neebski Posted January 22, 2018 Share Posted January 22, 2018 Loosing my mind here. I've read all the documentation but it doesn't seem like http val is working through port 81 (port 80 is blocked by my isp). Am I missing something obvious? GID/UID ------------------------------------- User uid: 99 User gid: 100 ------------------------------------- [cont-init.d] 10-adduser: exited 0. [cont-init.d] 20-config: executing... [cont-init.d] 20-config: exited 0. [cont-init.d] 30-keygen: executing... generating self-signed keys in /config/keys, you can replace these with your own keys if required Generating a 2048 bit RSA private key ...........................................+++ ...............................................................+++ writing new private key to '/config/keys/cert.key' ----- Subject Attribute /C has no known NID, skipped [cont-init.d] 30-keygen: exited 0. [cont-init.d] 50-config: executing... Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ..............................................................................................................................................................................................+.....................................................................+..................................................................................................................+...........................................................................................................................................................................................................+.............................................................+...............................................................................................................................................................................................................................+...................................+......................................................................................+..................................................................+......................................................................................+...............+.....................................+..........................+......................+.........+...............................................................+..................+.........................................+............................++*++* DH parameters successfully created - 2048 bits SUBDOMAINS entered, processing Only subdomains, no URL in cert Sub-domains processed are: -d cloud.mydomain.com -d plex.mydomain.com -d sub.mydomain.com E-mail address entered: [email protected] Generating new certificate Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for cloud.mydomain.com http-01 challenge for plex.mydomain.com http-01 challenge for sub.mydomain.com Waiting for verification... Cleaning up challenges Failed authorization procedure. sub.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub.mydomain.com/.well-known/acme-challenge/MEvrkt3fJDynbKusl8MOWChxb2xwXOUIBS2VmP5F0-Y: Timeout, cloud.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/0A9qgBNPVAiABn6234vnTQurk8uK5fnWsqy-L86wvTI: Timeout IMPORTANT NOTES: - The following errors were reported by the server: Domain: sub.mydomain.com Type: connection Detail: Fetching http://sub.mydomain.com/.well-known/acme-challenge/MEvrkt3fJDynbKusl8MOWChxb2xwXOUIBS2VmP5F0-Y: Timeout Domain: cloud.mydomain.com Type: connection Detail: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/0A9qgBNPVAiABn6234vnTQurk8uK5fnWsqy-L86wvTI: Timeout To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container Quote Link to comment
JonathanM Posted January 22, 2018 Share Posted January 22, 2018 2 minutes ago, neebski said: it doesn't seem like http val is working through port 81 (port 80 is blocked by my isp). Am I missing something obvious? Sort of. You stated the problem very well. If port 80 is blocked, you can't use httpval. Period. End of Sentence. You will have to figure out one of the other methods for getting certificates from LE. Quote Link to comment
neebski Posted January 22, 2018 Share Posted January 22, 2018 6 minutes ago, jonathanm said: Sort of. You stated the problem very well. If port 80 is blocked, you can't use httpval. Period. End of Sentence. You will have to figure out one of the other methods for getting certificates from LE. I wrongly assumed by changing the port to 81 on the config that would help. Thanks. Suggestions on alternatives? Quote Link to comment
JonathanM Posted January 22, 2018 Share Posted January 22, 2018 1 hour ago, neebski said: Suggestions on alternatives? Read the last 4 or so pages in this thread. Alternatives are discussed. Quote Link to comment
