ijuarez Posted September 11, 2018
6 hours ago, Glenn said: I haven't really learned the ins and outs of the modes yet, so I just went off of what the guides I was using had.
Sorry for the late reply. So you have 2 network cards and have them set to bond?
wblondel Posted September 11, 2018 (edited)
Hello, first of all, thank you for your work!
I have a problem using your plugin. I can't get it to obtain the certificates. I have used certbot and hosted a web server before on another machine, and I didn't have any problem, so my ISP doesn't block any port. This is the error that I get:

Failed authorization procedure.
2566335.xyz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://2566335.xyz/.well-known/acme-challenge/okr2q6AOqCJKPZWCYQfd-4r9MPKAhl9D3hmc7X5OlDk: Timeout during connect (likely firewall problem),
www.2566335.xyz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.2566335.xyz/.well-known/acme-challenge/IXluIrRlEw5xsmD7gjqaXM3iZgN8Rv7uxYF3jYHMd4o: Timeout during connect (likely firewall problem)

Port 80 of the container is accessible via port 18100, port 443 is accessible via port 18200. I made the appropriate port forwarding in my router:

Service Name       | Source Target | Port Range | Local IP      | Local Port | Protocol
unRAID WebGUI      |               | 16500      | 192.168.1.110 | 80         | TCP
HTTP Lets Encrypt  |               | 80         | 192.168.1.110 | 18100      | TCP
HTTPS Lets Encrypt |               | 443        | 192.168.1.110 | 18200      | TCP

My DNS configuration:

Name / Host / Alias | TTL | Type  | Priority | Data / Value / Answer / Destination
@                   | 300 | A     |          | 176.131.3.8
nextcloud           | 300 | CNAME |          | @
www                 | 300 | CNAME |          | @

I don't understand why it doesn't work. As I said, I never had any problem with Let's Encrypt before. Could you help me please? Thank you.
Glenn Posted September 11, 2018
My motherboard has two NICs.
aptalca Posted September 11, 2018
43 minutes ago, wblondel said: I have a problem using your plugin. I can't get it to obtain the certificates. [...] I don't understand why it doesn't work. As I said, I never had any problem with Let's Encrypt before. Could you help me please?
Try restarting your router.
wblondel Posted September 11, 2018
20 minutes ago, aptalca said: Try restarting your router
Sometimes the simplest thing just works! Thank you, aha!
ijuarez Posted September 11, 2018
my motherboard has two nics
Did you mean to bond them (NIC teaming)? Not an expert at bonding, but I do know the switch has to be able to do link aggregation; otherwise it's a waste of time.
halorrr Posted September 11, 2018
So I am so lost in where I am going wrong here and I hope it is something obvious that I'm just missing. Below is the log I get from the docker:

-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=duckdns.org
SUBDOMAINS=REDACTEDDUCKDNSDOMAIN
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d REDACTEDDUCKDNSDOMAIN.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for unraidcerberus.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. REDACTEDDUCKDNSDOMAIN.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://REDACTEDDUCKDNSDOMAIN.duckdns.org/.well-known/acme-challenge/iheqo0YHCuC5t0RprDd4mV7b7B6bM4ILSr-sli6t-CA: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: REDACTEDDUCKDNSDOMAIN.duckdns.org
  Type: unauthorized
  Detail: Invalid response from http://REDACTEDDUCKDNSDOMAIN.duckdns.org/.well-known/acme-challenge/iheqo0YHCuC5t0RprDd4mV7b7B6bM4ILSr-sli6t-CA: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>"
  To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

My unRAID network settings: (screenshot)
My LetsEncrypt docker settings: (screenshot)
My port forwarding in my router: (screenshot)

Based on other posts here I've already checked and made sure my ISP doesn't block port 80. I also tested to make sure the port forwarding is working correctly by temporarily putting another docker on the ports I have letsencrypt set to, and it was accessible externally from both, so the forwarding looks correct. My server is using duckdns to keep my IP updated. Anyone know what might be going on here or have things I can try?
aptalca Posted September 11, 2018
1 hour ago, halorrr said: So I am so lost in where I am going wrong here and I hope it is something obvious that I'm just missing. [...] Anyone know what might be going on here or have things I can try?
Your port forwarding is incorrect. You need to forward outside port 80 to the host's 180.
halorrr Posted September 11, 2018
3 hours ago, aptalca said: Your port forwarding is incorrect. You need to forward outside port 80 to host's 180
Ahhhhh, I see. I misunderstood the settings in my router and thought that was the case with how I had it set. Internal-to-external port forwarding is under "Virtual Servers" in my router. All working now though!
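Both failures above (wblondel's "Timeout during connect" and halorrr's 404 from the unRAID GUI) are the same chain breaking at a different hop: the Let's Encrypt validator connects to public port 80, the router DNATs it to some host port, and that host port has to be the one the container publishes as its port 80. The script below is an added example, not code from this thread or from the linuxserver/letsencrypt image. It models that chain from the numbers posted in the thread (wblondel's router table; halorrr's case uses a hypothetical host address 192.168.1.50 and the 180/1443 host ports aptalca refers to) and classifies the certbot error text quoted here into the hop that failed.

```python
"""Added example: follow an inbound port through router DNAT and the Docker
host's listeners (the path the ACME http-01 validator takes), and triage the
certbot error text quoted in this thread. Tables are constructed from the
posts; the 192.168.1.50 host address for halorrr's case is an assumption."""
import re
from typing import Dict, Optional, Tuple

Hop = Tuple[str, int]  # (LAN host, host port)

# wblondel's router table: external port -> (LAN host, host port)
ROUTER_WBLONDEL: Dict[int, Hop] = {
    16500: ("192.168.1.110", 80),
    80: ("192.168.1.110", 18100),
    443: ("192.168.1.110", 18200),
}
# What listens on that host (constructed): (host, port) -> service
LISTENERS_WBLONDEL: Dict[Hop, str] = {
    ("192.168.1.110", 80): "unraid-webgui",
    ("192.168.1.110", 18100): "letsencrypt:80",
    ("192.168.1.110", 18200): "letsencrypt:443",
}

# halorrr's case as aptalca described it: outside 80 forwarded to host port 80
# (the unRAID GUI) instead of host 180, where the container's 80 is published.
ROUTER_HALORRR_BAD: Dict[int, Hop] = {80: ("192.168.1.50", 80)}
ROUTER_HALORRR_FIXED: Dict[int, Hop] = {80: ("192.168.1.50", 180), 443: ("192.168.1.50", 1443)}
LISTENERS_HALORRR: Dict[Hop, str] = {
    ("192.168.1.50", 80): "unraid-webgui",
    ("192.168.1.50", 180): "letsencrypt:80",
    ("192.168.1.50", 1443): "letsencrypt:443",
}


def service_reached(router: Dict[int, Hop], listeners: Dict[Hop, str], external_port: int) -> Optional[str]:
    """Return the service an outside connection to external_port lands on, or None."""
    hop = router.get(external_port)
    if hop is None:
        return None            # no DNAT rule: the validator sees a connect timeout
    return listeners.get(hop)  # None: forwarded to a port nobody listens on (refused)


def check_acme_path(router: Dict[int, Hop], listeners: Dict[Hop, str]) -> Dict[int, str]:
    """http-01 needs outside 80 -> letsencrypt:80; the reverse proxy also wants 443 -> letsencrypt:443."""
    report: Dict[int, str] = {}
    for ext, want in ((80, "letsencrypt:80"), (443, "letsencrypt:443")):
        hop = router.get(ext)
        got = service_reached(router, listeners, ext)
        if got == want:
            report[ext] = "ok"
        elif hop is None:
            report[ext] = "no router forward (expect 'Timeout during connect')"
        elif got is None:
            report[ext] = f"forwarded to {hop[0]}:{hop[1]} but nothing listens there (expect 'Connection refused')"
        else:
            report[ext] = f"lands on {got} instead of {want} (expect a 404 or a foreign page)"
    return report


# Patterns taken from the certbot messages quoted in this thread.
_RULES = [
    (r"Timeout during connect", "timeout"),
    (r"Connection refused", "refused"),
    (r"Invalid response from .*?404 Not Found", "wrong-server-404"),
    (r"DNS problem: SERVFAIL", "dns-servfail"),
]
_ADVICE = {
    "timeout": "port 80 never reaches nginx: router forward, firewall or ISP block",
    "refused": "forward reaches the host, but nothing listens on that host port",
    "wrong-server-404": "port 80 reaches a different web server (e.g. host port 80 instead of the published port)",
    "dns-servfail": "authoritative DNS failed; fix the zone/provider, not the firewall",
}


def triage_acme_error(text: str) -> Tuple[str, str]:
    """Map certbot's 'Failed authorization procedure' text to the hop that most likely failed."""
    for pattern, key in _RULES:
        if re.search(pattern, text, re.S):
            return key, _ADVICE[key]
    return "unknown", "read /var/log/letsencrypt/letsencrypt.log"


if __name__ == "__main__":
    print(check_acme_path(ROUTER_WBLONDEL, LISTENERS_WBLONDEL))
    print(check_acme_path(ROUTER_HALORRR_BAD, LISTENERS_HALORRR))
    print(check_acme_path(ROUTER_HALORRR_FIXED, LISTENERS_HALORRR))
    print(triage_acme_error("Fetching http://example.test/.well-known/acme-challenge/x: Timeout during connect"))
```

The point of modelling the listeners rather than just the router table is that a 404 is not a "DNS or port forwarding is wrong" catch-all: it proves TCP reached a web server, so the remaining suspects are which host port the router hands the connection to and which service owns that port.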
halorrr Posted September 11, 2018
Furthering my setup, I'm trying to get my reverse proxy set up for all my services. I did transmission first, removing .sample from the config name, restarting letsencrypt, and it worked beautifully. However, the second one I went to do was sonarr, and after removing .sample from sonarr.subdomain.conf.sample and restarting letsencrypt, the log started spamming this error:

nginx: [emerg] unexpected end of file, expecting "}" in /config/nginx/proxy-confs/sonarr.subdomain.conf:36

Which I can't really figure out why, since the character it is asking for seems to be exactly where it should be and I haven't changed any settings on it:

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
server {
    listen 443 ssl;
    server_name sonarr.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }

    location ^~ /api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }

Anyone know what is going on here? Also, is there a way within letsencrypt to auto forward http to https? So if I type in transmission.mydomain.com it goes to https://transmission.mydomain.com?
dstanley Posted September 11, 2018
17 minutes ago, halorrr said: Furthering my setup, I'm trying to get my reverse proxy set up for all my services. [...] nginx: [emerg] unexpected end of file, expecting "}" in /config/nginx/proxy-confs/sonarr.subdomain.conf:36 [...] Anyone know what is going on here?
There should be one more } at the end of this config file to close the server section.
aptalca Posted September 11, 2018
14 minutes ago, dstanley said: There should be one more } at the end of this config file to close the server section.
Yup, that was my mistake. It's fixed in the next update.
halorrr Posted September 11, 2018 (edited)
Perfect! Thanks for all your help! Any idea if there is a way within letsencrypt to auto forward http to https? So if I type in transmission.mydomain.com it goes to https://transmission.mydomain.com?
EDIT: Never mind, found it in the default file in the site-confs folder.
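nginx reports the missing brace at the end of the file (line 36 above), which is why the sonarr config looked fine at a glance: the error is attributed to where the parser ran out of input, not to the block that was never closed. The checker below is an added example, not code from this thread or from the linuxserver image; it blanks comments and quoted strings so braces inside them are ignored, then reports every block left open with the line it was opened on. The sample config is a shortened, constructed copy of the sonarr.subdomain.conf posted above, still missing its final brace.

```python
"""Added example: locate the unclosed block behind an nginx
'unexpected end of file, expecting "}"' error. Sample config constructed
from the sonarr.subdomain.conf posted in this thread (closing brace omitted)."""
from typing import List, Optional, Tuple

SAMPLE_BROKEN = """\
server {
    listen 443 ssl;
    server_name sonarr.*;
    include /config/nginx/ssl.conf;
    # enable for ldap auth { braces in comments must not count }
    location / {
        #auth_basic "Restricted";
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
    location ^~ /api {
        proxy_pass http://$upstream_sonarr:8989;
    }
"""


def strip_comments_and_strings(line: str) -> str:
    """Return the line with '#' comments and the contents of quoted strings removed."""
    out: List[str] = []
    quote: Optional[str] = None
    i = 0
    while i < len(line):
        ch = line[i]
        if quote is not None:
            if ch == "\\":          # skip an escaped character inside the string
                i += 2
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch == "#":
            break                   # rest of the line is a comment
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def unclosed_blocks(config: str) -> List[Tuple[int, str]]:
    """Return (line number, block header) for each '{' with no matching '}'.
    A stray '}' with no open block is reported as (line number, '}')."""
    stack: List[Tuple[int, str]] = []
    stray: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        text = strip_comments_and_strings(raw)
        for ch in text:
            if ch == "{":
                header = text.split("{", 1)[0].strip() or "{"
                stack.append((lineno, header))
            elif ch == "}":
                if stack:
                    stack.pop()
                else:
                    stray.append((lineno, "}"))
    return stack + stray


def close_open_blocks(config: str) -> str:
    """Append one '}' per unclosed block so the fragment parses; stray '}' are left for a human."""
    missing = sum(1 for _, header in unclosed_blocks(config) if header != "}")
    return config.rstrip("\n") + "\n" + "}\n" * missing if missing else config


if __name__ == "__main__":
    for lineno, header in unclosed_blocks(SAMPLE_BROKEN):
        print(f"block '{header}' opened on line {lineno} is never closed")
    print(close_open_blocks(SAMPLE_BROKEN))
```

Inside the container the authoritative check remains `nginx -t`, run before reloading; this script only tells you which block to look at when that check fails with the end-of-file error.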
CyberMew Posted September 12, 2018
On 9/11/2018 at 1:45 AM, aptalca said: Post what you have. Either pastebin or screenshots where necessary. And also, are you going to https://ombi.domain.com ?
Yes, I'm going to that URL (where domain is my own domain). Currently I'm trying this:

server {
    listen 80;
    server_name _;
    rewrite ^ https://$host$request_uri? permanent;
}

server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;

    # Replace domain.com with my own domain
    server_name ombi.domain.com;

    # Removed just in case this is sensitive
    ssl_certificate LOCATION_REDACTED;
    ssl_certificate_key LOCATION_REDACTED;
    ssl_dhparam LOCATION_REDACTED;
    ssl_ciphers 'CIPHER_REDACTED';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000";
    client_max_body_size 0;

    location / {
        auth_basic off;
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.55:12345;
    }
}
surfshack66 Posted September 13, 2018
Can we run this docker in a custom bridge mode with a fixed IP address, i.e. not host?
aptalca Posted September 13, 2018
11 hours ago, CyberMew said: Yes I'm going to that url (where domain is my own domain). Currently I'm trying this: [config quoted above]
Try removing the auth basic lines.
aptalca Posted September 13, 2018
4 hours ago, surfshack66 said: Can we run this docker in a custom bridge mode with a fixed IP address, i.e. not host?
You're not supposed to run it in host mode. Either bridge or custom bridge. I recommend "user defined bridge".
surfshack66 Posted September 13, 2018
8 hours ago, aptalca said: You're not supposed to run it in host mode. Either bridge or custom bridge. I recommend "user defined bridge"
Thanks. Just wanted to double check because I didn't see it defined explicitly on https://hub.docker.com/r/linuxserver/letsencrypt/
archedraft Posted September 13, 2018
Has anyone had any luck setting up Let's Encrypt to work with Blue Iris and Stunnel? I currently have Blue Iris and Stunnel working together (meaning I can port forward my stunnel port in my router and stunnel will redirect to the Blue Iris port, thus giving https). I was hoping to set up Let's Encrypt to work with Stunnel in order to use Let's Encrypt's 443 port and close the Stunnel port to the world.

I have Let's Encrypt successfully working with Nextcloud. The Nextcloud config file is "letsencrypt\nginx\site-confs\nextcloud". I was thinking that all I would have to do is copy the nextcloud config and rename it as follows: "letsencrypt\nginx\site-confs\blueiris", and I changed the new Blue Iris config to the following:

server {
    listen 443 ssl;
    server_name fake.archedraft.server.name.org;
    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location /stunnel {
        proxy_pass https://192.168.1.105:8998/stunnel/;
        include /config/nginx/proxy.conf;
    }
}

When I restart the Let's Encrypt Docker and attempt to connect to https://fake.archedraft.server.name.org/stunnel, I received the following message in my browser:

404 Not Found
nginx/1.14.0

Any ideas on what I am screwing up?
CyberMew Posted September 13, 2018
13 hours ago, aptalca said: Try removing the auth basic lines
Removed, restarted docker, same issue. Very weird.
ffhelllskjdje Posted September 13, 2018 (edited)
On 8/13/2018 at 6:52 AM, CHBMB said: Namecheap's API isn't compatible with DNS auth. I changed my DNS provider to Cloudflare and used their DNS plugin.
Wish I would have read this before I just switched over to them. So is that still true? There's no way to use Namecheap with letsencrypt? I was getting "Detail: DNS problem: SERVFAIL looking up A for" in my letsencrypt log... is that because of Namecheap? I'm in the process of moving nameservers over to Cloudflare. Ugh, everything was working perfectly before too. Glutton for punishment.
CHBMB Posted September 13, 2018
It was true a month ago. In reality it's only a five minute job to change the DNS to Cloudflare. No massive drama.
ijuarez Posted September 13, 2018
It was true a month ago. In reality it's only a five minute job to change the DNS to Cloudflare. No massive drama
I like drama!
archedraft Posted September 13, 2018 (edited)
7 hours ago, archedraft said: Has anyone had any luck setting up Let's Encrypt to work with Blue Iris and Stunnel?
For anyone wondering, the answer is yes! I had to edit my Let's Encrypt config and made "blueiris" a subdomain. As soon as I changed that it started working immediately. I was also able to close my stunnel port forwarding rule in my router! Let's Encrypt is pretty cool stuff. 😎

server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name blueiris.random.server.name.org;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.1.100:8777; # NOTE: Port 8777 is the stunnel port number and not the Blue Iris http port number
    }
}
CyberMew Posted September 15, 2018
Finally got mine to work. I had a previous 443 port forward rule pointing to another computer, no wonder the connection was refused. However, for some reason one of my subdomain certs is showing up as invalid, but no issues for the other 4 subdomains. Anyone have any idea why?