[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hello,

I'm having trouble with using onlyoffice in nextcloud on my phone and away from home. It works fine on my desktop connected to the same LAN as my server. For example, when I try to open a spreadsheet in the nextcloud app I get net::err_blocked_by_response. I'm running nextcloud and documentserver containers with the SWAG container as the reverse proxy. I'm guessing this is an error in the proxy configs because I recently updated the proxy-conf files that the SWAG logs were saying were out of date, and then this problem started. I'm hoping someone can help me out as I really have no idea what anything in the proxy conf files means. I'll include the three conf files that I recently changed, and if anyone can help me understand what, if anything, is wrong, that would be much appreciated.


Nextcloud proxy-conf:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

        # Disable proxy buffering
        proxy_buffering off;
    }
}


Documentserver proxy-conf:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name documentserver.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app documentserver;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}


ssl conf:

## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample

### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7

ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl *redacted seems like something I shouldn't give out?* > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers *redacted seems like something I shouldn't give out?*
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt;

# Optional additional headers
#add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()" always;
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "1; mode=block" always;

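net::ERR_BLOCKED_BY_RESPONSE is the browser refusing to use a response because of that response's own headers, and for an editor loaded in a frame the headers that matter are X-Frame-Options, Content-Security-Policy frame-ancestors and Cross-Origin-Resource-Policy; the ssl.conf above adds X-Frame-Options SAMEORIGIN to every response, and the documentserver proxy-conf, unlike the Nextcloud one, does not hide the upstream's own headers either. The check below is an added example, not part of this thread or of SWAG: it reports which headers on one host would stop another origin from framing it, so the conflict can be confirmed from live responses before any conf is edited. The host names and sample headers are constructed; `fetch_headers` is my own helper and the only part that touches the network.

```python
"""Report response headers that would stop a browser framing one site inside another.

Added example, not code from this thread or from SWAG. Host names and the sample
headers below are constructed, not captured from a real server.
"""
from __future__ import annotations

import ssl
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def origin_of(url: str) -> tuple[str, str, Optional[int]]:
    """Scheme, host and explicit port: the triple browsers compare as the origin."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port


def _source_allows(source: str, embedder: str, resource: str) -> bool:
    """Match one CSP frame-ancestors source expression against the embedding page.
    Covers 'none', 'self', '*', scheme-sources (https:) and host-sources with an
    optional scheme and a leading *. wildcard; port matching is deliberately skipped."""
    src = source.strip()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(embedder) == origin_of(resource)
    if src == "*":
        return True
    e_scheme, e_host, _ = origin_of(embedder)
    low = src.lower()
    if low.endswith(":") and "/" not in low:          # scheme-source such as https:
        return low[:-1] == e_scheme
    scheme = None
    if "://" in low:
        scheme, low = low.split("://", 1)
    host = low.split("/", 1)[0].rsplit(":", 1)[0]     # drop any path and port
    if scheme is not None and scheme != e_scheme:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])
    return host == e_host


def embedding_blockers(headers: dict[str, str], resource_url: str, embedder_url: str) -> list[str]:
    """Reasons a browser would refuse to show resource_url in a frame on embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    cross_origin = origin_of(resource_url) != origin_of(embedder_url)
    reasons: list[str] = []
    ancestors = None
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            ancestors = value.split()
    if ancestors is not None:
        # When both are present browsers enforce frame-ancestors and ignore X-Frame-Options.
        if not any(_source_allows(s, embedder_url, resource_url) for s in ancestors):
            reasons.append(f"CSP frame-ancestors {' '.join(ancestors)} excludes {embedder_url}")
    else:
        xfo = h.get("x-frame-options", "").strip().upper()
        if xfo == "DENY":
            reasons.append("X-Frame-Options: DENY forbids framing from any page")
        elif xfo == "SAMEORIGIN" and cross_origin:
            reasons.append("X-Frame-Options: SAMEORIGIN forbids framing from another origin")
    if h.get("cross-origin-resource-policy", "").strip().lower() == "same-origin" and cross_origin:
        reasons.append("Cross-Origin-Resource-Policy: same-origin blocks cross-origin loads")
    return reasons


def fetch_headers(url: str, verify_tls: bool = True) -> dict[str, str]:
    """GET one URL and return its response headers, error responses included."""
    ctx = ssl.create_default_context()
    if not verify_tls:                 # only for a LAN test against a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urlopen(Request(url, headers={"User-Agent": "embed-check"}), context=ctx, timeout=10) as resp:
            return dict(resp.headers.items())
    except HTTPError as err:
        return dict(err.headers.items())


# Constructed sample: the headers the ssl.conf above adds to every response, as they
# reach the browser when the proxy-conf neither hides nor overrides them.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Referrer-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}


def check_sample() -> list[str]:
    """Nextcloud on one origin trying to frame the document server on another."""
    return embedding_blockers(SAMPLE_HEADERS, "https://documentserver.example.test/",
                              "https://nextcloud.example.test/")
```

To run it against real hosts, pass `fetch_headers("https://documentserver.yourdomain/")` as the headers and the Nextcloud URL as the embedder.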

Upgraded Unraid to 6.12.4. Now, swag cannot start. It gives "Execution Error".


The reason is "Error starting userland proxy: listen tcp4 0.0.0.0:443: bind: address already in use." When I check with

> netstat -tunlp | grep ":443"

I get

tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      15575/nginx: master

I think Unraid's own nginx is also listening on port 443.

How can I stop Unraid's nginx listening on 443?


By the way, swag is on a custom docker network named "proxynet" together with all other dockers.


I didn't have this problem with Unraid 6.11.5.


Thanks.

8 hours ago, ozymate said:

How can I stop Unraid's nginx listening on 443?


Change the SSL port, as it's not needed anyway if not in use.


Or change the mapping and the router forwarding rule.


And yes, in 6.11 it was disabled when SSL was disabled; in 6.12 port 443 is also listening even with SSL disabled.

On 10/29/2023 at 6:35 PM, Gaius-Baltar said:

It's a dashboard from SWAG linuxserver.io, it's a mod (https://www.linuxserver.io/blog/introducing-swag-dashboard); you can see fail2ban statistics or visits from which countries (IP addresses) to your running applications, etc.

Can you or anybody enlighten me on how to install it?

I read the howto, but it's not clear enough for me :(

As I understand it, I have to add a variable into the swag config, DOCKER_MODS, and that's all I can catch.

I can't get a handle on adding "a mapping of 81:81 to swag's docker run command or compose", and also a "rewrite of dashboard.domain.com to your server's IP address". For the latter one, I don't even know if I need to add an A record to the domain name.

1 hour ago, dunnno said:

Can you or anybody enlighten me on how to install it?

I read the howto, but it's not clear enough for me :(

As I understand it, I have to add a variable into the swag config, DOCKER_MODS, and that's all I can catch.

I can't get a handle on adding "a mapping of 81:81 to swag's docker run command or compose", and also a "rewrite of dashboard.domain.com to your server's IP address". For the latter one, I don't even know if I need to add an A record to the domain name.


I did understand all that - but I still could not get it to work - likely as I have no way of doing the dns rewrite on my systems here.

On 11/14/2023 at 3:51 AM, dunnno said:

Pls tell me what you've done :)


There is not really much to it, but as I said, I doubt mine would work due to not having the capability to rewrite the DNS to my IP address, as my router can't do it, and I don't have AdGuard or Pi-hole running on the network. I may try again, but I can elaborate on the instructions a bit for you for Unraid. You saw the instructions here:


https://github.com/linuxserver/docker-mods/tree/swag-dashboard


1 - Set an environment variable DOCKER_MODS=linuxserver/mods:swag-dashboard. Edit the container in Unraid, and add linuxserver/mods:swag-dashboard to the list of DOCKER_MODS. I use a number of docker mods already for other things, so I get to add it with | to separate them. Mine looks like this; note I added mine ages ago for other config things I wanted. Maybe watch the swag YouTube tutorial from IBRACORP for a detailed setup of this:

This is the line :


And mine looks like this as I use cloudflare, maxmind and crowdsec also - note the extra bit on the end for this swag dashboard after the extra | :

linuxserver/mods:universal-docker|linuxserver/mods:swag-cloudflare-real-ip|linuxserver/mods:swag-maxmind|ghcr.io/linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-dashboard


2 - Add a mapping of 81:81 to swag's docker run command or compose

This means to edit the swag docker container in Unraid, scroll to the bottom, click "add another path, port, variable, label or device",

then change the config type to port, then set the name and the host port to 81:


so you then have this at the end of the config :


That's it for the docker container edits to activate all this. The container will restart (or do it manually), then check the logs for it, and you will see it loading the mod:


The last bit is the DNS rewrite, which is done so that when in your browser you enter dashboard.yourdomain.com, it goes to the IP address of your swag container (in my case, as I have an IP address for my container for firewalling etc.). This is the bit I have not (cannot) done, so I can't actually test any of this. Hope to get that last bit done at some stage.


Edit - I have however tested locally with 192.168.1.5:81 and this brings up the dashboard. .5 is the IP address of the swag container. As I don't expect to open this out to the world, this is good enough for me:

Edited by vw-kombi

I recently started having issues with my swag container and I am hoping you all can help. I have tried restarting the container and editing the config to recreate the container, but I get the same thing. A server reboot did not help. The logs are as follows:


/docker-mods: line 109:    25 Bus error               cat <<-'EOF' > /usr/bin/lsiown
#!/bin/bash

MAXDEPTH=("-maxdepth" "0")
OPTIONS=()
while getopts RcfvhHLP OPTION
do
    if [[ "${OPTION}" != "?" && "${OPTION}" != "R" ]]; then
        OPTIONS+=("-${OPTION}")
    fi
    if [[ "${OPTION}" = "R" ]]; then
        MAXDEPTH=()
    fi
done

shift $((OPTIND - 1))
OWNER=$1
IFS=: read -r USER GROUP <<< "${OWNER}"
if [[ -z "${GROUP}" ]]; then
    printf '**** Permissions could not be set. Group is missing or incorrect, expecting user:group. ****\n'
    exit 0
fi

ERROR='**** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****\n**** The app may not work properly and we will not provide support for it. ****\n'
PATH=("${@:2}")
/usr/bin/find "${PATH[@]}" "${MAXDEPTH[@]}" \( ! -group "${GROUP}" -o ! -user "${USER}" \) -exec chown "${OPTIONS[@]}" "${USER}":"${GROUP}" {} + || printf "${ERROR}"
EOF

/docker-mods: line 109:    26 Bus error               chmod +x /usr/bin/lsiown
/docker-mods: line 142:    27 Bus error               rm -rf /usr/bin/with-contenv
/docker-mods: line 142:    28 Bus error               cat <<-EOF > /usr/bin/with-contenv
#!/bin/bash
if [[ -f /run/s6/container_environment/UMASK ]] &&
    { [[ "\$(pwdx \$\$)" =~ "/run/s6/legacy-services/" ]] ||
        [[ "\$(pwdx \$\$)" =~ "/run/s6/services/" ]] ||
        [[ "\$(pwdx \$\$)" =~ "/servicedirs/svc-" ]]; }; then
    umask "\$(cat /run/s6/container_environment/UMASK)"
fi
exec /command/with-contenv "\$@"
EOF

/docker-mods: line 142:    29 Bus error               chmod +x /usr/bin/with-contenv
/docker-mods: line 366:    30 Bus error               cat <<-EOF > /etc/s6-overlay/s6-rc.d/init-adduser/branding
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗ 
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝ 

   Brought to you by linuxserver.io
───────────────────────────────────────
EOF

/docker-mods: line 22:    31 Bus error               mkdir -p /etc/{cont-init.d,services.d}
/docker-mods: line 22:    32 Bus error               chmod +x /etc/cont-init.d/* /etc/services.d/*/* 2> /dev/null
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-migrations/run: Exec format error
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-envfile/run: Exec format error
s6-rc: warning: unable to start service init-migrations: command exited 126
s6-rc: warning: unable to start service init-envfile: command exited 126
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.
/docker-mods: line 20: syntax error: bad substitution
/run/s6/basedir/scripts/rc.init: warning: hook /docker-mods exited 2
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-migrations/run: Exec format error
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-envfile/run: Exec format error
s6-rc: warning: unable to start service init-migrations: command exited 126
s6-rc: warning: unable to start service init-envfile: command exited 126
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.
/docker-mods: line 20: syntax error: bad substitution
/run/s6/basedir/scripts/rc.init: warning: hook /docker-mods exited 2
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-migrations/run: Exec format error
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-envfile/run: Exec format error
s6-rc: warning: unable to start service init-migrations: command exited 126
s6-rc: warning: unable to start service init-envfile: command exited 126
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.
/docker-mods: line 20: syntax error: bad substitution
/run/s6/basedir/scripts/rc.init: warning: hook /docker-mods exited 2
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-envfile/run: Exec format error
s6-rc-oneshot-run: fatal: unable to exec /etc/s6-overlay/s6-rc.d/init-migrations/run: Exec format error
s6-rc: warning: unable to start service init-migrations: command exited 126
s6-rc: warning: unable to start service init-envfile: command exited 126
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.


Any help would be greatly appreciated.


I have SWAG running on my Unraid (v6.12.3) for the last few years without an issue.  Recently, I received an e-mail from Let's Encrypt that my Let's Encrypt certificates expire in 7 days.  I wasn't sure why I was suddenly seeing this message.  I restarted the docker (and ultimately the server) and am still getting this message when running "certbot renew" in the SWAG console:


root@fb4ff453e394:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/Anasrp.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for Anasrp.duckdns.org and 3 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: Abitwarden.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Abitwarden.duckdns.org/.well-known/acme-challenge/eUOCQd_YPD0oElb3CUNDwdaAaELTmY08jIHlMKi7IK4: 404

  Domain: Anasrp.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Anasrp.duckdns.org/.well-known/acme-challenge/StQ2pSQqV1BM2ecxkSlA-inT3y4nYuKC8gKZpWRtP4k: 404

  Domain: Anextcloud.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Anextcloud.duckdns.org/.well-known/acme-challenge/UIY3Tai7Bxp77hc_s9vGoajYm0CwxgoLT2g58gLOBUw: 404

  Domain: Aoverseerr.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Aoverseerr.duckdns.org/.well-known/acme-challenge/7prnLRprrrzttvcKjCqu5A24DffX5kc9t9R1HzS6J4E: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate Anasrp.duckdns.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/Anasrp.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


I'm having a hard time understanding these messages.  Are all of my certs failing or just the "Anasrp" cert?  How do I fix this issue and ensure that my reverse proxies are still working?


Note - I faced a similar issue a few years ago when the Let's Encrypt certificate was updated and my Unifi router needed to be updated in order to resolve the issue. 

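Certbot renews a certificate lineage as a single unit, so "and 3 more domains" above means one certificate carrying four names, and any one of those names failing its HTTP-01 challenge fails the whole renewal. The parser and pre-check below are an added example, not code from this thread, SWAG or certbot: it reads `certbot renew` output into per-certificate results and, separately, checks whether a name resolves to the address you expect before the CA is asked again. The sample output and its names (example.org, 203.0.113.10) are constructed to mirror the format printed above.

```python
"""Turn `certbot renew` output into per-certificate results and pre-check HTTP-01 names.
Added example, not code from this thread, SWAG or certbot. SAMPLE_OUTPUT is constructed
to mirror certbot's format, with example.org names and a documentation-range IP."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ChallengeFailure:
    domain: str
    kind: str        # certbot's "Type:" line, e.g. unauthorized, connection, dns
    detail: str


@dataclass
class RenewalResult:
    cert_name: str                 # lineage name, the stem of the renewal .conf file
    domain_count: Optional[int]    # names on the certificate, when certbot stated it
    outcome: str                   # "failed", "not due" or "renewed"
    failures: list[ChallengeFailure] = field(default_factory=list)


_PROCESSING = re.compile(r"^Processing /etc/letsencrypt/renewal/(\S+)\.conf[ \t]*$", re.M)
_RENEWING = re.compile(r"^Renewing an existing certificate for \S+(?: and (\d+) more domains?)?", re.M)
_FAILURE = re.compile(r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<kind>\S+)\s*\n\s*Detail:\s*(?P<detail>[^\n]*)")


def parse_certbot_renew(output: str) -> list[RenewalResult]:
    """One result per certificate lineage certbot processed."""
    parts = _PROCESSING.split(output)          # [preamble, name1, body1, name2, body2, ...]
    results = []
    for name, body in zip(parts[1::2], parts[2::2]):
        renewing = _RENEWING.search(body)
        count = 1 + int(renewing.group(1) or 0) if renewing else None
        failures = [ChallengeFailure(m["domain"], m["kind"], m["detail"].strip())
                    for m in _FAILURE.finditer(body)]
        if failures or re.search(r"^Failed to renew certificate", body, re.M):
            outcome = "failed"
        elif "not yet due for renewal" in body:
            outcome = "not due"
        else:
            outcome = "renewed"                # certbot prints a failure block whenever a challenge fails
        results.append(RenewalResult(name, count, outcome, failures))
    return results


def failing_certificates(results: list[RenewalResult]) -> list[str]:
    """A certificate is issued as one unit: one failed name fails the whole lineage."""
    return [r.cert_name for r in results if r.outcome == "failed"]


def preflight_http01(domain: str, expected_ip: str, timeout: float = 5.0) -> list[str]:
    """Before asking the CA again: does the name resolve to us, and does port 80 answer?
    Network call, not exercised by the sample; passing from inside the LAN does not
    prove the public side works, it only rules out DNS and local port-80 mistakes."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 80, socket.AF_INET)})
    except socket.gaierror as exc:
        return [f"{domain}: DNS lookup failed ({exc})"]
    problems = [] if expected_ip in addrs else [f"{domain}: resolves to {', '.join(addrs)}, not {expected_ip}"]
    try:
        socket.create_connection((expected_ip, 80), timeout=timeout).close()
    except OSError as exc:
        problems.append(f"{expected_ip}:80 not reachable ({exc})")
    return problems


SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/main.example.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for main.example.org and 2 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: cloud.example.org
  Type:   unauthorized
  Detail: 203.0.113.10: Invalid response from http://cloud.example.org/.well-known/acme-challenge/SAMPLETOKEN: 404

  Domain: main.example.org
  Type:   unauthorized
  Detail: 203.0.113.10: Invalid response from http://main.example.org/.well-known/acme-challenge/SAMPLETOKEN2: 404

Failed to renew certificate main.example.org with error: Some challenges have failed.

Processing /etc/letsencrypt/renewal/other.example.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/main.example.org/fullchain.pem (failure)
"""
```

Feed the real output to `parse_certbot_renew` (for example `certbot renew 2>&1` captured to a file) and `failing_certificates` lists exactly which lineages need attention.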

Hello, I'm trying to add the dashboard to my swag docker on UNRAID; I have attached my configuration for the addons.


However, when I start the container it shows this error:



[mod-init] Attempting to run Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] linuxserver/mods:swag-dashboard could not be found on lscr.io
[migrations] started 
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done


What am I doing wrong?


Edited by gottoesplosivo

I have MaxMind setup for geoIP info but it doesn't seem to be updating its database weekly.


In the container I see in /etc/crontabs/root a single line that appears to update the certificate, as follows:

8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

The line above also shows if I do a crontab -l in the console.


Do I need to edit this file to include the line from /config/crontabs/root that runs the weekly update of the database? Or maybe I need to replace the whole existing /etc/crontabs/root with the file that's in /config/crontabs/root so it catches all of the other periodic jobs.

0       3       *       *       6       run-parts /etc/periodic/weekly

Or do the scripts in /config/crontabs get processed somewhere else?

Edited by nraygun
On 12/25/2023 at 7:47 PM, nraygun said:

I have MaxMind setup for geoIP info but it doesn't seem to be updating its database weekly.


In the container I see in /etc/crontabs/root a single line that appears to update the certificate, as follows:

8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

The line above also shows if I do a crontab -l in the console.


Do I need to edit this file to include the line from /config/crontabs/root that runs the weekly update of the database? Or maybe I need to replace the whole existing /etc/crontabs/root with the file that's in /config/crontabs/root so it catches all of the other periodic jobs.

0       3       *       *       6       run-parts /etc/periodic/weekly

Or do the scripts in /config/crontabs get processed somewhere else?

Per a Discord and Reddit post, it appears a patch for this is in the works.


Hi guys,


Hopefully you can help me. I had unRAID running on a HP MicroServer for a few years with no issues. However, I've recently upgraded to a Dell R720 so I could increase my storage and install an Nvidia Tesla P4 for hardware transcoding in Plex. However, I'm running into an issue that I did not experience on the HP. For some reason UnRAID refuses to use the ports that I assign to docker containers. It uses its own and ignores the ports I enter in the container configs.


Any ideas where I might be going wrong?

My main issue at the moment is that I am running the Audiobookshelf UnRAID app for my audiobooks and I have assigned its port as 13378, but it ignores that and uses port 80. I am also using the SWAG app from the unRAID App Store, and that too is ignoring the ports I assigned during its installation, from port 80 to port 8001.



Edited by GradwellZA
Misspelt Audiobookshelf
6 hours ago, GradwellZA said:

Any ideas where I might be going wrong?


When using custom br0, all port mappings are obsolete as they are not needed anymore, since all dockers run on their own LAN IP and won't conflict anyhow ... it was like this all the time.




Hi,

Recently, I have been noticing that all of my dockers that run through SWAG stop working occasionally. What I am seeing is that the proxy-confs are updated, and I must update the configuration file in that folder to get the appropriate docker to connect correctly to the net through the reverse proxy. That never used to be the case. Is there something that I am missing that will allow the containers to use the reverse proxy even if the conf files are not the current ones? Hope that makes sense.


Swag is giving me the following error, which means sonarr, radarr, nextcloud & bitwarden are not working.


Any ideas for me please?


Requesting a certificate for ******** and 3 more domains
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


Reverse Proxy issues following GPU replacement

Yesterday I replaced the GPU in my Unraid server. When I started up again, some of my dockers would not start. After a reboot, the docker service would not start. Following the SIO Docker troubleshooting video, I was able to restore the majority of my dockers. I have the following dockers installed: binhex-krusader; binhex-prowlarr; binhex-radarr; binhex-sabnzbd; binhex-sonarr; bitwardenrs; CodeProject.AI_ServerGPU; DiskSpeed; duckdns; Heimdall; immich; mariadb; netdata; nextcloud; overseerr; pihole-template; Plex-Media-Server; postgresql14; redis; swag; syncthing; tautulli; telegraf

Of those dockers, I have bitwarden, nextcloud, overseer, and blueiris set up behind a reverse proxy running in Swag.

I have swag, bitwarden, nextcloud, overseer, and blueiris all on the same network custom: br0

I can access overseer locally, but nothing else, and I cannot access anything from the reverse proxy.

plexunraid-diagnostics-20240226-2030.zip


I'm having an issue whereby my certs are no longer auto-renewing. I had the cron set for 20:30 each night to check and renew if necessary, but for whatever reason, it recently stopped using the specified cron time and is now using the default 2:08am time (a time that my server is powered off.)


Appdata/swag/crontabs/root:

30 20 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1


cronjob running on Mon Nov 20 20:30:00 GMT 2023
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mydomain/fullchain.pem expires on 2024-01-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Tue Jan  2 02:08:00 GMT 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mydomain/fullchain.pem expires on 2024-03-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


^^^ You can see here that things USED to run normally for me at 20:30, but more recently it's back to 02:08 and the cron time specified above isn't being used.


Has anyone ANY idea how to fix this? I really don't want to wait for cert expiry reminder emails and then have to manually renew them with certbot.


Would appreciate any help, thanks

Edited by Unrayed
On 11/30/2023 at 8:17 AM, perfect said:

I have SWAG running on my Unraid (v6.12.3) for the last few years without an issue.  Recently, I received an e-mail from Let's Encrypt that my Let's Encrypt certificates expire in 7 days.  I wasn't sure why I was suddenly seeing this message.  I restarted the docker (and ultimately the server) and am still getting this message when running "certbot renew" in the SWAG console:


root@fb4ff453e394:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/Anasrp.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for Anasrp.duckdns.org and 3 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: Abitwarden.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Abitwarden.duckdns.org/.well-known/acme-challenge/eUOCQd_YPD0oElb3CUNDwdaAaELTmY08jIHlMKi7IK4: 404

  Domain: Anasrp.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Anasrp.duckdns.org/.well-known/acme-challenge/StQ2pSQqV1BM2ecxkSlA-inT3y4nYuKC8gKZpWRtP4k: 404

  Domain: Anextcloud.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Anextcloud.duckdns.org/.well-known/acme-challenge/UIY3Tai7Bxp77hc_s9vGoajYm0CwxgoLT2g58gLOBUw: 404

  Domain: Aoverseerr.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Aoverseerr.duckdns.org/.well-known/acme-challenge/7prnLRprrrzttvcKjCqu5A24DffX5kc9t9R1HzS6J4E: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate Anasrp.duckdns.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/Anasrp.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


I'm having a hard time understanding these messages.  Are all of my certs failing or just the "Anasrp" cert?  How do I fix this issue and ensure that my reverse proxies are still working?


Note - I faced a similar issue a few years ago when the Let's Encrypt certificate was updated and my Unifi router needed to be updated in order to resolve the issue. 

Looks like you are trying to renew certificates for domains that you don't own, e.g. nextcloud.duckdns.org, right?

  Domain: Anextcloud.duckdns.org
  Type:   unauthorized
  Detail: 98.156.3.173: Invalid response from http://Anextcloud.duckdns.org/.well-known/acme-challenge/UIY3Tai7Bxp77hc_s9vGoajYm0CwxgoLT2g58gLOBUw: 404

On 3/7/2024 at 6:03 PM, Unrayed said:

I'm having an issue whereby my certs are no longer auto-renewing. I had the cron set for 20:30 each night to check and renew if necessary, but for whatever reason, it recently stopped using the specified cron time and is now using the default 2:08am time (a time that my server is powered off.)


Appdata/swag/crontabs/root:

30 20 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1


cronjob running on Mon Nov 20 20:30:00 GMT 2023
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mydomain/fullchain.pem expires on 2024-01-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Tue Jan  2 02:08:00 GMT 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mydomain/fullchain.pem expires on 2024-03-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


^^^ You can see here that things USED to run normally for me at 20:30, but more recently it's back to 02:08 and the cron time specified above isn't being used.


Has anyone ANY idea how to fix this? I really don't want to wait for cert expiry reminder emails and then have to manually renew them with certbot.


Would appreciate any help, thanks

Just on this, I don't seem to have a le-renew.sh file in my Swag files anywhere in appdata/swag. Is this normal, or has something maybe been lost from my installation?