drumstyx Posted January 22, 2018 Share Posted January 22, 2018 What other reasons might there be for validation to time out OTHER than httpval=false or port blocking? I've absolutely positively confirmed that it's attempting to validate on port 80 (httpval) and that my ISP isn't blocking port 80 (I can access the challenge server root from outside my network when it's attempting). But still timeouts! 443 external is also mapped to 444 internal, which is of course what I put in the docker 443 mapping as well...what else could I possibly be missing? Quote Link to comment
CHBMB Posted January 22, 2018 Share Posted January 22, 2018 4 minutes ago, drumstyx said: What other reasons might there be for validation to time out OTHER than httpval=false or port blocking? I've absolutely positively confirmed that it's attempting to validate on port 80 (httpval) and that my ISP isn't blocking port 80 (I can access the challenge server root from outside my network when it's attempting). But still timeouts! 443 external is also mapped to 444 internal, which is of course what I put in the docker 443 mapping as well...what else could I possibly be missing? Quote Link to comment
Earache Posted January 23, 2018 Share Posted January 23, 2018 7 hours ago, Diggewuff said: Hey, today I tried to switch my letsencrypt container from Bridge network mode to the new mode in unraid 6.4.0 where I can chose a dedicated IP for the container. So far so good. I've chosen a new ip 192.168.1.20 and changed the mapping of the ports 80 and 443 on my router to that new IP. From then on I wasn't able to reach my domains from WAN anymore. trying to access them from LAN is giving me that error: Furthermore I'm not able to ping any ip dresses on my local network from inside of the container. I already disabled every firewall rule on my Router. Does anyone has an idea? Are you getting this error outside of your network and/or internal? Quote Link to comment
IndianaJoe1216 Posted January 23, 2018 Share Posted January 23, 2018 On 1/12/2018 at 11:57 PM, matthope said: In my case, my internet provider block the port 80 so the HTTPVAL fix wont work. Since TLS-SNI challenge is deactivated and I can't use HTTP challenge, I'm obligated to use the DNS-01 challenge. I've found a way to use it with this docker and cloudflare. You will need those 2 scripts ( here ) and you will need to modify the script /etc/cont-init/50-config inside the docker. docker exec -it [DOCKERNAME] /bin/bash vi /etc/cont-init.d/50-config In the file comment this line : certbot certonly --non-interactive --renew-by-default --standalone --preferred-challenges $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URLS And add this one : certbot certonly --agree-tos --manual --manual-public-ip-logging-ok --preferred-challenges=dns --manual-auth-hook /app/authenticator.sh --manual-cleanup-hook /app/cleanup.sh --rsa-key-size 4096 $EMAILPARAM --no-eff-email $URLS However, this is a one time fix since any modification to the docker is reverted when restarted. @aptalca It would be nice if the DNS-01 challenge could be added definitively to this docker. Has anyone else been able to get this to work. Since Cox blocks port 80 I have no other option except the dns verification option but I'm not sure how I can apply this method with my DNS provider. Quote Link to comment
Brettv Posted January 23, 2018 Share Posted January 23, 2018 Hi All So i am finally back up and running. A trap that i also found myself in was my ISP also changing me to a new static IP address. (i suspect maybe due to all the port 80 hits?) Not sure, but it took me forever to figure this out, as my IP has not changed in years. I installed the nginx docker. Copied over my config files from the letsencrypt config folder Used - docker exec -it letsencrypt /bin/bash/ to get into the letsencrypt container so i could use certbot I then used a certbot command to manually obtain certificates for my domains (similar to what is posted here https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation) Note this method does not use the API, you are required to log into your hosting and manually add in TXT records to your DNS zone editor. Once that was complete, i copied out the 4 files (from the archive folder not the symlinks) and pasted them into my config folder on my cache drive where i could access them. I then created a letsencrypt folder under my nginx/keys folder (so it looks like /nginx/keys/letsencrypt) Then i copied the fullchain.pem and privkey.pem files that were created by certbot there. I then stopped the letsencrypt container, and started the nginx container and it seemed to work / pickup where i had left. This did involve some trial and error, but that is mainly because i am not very familiar with what i am doing. In my case, i will need to manually renew the certs and repeat the same procedure in 3 months, but hopefully by then a solution to TLS is found. Cheers Brett Quote Link to comment
Nem Posted January 23, 2018 Share Posted January 23, 2018 is there a way to put openvpn access server's webgui behind an nginx reverse proxy? Quote Link to comment
Ding Dong Del Posted January 23, 2018 Share Posted January 23, 2018 (edited) 1 hour ago, Nem said: is there a way to put openvpn access server's webgui behind an nginx reverse proxy? Hi Nem, I've been able to do it by using the stream directive in nginx, which uses SNI to direct the ssl stream to the right service. Add the following to your LE's nginx.conf stream { map $ssl_preread_server_name $name { fred.duckdns.org fred; default barney; } upstream barney { #openvpn container server 192.168.2.37:9443; } upstream fred { # upstream nginx virtual hosts such as sonarr, radarr, nzbget, etc. server 192.168.2.37:4430; } server { listen 443 so_keepalive=on; proxy_pass $name; ssl_preread on; } } and then something like this in your LE's site-configs/default #main server block server { listen 4430 ssl default_server; root /config/www; index index.html index.htm index.php; server_name fred.duckdns.org; ssl_certificate /config/keys/letsencrypt/fullchain.pem; ssl_certificate_key /config/keys/letsencrypt/privkey.pem; ssl_dhparam /config/nginx/dhparams.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; client_max_body_size 0; location / { try_files $uri $uri/ /index.html /index.php?$args =404; } location /lidarr { include /config/nginx/proxy.conf; proxy_pass http://192.168.2.37:8686/lidarr; } location /nzbget/ { include /config/nginx/proxy.conf; proxy_pass http://192.168.2.37:6789; } location /nzbhydra/ { include /config/nginx/proxy.conf; proxy_pass http://192.168.2.37:5075; } location /radarr { include /config/nginx/proxy.conf; proxy_pass http://192.168.2.37:7878/radarr; } location /sonarr { include /config/nginx/proxy.conf; proxy_pass http://192.168.2.37:8989/sonarr; } } The first (stream) block basically uses the requested host name to direct the request to either openvpn, or sends traffic on to nginx (same instance) for processing by your virtual host (note sure if virtual host is the right name here) Ports / ip addresses are relevant for my installation - adjust for your own setup Edited January 23, 2018 by Ding Dong Del Quote Link to comment
Ding Dong Del Posted January 23, 2018 Share Posted January 23, 2018 21 hours ago, aptalca said: Check if there's anything listening on the host Hi @aptalca, I can't get to that installation until the end of the week - from memory there was a docker-proxy process listening on the host on the ports specified in the container config (e.g. :80) from the screenshot above. container is in bridge mode at the moment, and was mapping port 80 (host) to 80 (container) so was thinking that docker-proxy process listening on :80 on the host "didn't look wrong". Quote Link to comment
Nem Posted January 23, 2018 Share Posted January 23, 2018 11 minutes ago, Ding Dong Del said: Hi Nem, I've been able to do it by using the stream directive in nginx, which uses SNI to direct the ssl stream to the right service. Add the following to your LE's nginx.conf ... The first (stream) block basically uses the requested host name to direct the request to either openvpn, or sends traffic on to nginx (same instance) for processing by your virtual host (note sure if virtual host is the right name here) Thanks, I tried it but none of my sites are working now. Most likely due to me not know exactly what needs to be changed. Here's what I changed things to: stream { map $ssl_preread_server_name $name { example.net/ovpn fred; default barney; } upstream barney { #openvpn container server 192.168.187.10:9453; } upstream fred { # upstream nginx virtual hosts such as sonarr, radarr, nzbget, etc. server 192.168.187.10:443; } server { listen 443 so_keepalive=on; proxy_pass $name; ssl_preread on; } } sites-config/default basically looks the same as yours, only difference is the server is listening on 443 My goal is to be able to hit openvpn-as webgui when I go to /ovpn Quote Link to comment
Ding Dong Del Posted January 23, 2018 Share Posted January 23, 2018 1 minute ago, Nem said: My goal is to be able to hit openvpn-as webgui when I go to /ovpn My bad - I left out a key piece! I am using hostnames to get to either openvpn (via a vpn client), or my nginx reverse proxies. so using the example above, I have two duckdns domains set up (fred, and barney) and if I want to get to sonarr e.g. I use: https://fred.duckdns.org/sonarr when I want to connect to my vpn, I point my vpn client at barney.duckdns.org. I've done it this way on purpose so that both the reverse proxy, and openvpn are listening on 443 externally so that if behind a firewall I can still use my vpn. that is a slightly different use case than you described. Quote Link to comment
Nem Posted January 23, 2018 Share Posted January 23, 2018 7 minutes ago, Ding Dong Del said: My bad - I left out a key piece! I am using hostnames to get to either openvpn (via a vpn client), or my nginx reverse proxies. so using the example above, I have two duckdns domains set up (fred, and barney) and if I want to get to sonarr e.g. I use: https://fred.duckdns.org/sonarr when I want to connect to my vpn, I point my vpn client at barney.duckdns.org. I've done it this way on purpose so that both the reverse proxy, and openvpn are listening on 443 externally so that if behind a firewall I can still use my vpn. that is a slightly different use case than you described. I dont mind setting up a subdomain like vpn.site.com, but is there a way to set this up without duckdns? my use case, I think, is similar to yours. When I want to use the vpn or access the webgui I want to access it via vpn.site.com. If I want the rest of my other containers I want to go to www.site.com/whatever Quote Link to comment
Ding Dong Del Posted January 23, 2018 Share Posted January 23, 2018 Just now, Nem said: but is there a way to set this up without duckdns? I only use duckdns because I only have a dynamic IP address through my ISP (both domain names point to the same IP address). You can use your own Dynamic DNS provider or hostname(s) assuming you can set up the relevant DNS entries. Quote Link to comment
Nem Posted January 23, 2018 Share Posted January 23, 2018 22 minutes ago, Ding Dong Del said: I only use duckdns because I only have a dynamic IP address through my ISP (both domain names point to the same IP address). You can use your own Dynamic DNS provider or hostname(s) assuming you can set up the relevant DNS entries. so I dont have hostnames set up, but my domain points to my IP, and I have www and vpn subdomains I changed my nginx.conf to (sites-config/default server also listens on 4430): stream { map $ssl_preread_server_name $name { www.example.net fred; vpn.example.net barney; } upstream barney { #openvpn container server 192.168.187.10:9453; } upstream fred { # upstream nginx virtual hosts such as sonarr, radarr, nzbget, etc. server 192.168.187.10:4430; } server { listen 443 so_keepalive=on; proxy_pass $name; ssl_preread on; } } what Im expecting is that when I go vpn.example.net I get taken to openvpn webgui, but if I go to www.example.net/whatever I get one of my other containers. Correct expectation with the current config? Or is there something I need to change? Quote Link to comment
Ding Dong Del Posted January 23, 2018 Share Posted January 23, 2018 24 minutes ago, Nem said: what Im expecting is that when I go vpn.example.net I get taken to openvpn webgui, but if I go to www.example.net/whatever I get one of my other containers. Correct expectation with the current config? Or is there something I need to change? @Nem - that's pretty much what I get when using my setup. Quote Link to comment
Invincible Posted January 23, 2018 Share Posted January 23, 2018 (edited) Going to mydomain.duckdns.org seems to take me to the unraid webgui instead of going through lets encrypt. I've been playing around with the settings as mentioned in the last few pages but i can't seem to get this working. I changed most of it back to what i had before. Here's what it is right now. I feel like it has to do with Unraid's HTTP port being set to 80 by default but i've tried changing that to 8008 and that didn't work either. Edited January 23, 2018 by Invincible Added pictures of current settings Quote Link to comment
aptalca Posted January 23, 2018 Share Posted January 23, 2018 11 hours ago, Nem said: is there a way to put openvpn access server's webgui behind an nginx reverse proxy? I would strongly recommend against that for security reasons. VPN is considered pretty secure because it uses a certificate to authenticate. The web gui on the other hand only uses a password that can be brute forced. Once hacked, they can create their own cert through the web gui to get into your LAN Once you create the user cert, you shouldn't need to access the web gui remotely. If you really need to, you can vpn in, and then access the gui Quote Link to comment
Micaiah12 Posted January 23, 2018 Share Posted January 23, 2018 Hey guys I got mine finally working, however it's giving me NET::ERR_CERT_COMMON_NAME_INVALID when I am accessing the website from chrome. Is LE giving me a bad cert? Quote ErrorWarningSystemArrayLogin [s6-init] making user provided files available at /var/run/s6/etc...exited 0.[s6-init] ensuring user provided files have correct perms...exited 0.[fix-attrs.d] applying ownership & permissions fixes...[fix-attrs.d] done.[cont-init.d] executing container initialization scripts...[cont-init.d] 10-adduser: executing...