[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


2 hours ago, fachizel90 said:

Hi, my certificates seem to have expired and aren't renewing properly. Everything shows an insecure connection error.

 

I managed to find a command that forces a renewal but it failed also. 

 

Please Help.

 

 

We do not support users running manual commands. The readme contains info on how to troubleshoot renewal issues.

 

In your case, either your ip on duckdns is wrong or your port isn't forwarded properly
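As an added example (not code from the SWAG project or from anyone in this thread), the following Python script checks the two causes named in this reply for an HTTP-validated certificate: that the DuckDNS name still resolves to the host's current public IP, and that port 80 (the port HTTP validation connects to) is reachable on that IP. The ipify echo service, the placeholder hostname and the sample addresses are assumptions.

```python
"""Check the two failure causes named above for an HTTP-validated SWAG cert:
a DuckDNS record that no longer matches the public IP, or port 80 not
forwarded to the host. Added example; not part of SWAG or this thread."""
import socket
import sys
import urllib.request

ACME_HTTP_PORT = 80  # Let's Encrypt HTTP-01 validation always connects to port 80
IP_ECHO_URL = "https://api.ipify.org"  # assumption: any plain-text "what is my IP" service works


def resolve_ipv4(hostname: str) -> list:
    """Sorted, de-duplicated A records for hostname; empty list if lookup fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def public_ipv4(url: str = IP_ECHO_URL) -> str:
    """Ask an external echo service for the address the internet sees us as."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii").strip()


def port_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP connect test. Note: from inside the LAN this can fail even when the
    forward is correct, because many routers do not hairpin NAT; run it from
    outside (phone on mobile data, a VPS) for a trustworthy answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(dns_ips: list, public_ip: str, port_open: bool) -> str:
    """Pure decision logic, separated so it can be unit-tested offline."""
    if not dns_ips:
        return "dns: hostname does not resolve"
    if public_ip not in dns_ips:
        return f"dns: record points at {', '.join(dns_ips)} but public IP is {public_ip}"
    if not port_open:
        return f"forwarding: port {ACME_HTTP_PORT} on {public_ip} is not reachable"
    return "ok"


def check(hostname: str) -> str:
    """Run the live checks for one DuckDNS name and return the verdict."""
    ips = resolve_ipv4(hostname)
    mine = public_ipv4()
    reachable = bool(ips) and port_reachable(mine, ACME_HTTP_PORT)
    return diagnose(ips, mine, reachable)


if __name__ == "__main__":
    # usage: python check_duckdns.py your-name.duckdns.org   (placeholder hostname)
    print(check(sys.argv[1] if len(sys.argv) > 1 else "example.duckdns.org"))
```

Run it on the Unraid host (or any machine) with the DuckDNS name SWAG is configured for; "dns:" verdicts point at the DuckDNS updater, "forwarding:" verdicts at the router rule.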


I found this on Ubiquiti's website, not sure what I need from it to make UNMS work? Like I said previously, I can get the GUI page but can't see my devices; that was by editing the UniFi template!

 

Hoping that someone with more knowledge can help?

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  server_name unms.example.com;

  client_max_body_size 4G;

  location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080/;
  }
}

server {
  listen 443 ssl http2;
  server_name unms.example.com;

  ssl_certificate     /etc/letsencrypt/live/unms.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/unms.example.com/privkey.pem;

  # 'ssl on;' (as in the Ubiquiti sample) is the pre-1.15 directive; it is redundant
  # with 'listen 443 ssl http2' above and newer nginx releases reject it.
  # ssl on;

  set $upstream 127.0.0.1:8443;

  location / {
    proxy_pass     https://$upstream;
    proxy_redirect https://$upstream https://$server_name;

    proxy_cache off;
    proxy_store off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_read_timeout 36000s;

    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer "";

    client_max_body_size 0;
  }
}

 

I would really appreciate your help:

 


[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=[x]
URL=[x]
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=[x]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of [x] will be requested
E-mail address entered: [x]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
creating GeoIP2 database
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

Server ready

 

and I can't access my subdomains since I came back to Unraid after a few weeks. The SSL certificate had to be renewed and it seems to be fine when I check it with an SSL checker. The subdomains won't though, if that is of relevance. I'm not sure if that is good or not.

 

a) Does not being able to access my subdomains have a connection to the error(s) I get in the report?

b) How can I fix it?

 

I followed Spaceinvaderone's videos to set up a reverse proxy with letsencrypt using a wildcard.

 

Thank you all for your input!

 

Edit: Subdomains are accessible again. The LetsEncrypt error persists though.

Edited by dr_drei

6 hours ago, aptalca said:

We do not support users running manual commands. The readme contains info on how to troubleshoot renewal issues.

 

In your case, either your ip on duckdns is wrong or your port isn't forwarded properly

Hi, thanks for the reply. It was working fine until the certs expired three months in. I did upgrade my router to an OPNsense firewall. Will revert to the old router and see if that helps with renewing the certs.

6 hours ago, fachizel90 said:

Hi, thanks for the reply. It was working fine until the certs expired three months in. I did upgrade my router to an OPNsense firewall. Will revert to the old router and see if that helps with renewing the certs.

 

Or you could simply post your docker run command (in case you didn't. On phone and too lazy to scroll) and a screenshot of the port forwarding in your opnsense firewall.

I just received an email from letsencrypt regarding renewal of certificates (e.g. for nextcloud). I followed SpaceInvaderOne's guide for installing LetsEncrypt but I don't recall installing any certificates, let alone renewing them? What do I need to do?

5 hours ago, saarg said:

 

Or you could simply post your docker run command (in case you didn't. On phone and too lazy to scroll) and a screenshot of the port forwarding in your opnsense firewall.

Do you mean the container logs? Apologies I'm not sure where to find the docker run command.

 


-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=duckdns.org
SUBDOMAINS=1231eb,1231,1231cloud,1231collab,1231books,1231sonic
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d 1231eb.duckdns.org -d 1231.duckdns.org -d 1231cloud.duckdns.org -d 1231collab.duckdns.org -d 1231books.duckdns.org -d 1231sonic.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
creating GeoIP2 database
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

 

Screenshot of OPNsense port forward

https://imgur.com/bBh90eV

 

 

Thanks a lot

 

1 hour ago, fachizel90 said:

Do you mean the container logs? Apologies I'm not sure where to find the docker run command.

 

 

8 hours ago, jowi said:

I just received an email from letsencrypt regarding renewal of certificates (e.g. for nextcloud). I followed SpaceInvaderOne's guide for installing LetsEncrypt but I don't recall installing any certificates, let alone renewing them? What do I need to do?

Looks like logging into the console of the letsencrypt docker and running the command 'certbot renew' did the trick. 

35 minutes ago, jowi said:

Looks like logging into the console of the letsencrypt docker and running the command 'certbot renew' did the trick. 

Or you could have read the instructions in the readme, which talks about renewals.

 

We do not support running manual commands inside the container. You're on your own from this point on

2 minutes ago, aptalca said:

Or you could have read the instructions in the readme, which talks about renewals.

 

We do not support running manual commands inside the container. You're on your own from this point on

I forgot what a great community this is if you are not an autistic bearded Linux freak with Asperger from the 70s. Damn. Well, thanks for your ‘help’.

4 minutes ago, jowi said:

I forgot what a great community this is if you are not an autistic bearded Linux freak with Asperger from the 70s. Damn. Well, thanks for your ‘help’.

RTFM is universal; applies to people of all ages, genders and medical conditions. 

8 minutes ago, jowi said:

I forgot what a great community this is if you are not an autistic bearded Linux freak with Asperger from the 70s. Damn. Well, thanks for your ‘help’.

 

A Linux freak with Asperger... I have not met one yet. Put that on my bucket list.

Hi all.
Anybody able to help out with this issue?
I added a new subdomain [I've successfully set up several others so far], and started getting this:

dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
An unexpected error occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 160, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 57, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 316, in connect
conn = self._new_conn()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
self, "Failed to establish a new connection: %s" % e)

urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))


During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

cloudflare.ini hasn't been touched, but I re-verified the login / api info and it's still correct...

Any ideas?

I'm having issues getting a few dockers set up.

 

Booksonic is a strange one, here is my config

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name booksonic.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_booksonic booksonic;
        proxy_pass http://$upstream_booksonic:4040;
    }
}

Which gives me this when I actually try and navigate to it

[screenshot: lsJZpck.png]

 

Clicking on the link actually brings me to where I want to be

[screenshot: rhOpgak.png]

 

The webUI for the docker has it set to http://10.0.0.10:4040/booksonic, which gets redirected like it should, but how to set up the equivalent with nginx or a DNS config I don't know.

 

Then we have gotify, which doesn't work at all. I just get a bad gateway.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name gotify.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_gotify gotify;
        proxy_pass http://$upstream_gotify:1400;
    }
}

[screenshot: 6ETb5Dd.png]

 

This is a regular docker container, not one that was set up for unraid. Not sure if that means there's something to set up that I don't know about.

 

18 hours ago, newillusions said:

Hi all.
Anybody able to help out with this issue?
I added a new subdomain [I've successfully set up several others so far], and started getting this:


dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
An unexpected error occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 160, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 57, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 316, in connect
conn = self._new_conn()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
self, "Failed to establish a new connection: %s" % e)

urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))


During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

cloudflare.ini hasn't been touched, but I re-verified the login / api info and it's still correct...

Any ideas?

Update: this was solved on discord. Pihole / dns settings were preventing outgoing connection to letsencrypt servers

8 hours ago, aptalca said:

Update: this was solved on discord. Pihole / dns settings were preventing outgoing connection to letsencrypt servers

Hi aptalca

 

How was this resolved in the end, as I'm currently struggling with the same thing... I'd like to use pihole for the entirety of my network...

1 hour ago, MrGamecase said:

Hi aptalca

 

How was this resolved in the end, as I'm currently struggling with the same thing... I'd like to use pihole for the entirety of my network...

Just make sure your unraid server isn't using the pihole DNS.
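As an added example (not code from SWAG, certbot or any post in this thread), the following Python triage ties the two points together: the traceback newillusions posted ends in `socket.gaierror: [Errno -3] Try again`, which is getaddrinfo's EAI_AGAIN, a name-resolution failure, even though the wrapper script then suggests checking cloudflare.ini; and the advice here is to make sure the container is not using the Pi-hole as its resolver. The script classifies a certbot log excerpt by the underlying exception, lists the nameservers in `/etc/resolv.conf`, and flags any that match a Pi-hole address. The sample log excerpt, the sample resolv.conf and the Pi-hole address `192.168.1.53` are constructed.

```python
"""Triage for the certbot failure quoted earlier in this thread and for the
Pi-hole advice above. Added example; not part of SWAG, certbot or any post
here. The sample log and resolv.conf text below are constructed."""
import re
import socket

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host the quoted traceback could not resolve

# getaddrinfo(3) error codes as they appear in Python's socket.gaierror.
GAI_CODES = {
    -3: "dns-temporary-failure",  # EAI_AGAIN ("Try again"): the resolver gave no answer
    -2: "dns-name-unknown",       # EAI_NONAME: the resolver answered that the name does not exist
}

# Constructed excerpt shaped like the traceback quoted earlier in the thread.
SAMPLE_LOG = """\
socket.gaierror: [Errno -3] Try again
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
"""

# Constructed resolv.conf pointing the container at a Pi-hole on the LAN.
SAMPLE_RESOLV_CONF = """\
# Generated by Docker from the host's settings
nameserver 192.168.1.53   # Pi-hole (constructed address)
search lan
"""


def classify_certbot_error(log_text: str) -> str:
    """Name the real failure behind a certbot run.

    SWAG prints the 'check your cloudflare.ini credentials' hint after any
    failure, so the underlying exception is the thing to read."""
    m = re.search(r"socket\.gaierror: \[Errno (-?\d+)\]", log_text)
    if m:
        return GAI_CODES.get(int(m.group(1)), "dns-other")
    if "Connection refused" in log_text or "timed out" in log_text:
        return "tcp-unreachable"  # DNS worked; the TCP connection did not
    return "other"


def parse_nameservers(resolv_conf: str) -> list:
    """nameserver addresses from resolv.conf text; '#' and ';' start comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolver_warnings(nameservers: list, pihole_ips: set) -> list:
    """Flag the configuration this thread identifies as the cause."""
    if not nameservers:
        return ["no nameserver configured"]
    return [f"{ns} is the Pi-hole; Let's Encrypt lookups go through its blocklist"
            for ns in nameservers if ns in pihole_ips]


def can_resolve(hostname: str = ACME_HOST) -> bool:
    """Live check: does this container's resolver answer for the ACME host?"""
    try:
        socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    print("failure class:", classify_certbot_error(SAMPLE_LOG))
    try:
        with open("/etc/resolv.conf") as fh:  # meaningful when run inside the SWAG container
            conf = fh.read()
    except OSError:
        conf = SAMPLE_RESOLV_CONF
    servers = parse_nameservers(conf)
    print("nameservers:", servers)
    for warning in resolver_warnings(servers, {"192.168.1.53"}):  # put your Pi-hole IP here
        print("warning:", warning)
    print("ACME host resolves:", can_resolve())
```

The useful habit is in `classify_certbot_error`: read the innermost exception, not the last line the wrapper prints. A `-3` means the resolver the container uses never answered, which is exactly the Pi-hole (or a DNS server it cannot reach) case, and no amount of re-checking API credentials will change it.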

Hi all,

is there a way to include:

Latest NGINX Plus (no extra build steps required) or latest NGINX open source built with the --with-stream configuration flag

 

i want to Reverse Proxy a Teamspeak.

 

Kind regards

Bengele

Just make sure your unraid server isn't using the pihole DNS.
Or at least check the query log.
If the pihole is correctly configured, everything on the network goes over the pihole.

So maybe the letsencrypt servers are blacklisted.

Sent from my MI 6 using Tapatalk

1 hour ago, Toobie said:

Or at least check the query log.
If the pihole is correctly configured, everything on the network goes over the pihole.

So maybe the letsencrypt servers are blacklisted.

Sent from my MI 6 using Tapatalk
 

I believe the issue is actually that when you run PiHole as a container with its own IP, there are docker security features that stop docker macvlan IPs communicating with each other. So when you have Letsencrypt on its own net and Pihole on its own IP, if unraid is set up to check pihole for DNS, letsencrypt is able to talk to pihole.

 

I always suggest to people, if they're wanting to run pihole/adguard on their network, run it from a dedicated device.

I believe the issue is actually that when you run PiHole as a container with its own IP, there are docker security features that stop docker macvlan IPs communicating with each other. So when you have Letsencrypt on its own net and Pihole on its own IP, if unraid is set up to check pihole for DNS, letsencrypt is able to talk to pihole.
 
I always suggest to people, if they're wanting to run pihole/adguard on their network, run it from a dedicated device.
Sorry my fault.
I'm running pihole on a pi and predicted that it should be run dedicated.

Sent from my MI 6 using Tapatalk

26 minutes ago, Toobie said:

Sorry my fault.
I'm running pihole on a pi and predicted that it should be run dedicated.

Sent from my MI 6 using Tapatalk
 

Yeah, no worries. I've always run PiHole/Adguard on a dedicated Pi as well, so never had this issue.

31 minutes ago, j0nnymoe said:

I always suggest to people, if they're wanting to run pihole/adguard on their network, run it from a dedicated device.

I have six pihole containers running, acting as the local DNS server for their designated network.

This runs flawlessly (though I am not using letsencrypt).

 

[screenshot: image.png]
