saarg Posted April 29, 2018

2 hours ago, jon123 said:

> Hey all.. I've been running this image for a while now without issue. But, I decided to try changing to a wildcard cert today. I pulled the most recent image, updated my docker compose and dns config and updated the container. It appears to work, but then throws an error saying to check the validation error above - but there are no validation errors.
>
> build_version: Linuxserver.io version:- 139 Build-date:- April-27-2018-22:06:54-UTC
>
> Any ideas? le log (I've attached the full le log here as well).
>
>     le | 2018-04-29T16:54:15.228690086Z Performing the following challenges:
>     le | 2018-04-29T16:54:15.238047339Z dns-01 challenge for mydomain
>     le | 2018-04-29T16:54:15.238085071Z dns-01 challenge for mydomain
>     le | 2018-04-29T16:54:15.238090178Z Unsafe permissions on credentials configuration file: /config/dns-conf/digitalocean.ini
>     le | 2018-04-29T16:54:16.523142000Z Waiting 10 seconds for DNS changes to propagate
>     le | 2018-04-29T16:54:26.534836161Z Waiting for verification...
>     le | 2018-04-29T16:54:30.185131883Z Cleaning up challenges
>     le | 2018-04-29T16:54:46.170727929Z IMPORTANT NOTES:
>     le | 2018-04-29T16:54:46.250348556Z - Congratulations! Your certificate and chain have been saved at:
>     le | 2018-04-29T16:54:46.250445899Z /etc/letsencrypt/live/mydomain/fullchain.pem
>     le | 2018-04-29T16:54:46.253021957Z Your key file has been saved at:
>     le | 2018-04-29T16:54:46.253059746Z /etc/letsencrypt/live/mydomain/privkey.pem
>     le | 2018-04-29T16:54:46.253064950Z Your cert will expire on 2018-07-28. To obtain a new or tweaked
>     le | 2018-04-29T16:54:46.253069538Z version of this certificate in the future, simply run certbot
>     le | 2018-04-29T16:54:46.253073599Z again. To non-interactively renew *all* of your certificates, run
>     le | 2018-04-29T16:54:46.253077573Z "certbot renew"
>     le | 2018-04-29T16:54:46.253088918Z - If you like Certbot, please consider supporting our work by:
>     le | 2018-04-29T16:54:46.253097379Z
>     le | 2018-04-29T16:54:46.253101610Z Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
>     le | 2018-04-29T16:54:46.253106190Z Donating to EFF: https://eff.org/donate-le
>     le | 2018-04-29T16:54:46.253110181Z
>     le | 2018-04-29T16:54:46.261602398Z ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/digitalocean.ini file.
>
> The docker compose file:
>
>     letsencrypt:
>       image: linuxserver/letsencrypt
>       container_name: le
>       ports:
>         - 443:443
>         - 80:80
>       volumes:
>         - /opt/appdata/letsencrypt:/config
>         - /opt/appdata/organizr/www:/fail2ban:ro
>       restart: always
>       depends_on:
>         - tautulli
>         - nzbget
>         - sonarr
>         - radarr
>         - delugevpn
>       environment:
>         - PUID=1002
>         - PGID=1002
>         - EMAIL=my@email
>         - URL=myserver
>         - SUBDOMAINS=wildcard
>         - ONLY_SUBDOMAINS=true
>         - VALIDATION=dns
>         - DNSPLUGIN=digitalocean
>         - DHLEVEL=4096
>         - TZ=America/New_York
>
> (attachment: le.log)

Please use our forum if you're not using unraid.
aptalca Posted April 30, 2018

6 hours ago, jon123 said:

> Hey all.. I've been running this image for a while now without issue. But, I decided to try changing to a wildcard cert today. I pulled the most recent image, updated my docker compose and dns config and updated the container. It appears to work, but then throws an error saying to check the validation error above - but there are no validation errors. [...]

You can't do only subdomains with wildcard.
IamSpartacus Posted April 30, 2018

I'd like to migrate my LE container from using subdomains to using wildcard. Right now I'm doing http validation so I obviously have to switch to DNS validation. How exactly do I go about picking a provider for the DNS plugin config? Does it matter who I choose?
adoucette Posted May 1, 2018

My ISP blocks port 443 and I am struggling to get letsencrypt to work with non-standard ports. I've managed to obtain certificates by using the dns verification (vice 443) and cloudflare (set authentication type to "dns" in docker settings, then use mc to change username and api key in letsencrypt/dns-conf/cloudflare.ini).

I can forward the docker's port on my edge router from the WAN port to the right port on the LAN unRAID server and get to the dockers in http, just not in https. What I'm struggling with is how to access dockers from the WAN if 443 is blocked.

For example, if as explained here I set up subdomain.mydomain.com and use the nginx reverse proxy to point it to my unraid server's IP and docker port, this doesn't work because the traffic is still coming in on 443. Forwarding ports 443 (and 80) on the edge router doesn't seem to help. The guide seems to assume that 443 is not blocked by the ISP (as some of us have to deal with).

So, I assume I should be using a non-standard port to come in from the WAN, say port 2345. I should then be able to point my browser from the WAN to https://mydomain.com:2345. How do I set that up in letsencrypt?

Thank you for any help, I've spent many hours trying to make this work without success.
ijuarez Posted May 1, 2018

4 minutes ago, adoucette said:

> My ISP blocks port 443 and I am struggling to get letsencrypt to work with non-standard ports. [...]

Who is your ISP? Curious.
adoucette Posted May 1, 2018

7 minutes ago, ijuarez said:

> Who is your ISP? Curious.

COX
Encino Stan Posted May 1, 2018

2 hours ago, adoucette said:

> COX

They don't list 443 as blocked. Wonder what else they block without documentation.

Internet Ports Blocked or Restricted by Cox
https://www.cox.com/residential/support/internet-ports-blocked-or-restricted-by-cox.html
adoucette Posted May 1, 2018

4 minutes ago, Encino Stan said:

> They don't list 443 as blocked. Wonder what else they block without documentation.
>
> Internet Ports Blocked or Restricted by Cox
> https://www.cox.com/residential/support/internet-ports-blocked-or-restricted-by-cox.html

Right, but even if forwarded through the router (pfsense) the ports show as closed ("stealth") with an online port scanning tool like GRC ShieldsUP.
igreulich Posted May 2, 2018 (edited)

Help! I have set this up, to use in conjunction with Nextcloud, Plex, Radarr, blah blah.... I followed this guide. Nextcloud is working-ish, and Letsencrypt is working, as long as I only set the subdomains covered to www. If I make the subdomains www,nextcloud things don't work.

Here are the Letsencrypt logs, when it does not work.

    [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
    [s6-init] ensuring user provided files have correct perms...exited 0.
    [fix-attrs.d] applying ownership & permissions fixes...
    [fix-attrs.d] done.
    [cont-init.d] executing container initialization scripts...
    [cont-init.d] 10-adduser: executing...
    -------------------------------------
    Brought to you by linuxserver.io
    We gratefully accept donations at:
    https://www.linuxserver.io/donations/
    -------------------------------------
    GID/UID
    -------------------------------------
    User uid: 99
    User gid: 100
    -------------------------------------
    [cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    Variables set:
    PUID=99
    PGID=100
    TZ=America/Los_Angeles
    URL=greulich.me
    SUBDOMAINS=www,nextcloud
    EXTRA_DOMAINS=
    ONLY_SUBDOMAINS=false
    DHLEVEL=2048
    VALIDATION=http
    DNSPLUGIN=
    [email protected]
    STAGING=

    Backwards compatibility check. . .
    No compatibility action needed
    2048 bit DH parameters present
    SUBDOMAINS entered, processing
    SUBDOMAINS entered, processing
    Sub-domains processed are: -d www.greulich.me -d nextcloud.greulich.me
    E-mail address entered: [email protected]
    http validation is selected
    Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
    Generating new certificate
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for greulich.me
    http-01 challenge for nextcloud.greulich.me
    http-01 challenge for www.greulich.me
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. nextcloud.greulich.me (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nextcloud.greulich.me
    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: nextcloud.greulich.me
       Type:   None
       Detail: DNS problem: NXDOMAIN looking up A for nextcloud.greulich.me
     - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
    ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Here is my router port forwarding...

Here is my '/config/nginx/site-confs/nextcloud' file.

    server {
        listen 443 ssl;
        server_name nextcloud.greulich.me;
        root /config/www;
        index index.html index.htm index.php;

        ###SSL Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

        ###Diffie–Hellman key exchange ###
        ssl_dhparam /config/nginx/dhparams.pem;

        ###SSL Ciphers
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ###Extra Settings###
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header Front-End-Https on;

        client_max_body_size 0;

        location / {
            proxy_pass https://192.168.1.24:10443/;
            proxy_max_temp_file_size 2048m;
            include /config/nginx/proxy.conf;
        }
    }

Here is my '/config/www/nextcloud/config/config.php'.

    <?php
    $CONFIG = array (
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'datadirectory' => '/data',
      'instanceid' => 'oc2mc6z7bo8o',
      'passwordsalt' => '[salt]',
      'secret' => '[secret]',
      'trusted_domains' =>
      array (
        0 => '192.168.1.24:10443',
        1 => 'nextcloud.greulich.me',
      ),
      'overwrite.cli.url' => 'https://nextcloud.greulich.me',
      'overwritehost' => 'nextcloud.greulich.me',
      'overwriteprotocol' => 'https',
      'dbtype' => 'mysql',
      'version' => '13.0.1.1',
      'dbname' => 'nextcloud',
      'dbhost' => '192.168.1.24:3306',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'dbuser' => '[user]',
      'dbpassword' => '[password]',
      'installed' => true,
    );

I am completely stumped. Help me Obi-Wan Kenobi, you're my only hope.

Edited May 2, 2018 by igreulich: typos
aptalca Posted May 2, 2018

2 hours ago, igreulich said:

> Help! I have set this up, to use in conjunction with Nextcloud, Plex, Radarr, blah blah.... I followed this guide. Nextcloud is working-ish; and Letsencrypt is working, as long as I only set the subdomains covered to www. If i make the subdomains www,nextcloud things don't work. [...]

Create a CNAME for nextcloud on your DNS provider.
igreulich Posted May 2, 2018

14 hours ago, aptalca said:

> Create a CNAME for nextcloud on your DNS provider.

Derp, totally correct. I completely forgot about that part. Thanks!
poldim Posted May 2, 2018

Anyone have any ideas why my LE docker cannot ping the unraid IP? I've got LE bound to a custom IP of 10.1.1.8 while my unraid is 10.1.1.10. Certs went through fine, but cannot successfully ping the unraid IP. Trying to RP to my homeassistant docker and getting a `failed (113: Host is unreachable) while connecting to upstream` error.

    docker exec -it letsencrypt /bin/bash
    root@e01490db42ac:/$ curl http://10.1.1.10:8123/
    curl: (7) Failed to connect to 10.1.1.10 port 8123: Host is unreachable
    root@e01490db42ac:/$ ping 10.1.1.10
    PING 10.1.1.10 (10.1.1.10): 56 data bytes
    ^C
    --- 10.1.1.10 ping statistics ---
    14 packets transmitted, 0 packets received, 100% packet loss
    root@e01490db42ac:/$ ping 10.1.1.1
    PING 10.1.1.1 (10.1.1.1): 56 data bytes
    64 bytes from 10.1.1.1: seq=0 ttl=64 time=0.475 ms
    64 bytes from 10.1.1.1: seq=1 ttl=64 time=0.383 ms
    64 bytes from 10.1.1.1: seq=2 ttl=64 time=0.391 ms
    64 bytes from 10.1.1.1: seq=3 ttl=64 time=0.378 ms
    ^C
    --- 10.1.1.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.378/0.406/0.475 ms
    root@e01490db42ac:/$ ping 10.1.1.8
    PING 10.1.1.8 (10.1.1.8): 56 data bytes
    64 bytes from 10.1.1.8: seq=0 ttl=64 time=0.072 ms
    64 bytes from 10.1.1.8: seq=1 ttl=64 time=0.063 ms
    ^C
    --- 10.1.1.8 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.063/0.067/0.072 ms
saarg Posted May 2, 2018

55 minutes ago, poldim said:

> Anyone have any ideas why my LE docker cannot ping the unraid IP? I've got LE bound to a custom IP of 10.1.1.8 while my unraid is 10.1.1.10. Certs went through fine, but cannot successfully ping the unraid IP. [...]

It's a security mechanism in docker. You will need to route it in your router to get it working.
endiz Posted May 3, 2018 (edited)

Anyone have any guides to get fail2ban working with nzbget, radarr and sonarr? I use the built-in http auth of each app, but I'm OK with disabling the built-in mechanisms and utilizing nginx for all authentication so it integrates nicely with fail2ban. Thanks

Edited May 3, 2018 by endiz
Nomar1245 Posted May 3, 2018

I was able to get LetsEncrypt to work with DuckDNS but it only works when I enter www.[myduckdnsdomain].duckdns.org, or https://www.[myduckdnsdomain].duckdns.org. If I enter just [myduckdnsdomain].duckdns.org it loads but says Your Connection is not valid. If I try https://[myduckdnsdomain].duckdns.org it loads a page that says my connection is not private. I've searched but can't find any answers. If I'm honest I'm not even sure what I should be searching for.
aptalca Posted May 4, 2018

6 hours ago, Nomar1245 said:

> I was able to get LetsEncrypt to work with DuckDNS but it only works when I enter www.[myduckdnsdomain].duckdns.org, or https://www.[myduckdnsdomain].duckdns.org. If I enter just [myduckdnsdomain].duckdns.org it loads but says Your Connection is not valid. If I try https://[myduckdnsdomain].duckdns.org it loads a page that says my connection is not private. I've searched but can't find any answers. If I'm honest I'm not even sure what I should be searching for.

Post your docker run command (or a screenshot of your settings).
aptalca Posted May 4, 2018

10 hours ago, endiz said:

> Anyone have any guides to get fail2ban working with nzbget, radarr and sonarr? I use the built-in http auth of each app, but I'm OK with disabling the built-in mechanisms and utilizing nginx for all authentication so it integrates nicely with fail2ban. Thanks

If you use nginx auth via htpasswd, the fail2ban filter for that is already active.
Nomar1245 Posted May 4, 2018

7 hours ago, aptalca said:

> Post your docker run command (or a screenshot of your settings).
aptalca Posted May 5, 2018

18 hours ago, Nomar1245 said:

You set only_subdomains to true.
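The two answers above ("You can't do only subdomains with wildcard" and "You set only_subdomains to true") both come down to which names end up in the certificate's Subject Alternative Name list. The script below is an added example, not code from the thread or from the linuxserver image: it builds self-signed certificates whose SAN lists mimic the two settings, then asks openssl which hostnames each one actually covers. It assumes openssl is installed; example.duckdns.org and example.com are placeholder names constructed for the demo.

```shell
#!/bin/sh
# Added example: which hostnames does a certificate cover for a given
# SUBDOMAINS / ONLY_SUBDOMAINS combination? Requires openssl (assumption).
set -eu

# make_test_cert DIR CN SAN -- self-signed cert whose SAN list mimics what
# certbot would be asked for. SAN is an openssl list, e.g. "DNS:a,DNS:*.b".
make_test_cert() {
    dir=$1; cn=$2; san=$3
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -config "$dir/req.cnf" >/dev/null 2>&1
}

# cert_covers CERT HOST -- exit 0 if CERT is valid for HOST, 1 otherwise.
# Uses openssl's own hostname matching, so wildcard rules are applied the
# way a browser applies them: *.example.com matches www.example.com but
# neither example.com nor deep.www.example.com.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# cert_sans CERT -- print the DNS names in the certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# report CERT HOST... -- one line per host saying whether CERT covers it.
report() {
    cert=$1; shift
    for h in "$@"; do
        if cert_covers "$cert" "$h"; then
            echo "  $h: covered"
        else
            echo "  $h: NOT covered (browser shows a certificate warning)"
        fi
    done
}

demo() {
    work=$(mktemp -d)

    # URL=example.duckdns.org SUBDOMAINS=www ONLY_SUBDOMAINS=true: only the
    # www name is requested, so the bare duckdns name is not in the SAN.
    mkdir "$work/www-only"
    make_test_cert "$work/www-only" www.example.duckdns.org \
        DNS:www.example.duckdns.org
    echo "SUBDOMAINS=www ONLY_SUBDOMAINS=true covers:"
    cert_sans "$work/www-only/fullchain.pem" | sed 's/^/    SAN: /'
    report "$work/www-only/fullchain.pem" \
        www.example.duckdns.org example.duckdns.org

    # URL=example.com SUBDOMAINS=wildcard ONLY_SUBDOMAINS=false: apex plus
    # *.example.com. *.example.com alone never matches the apex, so a
    # wildcard requested without the apex leaves the bare domain uncovered.
    mkdir "$work/wildcard"
    make_test_cert "$work/wildcard" example.com \
        "DNS:example.com,DNS:*.example.com"
    echo "SUBDOMAINS=wildcard ONLY_SUBDOMAINS=false covers:"
    cert_sans "$work/wildcard/fullchain.pem" | sed 's/^/    SAN: /'
    report "$work/wildcard/fullchain.pem" \
        example.com www.example.com deep.www.example.com

    rm -rf "$work"
}

demo
```

Point cert_covers at /config/keys/letsencrypt/fullchain.pem inside the container to check a real certificate the same way.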
Nomar1245 Posted May 5, 2018 (edited)

Thanks for the help. I was under the impression that only_subdomains was needed because I was using duckdns.org. However, after I removed my existing container, recreated it with the same settings, except for changing only_subdomains to false, I am having the same problem.

Update: It's working. So, I set up my docker using a guide that took me 90% of the way, but the last 10% is what I needed. After replying to aptalca, I stepped back and looked at everything I was doing and decided to work through on my own, one step at a time, and the culprit ended up being a bad default file. I should have known better. Thank you for the help.

Edited May 5, 2018 by Nomar1245: Humility
Blaze9 Posted May 10, 2018 (edited)

Is there a way we can upgrade nginx to 1.3.x? Home assistant needs websocket support for reverse proxy to work. Even if the docker itself isn't updated, is there a way I can update the image I have downloaded? I've tried `apk add --no-cache --update nginx` but `nginx -v` still says 1.12.x. Thanks!

Edited May 10, 2018 by Blaze9
aptalca Posted May 11, 2018

2 hours ago, Blaze9 said:

> Is there a way we can upgrade nginx to 1.3.x? Home assistant needs websocket support for reverse proxy to work. Even if the docker itself isn't updated, is there a way I can update the image I have downloaded? I've tried `apk add --no-cache --update nginx` but `nginx -v` still says 1.12.x. Thanks!

That's the latest version in the repo.
mathgoy Posted May 15, 2018 (edited)

Hi all,

Like many others I am struggling with Letsencrypt and NextCloud. I spent a lot of time following numerous tutorials but none of them could make it work.

What is installed:
- duckdns
- nextcloud
- letsencrypt

What does work:
- Local access to nextcloud through an unsecured connection by using my unraid local address: 192.168.1.206:442 (I have to add an exception in my browser so it will connect)
- Remote access to nextcloud through an unsecured connection by using my duckdns address XXXXX.duckdns.org:442 (I have to add an exception in my browser so it will connect). Looks like duckdns works, as well as port forwarding on port 442.
- Letsencrypt works I guess, here is the log:

    Processing /etc/letsencrypt/renewal/XXXX.duckdns.org.conf
    -------------------------------------------------------------------------------
    Cert not yet due for renewal
    -------------------------------------------------------------------------------
    The following certs are not due for renewal yet:
      /etc/letsencrypt/live/XXXX.duckdns.org/fullchain.pem expires on 2018-08-13 (skipped)
    No renewals were attempted.
    No hooks were run.
    -------------------------------------------------------------------------------
    [cont-init.d] 50-config: exited 0.
    [cont-init.d] done.
    [services.d] starting services
    [services.d] done.
    Server ready

What does not work:
- Local secured access to next cloud
- Remote secured access to next cloud

What is my configuration:

letsencrypt\nginx\site-confs\default

    upstream backend {
        server 192.168.1.206:19999;
        keepalive 64;
    }

    server {
        listen 443 ssl;
        listen 80 default_server;
        root /config/www;
        index index.html index.htm index.php;
        server_name XXXX.duckdns.org;
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        location = / {
            return 301 /htpc;
        }

        location /sonarr {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.1.206:8989/sonarr;
        }

        location /radarr {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.1.206:7878/radarr;
        }

        location /htpc {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.1.206:8085/htpc;
        }

        location /downloads {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.1.206:8112/;
            proxy_set_header X-Deluge-Base "/downloads/";
        }

        #PLEX
        location /web {
            # serve the CSS code
            proxy_pass http://192.168.1.206:32400;
        }

        # Main /plex rewrite
        location /plex {
            # proxy request to plex server
            proxy_pass http://192.168.1.206:32400/web;
        }

        location /nextcloud {
            include /config/nginx/proxy.conf;
            proxy_pass https://192.168.1.206:442/nextcloud;
        }

        location ~ /netdata/(?<ndpath>.*) {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://backend/$ndpath$is_args$args;
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;
        }
    }

nextcloud config.php

    <?php
    $CONFIG = array (
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'datadirectory' => '/data',
      'instanceid' => 'oc4xjllsleky',
      'passwordsalt' => 'AePwbt7LYPhHr9QW/xhQEHG3Upk+XC',
      'secret' => 'eg8adPotUPdkAphDtJKC0abNfglncPMdGPYlx5ujkwWRhZBf',
      'trusted_domains' =>
      array (
        0 => '192.168.1.206:442',
        1 => 'XXXXX.duckdns.org',
      ),
      'overwrite.cli.url' => 'https://192.168.1.206:442',
      'dbtype' => 'mysql',
      'version' => '13.0.1.1',
      'dbname' => 'nextcloud',
      'dbhost' => '192.168.1.206:3305',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'dbuser' => 'xXxXxXxX',
      'dbpassword' => 'xXxXxX',
      'installed' => true,
    );

And attached, the docker configuration of both Letsencrypt and Nextcloud.

There must be something stupid I did but I can't put my finger on it. Thanks a lot for your help!

Edited May 15, 2018 by mathgoy
noja Posted May 15, 2018

2 hours ago, mathgoy said:
Like many others I am struggling with Letsencrypt and NextCloud. I spent a lot of time following numerous tutorials but none of them could make it work.

You know, I had a hell of a time trying to make it work myself at first. Eventually I decided to give it a whirl using a subdomain (i.e. nextcloud.domain.com as opposed to domain.com/nextcloud). Turns out the subdomain was easier to implement and, for me, easier to remember my URL address. As an added benefit, it's apparently also more secure!

So, just to make it better for yourself, it's worth it to review your installation from the ground up. Just go back one more time and follow Linuxserver's excellent step-by-step process on this very topic: https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

As I don't use DuckDNS I had to make sure that subdomains were possible, and apparently they are! So try this for your subdomain setup:

Good luck!
Jessie Posted May 15, 2018

How can I reverse proxy my Small Business Server through the letsencrypt docker without adding the letsencrypt certificates? I.e. I want to be able to connect to https://remote.mydomain.com.au and have this pass straight through the letsencrypt docker's reverse proxy to the SBS server. The SBS server will provide self-signed certs rather than letsencrypt certs.

The config file is shown below. I have hashed out what I think would be needed to pass straight in and out again. It doesn't work, of course, which is why I am posting here.

server {
    listen 443 ssl;
    server_name remote.mydomain.com.au;
    # root /config/www;
    # index index.html index.htm index.php;

    ###SSL Certificates
    # ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    # ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    # ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    # ssl_prefer_server_ciphers on;
    # ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    # add_header Front-End-Https on;

    # client_max_body_size 0;
    # proxy_request_buffering off;
    # proxy_buffering off;

    location / {
        proxy_pass https://192.168.10.27:443/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}
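An `http` server block cannot pass a TLS session through untouched: with `listen 443 ssl` nginx must terminate TLS itself, which is why the commented-out certificate lines leave it with nothing to present. Passing the connection through intact is a job for nginx's `stream` context, which routes on the SNI hostname before any handshake takes place. The following is an added example, not a config from the thread or from the linuxserver.io image; it assumes nginx was built with `ngx_stream_ssl_preread_module`, that the block is placed at the top level of `nginx.conf` next to the `http {}` block, and that the existing letsencrypt-terminated server blocks are re-bound to local port 8443 (an assumed value) because the stream listener now owns 443.

```nginx
# Added example: SNI-based TLS passthrough in the nginx stream context.
# Assumes ngx_stream_ssl_preread_module (nginx >= 1.11.5) and placement at the
# top level of nginx.conf, beside (not inside) the http {} block.
stream {
    # Pick an upstream from the server name in the ClientHello. Nothing is
    # decrypted here, so the SBS box keeps presenting its own self-signed cert
    # and the proxy never needs a letsencrypt certificate for this hostname.
    map $ssl_preread_server_name $upstream {
        remote.mydomain.com.au   sbs;        # hostname from the post
        default                  local_tls;  # all other names: letsencrypt vhosts
    }

    upstream sbs {
        server 192.168.10.27:443;            # SBS server address from the post
    }

    upstream local_tls {
        # Assumed: the image's http {} server blocks changed from
        # "listen 443 ssl;" to "listen 8443 ssl;" so both can coexist.
        server 127.0.0.1:8443;
    }

    server {
        listen 443;
        ssl_preread on;                      # read SNI without terminating TLS
        proxy_pass $upstream;
        proxy_connect_timeout 5s;
    }
}
```

Because the proxy no longer sees the plaintext request for this hostname, none of `proxy.conf`, the HSTS header or the cipher list applies to it; TLS hardening and patching for remote.mydomain.com.au then rest entirely with the SBS server.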