-------------------------------------_ ()| | ___ _ __| | / __| | | / \| | \__ \ | | | () ||_| |___/ |_| \__/Brought to you by linuxserver.ioWe gratefully accept donations at:https://www.linuxserver.io/donations/-------------------------------------GID/UID-------------------------------------User uid: 99User gid: 100-------------------------------------[cont-init.d] 10-adduser: exited 0.[cont-init.d] 20-config: executing...[cont-init.d] 20-config: exited 0.[cont-init.d] 30-keygen: executing...using keys found in /config/keys[cont-init.d] 30-keygen: exited 0.[cont-init.d] 50-config: executing...2048 bit DH parameters presentSUBDOMAINS entered, processingSub-domains processed are: -d www.xxxxxx.duckdns.orgE-mail address entered: [email protected]Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be createdusage:certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,it will attempt to use a webserver both for obtaining and installing thecertificate.certbot: error: argument --cert-path: No such file or directoryGenerating new certificateSaving debug log to /var/log/letsencrypt/letsencrypt.logPlugins selected: Authenticator standalone, Installer NoneObtaining a new certificateObtaining a new certificatePerforming the following challenges:http-01 challenge for xxxx.duckdns.orghttp-01 challenge for www.xxxxx.duckdns.orgWaiting for verification...Performing the following challenges:http-01 challenge for xxxx.duckdns.orghttp-01 challenge for www.xxxxxx.duckdns.orgWaiting for verification...Cleaning up challengesIMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/xxxxx.duckdns.org/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/xxxxx.duckdns.org/privkey.pemYour cert will expire on 2018-04-23. To obtain a new or tweakedversion of this certificate in the future, simply run certbotagain. To non-interactively renew *all* of your certificates, run"certbot renew"- Your account credentials have been saved in your Certbotconfiguration directory at /etc/letsencrypt. You should make asecure backup of this folder now. This configuration directory willalso contain certificates and private keys obtained by Certbot somaking regular backups of this folder is ideal.- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donateDonating to EFF: https://eff.org/donate-le[cont-init.d] 50-config: exited 0.[cont-init.d] done.[services.d] starting services[services.d] done.Server readynginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_sizenginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size[cont-init.d] 50-config: exited 0.[cont-init.d] done.[services.d] starting services[services.d] done.Server readynginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_sizenginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size Quote Link to comment
GeXman.dk Posted January 23, 2018 Share Posted January 23, 2018 Does any one know if this has been implementede to the docker?https://community.letsencrypt.org/t/certbot-0-21-0-release/50725 Quote Link to comment
Nem Posted January 23, 2018 Share Posted January 23, 2018 11 hours ago, Ding Dong Del said: @Nem - that's pretty much what I get when using my setup. @Ding Dong Del Ive finally managed to get ovpn-as webgui running through a reverse proxy by just using a subdomain and another server block in the config. But Im also intrigued by your use of the same port for both https and vpn traffic. I'm wondering why you chose to use hostnames/streams/subdomains to redirect traffic instead of using the port share feature of ovpn? Quote Link to comment
Nem Posted January 24, 2018 Share Posted January 24, 2018 2 hours ago, aptalca said: I would strongly recommend against that for security reasons. VPN is considered pretty secure because it uses a certificate to authenticate. The web gui on the other hand only uses a password that can be brute forced. Once hacked, they can create their own cert through the web gui to get into your LAN Once you create the user cert, you shouldn't need to access the web gui remotely. If you really need to, you can vpn in, and then access the gui @aptalca I'm pretty new to using VPNs so to clarify: (assuming I'm using a weak admin password for ovpnas) if someone brute forces my password and gets into the webgui theres a section where they can upload their own SSL certificate, but isn't that certificate only used for the web interface, not the actual VPN connection? How would my LAN be compromised in that case? Or do you mean they can now change my server config and redirect traffic? I guess all of this can be prevented anyway with a strong password for the admin account...? Quote Link to comment
aptalca Posted January 24, 2018 Share Posted January 24, 2018 5 hours ago, Micaiah12 said: Hey guys I got mine finally working, however it's giving me NET::ERR_CERT_COMMON_NAME_INVALID when I am accessing the website from chrome. Is LE giving me a bad cert? Are you accessing the site at https://xxxx.duckdns.org? Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.