aptalca Posted January 18, 2018
11 hours ago, Taddeusz said:
This is true if you are on a provider that doesn't already have a supported API. If you look at the instructions for the acme.sh script to use the automated DNS validation, you run it with the --dns <apiscript> parameter and select which API you wish to use (this can easily be a template variable). Prior to running the script, each supported provider API script has environment variables that must be set. All of this could easily be scripted. In the case of supported APIs the user would just need to add the required environment variables to their Docker template. That's exactly what I did to get mine validated and working with the regular nginx container. I don't understand why it's so impossible. It's just not as plug and play and requires the user to look at the acme.sh script's documentation to figure out which API to select and which environment variables they need to add to their Docker template. I do understand that from a support perspective it would be more of a burden because it's easier to get wrong. However, for the many people whose ISPs block port 80, the alternative, DNS validation, is the only reasonable option. If I had the time I would be willing to do the modification and do a pull request myself, but my time is limited.
acme.sh is a 3rd party client. Its dev created a bunch of DNS update scripts himself. We don't use that. We use the official letsencrypt client, certbot. With that, you have to supply your own authenticator.sh and cleanup.sh scripts for your DNS provider. Here's a DNS validation mock-up where it requires you to supply your own script: https://github.com/linuxserver/docker-letsencrypt/tree/dns We haven't yet decided whether we will publish it or not.
surfshack66 Posted January 18, 2018
13 hours ago, aptalca said:
We haven't yet decided whether we will publish it or not
Publish it, please. I think it's fair to include this per https://github.com/linuxserver/docker-letsencrypt/tree/dns "This option is only for advanced users. We will not answer any questions related to this setting. If you need to ask questions, this is not meant for you." I understand it would be a huge support headache; however, the use of forums for support isn't the best either. How many times have people asked the same question because they didn't read or missed an earlier post? I'm certainly at fault for this too. In any case, I don't think it's wise to withhold features just because it's too hard to support.
matthope Posted January 18, 2018
19 hours ago, aptalca said:
acme.sh is a 3rd party client. Its dev created a bunch of DNS update scripts himself. We don't use that. We use the official letsencrypt client, certbot. With that, you have to supply your own authenticator.sh and cleanup.sh scripts for your DNS provider. Here's a DNS validation mock-up where it requires you to supply your own script: https://github.com/linuxserver/docker-letsencrypt/tree/dns We haven't yet decided whether we will publish it or not.
+1 Right now we must go through the docker bash to add/edit the scripts, which is quite painful. Also the modification made to the 50-config script will be deleted whenever the container is updated. I would use this feature for sure if it's added.
matthope Posted January 18, 2018 (edited)
On 13/01/2018 at 4:40 AM, ebnerjoh said:
Ok, it is not working with the temporary workaround. I am getting:
Error output from authenticator.sh:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
TypeError: 'NoneType' object has no attribute '__getitem__'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
TypeError: 'NoneType' object has no attribute '__getitem__'
I had this issue too, but I've slightly modified the script and it's now working for me. The issue is happening when you try to create the txt file for the top domain.
authenticator.sh
#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="SOMETHING"
EMAIL="SOMETHING"

echo "Currently creating a txt entry for $CERTBOT_DOMAIN."

# Strip only the top domain to get the zone id
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')

# If $CERTBOT_DOMAIN is already the top domain
if [ -z "$DOMAIN" ]; then
  DOMAIN="$CERTBOT_DOMAIN"
fi

# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
  -H "X-Auth-Email: $EMAIL" \
  -H "X-Auth-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")

# Create TXT record
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  -H "X-Auth-Email: $EMAIL" \
  -H "X-Auth-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
  | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")

# Save info for cleanup
if [ ! -d "/tmp/CERTBOT_$CERTBOT_DOMAIN" ]; then
  mkdir -m 0700 "/tmp/CERTBOT_$CERTBOT_DOMAIN"
fi
echo "$ZONE_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
echo "$RECORD_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"

# Sleep to make sure the change has time to propagate over to DNS
sleep 15
Edited January 19, 2018 by matthope add code
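As an added example (not code from this thread or from the linuxserver image): one script that serves as both certbot's --manual-auth-hook and --manual-cleanup-hook against the Cloudflare v4 API, so the TXT record created for the challenge is also removed afterwards. It keeps the record state under /tmp the way the script above does, and it handles the case that produced the NoneType traceback (CERTBOT_DOMAIN already being the zone apex). Everything not in the post is this example's own assumption: the credentials come from CF_EMAIL and CF_API_KEY in the environment instead of being hard-coded, CF_ZONE may be set by hand for zones whose public suffix is more than one label (co.uk), and curl plus python are installed in the container.

```shell
#!/bin/sh
# Added example: one certbot manual-hook script for Cloudflare DNS-01 validation.
# Not part of the thread or the linuxserver/letsencrypt image.
# Assumptions (this example's own): CF_EMAIL and CF_API_KEY come from the
# environment; CF_ZONE may be set to override zone detection; curl and python
# are installed. certbot itself supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Registrable zone of a FQDN: keep the last two labels, so both
# "nextcloud.example.com" and the bare "example.com" yield "example.com"
# (the apex case that made the expr-based script return nothing). Like that
# script it does not know multi-label suffixes such as co.uk; the caller
# lets CF_ZONE override it for those.
zone_name() {
  d=$1
  while [ "${d#*.*.}" != "$d" ]; do
    d=${d#*.}
  done
  printf '%s\n' "$d"
}

# Name of the validation record certbot expects for a domain.
challenge_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# JSON body for the TXT record; CERTBOT_VALIDATION is base64url, so it needs
# no escaping, and a 120 s TTL keeps a stale value from lingering in caches.
txt_record_json() {
  printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' \
    "$(challenge_name "$1")" "$2"
}

# Directory where the auth step leaves the ids the cleanup step needs.
state_dir() {
  printf '/tmp/CERTBOT_%s\n' "$1"
}

# Authenticated call to the Cloudflare API; any extra arguments go to curl.
cf_api() {
  method=$1; path=$2; shift 2
  curl -sS -X "$method" "$CF_API$path" \
    -H "X-Auth-Email: $CF_EMAIL" -H "X-Auth-Key: $CF_API_KEY" \
    -H "Content-Type: application/json" "$@"
}

# Pull one field out of an API response, e.g. json_field "['result'][0]['id']".
json_field() {
  python -c "import sys, json; print(json.load(sys.stdin)$1)"
}

do_auth() {
  zone=${CF_ZONE:-$(zone_name "$CERTBOT_DOMAIN")}
  zone_id=$(cf_api GET "/zones?name=$zone&status=active" | json_field "['result'][0]['id']")
  record_id=$(cf_api POST "/zones/$zone_id/dns_records" \
    --data "$(txt_record_json "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" \
    | json_field "['result']['id']")
  dir=$(state_dir "$CERTBOT_DOMAIN")
  mkdir -p -m 0700 "$dir"
  printf '%s\n' "$zone_id" > "$dir/ZONE_ID"
  printf '%s\n' "$record_id" > "$dir/RECORD_ID"
  sleep 15   # give the record time to propagate before the CA queries it
}

do_cleanup() {
  dir=$(state_dir "$CERTBOT_DOMAIN")
  cf_api DELETE "/zones/$(cat "$dir/ZONE_ID")/dns_records/$(cat "$dir/RECORD_ID")" >/dev/null
  rm -rf "$dir"   # drop the ids so a stale record id is never reused
}

case "${1:-}" in
  auth)    do_auth ;;
  cleanup) do_cleanup ;;
  "")      ;;   # no action given: only define the functions (useful when sourced)
  *)       echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
esac
```

With the script saved as, say, /config/cf-hook.sh (a path chosen for this example), certbot is run as certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/config/cf-hook.sh auth' --manual-cleanup-hook '/config/cf-hook.sh cleanup' -d nextcloud.example.com. Keeping the API key in the environment rather than in the script means the credential is not left in a config directory that gets copied around or posted for support, and the cleanup action is what stops stale _acme-challenge records from piling up in the zone after every renewal.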
Brettv Posted January 19, 2018
Hi All, I have been able to bash into the container and manually obtain certs with certbot, adding the DNS entries manually, as my domain provider doesn't have an API. With the certs that are generated, I copied them into the letsencrypt folder, where the config files point. However, that doesn't seem to be enough, and I must still be missing a step. Restarting the container deletes the certs as expected. Can anyone shed any light on what I might be missing?
daniel329 Posted January 19, 2018 (edited)
So I hate to add to the chaos... but I use this docker daily for my business in conjunction with NextCloud.... Basically I read about the problem and issued the fix (HTTPSVAR True & Router 80 to 81 & Router 443 to 444). Upon UnRaid update and reboot I can't even start my container. I've attached images. (I know the email and domain are missing; I took them out.) The log simply reads: "Error grabbing logs: EOF". I've tried uninstalling and reinstalling the container. Thanks for all you guys do to keep us running. I hope I included enough info.
Edited January 19, 2018 by daniel329
daniel329 Posted January 19, 2018
My second question is: Is it possible to just use the new built-in UnRaid Let's Encrypt and add our own site configs? What would be the advantages of running this in a container?
JonathanM Posted January 19, 2018
8 hours ago, daniel329 said:
Upon UnRaid update and reboot I can't even start my container. I've attached images.
Who is your ISP?
saarg Posted January 19, 2018
@daniel329 Execution error is most likely that one of the ports you specified is used by unraid.
daniel329 Posted January 19, 2018
1 hour ago, jonathanm said:
Who is your ISP?
Comcast
daniel329 Posted January 19, 2018
1 hour ago, saarg said:
@daniel329 Execution error is most likely that one of the ports you specified is used by unraid.
I'm not sure how unRaid would be using port 81 or 444. I did, however, notice that my port 443 goes to port 444 for NextCloud, but it was that way before, so I'm not sure why it would stop working now?
daniel329 Posted January 19, 2018
To make things even more complicated, I tried to connect to nextcloud from my office using https://domain.duckdns.org/nextcloud, and it worked.
aptalca Posted January 19, 2018
16 hours ago, matthope said:
+1 Right now we must go through the docker bash to add/edit the scripts, which is quite painful. Also the modification made to the 50-config script will be deleted whenever the container is updated. I would use this feature for sure if it's added.
Would you be willing to test that branch? It is currently untested. I can provide instructions, let me know.
Greygoose Posted January 19, 2018 (edited)
Firstly, thanks CHBMB and aptalca for helping me get Let's Encrypt working. It is now working great with Sonarr. I have followed this guide https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/ however I am unable to get Nextcloud to work with letsencrypt. When I put these settings in and try nextcloud.mywebsite.com I get 502 Bad Gateway.
EDIT. Oh fricking yes.... boom ....... WORKING. I posted configs here, had another cuppa (I've had several) and read through the config file and saw I didn't change my unraid IP in the nextcloud file under location/proxy_pass... That guide above works.... Is it simple? Yes......... Will it work if you don't put the correct paths? NO.......
Edited January 19, 2018 by Greygoose
Greygoose Posted January 19, 2018
Another question... how do I get nextcloud to use the letsencrypt password login as well as the nextcloud UI login page?
saarg Posted January 19, 2018
4 hours ago, daniel329 said:
I'm not sure how unRaid would be using port 81 or 444. I did, however, notice that my port 443 goes to port 444 for NextCloud, but it was that way before, so I'm not sure why it would stop working now?
When I said unraid it also included other dockers. Your problem is that you use port 444 for both nextcloud and letsencrypt. You need to change one of them, and then do not use port 445 as it's used for behind-the-scenes stuff.
400killer Posted January 19, 2018 (edited)
Hey Guys, I upgraded to 6.4.0, and now my letsencrypt is broken as well, which results in my Nextcloud installation being unreachable. This was a working setup on 443 before the update. Then after the update, letsencrypt wouldn't start with an execution error. I then tried the following:
1) I changed the port of the Unraid GUI to 447. All the dockers came up and I could reach Nextcloud but not the Unraid GUI, so I SSH'ed in and changed it back.
2) Changed the network to give letsencrypt its own IP, and updated the NAT to that IP in pfSense. The docker would come up, but with the same errors shown below.
3) That's when I changed it back to the same IP as the server with port 447 (updated pfSense too). And I still get the same error in the log...
I looked through the last 5-6 pages, and tried some of the stuff noted, and I just can't get it to work again. I would like to get it up and running again and use the SSL certs for the Unraid web GUI too. Please advise?!!
Where I am currently: Changed letsencrypt to port 447 (HTTPS), and left it at port 81 (HTTP, my ISP blocks port 80). I use pfSense for routing, and updated the NAT from 443 to 447. And I still can't get this to install my certs. Please see my configs and logs, to see if you can help.
Automatic Firewall Rules created from NAT (screenshot)
Unraid Docker tab (screenshot)
Docker GUI Config (screenshot)

Letsencrypt Log:
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d nextcloud.XXXXXXX.XXXXXXXX.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Letsencrypt Config:
server {
    listen 443 ssl;
    server_name nextcloud.XXXXX.XXXXXXXX.com;
    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.2.71:444/;
        proxy_max_temp_file_size 16000m;
        include /config/nginx/proxy.conf;
    }
}

Nextcloud Config:
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXX',
  'trusted_domains' =>
  array (
    0 => '192.168.2.71:444',
    1 => 'nextcloud.XXXXXXXXX.XXXXXXXXX.com',
  ),
  'overwrite.cli.url' => 'https://nextcloud.XXXXXXXX.XXXXXXX.com',
  'overwritehost' => 'nextcloud.XXXXX.XXXXXXXXXX.com',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.2.71:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXXXXXXX',
  'dbpassword' => 'XXXXXXXXXXX',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'XXXXXXXX',
  'mail_domain' => 'gmail.com',
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '[email protected]',
  'mail_smtppassword' => 'XXXXXXX',
  'loglevel' => 0,
  'updater.release.channel' => 'stable',
  'maintenance' => false,
  'theme' => '',
);
Thanks in advance!
Edited January 19, 2018 by 400killer
johnomaz Posted January 19, 2018
This helped me too. I changed my server port away from 80 a while ago so I just had to change the setting to true. So happy to have it working again. Many thanks!
On 1/17/2018 at 5:09 PM, [email protected] said:
Exact same problem here too, after updating the letsencrypt container. The solution is posted a couple of posts below. tl;dr = letsencrypt changed something (auth method over port 443 disabled).
1. You have to make sure now that TCP port 80 is forwarded on your router (internet gateway) to your unraid server (be aware that unraid uses default TCP 80 for its web interface, so map TCP port 80 externally to something else internally, like TCP 81).
2. Edit/update the container settings > edit letsencrypt in the unraid docker tab and set the HTTP port to 81 or whatever you used for your port mapping on your router.
3. Also change the variable HTTPVAL from false to true; it's found in "show more settings".
HTTPVAL: true
Flag to switch validation method to HTTP (over port 80) if set to 'true'
aptalca Posted January 20, 2018
7 hours ago, 400killer said:
(quotes 400killer's post above, with its log and configs, in full)
Read the last few pages again because you set the HTTPVAL to false
400killer Posted January 20, 2018
1 hour ago, aptalca said:
Read the last few pages again because you set the HTTPVAL to false
Yes, I have it set that way, as my ISP blocks port 80. So I can't get the cert verified that way. That's why it was false, and it was set that way before the update. I changed it to true, and you can see from the log below it was not able to verify the cert. Additionally I looked at the Dynamic DNS server in pfSense, and it shows my DNS does have the correct IP.
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d nextcloud.XXXXXX.XXXXXXXX.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for XXXXXX.XXXXXXXX.com
http-01 challenge for nextcloud.XXXXXXX.XXXXXXXXX.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. XXXXXXXX.XXXXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXXXXX.XXXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs: Timeout, nextcloud.XXXXXXXXXXX.XXXXXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nextcloud.XXXXXXX.XXXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: XXXXX.XXXXXXX.com
   Type:   connection
   Detail: Fetching
   http://XXXXXXX.XXXXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs:
   Timeout

   Domain: nextcloud.XXXXXXXX.XXXXXXXX.com
   Type:   connection
   Detail: Fetching
   http://nextcloud.XXXXXXXX.XXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
Failed authorization procedure. XXXXXX.XXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXXXXX.XXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs: Timeout, nextcloud.XXXXXX.XXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nextcloud.XXXXXX.XXXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: XXXXXX.XXXXXXXX.com
   Type:   connection
   Detail: Fetching
   http://XXXXXX.XXXXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs:
   Timeout

   Domain: nextcloud.XXXXX.XXXXXXXX.com
   Type:   connection
   Detail: Fetching
   http://nextcloud.XXXXXXXX.XXXXXXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
saarg Posted January 20, 2018
If your ISP closed port 80, you need to use DNS validation. Look at the last pages to get an idea about how to do it.
fr0stbyt3 Posted January 20, 2018
I am one of the unlucky few who has a provider that blocks access to port 80. I ended up giving up on this docker and going with reverse proxy inside IIS. I already had a Windows VM running on unraid. I can do a write-up if anyone is interested.
Earache Posted January 20, 2018
I'm trying to do this via the Nginx container and adding certbot to it, but I'm stuck adding the cert to Nginx. Anyone have a guide on how to do it this way (I believe people were doing it this way before)?
Earache Posted January 21, 2018
On 2018-01-19 at 9:15 AM, aptalca said:
Would you be willing to test that branch? It is currently untested. I can provide instructions, let me know.
I would be willing to test it as the current container doesn't work for me. I can't find an answer to the question of whether my ISP blocks port 80.
strike Posted January 21, 2018
So I finally got around to updating this container. I've been following this thread and expected the container to throw errors and not start until I added the HTTPVAL variable. But it didn't; it started fine with no errors. But maybe this is because my cert is not yet due for renewal? It says so in the log anyway. Or am I missing something here?
-------------------------------------
(linuxserver.io logo)
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d subdomain.domain.com
E-mail address entered: [email protected]
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Sun Jan 21 04:48:45 CET 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/subdomain.domain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/subdomain.domain.com/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready