Odessa Posted June 5, 2018
Quote: That's why it's not working. Look at line 13 in that file
@CHBMB Line 13 is totally blank in site-confs/default: https://pastebin.com/PknxvEAg
CHBMB Posted June 5, 2018
You say it doesn't work on WAN, have you tried using your mobile phone on mobile data? Could be a problem with your router settings. And to confirm, it's working on LAN?
Odessa Posted June 5, 2018
5 minutes ago, CHBMB said: You say it doesn't work on WAN, have you tried using your mobile phone on mobile data? Could be a problem with your router settings. And to confirm, it's working on LAN?
Yeah, same error on LAN or WAN. Router settings:
CHBMB Posted June 5, 2018
So it's not working on LAN either?
Odessa Posted June 5, 2018
35 minutes ago, CHBMB said: So it's not working on LAN either?
Correct, I cannot access using my duckdns domain on WAN or LAN.
CHBMB Posted June 5, 2018
Quote: Correct, I cannot access using my duckdns domain on WAN or LAN.
OK, here's the deal: the container is working perfectly, it's grabbed the certs and started nginx, but I think somewhere you've configured nginx wrong and now it's not working. There's no easy fix for this. What I'd recommend is reinstalling the container with new appdata, then editing the nginx default file and trying to work out where you've introduced the error.
aptalca Posted June 5, 2018
6 hours ago, Odessa said: @CHBMB Thank you very much, here is my LE run command: https://pastebin.com/sTnfSFkk My LE log: https://pastebin.com/9DawkVww [personal info obfuscated] I see the error regarding port in the log, but 443 does not show as used in my docker mappings. Note I cannot currently access the default web page from outside, I get "ERR_CONNECTION_REFUSED" in the browser.
Issue 1: you are redirecting from www.yourdomain to yourdomain, however you have the option only_subdomains set to true, so your cert only covers www, but not yourdomain.
Issue 2: are you using ldap for authorization? How is that set up?
Issue 3: nginx isn't even starting for you because you have another site config enabled somewhere with a server block that contains the "default_server" directive.
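Issue 3 is something nginx reports at startup ("a duplicate default server for 0.0.0.0:443") rather than at request time, so it is easy to miss. As an added example, not code from the thread or from the linuxserver container, here is a small Python checker that scans a set of site configs and reports any listen address that more than one server block claims as default_server; the sample configs are constructed, and it assumes every file in the site-confs directory is loaded by a wildcard include, stale copies included.

```python
import re
from collections import defaultdict

# One listen directive, e.g. "listen 443 ssl http2 default_server;"
LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)([^;]*);", re.MULTILINE)


def _normalize(addr):
    """Map the spellings nginx accepts for the same IPv4 socket to one key."""
    if addr.isdigit():
        return "0.0.0.0:" + addr
    if addr.startswith("*:"):
        return "0.0.0.0:" + addr[2:]
    return addr


def default_server_claims(configs):
    """configs: {filename: text}. Returns {listen address: [files claiming default_server]}."""
    claims = defaultdict(list)
    for name, text in configs.items():
        text = re.sub(r"#[^\n]*", "", text)  # commented-out listen lines do not count
        for addr, params in LISTEN_RE.findall(text):
            if re.search(r"\bdefault_server\b", params):
                claims[_normalize(addr)].append(name)
    return dict(claims)


def conflicts(configs):
    """Addresses claimed as default_server more than once: nginx refuses to start."""
    return {a: f for a, f in default_server_claims(configs).items() if len(f) > 1}


# Constructed sample: the shipped site config plus a stale copy left in the
# same directory, which a wildcard include loads as well.
SAMPLE = {
    "site-confs/default": (
        "server {\n    listen 80 default_server;\n"
        "    return 301 https://$host$request_uri;\n}\n"
        "server {\n    listen 443 ssl default_server;\n"
        "    # listen [::]:443 ssl default_server;\n    root /config/www;\n}\n"
    ),
    "site-confs/default.old": (
        "server {\n    listen *:443 ssl http2 default_server;\n    root /config/www;\n}\n"
    ),
    "proxy-confs/ombi.subfolder.conf": "location /ombi/ {\n    proxy_pass http://ombi:3579;\n}\n",
}

if __name__ == "__main__":
    for addr, files in conflicts(SAMPLE).items():
        print(f"{addr}: default_server declared in {', '.join(files)}")
```

Run it against the files under /config/nginx/site-confs by reading each one into the dictionary; a single file claiming default_server for both port 80 and port 443 is fine, only repeats per address are a problem.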
CHBMB Posted June 5, 2018
Good pickup on the subdomain redirect, didn't notice that.
Magic815 Posted June 5, 2018
So I'm attempting to get this set up while still using Cloudflare as my DNS. In the docker set up fields, it asks for the following (among other things):
- Subdomains: I put "wildcard" here without the quotes, since CF has all the CNAME breakouts and everything
- Validation Type: I've put "dns" without the quotes
- dns-plugin: Not sure what to put for this one?
Thoughts? Any help is appreciated!
CHBMB Posted June 5, 2018
5 minutes ago, Magic815 said: So I'm attempting to get this set up while still using Cloudflare as my DNS. In the docker set up fields, it asks for the following (among other things): - Subdomains: I put "wildcard" here without the quotes, since CF has all the CNAME breakouts and everything - Validation Type: I've put "dns" without the quotes - dns-plugin: Not sure what to put for this one? Thoughts? Any help is appreciated!
https://github.com/linuxserver/docker-letsencrypt#parameters
Aluavin Posted June 5, 2018
On 6/4/2018 at 2:36 PM, aptalca said: That's just the problem. Acme challenge key is generated on the fly by letsencrypt servers. So you can't really do that with a variable. Manual validation process goes like this: --snipp--- PS. I personally don't think using cloudflare is a workaround. It delivers about 10% of the internet (cdn, proxy) and I bet it is a lot more reliable as a dns provider than any hosting company
Thanks for the clarification on the LE workflow. I got why it won't work; I assume that my use case is not intended, due to the fact that my Unraid server is not available from WAN. Of course you can argue about the importance of SSL encryption in a LAN-only mode. The only access to the server can be done via VPN into the LAN and then going to unraid.domain.tld.
aptalca Posted June 6, 2018
3 hours ago, Aluavin said: Thanks for the clarification on the LE workflow. I got why it won't work; I assume that my use case is not intended, due to the fact that my Unraid server is not available from WAN. Of course you can argue about the importance of SSL encryption in a LAN-only mode. The only access to the server can be done via VPN into the LAN and then going to unraid.domain.tld.
As far as validation goes, your server does not need to be reachable from the internet as long as you use DNS validation. Your server (the container) will connect to the letsencrypt servers and get a key, post it on cloudflare (or another supported DNS provider), and then the letsencrypt servers will connect to the DNS server to check the TXT record. They won't try and connect to your unraid machine. The only connection from unraid will be outgoing.
My question is, what is your purpose for getting the cert? If you want to use the cert for openvpn, you can use letsencrypt to get it and manage it, and then you can mount the folder in the openvpn container and point to the cert. If you want to use it for local connections but still with third party validation, I guess you can do that as long as your DNS directs local clients to the local address when they query for the domain name (pfsense will do it with DNS resolver).
Edited June 6, 2018 by aptalca
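The DNS validation flow described above is the ACME dns-01 challenge (RFC 8555 section 8.4). As an added example, not code from the thread or from the container, here is the arithmetic the client performs before it posts anything to the DNS provider: the TXT value is a hash of the challenge token and the account key's thumbprint (RFC 7638), which is why only an outgoing connection is needed and why the account key itself never leaves the server. The JWK and token below are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    keys sorted, no whitespace. Extra members such as 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the client publishes: base64url(SHA-256(token '.' thumbprint)).
    Only this digest is sent to the DNS provider; the private key is never needed."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_record(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT record name, value) to create at the DNS provider. A wildcard
    name is validated at the base domain's _acme-challenge label."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base, dns01_txt_value(token, jwk)


def validated(published_txt: list, expected: str) -> bool:
    """What the CA's resolver check amounts to: some TXT RRset member matches."""
    return expected in published_txt


# Constructed sample: public half of an account key (placeholder values,
# not a real modulus) and a made-up challenge token.
SAMPLE_JWK = {"kty": "RSA", "kid": "acct-constructed", "e": "AQAB",
              "n": "0vx7agoebGcQSuuPiLJXZptN9nnd-constructed"}
SAMPLE_TOKEN = "tok-constructed-for-this-example"

if __name__ == "__main__":
    name, value = challenge_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
```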
SoloLab Posted June 6, 2018
I'm receiving this error in the letsencrypt logfile but can't find a solution.
    nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
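OpenSSL's "no start line" means the reader never found a "-----BEGIN ...-----" line in the file it was handed, so the error is about what is in fullchain.pem, not about the nginx config. As an added example, not code from the thread, here is a Python diagnostic that classifies the file the way that reader would; the sample inputs are constructed and the base64 bodies are not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CERT_LABELS = (b"CERTIFICATE", b"TRUSTED CERTIFICATE")  # labels an X509_AUX reader accepts


def diagnose_fullchain(data: bytes) -> str:
    """Describe why PEM_read_bio_X509_AUX would accept or reject these bytes."""
    if not data.strip():
        return "empty: the certificate was never written (check the container log)"
    if data[:1] == b"\x30":
        return "DER-encoded: nginx's ssl_certificate expects PEM"
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return "no '-----BEGIN ...-----' line: this is OpenSSL's 'no start line'"
    label, body = blocks[0]
    if label not in CERT_LABELS:
        return f"first block is {label.decode()}, not a certificate"
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        return "certificate body is not valid base64 (truncated or corrupted file)"
    if der[:1] != b"\x30":
        return "decoded body is not a DER SEQUENCE"
    return f"ok: {sum(1 for l, _ in blocks if l in CERT_LABELS)} certificate(s) in chain"


# Constructed samples. "MAMCAQA=" decodes to a tiny DER SEQUENCE, not a real cert.
SAMPLES = {
    "empty": b"",
    "html": b"<html>404 Not Found</html>\n",
    "key_first": b"-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n",
    "truncated": b"-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n",
    "chain": (b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
              b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {diagnose_fullchain(data)}")
```

To check the real file, read /config/keys/letsencrypt/fullchain.pem in binary mode and pass the bytes in; a dangling symlink there reads as empty.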
Odessa Posted June 6, 2018
17 hours ago, aptalca said: Issue 1: you are redirecting from www.yourdomain to yourdomain, however you have the option only_subdomains set to true, so your cert only covers www, but not yourdomain. Issue 2: are you using ldap for authorization? How is that set up? Issue 3: nginx isn't even starting for you because you have another site config enabled somewhere with a server block that contains the "default_server" directive.
Ok, I removed the rule for #1.
#2 sorry, I couldn't figure out what this means - no reference to ldap in my settings.
#3 - I discovered other versions of my site-conf/default file which seemed to be interfering - removed these and I can now access the nginx home page externally! I have hope that this could work.
Ok, so I know LE is working! But how do I access my dockers? [domain].duckdns.org/ombi gives a 500 error. Here's my ombi setting in site-conf/default:
    #OMBI CONTAINER
    location /ombi {
        auth_request /auth-4;
        proxy_pass http://192.168.1.146:3579/ombi;
        include /config/nginx/proxy.conf;
    }
TY!
Edited June 6, 2018 by Odessa
aptalca Posted June 6, 2018
34 minutes ago, Odessa said: Ok, I removed the rule for #1. #2 sorry, I couldn't figure out what this means - no reference to ldap in my settings. #3 - I discovered other versions of my site-conf/default file which seemed to be interfering - removed these and I can now access the nginx home page externally! I have hope that this could work. Ok, so I know LE is working! But how do I access my dockers? [domain].duckdns.org/ombi gives a 500 error. Here's my ombi setting in site-conf/default:
    #OMBI CONTAINER
    location /ombi {
        auth_request /auth-4;
        proxy_pass http://192.168.1.146:3579/ombi;
        include /config/nginx/proxy.conf;
    }
TY!
What are you trying to accomplish with the auth_request line? What is /auth-4 referring to? Just remove that ombi config and use the built-in one. Instructions here: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy
Edited June 6, 2018 by aptalca
Odessa Posted June 6, 2018
20 minutes ago, aptalca said: What are you trying to accomplish with the auth_request line? What is /auth-4 referring to? Just remove that ombi config and use the built-in one. Instructions here: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy
Ok thank you, I found the readme file. I used the built-in config and set the ombi base URL but it still gives a 500 error:
    location /ombi {
        return 301 $scheme://$host/ombi/;
    }

    location /ombi/ {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ombi ombi;
        proxy_pass http://$upstream_ombi:3579;
    }

    if ($http_referer ~* /ombi/) {
        rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
    }
aptalca Posted June 6, 2018
8 minutes ago, Odessa said: Ok thank you, I found the readme file. I used the built-in config and set the ombi base URL but it still gives a 500 error:
    location /ombi {
        return 301 $scheme://$host/ombi/;
    }

    location /ombi/ {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ombi ombi;
        proxy_pass http://$upstream_ombi:3579;
    }

    if ($http_referer ~* /ombi/) {
        rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
    }
Did you put both letsencrypt and ombi on the same custom network as described in the readme? Are you using the default default site config, which has the include statement inside the server block for the proxy-confs? If you modified that part, delete the default site config and restart. After that navigate to https://yourdomain/ombi
dalben Posted June 6, 2018
On 6/2/2018 at 9:09 PM, aptalca said: I use unifi, but only for APs. The router is pfsense
OK, thanks. Looking back, the initial problems I had setting up this container look like they were because of this need to restart the USG router to get the port forwarding working again. Also explains why it "magically" started working for me. I imagine the router upgraded itself and rebooted.
Odessa Posted June 7, 2018
21 hours ago, aptalca said: Did you put both letsencrypt and ombi on the same custom network as described in the readme?
tbh this is way over my head. How would you explain this to someone who isn't a networking expert?
Quote: If you are using unraid, create a custom network in command line, then go to docker service settings (under advanced) and set the option "Preserve user defined networks:" to "Yes". Then in each container setting, do one of the following: 2) Unraid 6.5.1 or later - in the network type dropdown, select "Custom : [networkname]". You would have to do the above for the letsencrypt container as well, so they are all on the same custom network.
I am looking in docker advanced view, tools, network settings... I don't see any of these options. Thanks.
aptalca Posted June 7, 2018
1 hour ago, Odessa said: tbh this is way over my head. How would you explain this to someone who isn't a networking expert? I am looking in docker advanced view, tools, network settings... I don't see any of these options. Thanks.
Creating a custom network in command line, just four lines above: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L24
The preserve setting is under docker settings, advanced view (see screenshot).
The rest is in container settings. It says "Then in each container setting, do one of the following:" so you need to look for that option in container settings, not docker settings.
I recommend reading the entire document first, before attempting changes, so you understand all the steps first.
Aluavin Posted June 7, 2018
On 6/6/2018 at 2:01 AM, aptalca said: My question is, what is your purpose for getting the cert? If you want to use the cert for openvpn, you can use letsencrypt to get it and manage it, and then you can mount the folder in the openvpn container and point to the cert.
The main purpose is that I have a clean URL while maintaining a TLS connection so my drives can be encrypted. I know that I could mock the URL with a custom DNS, but for now, an A-Level record to my local IP does the deal. Same goes for nextcloud.domain.tld pointing to nextcloud's docker IP address. However, I think I have to accept that I have to use Cloudflare (or a different supported provider, preferably route53), open up my server so I can use http validation (won't do that), or obtain the cert manually. In this case, option #3 seems to be the one I have to take until I've got some spare time to evaluate a domain movement to route53; Cloudflare is too sketchy for me.
Edited June 7, 2018 by Aluavin
aptalca Posted June 7, 2018
31 minutes ago, Aluavin said: The main purpose is that I have a clean URL while maintaining a TLS connection so my drives can be encrypted. I know that I could mock the URL with a custom DNS, but for now, an A-Level record to my local IP does the deal. Same goes for nextcloud.domain.tld pointing to nextcloud's docker IP address. However, I think I have to accept that I have to use Cloudflare (or a different supported provider, preferably route53), open up my server so I can use http validation (won't do that), or obtain the cert manually. In this case, option #3 seems to be the one I have to take until I've got some spare time to evaluate a domain movement to route53; Cloudflare is too sketchy for me.
Ok, I get it now. But how is cloudflare sketchy if you're only going to use it to set the A record to a local IP that will only work inside your LAN? You don't have to move your domain anywhere. You just point your nameservers on your domain host to cloudflare's nameservers.
Odessa Posted June 9, 2018
On 6/6/2018 at 10:12 PM, aptalca said: Creating a custom network in command line, just four lines above: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L24 The preserve setting is under docker settings, advanced view (see screenshot). The rest is in container settings. It says "Then in each container setting, do one of the following:" so you need to look for that option in container settings, not docker settings. I recommend reading the entire document first, before attempting changes, so you understand all the steps first.
OMG it worked, thank you @aptalca. I will make a donation. I must say it is extremely difficult for a docker newbie to figure out. No other docker approached this level of troubleshooting. Thanks for walking me through. I may create a user friendly guide.
Heciruam Posted June 10, 2018
Hello guys. I'm having a little trouble right from the start. So I installed the docker, but I get an execution error (server error) when I try to start it. When I try to change the ports I get this error message:
    /usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (562d830479261e90e8ad0a784fb2d05da0e1e122aae19e393fab7bf4d4c5bcc8): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use. The command failed.
What am I doing wrong? (I am running on Unraid 6.5.0)
Edited June 10, 2018 by Heciruam
aptalca Posted June 10, 2018
1 hour ago, Heciruam said: Hello guys. I'm having a little trouble right from the start. So I installed the docker, but I get an execution error (server error) when I try to start it. When I try to change the ports I get this error message: /usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (562d830479261e90e8ad0a784fb2d05da0e1e122aae19e393fab7bf4d4c5bcc8): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use. The command failed. What am I doing wrong? (I am running on Unraid 6.5.0)
It says that port 445 is in use by something else. Pick a different port.