wreave Posted February 4, 2018
So I am trying to switch the validation from HTTP to TLS-SNI but I am getting an error:

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

I have made sure all my ports are lined up as well. Not sure what I am missing here. Any help is greatly appreciated.
CHBMB Posted February 4, 2018
TLS-SNI currently isn't supported, LE have disabled it. It's included in the container only in case they re-enable it at a later date.
https://github.com/linuxserver/docker-letsencrypt#parameters
Edited February 4, 2018 by CHBMB
wreave Posted February 4, 2018
6 minutes ago, CHBMB said:
TLS-SNI currently isn't supported, LE have disabled it. It's included in the container only in case they re-enable it at a later date.
https://github.com/linuxserver/docker-letsencrypt#parameters

Ooooooh, I get it now. That makes sense, thank you.
DieFalse Posted February 4, 2018
I have run into a strange problem. HTTPS works perfectly, however now nginx is ignoring port 80 no matter what. Going to port 80 with proper mapping and all reports connection refused. Is there somewhere in the nginx config that controls regular http access?
CHBMB Posted February 4, 2018
Yes, in the "default" file. If you want nginx to respond on port 80, you have to configure the nginx server to do so. Response to the http challenge isn't done from nginx, it's a completely separate process.
DieFalse Posted February 4, 2018
3 minutes ago, CHBMB said:
Yes, in the "default" file. If you want nginx to respond on port 80, you have to configure the nginx server to do so. Response to the http challenge isn't done from nginx, it's a completely separate process.

Got ya... I must have broken something then.
(http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain ::
CHBMB Posted February 4, 2018
2 minutes ago, fmp4m said:
Got ya... I must have broken something then.
(http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain ::

That suggests you haven't even got to the nginx part yet, that's the LE challenge......
DieFalse Posted February 4, 2018
1 minute ago, CHBMB said:
That suggests you haven't even got to the nginx part yet, that's the LE challenge......

Yea, I got that part after you said it was a separate process. I don't know what broke. It's on port 80 and 443 with forwarding. I checked by moving the mapping of another process to port 80 and 443 and it's not blocked by the ISP. Maybe I need to hose it. Strange.
DieFalse Posted February 4, 2018
28 minutes ago, fmp4m said:
Yea, I got that part after you said it was a separate process. I don't know what broke. It's on port 80 and 443 with forwarding. I checked by moving the mapping of another process to port 80 and 443 and it's not blocked by the ISP. Maybe I need to hose it. Strange.

Yep.. I broke something. After getting the LE challenge fixed and server up, no response on http or https.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

*** Found it. default had the old ports in it. Updated and all is back online.
Edited February 4, 2018 by fmp4m
Invincible Posted February 4, 2018
2 hours ago, CHBMB said:
That's fine as long as your firewall/router is forwarding 443 externally to 442 on your Unraid box. It doesn't sound like that's what is causing the error though.

It used to work with the settings I had before, which is why I'm not sure why it would just stop working overnight.
aptalca Posted February 4, 2018
4 hours ago, Invincible said:
The latest update (from last night) seems to have broken something for me. I haven't changed any of the settings, however I noticed there was a new "Validation" option in the docker settings which is set to HTTP. I also noticed that the HTTPVAL setting was missing from the show more settings tab. Any ideas what would have broken the config for me? Here are the logs:

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Backwards compatibility check. . .
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ******.duckdns.org
E-mail address entered: **********
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ******.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ******.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://******.duckdns.org/.well-known/acme-challenge/MKKaK-NvviGlS4ME6FlQ5uTBojzr8WHznM36sgR8Ujo: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ******.duckdns.org
Type: unauthorized
Detail: Invalid response from http://******.duckdns.org/.well-known/acme-challenge/MKKaK-NvviGlS4ME6FlQ5uTBojzr8WHznM36sgR8Ujo: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="*********" -e "URL"="duckdns.org" -e "SUBDOMAINS"="******" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "VALIDATION"="http" -e "DNSPLUGIN"="" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
2dab690e979f92d6a66c2a7506fbb121324e105cd195d576fa5c141d067d0952

The second screenshot looks like your router is forwarding port 80 to port 80 on unraid for tcp, and port 81 to 81 on unraid for udp. What you need is to forward port 80 to port 81 for tcp. Right now, letsencrypt servers are connecting to your unraid web gui.
aptalca Posted February 4, 2018
11 hours ago, WannabeMKII said:
Ah ha, adding "tls-sni" = "true" has got me back up and running! Port 80 is still appearing as closed though? Now just to get nzbhydra2 actually loading properly. Superb news though and really appreciate the constant help from everyone, absolutely legendary!

This container does not recognize "tls-sni" = "true", so something else you did must have fixed it.
Invincible Posted February 4, 2018
8 minutes ago, aptalca said:
The second screenshot looks like your router is forwarding port 80 to port 80 on unraid for tcp, and port 81 to 81 on unraid for udp. What you need is to forward port 80 to port 81 for tcp. Right now, letsencrypt servers are connecting to your unraid web gui.

Looks like there was a separate section on my router to configure this. That seemed to fix it, thanks!
statecowboy Posted February 5, 2018
Hi guys, I am getting the following error:

There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: INSERTDOMAINHERE.com,www.INSERTDOMAINHERE.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container.

Some background. I had just done something on my unraid server and saw a notification that there was an update available for the letsencrypt docker. I updated and this is the error I received. Any ideas? I will be checking DNS to make sure nothing is wrong there, but it's highly unlikely as everything was working just fine before updating the docker. Maybe also worth noting is I validate via http (and the flag is set to true).

UPDATE - I don't know why, but deleting my docker and reinstalling fixed it.
Edited February 5, 2018 by statecowboy
Sensei73 Posted February 6, 2018
Hi there, I've been using this docker for a while in unraid and it works perfectly. Thanks for that! I wanted to move it to a Raspberry Pi, and I found you already have a GitHub repo with all that's necessary, but you did not publish an image on Docker Hub. Could you do this? Thanks in advance.
sparklyballs Posted February 6, 2018
@Sensei73 we have a separate repo for arm images. Refer to our main list here for available images; the list on the right is for armxx images, and any ending --aarch64 are for aarch64 only.
Sensei73 Posted February 6, 2018
@sparklyballs thanks for the quick answer! Found it! I will have to clone it and change it to 32 bits, RPi 2 powered!! Thanks!
edit: not so easy! You used a custom image!
edit2: never mind, you have a 32 bits image also! You are perfect!
Edited February 6, 2018 by Sensei73
IamSpartacus Posted February 7, 2018
So I just updated my container by removing the HTTPVAL variable and replacing it with VALIDATION=http. Nothing else changed (I was already forwarding 80 to get HTTPVAL working). Now I'm getting the following for all my certs:

Type: unauthorized
Detail: The key authorization file from the server did not match this challenge
Edited February 7, 2018 by IamSpartacus
aptalca Posted February 7, 2018
54 minutes ago, IamSpartacus said:
So I just updated my container by removing the HTTPVAL variable and replacing it with VALIDATION=http. Nothing else changed (I was already forwarding 80 to get HTTPVAL working). Now I'm getting the following for all my certs:
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge

Full log?
IamSpartacus Posted February 7, 2018
5 minutes ago, aptalca said:
Full log?

PM'd.
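Every failure in this thread so far is the same procedure done by hand: read the ACME error certbot printed, then work out where public port 80 actually lands (router rule, then the container's -p mapping). The script below is an added example that does both mechanically; it is not part of the linuxserver/letsencrypt container or of certbot. The error signatures are taken from the messages posted above (connection error, 404 from the wrong web server, key-authorization mismatch, rate limit, tls-sni not accepted); the "cause" strings are this example's interpretation, and the log lines and router rules are constructed to mirror the thread, not copied from anyone's real setup.

```python
"""Triage helper for failed Let's Encrypt http-01 validations.

Added example for this thread; not part of the linuxserver/letsencrypt
container or of certbot. It automates two things the thread does by hand:
classify the ACME error certbot printed into its most likely cause, and
check that the router rule and the container's -p mapping line up so that
public tcp/80 ends up on the container's port 80 (http-01 always arrives on
the public side on port 80).
"""
import re
from dataclasses import dataclass

# Error signatures seen in the thread, most specific first.
# The causes are this example's interpretation, not certbot's own text.
ACME_CAUSES = [
    (r"urn:acme:error:connection",
     "nothing answered on public port 80: check the router forward and ISP blocking"),
    (r"urn:acme:error:unauthorized.*404 Not Found",
     "public port 80 reached a web server that is not the container (e.g. the host GUI)"),
    (r"key authorization file from the server did not match",
     "a different server or a stale challenge answered: check which host public port 80 lands on"),
    (r"rateLimited|too many certificates already issued",
     "CA rate limit hit: wait for the window to pass, or test against the staging endpoint"),
    (r"does not support any combination of challenges",
     "the chosen validation method is not offered by the CA (tls-sni-01 was disabled)"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    cause: str


def triage_log(lines):
    """Return one Finding per log line that matches a known ACME failure."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pattern, cause in ACME_CAUSES:
            if re.search(pattern, line):
                findings.append(Finding(n, cause))
                break
    return findings


def parse_port_mapping(spec):
    """Parse a docker -p argument such as '81:80/tcp' into (proto, host_port, container_port)."""
    m = re.fullmatch(r"(?:[\d.]+:)?(\d+):(\d+)(?:/(tcp|udp))?", spec)
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec}")
    host, container, proto = m.groups()
    return (proto or "tcp", int(host), int(container))


def http01_path_ok(router_rules, container_mappings):
    """router_rules: (proto, wan_port, lan_port) tuples as configured on the router.
    container_mappings: (proto, host_port, container_port) tuples from -p.
    True only when a TCP packet to public port 80 ends on the container's port 80."""
    lan_ports = {lan for proto, wan, lan in router_rules if proto == "tcp" and wan == 80}
    return any(proto == "tcp" and cont == 80 and host in lan_ports
               for proto, host, cont in container_mappings)


# Constructed sample log lines, mirroring the messages posted in the thread.
SAMPLE_LOG = [
    "Obtaining a new certificate",
    "Performing the following challenges:",
    "http-01 challenge for example.duckdns.org",
    "example.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain",
    'example.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.duckdns.org/.well-known/acme-challenge/TOKEN: "<html><head><title>404 Not Found</title></head>"',
    "Detail: The key authorization file from the server did not match this challenge",
    "There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.cause}")
    # The thread's case: router forwards 80 -> 80 while the container sits on host port 81.
    wrong_rules = [("tcp", 80, 80), ("udp", 81, 81)]
    right_rules = [("tcp", 80, 81)]
    maps = [parse_port_mapping("81:80/tcp"), parse_port_mapping("443:443/tcp")]
    print("80->80 forward reaches the container:", http01_path_ok(wrong_rules, maps))
    print("80->81 forward reaches the container:", http01_path_ok(right_rules, maps))
```

Run it as-is to see the constructed log triaged and the two router configurations compared; to use it on a real box, replace SAMPLE_LOG with the lines from /var/log/letsencrypt/letsencrypt.log and the rule tuples with what the router and the container template actually say.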
sdoksdlkk Posted February 10, 2018
I've been pulling my hair out this week reading through this whole thread and trying what was suggested, and it's just not working. Perhaps I'm just not grasping it for some silly reason? Any help would be appreciated. Thanks! Here are screenshots of what my configurations and errors look like.
CHBMB Posted February 10, 2018
You've got the http port defined twice, so remove one, and remove HTTPVAL = FALSE (the whole variable).
torn8o Posted February 10, 2018
I did get letsencrypt working and all. Is this the right place to find out what's wrong with the nginx server? Possibly a tutorial on how to set it up with sonarr etc? I get this error on the upstream:
*1 connect() failed (113: Host is unreachable) while connecting to upstream, client: XX.XX.XX.XX
aptalca Posted February 10, 2018
4 hours ago, torn8o said:
I did get letsencrypt working and all. Is this the right place to find out what's wrong with the nginx server? Possibly a tutorial on how to set it up with sonarr etc? I get this error on the upstream:
*1 connect() failed (113: Host is unreachable) while connecting to upstream, client: XX.XX.XX.XX

Post your site config. Make sure the IP you defined is correct and valid (no localhost or 127.0.0.1, etc.).
ebnerjoh Posted February 10, 2018
Hi, I have a special question regarding letsencrypt together with nextcloud. I have a static IP with a domain for letsencrypt. This IP I am mapping on my router to letsencrypt. Letsencrypt is then proxying to the nextcloud container. If I now set up the Nextcloud app on my internal client to the domain, then everything works fine and I am not getting any (certificate) error. The big disadvantage is that any traffic from the client to nextcloud (via letsencrypt) is going via the router instead of directly. The router is a USG from Unifi with IDS/IPS enabled, which limits the throughput to 80Mbit/s, which is more than enough for the internet but not for the internal Gigabit connection. So if I transfer big files via nextcloud the router will hit its maximum throughput. I could use the IP address of the nextcloud container internally, but then I will always get a security warning... Any other ideas?
Br, Johannes