse proxies? Easy sample: unraid webui (just as sample).

Maybe some hints where to start to get all sites properly proxied? It's better here to use site.domain.com instead of domain.com/site, but still I have errors like this on several proxied local sites ... and can't find a real solution ..
CHBMB Posted December 18, 2017

It's for one of two or both the below reasons in general.

1. The site you're trying to reverse proxy doesn't have a setup that lends itself to proxying well.
2. LetsEncrypt/Nginx isn't configured properly.

There's no magical formula.

Sent from my LG-H815 using Tapatalk
GilbN Posted December 18, 2017

On 12/15/2017 at 10:10 AM, local.bin said:
> You need to go back and make the other changes I mentioned, as what you quoted was not what I posted. changing the action will stop it trying to send the mail from localhost:
>
> Edit jail.local and add the following to the nextcloud or other jail;
>
>     mta = sendmail
>     action = sendmail-whois[name=nextcloud, dest=<destination email address>]
>
> Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part;
>
>     Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

Hm, when looking at what I posted I just see the same?

    [nginx-http-auth]
    enabled = true
    filter = nginx-http-auth
    port = http,https
    logpath = /config/log/nginx/error.log
    mta = sendmail
    action = sendmail-whois[name=letsencrypt, dest=<[email protected]>]

    Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<username> -ap<password> <dest>
sgt_spike Posted December 20, 2017

Every time I start the docker I get the following message in the log;

    Brought to you by linuxserver.io
    We gratefully accept donations at:
    https://www.linuxserver.io/donations/
    -------------------------------------
    GID/UID
    -------------------------------------
    User uid: 99
    User gid: 100
    -------------------------------------
    [cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    2048 bit DH parameters present
    SUBDOMAINS entered, processing
    Sub-domains processed are: -d bacnet.duckdns.org
    E-mail address entered: [email protected]
    Generating new certificate
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for duckdns.org
    tls-sni-01 challenge for bacnet.duckdns.org
    Waiting for verification...
    Cleaning up challenges
    IMPORTANT NOTES:
    Failed authorization procedure. duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
    - The following errors were reported by the server:
    Domain: duckdns.org
    Type: connection
    Detail: Timeout
    Domain: bacnet.duckdns.org
    Type: connection
    Detail: Timeout
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    /var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
    [cont-init.d] 50-config: exited 1.
    [cont-finish.d] executing container finish scripts...
    [cont-finish.d] done.
    [s6-finish] syncing disks.
    [s6-finish] sending all processes the TERM signal.
    [s6-finish] sending all processes the KILL signal and exiting.
aptalca Posted December 21, 2017

16 hours ago, sgt_spike said:
> Every time I start the docker I get the following message in the log;
>
>     Brought to you by linuxserver.io
>     We gratefully accept donations at:
>     https://www.linuxserver.io/donations/
>     -------------------------------------
>     GID/UID
>     -------------------------------------
>     User uid: 99
>     User gid: 100
>     -------------------------------------
>     [cont-init.d] 10-adduser: exited 0.
>     [cont-init.d] 20-config: executing...
>     [cont-init.d] 20-config: exited 0.
>     [cont-init.d] 30-keygen: executing...
>     using keys found in /config/keys
>     [cont-init.d] 30-keygen: exited 0.
>     [cont-init.d] 50-config: executing...
>     2048 bit DH parameters present
>     SUBDOMAINS entered, processing
>     Sub-domains processed are: -d bacnet.duckdns.org
>     E-mail address entered: [email protected]
>     Generating new certificate
>     Saving debug log to /var/log/letsencrypt/letsencrypt.log
>     Obtaining a new certificate
>     Performing the following challenges:
>     tls-sni-01 challenge for duckdns.org
>     tls-sni-01 challenge for bacnet.duckdns.org
>     Waiting for verification...
>     Cleaning up challenges
>     IMPORTANT NOTES:
>     Failed authorization procedure. duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
>     - The following errors were reported by the server:
>     Domain: duckdns.org
>     Type: connection
>     Detail: Timeout
>     Domain: bacnet.duckdns.org
>     Type: connection
>     Detail: Timeout
>     To fix these errors, please make sure that your domain name was
>     entered correctly and the DNS A record(s) for that domain
>     contain(s) the right IP address. Additionally, please check that
>     your computer has a publicly routable IP address and that no
>     firewalls are preventing the server from communicating with the
>     client. If you're using the webroot plugin, you should also verify
>     that you are serving files from the webroot path you provided.
>     /var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
>     [cont-init.d] 50-config: exited 1.
>     [cont-finish.d] executing container finish scripts...
>     [cont-finish.d] done.
>     [s6-finish] syncing disks.
>     [s6-finish] sending all processes the TERM signal.
>     [s6-finish] sending all processes the KILL signal and exiting.

It seems you have two issues:

1. Your url should be bacnet.duckdns.org not duckdns.org because you do not control duckdns.org
2. bacnet is not properly forwarded to your ip and/or container
sgt_spike Posted December 21, 2017

32 minutes ago, aptalca said:
> It seems you have two issues:
>
> 1. Your url should be bacnet.duckdns.org not duckdns.org because you do not control duckdns.org
> 2. bacnet is not properly forwarded to your ip and/or container

for the settings, duckdns.org should be the domain and bacnet should be in the subdomain?

to forward bacnet to unraid do I edit the duckdns docker?
blurb2m Posted December 21, 2017

2 hours ago, sgt_spike said:
> for the settings, duckdns.org should be the domain and bacnet should be in the subdomain?
>
> to forward bacnet to unraid do I edit the duckdns docker?

@sgt_spike does duckdns.org have your updated IP when you log into duckdns website?
sgt_spike Posted December 21, 2017

2 hours ago, blurb2m said:
> @sgt_spike does duckdns.org have your updated IP when you log into duckdns website?

Yes it does
blurb2m Posted December 21, 2017

Just now, sgt_spike said:
> Yes it does

@sgt_spike My duckdns docker has my subdomain listed under SUBDOMAINS (yours would be bacnet) and the token is from the duckdns webpage. Those are the only 2 edits I have ever made to duckdns docker.

Within the LE docker settings I have my host port set to 9443 and that forwards to 443 inside the container.

In my router, I have a port forward that forwards 443 WAN to <unRAID IP>:9443

So from the outside it looks like:

    subdomain.duckdns.org:443 -> router forwards this to <unRAID IP>:9443 -> to inside LE docker 443

Hope this helps.
sgt_spike Posted December 21, 2017

9 minutes ago, blurb2m said:
> @sgt_spike My duckdns docker has my subdomain listed under SUBDOMAINS (yours would be bacnet) and the token is from the duckdns webpage. Those are the only 2 edits I have ever made to duckdns docker.
>
> Within the LE docker settings I have my host port set to 9443 and that forwards to 443 inside the container.
>
> In my router, I have a port forward that forwards 443 WAN to <unRAID IP>:9443
>
> So from the outside it looks like:
>
>     subdomain.duckdns.org:443 -> router forwards this to <unRAID IP>:9443 -> to inside LE docker 443
>
> Hope this helps.

Seems like I get the same errors

    [cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    2048 bit DH parameters present
    No subdomains defined
    E-mail address entered: [email protected]
    Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
    usage:
    certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
    Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
    it will attempt to use a webserver both for obtaining and installing the
    cert.
    certbot: error: argument --cert-path: No such file or directory
    Generating new certificate
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for bacnet.duckdns.org
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
    IMPORTANT NOTES:
    - The following errors were reported by the server:
    Domain: bacnet.duckdns.org
    Type: connection
    Detail: Timeout
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    /var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
    [cont-init.d] 50-config: exited 1.
    [cont-finish.d] executing container finish scripts...
    [cont-finish.d] done.
    [s6-finish] syncing disks.
    [s6-finish] sending all processes the TERM signal.
    [s6-finish] sending all processes the KILL signal and exiting.
blurb2m Posted December 21, 2017

@sgt_spike oh! change that LE docker setting where it says "only subdomains" to "true". you only want to generate certs for bacnet

that should definitely help, if not you do have another issue about a missing variable.

hmm your settings look different, mine has Email, Domain Name, subdomain(s), only subdomains

change Domain Name: "duckdns.org" (without quotes)

click the button at the bottom that says "Add another Path, Port, Variable or Device"

    Config type: Variable
    Name: Subdomain(s)
    Key: SUBDOMAINS
    Value: bacnet
    Description: Subdomains you'd like the cert to cover (comma separated, no spaces) ie www,ftp,cloud,

This should tell LE which certs to generate and not try to generate them for the duckdns main domain since you don't own that.
blurb2m Posted December 22, 2017

@sgt_spike Did the above help?
aptalca Posted December 22, 2017

7 hours ago, blurb2m said:
> @sgt_spike oh! change that LE docker setting where it says "only subdomains" to "true". you only want to generate certs for bacnet
>
> that should definitely help, if not you do have another issue about a missing variable.
>
> hmm your settings look different, mine has Email, Domain Name, subdomain(s), only subdomains
>
> change Domain Name: "duckdns.org" (without quotes)
>
> click the button at the bottom that says "Add another Path, Port, Variable or Device"
>
>     Config type: Variable
>     Name: Subdomain(s)
>     Key: SUBDOMAINS
>     Value: bacnet
>     Description: Subdomains you'd like the cert to cover (comma separated, no spaces) ie www,ftp,cloud,
>
> This should tell LE which certs to generate and not try to generate them for the duckdns main domain since you don't own that.

Don't do that. That is incorrect
sgt_spike Posted December 22, 2017

7 hours ago, aptalca said:
> Don't do that. That is incorrect

Don't do what? What's incorrect?

7 hours ago, blurb2m said:
> @sgt_spike Did the above help?

No I got the same error message. I feel like I have something missing. I just don't know
aptalca Posted December 22, 2017

2 hours ago, sgt_spike said:
> Don't do what? What's incorrect?
>
> No I got the same error message. I feel like I have something missing. I just don't know

Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org

Did you reboot the router after you set the port forward? Maybe you have to
sgt_spike Posted December 22, 2017

1 hour ago, aptalca said:
> Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org
>
> Did you reboot the router after you set the port forward? Maybe you have to

Did as you suggest. Got the same error. I was looking around and opened the "don'teditthisfile.conf" and noticed it never updated when I changed the docker settings. I removed the docker and re-installed it. Do I need to supply a pw along with the email address in order to gain access to my duckdns.org account?
Diode663 Posted December 23, 2017

I'm going nuts over here. I have had plex up and running perfectly for months. Now something has changed and I am not sure if it's a cert thing or not. Last night my friend couldn't reach my server, but I could reach it from my phone not on wifi and at my work computer. Plex also showed that it was accessible from outside my network. Now it shows that the remote connection is no longer accessible. I can access it outside my network. And when I try to connect I get a NET::ERR_CERT_COMMON_NAME_INVALID error. I'm not sure if this has to do with my reverse proxy or plex or something else. I updated and restarted my edgerouter x, I checked updates on plex and the letsencrypt docker. I checked to make sure requests were going through the firewall and they were as they always have been. I am not sure where the problem lies. Anyone else having this issue?

    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.5:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.5:32400/web;
    }

This is the plex related section of my default file for nginx
DZMM Posted December 23, 2017

Is anyone using Lidarr? It works, but the icons don't display:

    # Lidarr
    location /lidarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://172.32.12.69:8686/lidarr/;
    }
GilbN Posted December 24, 2017

12 hours ago, DZMM said:
> Is anyone using Lidarr? It works, but the icons don't display:
>
>     # Lidarr
>     location /lidarr {
>         include /config/nginx/proxy.conf;
>         proxy_pass http://172.32.12.69:8686/lidarr/;
>     }

This works for me.

    # LIDARR CONTAINER
    location ^~ /lidarr {
        #auth_request /auth-admin;
        proxy_pass http://192.168.1.34:8686/lidarr;
        include /config/nginx/proxy.conf;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Try and remove your trailing / on the proxy_pass line

Edited December 24, 2017 by GilbN
DZMM Posted December 24, 2017

8 hours ago, GilbN said:
> This works for me.
>
>     # LIDARR CONTAINER
>     location ^~ /lidarr {
>         #auth_request /auth-admin;
>         proxy_pass http://192.168.1.34:8686/lidarr;
>         include /config/nginx/proxy.conf;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     }
>
> Try and remove your trailing / on the proxy_pass line

Thank you - that did the trick. Out of interest, what do your extra lines do?
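An added example (not code from any poster in this thread) that models the rule the nginx documentation gives for `proxy_pass` inside a prefix location, applied to the two Lidarr blocks above, to show what changes when the trailing slash is removed. The request paths are constructed and the asset name is hypothetical.

```python
from urllib.parse import urlsplit


def upstream_uri(location_prefix, proxy_pass, request_uri):
    """URI nginx sends upstream for a prefix location (plain or ^~).

    Rule from the nginx proxy_pass documentation:
      * proxy_pass has no URI part (http://host:port): the request URI is
        passed on unchanged.
      * proxy_pass has a URI part (anything after host:port, even "/"): the
        part of the request URI that matched the location is replaced by it.
    The result is not re-normalised, so doubled slashes survive.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_prefix):
        raise ValueError("request does not fall inside this location")
    target_path = urlsplit(proxy_pass).path
    if target_path:
        path = target_path + path[len(location_prefix):]
    return path + sep + query


# The two Lidarr blocks from the thread: same location, different proxy_pass.
CONFIGS = {
    "DZMM (trailing slash)": ("/lidarr", "http://172.32.12.69:8686/lidarr/"),
    "GilbN (no trailing slash)": ("/lidarr", "http://192.168.1.34:8686/lidarr"),
}

# Constructed request paths; the asset name is hypothetical.
REQUESTS = ["/lidarr", "/lidarr/", "/lidarr/Content/Images/logo.svg?v=1"]


def compare(configs=CONFIGS, requests=REQUESTS):
    """Return {config name: {request: upstream URI}} for side-by-side reading."""
    return {
        name: {req: upstream_uri(loc, target, req) for req in requests}
        for name, (loc, target) in configs.items()
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(name)
        for req, sent in rows.items():
            print(f"  {req:40} -> {sent}")
```

With the trailing slash, every path below `/lidarr/` reaches the upstream with a doubled slash after `/lidarr`; without it, the request path arrives unchanged.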
joshuaavalon Posted December 28, 2017

Is there a way to use this with Cloudflare without manually stopping the proxy? The tls-sni-01 challenge keeps failing until I turn off the proxy.
Greygoose Posted December 29, 2017

Lets encrypt Log

    Brought to you by linuxserver.io
    We gratefully accept donations at:
    https://www.linuxserver.io/donations/
    -------------------------------------
    GID/UID
    -------------------------------------
    User uid: 99
    User gid: 100
    -------------------------------------
    [cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    2048 bit DH parameters present
    SUBDOMAINS entered, processing
    Sub-domains processed are: -d www.jacksparrow1234.com -d nextcloud.greygooseman.com
    E-mail address entered: [email protected]
    Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
    usage:
    certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
    Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
    it will attempt to use a webserver both for obtaining and installing the
    cert.
    certbot: error: argument --cert-path: No such file or directory
    Generating new certificate
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for jacksparrow1234.com
    tls-sni-01 challenge for www.jacksparrow1234.com
    tls-sni-01 challenge for nextcloud.jacksparrow1234.com
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. nextcloud.jacksparrow1234.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 9111a98c620472f4c2706a71f638ddbf.3f4653460ed4c2584ab728fcde4f3ccf.acme.invalid from 452.149.238.180:443. Received 1 certificate(s), first certificate had names "mediaserver, mediaserver.local", www.jacksparrow1234.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b032986d6daccd2444bf41b0362457e3.dad5d11f4fdac008afcf427953089bfd.acme.invalid from 452.149.238.180:443. Received 1 certificate(s), first certificate had names "mediaserver, mediaserver.local"
    IMPORTANT NOTES:
    - The following errors were reported by the server:
    Domain: nextcloud.jacksparrow1234.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    9111a98c620472f4c2706a71f638ddbf.3f4653460ed4c2584ab728fcde4f3ccf.acme.invalid
    from 452.149.238.180:443. Received 1 certificate(s), first
    certificate had names "mediaserver, mediaserver.local"
    Domain: www.jacksparrow1234.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b032986d6daccd2444bf41b0362457e3.dad5d11f4fdac008afcf427953089bfd.acme.invalid
    from 212.159.138.140:443. Received 1 certificate(s), first
    certificate had names "mediaserver, mediaserver.local"
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
    - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    /var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
    [cont-init.d] 50-config: exited 1.
    [cont-finish.d] executing container finish scripts...
    [cont-finish.d] done.
    [s6-finish] syncing disks.
    [s6-finish] sending all processes the TERM signal.
    [s6-finish] sending all processes the KILL signal and exiting.
GilbN Posted December 29, 2017

8 hours ago, Greygoose said:
> Lets encrypt Log
>
>     To fix these errors, please make sure that your domain name was
>     entered correctly and the DNS A record(s) for that domain
>     contain(s) the right IP address.
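An added example (not part of any post, and not the container's or certbot's own code): a small parser for the "errors were reported by the server" summary that certbot prints in the logs quoted in this thread, separating the two failure types seen here, a connection timeout and a validation answered by some other TLS server. The sample log, its hostnames and its address are constructed.

```python
import re

# Constructed sample, modelled on the certbot output quoted in this thread.
SAMPLE_LOG = """\
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cloud.example.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   aaaa.bbbb.acme.invalid
   from 203.0.113.10:443. Received 1 certificate(s), first
   certificate had names "mediaserver, mediaserver.local"

   Domain: home.example.com
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
"""

FIELD = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")
NAMES = re.compile(r'had names "([^"]*)"')


def parse_failures(log_text):
    """One dict per Domain/Type/Detail record; wrapped Detail lines are joined."""
    records, current, last_key = [], None, None
    for line in log_text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "domain":
                current = {"domain": value, "type": "", "detail": ""}
                records.append(current)
            elif current is not None:
                current[key] = value
            last_key = key
        elif current is not None and last_key == "detail":
            text = line.strip()
            if not text or text.startswith("To fix"):
                last_key = None  # end of the wrapped Detail text
            else:
                current["detail"] += " " + text
    return records


def triage(record):
    """Say what a record shows about the path to port 443."""
    if record["type"] == "connection":
        return ("unreachable: connection to port 443 timed out "
                "(check the DNS A record and the port forward)")
    m = NAMES.search(record["detail"])
    if record["type"] == "unauthorized" and m:
        names = [n.strip() for n in m.group(1).split(",")]
        return ("wrong endpoint: port 443 was answered by a server "
                "presenting a certificate for " + ", ".join(names))
    return "unclassified: " + record["detail"].strip()


def report(log_text):
    return {r["domain"]: triage(r) for r in parse_failures(log_text)}


if __name__ == "__main__":
    for domain, finding in report(SAMPLE_LOG).items():
        print(f"{domain}: {finding}")
```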