CHBMB Posted February 10, 2018
It's a router setting, hairpin NAT or NAT reflection is what you're looking for. No idea where it is on your router.
joenitro Posted February 10, 2018
9 hours ago, CHBMB said:
You've got http port defined twice, so remove one, and remove HTTPVAL = FALSE (the whole variable)

Hi CHBMB, please could you elaborate on how to remove HTTPVAL = FALSE? I think having it there may be my issue now, but can't see a way to remove that variable? I have removed my "extra" http option like you've recommended to sdoksdlkk but I can't see a way to do so for HTTPVAL?
CHBMB Posted February 10, 2018
joenitro said:
Hi CHBMB, please could you elaborate on how to remove HTTPVAL = FALSE? I think having it there may be my issue now, but can't see a way to remove that variable? I have removed my "extra" http option like you've recommended to sdoksdlkk but I can't see a way to do so for HTTPVAL?

Try switching on advanced. Or go to settings docker and turn on authoring mode.
Sent from my LG-H815 using Tapatalk
torn8o Posted February 10, 2018 (edited)
14 hours ago, aptalca said:
Post your site config. Make sure the ip you defined is correct and valid (no localhost or 127.0.0.1, etc.)

upstream backend {
    server 192.168.1.47:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    location = / {
        return 301 /htpc;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8989;
    }

    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:7878/radarr;
    }

    location /htpc {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8085/htpc;
    }

    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8112/;
        proxy_set_header X-Deluge-Base "/downloads/";
    }

    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.47:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.47:32400/web;
    }

    location /nextcloud {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.1.47:444/nextcloud;
    }

    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

I followed this tutorial. I suspect it is a bit dated with the new images out.
Edited February 10, 2018 by torn8o: add link to tutorial
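As an added illustration of how the prefix locations in torn8o's config above map a request URI onto the upstream (example code written for this page, not from the thread or the linuxserver image; the LOCATIONS table is copied from that config, everything else is constructed), the following models the two documented proxy_pass rules: with a URI part, the part of the request URI that matched the location prefix is replaced by that URI part as a plain string substitution; without a URI part, the request URI is passed unchanged. Regex locations (the /netdata one) and rewrite ... break are out of scope.

```python
"""Model nginx prefix-location selection and proxy_pass URI construction.

Rules implemented (nginx proxy_pass documentation):
  * proxy_pass with a URI part  -> matched location prefix is replaced by it
  * proxy_pass without URI part -> request URI passed to upstream unchanged
Exact (= /), regex (~) locations and rewrite+break are deliberately not modelled.
"""
from urllib.parse import urlsplit

# Prefix locations copied from torn8o's posted config (location -> proxy_pass target)
LOCATIONS = {
    "/sonarr": "http://192.168.1.47:8989",            # no URI part
    "/radarr": "http://192.168.1.47:7878/radarr",     # URI part repeats the prefix
    "/htpc": "http://192.168.1.47:8085/htpc",
    "/downloads": "http://192.168.1.47:8112/",        # URI part "/" strips the prefix
    "/web": "http://192.168.1.47:32400",
    "/plex": "http://192.168.1.47:32400/web",         # prefix swapped for another path
    "/nextcloud": "https://192.168.1.47:444/nextcloud",
}


def match_location(request_uri, locations):
    """nginx picks the longest prefix location that matches; None if none does."""
    hits = [prefix for prefix in locations if request_uri.startswith(prefix)]
    return max(hits, key=len) if hits else None


def upstream_uri(request_uri, locations=LOCATIONS):
    """Return the URI the upstream receives for request_uri, or None if unmatched."""
    prefix = match_location(request_uri, locations)
    if prefix is None:
        return None
    target = urlsplit(locations[prefix])
    if target.path == "":
        return request_uri                               # no URI part: passed as-is
    return target.path + request_uri[len(prefix):]       # URI part: prefix replaced


def upstream_url(request_uri, locations=LOCATIONS):
    """Full scheme://host:port/path the request is proxied to, or None."""
    prefix = match_location(request_uri, locations)
    if prefix is None:
        return None
    target = urlsplit(locations[prefix])
    return f"{target.scheme}://{target.netloc}{upstream_uri(request_uri, locations)}"


if __name__ == "__main__":
    # Note "/downloads/json" -> "//json": a location without a trailing slash
    # combined with a proxy_pass ending in "/" doubles the slash, which is why
    # the usual pairing is "location /downloads/" with "proxy_pass .../".
    for uri in ("/sonarr/api/system", "/radarr/movie", "/plex/index.html",
                "/downloads", "/downloads/json", "/nope"):
        print(f"{uri:20} -> {upstream_url(uri)}")
```

The model is a string substitution because that is what nginx does: it does not re-normalize the constructed upstream URI, so the doubled slash in the /downloads case is real and is a common reason a proxied app answers 404 even though the location "matches".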
aptalca Posted February 11, 2018
6 hours ago, torn8o said:
[quoted: torn8o's site config from the post above]
I followed this tutorial. I suspect it is a bit dated with the new images out.

Hmm, not sure. It's complaining about not being able to reach a host, perhaps the netdata one. Is that container running?
moinmoin Posted February 11, 2018
Hi, I followed the great guide of @CHBMB at https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/ Unfortunately I have a problem with letsencrypt. I am using the file

server {
    listen 443 ssl;
    server_name nextcloud.whatevermydomainis.com;
    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://my.inter.nal.ip:444/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

placed in the path /mnt/user/appdata/letsencrypt/nginx/site-confs/nextcloud

When I restart the letsencrypt docker I get the following error in the log:

nginx: [emerg] the size 10485760 of shared memory zone "SSL" conflicts with already declared size 52428800 in /config/nginx/site-confs/nextcloud:20

Unfortunately I do not have a clue how to solve this. Could someone be so kind to help me? Cheers!
CHBMB Posted February 11, 2018
Remove line 20 as that's what the error is telling you is causing the issue.
joenitro Posted February 11, 2018
23 hours ago, CHBMB said:
Try switching on advanced. Or go to settings docker and turn on authoring mode.

God damn it, I feel even more stupid than usual and that's saying something! Thank you. Although it didn't solve my problem, at least I've learnt something. Think my ISP must block port 80 inbound.
moinmoin Posted February 11, 2018 (edited)
9 minutes ago, CHBMB said:
Remove line 20 as that's what the error is telling you is causing the issue.

Wow, thank you so much for such a fast reply esp. on a Sunday!! I commented out ssl_session_cache shared:SSL:10m; and now it does not throw the error anymore.

P.S. May I suggest to extend your guide in respect to this config file? You do not write that the line proxy_pass https://192.168.0.1:444/; needs to be changed to the internal IP of the unRAID server and the port of Nextcloud chosen above.
Edited February 11, 2018 by moinmoin: added PS
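The error moinmoin hit is nginx refusing to start because the same shared-memory zone name ("SSL") was declared twice with different sizes: 52428800 bytes (50m) somewhere earlier in the loaded configuration and 10485760 bytes (10m) on line 20 of the site config. The check below reproduces that detection offline, so a duplicate can be found before restarting the container. It is example code written for this page, not the thread's or the linuxserver image's own; the two sample config files are constructed, and the 50m figure is taken only from the error message quoted above.

```python
"""Find ssl_session_cache shared:NAME:SIZE declarations that reuse a zone name
with a different size across a set of nginx config files.

nginx rejects such a configuration with:
  [emerg] the size N of shared memory zone "NAME" conflicts with already declared size M
"""
import re

# The shared form of the directive may be combined with builtin:, so allow
# other tokens before "shared:". Sizes are bytes or a number with k/K or m/M.
SHARED_ZONE = re.compile(
    r"ssl_session_cache\s[^;]*?shared:(?P<zone>[^:\s;]+):(?P<size>\d+[kKmM]?)"
)
UNITS = {"k": 1024, "m": 1024 ** 2}


def size_to_bytes(size):
    """Convert an nginx size token ("10m", "512k", "4096") to a byte count."""
    suffix = size[-1].lower()
    if suffix in UNITS:
        return int(size[:-1]) * UNITS[suffix]
    return int(size)


def shared_zone_declarations(configs):
    """Yield (zone, bytes, "file:line") for every live declaration.

    configs maps a file name to its text. Text after '#' on a line is a comment,
    so a commented-out directive (moinmoin's fix) no longer counts.
    """
    for fname, text in configs.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            code = line.split("#", 1)[0]
            m = SHARED_ZONE.search(code)
            if m:
                yield m["zone"], size_to_bytes(m["size"]), f"{fname}:{lineno}"


def find_zone_conflicts(configs):
    """Return one record per later declaration whose size differs from the first
    declaration of the same zone, mirroring what the emerg message reports."""
    first_seen = {}
    conflicts = []
    for zone, nbytes, where in shared_zone_declarations(configs):
        if zone not in first_seen:
            first_seen[zone] = (nbytes, where)
        elif first_seen[zone][0] != nbytes:
            conflicts.append({"zone": zone, "declared": first_seen[zone],
                              "conflict": (nbytes, where)})
    return conflicts


# Constructed sample: a top-level config declaring the zone once at 50m, and a
# site config repeating the same zone name with 10m (the situation in the post).
BROKEN = {
    "nginx.conf": (
        "http {\n"
        "    ssl_session_cache shared:SSL:50m;\n"
        "    include /config/nginx/site-confs/*;\n"
        "}\n"
    ),
    "site-confs/nextcloud": (
        "server {\n"
        "    listen 443 ssl;\n"
        "    ssl_prefer_server_ciphers on;\n"
        "    ssl_session_cache shared:SSL:10m;\n"
        "}\n"
    ),
}

# The same files with the site-level declaration commented out, as moinmoin did.
FIXED = {
    name: text.replace("    ssl_session_cache shared:SSL:10m;",
                       "    # ssl_session_cache shared:SSL:10m;")
    for name, text in BROKEN.items()
}

if __name__ == "__main__":
    for c in find_zone_conflicts(BROKEN):
        (b1, w1), (b2, w2) = c["declared"], c["conflict"]
        print(f'zone "{c["zone"]}": size {b2} at {w2} conflicts with '
              f'already declared size {b1} at {w1}')
    print("conflicts after fix:", find_zone_conflicts(FIXED))
```

Either remedy satisfies the check: remove the duplicate from the server block, as CHBMB advised, or give every declaration of the zone the same size. Keeping the cache declared once at the http level is the simpler configuration to maintain across several site files.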
alturismo Posted February 11, 2018
Hi, I switched also now from apache to letsencrypt, some smaller issues I don't understand. Server is used as reverse proxy mainly. 2 sites I don't get proxied like before.

1st one is cops, config looks like this:

location ^~ /calibre {
    auth_basic off;
    allow all; # Allow all to see content
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.2:9090/calibre;
}

also tried proxy_pass http://192.168.1.2:9090 without the /calibre ... no change, all I get is either 404 or file not found error, nothing in the error logs, only access logs showing ...

11.22.33.44 - - [11/Feb/2018:11:05:22 +0100] "GET /favicon.ico HTTP/1.1" 200 430 "https://my.domain.de/calibre/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"
11.22.33.44 - - [11/Feb/2018:11:05:23 +0100] "GET /calibre/ HTTP/1.1" 404 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"
11.22.33.44 - - [11/Feb/2018:11:05:23 +0100] "GET /favicon.ico HTTP/1.1" 200 430 "https://my.domain.de/calibre/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"
11.22.33.44 - - [11/Feb/2018:11:15:16 +0100] "GET /calibre/index.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"

in apache it looked like this

<Location /calibre>
    ProxyPass http://192.168.1.2:9090 retry=0
    # retry=0 => avoid 503's when restarting etherpad-lite
    ProxyPassReverse http://192.168.1.2:9090
    SetOutputFilter proxy-html
    ProxyHTMLURLMap http://192.168.1.2:9090
</Location>
RewriteRule ^/calibre$ /calibre/ [R]

as the 2nd site is more or less the same error ... For any tips thanks ahead
CHBMB Posted February 11, 2018
9 hours ago, moinmoin said:
proxy_pass https://192.168.0.1:444/; needs to be changed to the internal IP of the unRAID server and the port of Nextcloud chosen above.

I kind of thought it was so obvious it goes without saying......
CHBMB Posted February 11, 2018
9 hours ago, alturismo said:
1st one is cops, config looks like this:
location ^~ /calibre {
    auth_basic off;
    allow all; # Allow all to see content
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.2:9090/calibre;
}

I used....

location ^~/books {
    proxy_pass http://192.168.0.1:82/;
    rewrite /books/?(.*) /$1 break;
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
}

But I could only ever get it to work if I manually put in the trailing slash into the URL.
Jessie Posted February 11, 2018
Prior to the letsencrypt change, the template below worked for small business server. There are 2 lines added to allow emails to be sent to external devices eg phones. After the letsencrypt change I changed the settings in the docker to HTTPVAL = true and redirected external port 80 to 8088 internally. Certificates worked again but no more emails can be received externally to phones etc. On the local network, sbs works normally. Any ideas? I wondered whether redirecting port 80 might have had an effect, but I bypassed the proxy by directing port 443 directly back to the sbs server and blocked port 80 and the emails worked normally. So it has to be an issue with the proxy.

server {
    listen 443 ssl;
    server_name remote.mydomanename.com.au;
    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    # cancelled the following line after upgrade to nextcloud 13
    # ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    # the next 2 lines allowed exchange in small business server send emails externally. The rest of this template is otherwise unchanged.
    proxy_request_buffering off;
    proxy_buffering off;

    location / {
        proxy_pass https://192.168.10.21:443/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}
sdoksdlkk Posted February 12, 2018
On 2/9/2018 at 4:59 PM, CHBMB said:
You've got http port defined twice, so remove one, and remove HTTPVAL = FALSE (the whole variable)

Pretty sure I've done what you suggested and still not working. Is this correct?
aptalca Posted February 12, 2018 (edited)
3 hours ago, sdoksdlkk said:
Pretty sure I've done what you suggested and still not working. Is this correct?

You still have HTTPVAL in there. You need to remove that and add VALIDATION instead and set it to http.

You also need to change network mode to bridge instead of host. It is now trying to bind port 80 but unraid is using it.
Edited February 12, 2018 by aptalca
aptalca Posted February 12, 2018
6 hours ago, Jessie said:
[quoted: Jessie's post and site config from above]

I don't quite follow what changes you made. When you forward port 80 to your unraid server for validation, you don't need to make any changes to your nginx site config. Letsencrypt puts up its own webserver listening on port 80 during validation. Nginx doesn't need to listen on 80.
Jessie Posted February 12, 2018 (edited)
Quote:
proxy_request_buffering off;
proxy_buffering off;

The 2 lines above made the external emails work. (they are in the template above)

Prior to the HTTPVAL modification I had port 80 ported to the sbs server. After the letsencrypt changes, I changed HTTPVAL to true and:
In the router I pointed 443 to the unraid server. I also pointed external port 80 to internal port 8088 in the router.
To get the letsencrypt docker to work, I configured http as 8080 and https as 443.
I wondered if I might have to redirect 8088 back to 80 to the sbs server. But I don't know how to do that.

As an experiment I bypassed the letsencrypt docker and ported 443 back to the sbs server. Emails worked again. I then turned off porting on port 80 to the sbs server. The emails still worked. When I switched back to the letsencrypt docker, I lost external email functionality again. I also can't access remote.mydomain.com.au which is remote access to the sbs server. All of this worked before the letsencrypt changes.

In the letsencrypt template:
http set at 8088
https set at 443
HTTPVAL = true
Edited February 12, 2018 by Jessie: Additional info
alturismo Posted February 12, 2018
9 hours ago, CHBMB said:
I used....
location ^~/books {
    proxy_pass http://192.168.0.1:82/;
    rewrite /books/?(.*) /$1 break;
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
}
But I could only ever get it to work if I manually put in the trailing slash into the URL.

thank you, works as described
aptalca Posted February 12, 2018
7 hours ago, Jessie said:
[quoted: Jessie's post from above]

So what you're saying is, if you forward the ports directly to your sbs server, it works, but if it's proxied through letsencrypt it doesn't? Then you should modify your proxy settings.

If I understand correctly, before any changes, port 80 was "ported to the sbs server", I'm assuming that means forwarded to the sbs on the router, so it wasn't reverse proxied when it worked.
Jessie Posted February 12, 2018 (edited)
1 hour ago, aptalca said:
1/ So what you're saying is, if you forward the ports directly to your sbs server, it works, but if it's proxied through letsencrypt it doesn't? Then you should modify your proxy settings.
2/ If I understand correctly, before any changes, port 80 was "ported to the sbs server", I'm assuming that means forwarded to the sbs on the router, so it wasn't reverse proxied when it worked.

1/ Correct. However prior to Letsencrypt breaking it worked perfectly using standard settings plus the 2 proxy buffering lines. Now it doesn't and I don't know why.

2/ Correct. In SBS, port 80 is used to get to http://remote.mydomain.com. If it is closed you can still get there via https://remote.mydomain.com through port 443. When going via http port 80, sbs redirects to https on port 443. Now, if I try to go to https://remote.mydomain.com I get an nginx 502 bad gateway error.

I'm also running 2 nextcloud dockers through this proxy and they work fine.
Edited February 12, 2018 by Jessie
Jessie Posted February 12, 2018
Is the certificate now different? If so maybe sbs doesn't like it.
deadnote Posted February 12, 2018
Hi, I need some help to make the LE docker image work. I created a subdomain on duckdns.org. DNS propagation is fine (tested on https://dnschecker.org). When I start the docker, everything is fine, the command finished successfully. But in logs I have these errors:

Failed authorization procedure. xxx.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx.duckdns.org/.well-known/acme-challenge/Ey1_KaCKpqDnA86-Q46OkTcgUyTxRTGpARr8Aj2ONAE: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.duckdns.org
   Type:   connection
   Detail: Fetching http://xxx.duckdns.org/.well-known/acme-challenge/Ey1_KaCKpqDnA86-Q46OkTcgUyTxRTGpARr8Aj2ONAE: Timeout

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Can someone tell me what I'm doing wrong? Thanks! Here are my docker configuration and my port forwarding.
saarg Posted February 12, 2018
33 minutes ago, deadnote said:
[quoted: deadnote's post and certbot log from above]

Your WAN port forward is wrong for port 80. Change it from 81 to 80.
deadnote Posted February 13, 2018
13 hours ago, saarg said:
Your WAN port forward is wrong for port 80. Change it from 81 to 80.

Yes! Thanks for your help!
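The two validation failures in this thread (deadnote's router forwarding the wrong WAN port, and the host-network-mode case aptalca pointed out where the container tries to bind port 80 that unraid already uses) are both breaks in the same chain: Let's Encrypt connects to WAN port 80, the router forwards that to a LAN port on the docker host, and that port has to reach port 80 inside the container. The function below traces that chain offline and names the first hop that fails. It is example code written for this page, not the thread's or the linuxserver image's own; the router-rule and container data shapes, the LAN address and the port numbers are constructed.

```python
"""Offline trace of the ACME HTTP-01 path:
   Let's Encrypt -> WAN:80 -> router forward -> docker host port -> container port 80

Constructed data shapes (not from any real router or docker API):
  forwards : list of (wan_port, lan_ip, lan_port) router rules
  container: {"host_ip": str, "network_mode": "bridge" | "host",
              "ports": {host_port: container_port}}   # bridge mode only
  host_listeners: ports the host itself already serves (e.g. the unraid webui)
"""


def trace_http01(forwards, container, host_listeners=frozenset()):
    """Return (ok, reason) for an inbound validation request on WAN port 80."""
    host_ip = container["host_ip"]
    hits = [f for f in forwards if f[0] == 80 and f[1] == host_ip]
    if not hits:
        others = [f for f in forwards if f[1] == host_ip]
        if others:
            # deadnote's case: a rule exists, but on the wrong external port
            return False, (f"WAN port {others[0][0]} is forwarded to the host, "
                           "but HTTP-01 arrives on WAN port 80")
        return False, "no router forward for WAN port 80 to the docker host"

    lan_port = hits[0][2]
    if container["network_mode"] == "host":
        # Host mode shares the host's port namespace: the container must own :80.
        if lan_port != 80:
            return False, (f"host-mode container listens on 80 but the router "
                           f"forwards to LAN port {lan_port}")
        if 80 in host_listeners:
            return False, "host port 80 is already bound by another service on the host"
        return True, "WAN:80 -> host:80 -> container (host network)"

    mapped = container["ports"].get(lan_port)
    if mapped != 80:
        return False, f"LAN port {lan_port} maps to container port {mapped}, not 80"
    return True, f"WAN:80 -> host:{lan_port} -> container:80"


# Constructed scenarios
HOST = "192.168.1.10"                      # LAN address of the docker host
UNRAID_WEBUI = frozenset({80, 443})        # ports the host itself already serves
BRIDGE = {"host_ip": HOST, "network_mode": "bridge", "ports": {81: 80, 443: 443}}
HOST_MODE = {"host_ip": HOST, "network_mode": "host", "ports": {}}

SCENARIOS = {
    "deadnote: WAN 81 forwarded instead of 80": ([(81, HOST, 81)], BRIDGE, frozenset()),
    "fixed: WAN 80 -> host 81 -> container 80": ([(80, HOST, 81)], BRIDGE, frozenset()),
    "host mode while unraid owns port 80":     ([(80, HOST, 80)], HOST_MODE, UNRAID_WEBUI),
    "bridge but router points at host 80":      ([(80, HOST, 80)], BRIDGE, frozenset()),
}

if __name__ == "__main__":
    for name, (fwd, ctr, listeners) in SCENARIOS.items():
        ok, reason = trace_http01(fwd, ctr, listeners)
        print(f"{'OK ' if ok else 'BAD'}  {name}: {reason}")
```

The reasons it returns are the questions to answer, in order, when certbot reports a connection timeout on the challenge URL: which external port the router actually forwards, which LAN port it lands on, and whether that port belongs to the container or to something else on the host.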
NyHoK Posted February 14, 2018
I seem to get the following problem when trying to create the letsencrypt docker. Am I missing something?

Unraid Docker log:

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Backwards compatibility check. . .
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ********
E-mail address entered: ********
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
ValueError: Requesting acme-v01.api.letsencrypt.org/directory: Host is unreachable
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

/var/log/letsencrypt/letsencrypt.log:

root@c919d7ca660d:/$ cat /var/log/letsencrypt/letsencrypt.log
2018-02-14 10:06:53,961:DEBUG:certbot.main:certbot version: 0.21.1
2018-02-14 10:06:53,961:DEBUG:certbot.main:Arguments: ['--renew-by-default', '--non-interactive', '--standalone', '--preferred-challenges', 'http', '--rsa-key-size', '4096', '-m', '******', '--no-eff-email', '--agree-tos', '-d', '******']
2018-02-14 10:06:53,961:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-cloudxns,PluginEntryPoint#dns-digitalocean,PluginEntryPoint#dns-dnsimple,PluginEntryPoint#dns-dnsmadeeasy,PluginEntryPoint#dns-google,PluginEntryPoint#dns-luadns,PluginEntryPoint#dns-nsone,PluginEntryPoint#dns-rfc2136,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-02-14 10:06:53,976:DEBUG:certbot.log:Root logging level set at 20
2018-02-14 10:06:53,977:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-02-14 10:06:53,977:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-02-14 10:06:54,053:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x1550cfbb8310>
Prep: True
2018-02-14 10:06:54,054:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x1550cfbb8310> and installer None
2018-02-14 10:06:54,054:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-02-14 10:06:55,343:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-02-14 10:06:55,346:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-02-14 10:06:58,465:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1104, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 632, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 511, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 163, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 45, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 72, in __init__
    self.net.get(directory).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 681, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 653, in _send_request
    raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
ValueError: Requesting acme-v01.api.letsencrypt.org/directory: Host is unreachable
2018-02-14 10:06:58,465:ERROR:certbot.log:An unexpected error occurred: