[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Managed to get this from the logs. I understand the registration error, but I'm not sure about the other errors.

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ******.duckdns.org
E-mail address entered: *******@gmail.com
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP
Please see the logfiles in /var/log/letsencrypt for more details.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Link to comment

Edit: I'm a dumbass - port 443 wasn't forwarded....... :$

 

I too am having issues with this docker.  I've removed it and reinstalled it several times (including removing the appdata folder for letsencrypt).  I've tried different ports.  I'm getting the following error:

 

Failed authorization procedure. technologiq.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

I've double checked and made sure my port forwarding (Ubiquiti ER3) is working correctly.  It appears that NGINX isn't even starting up to respond to the request in the first place.   

 

Any ideas?

 

Edited by technologiq
Link to comment

Hello All!

 

New to the community but not new to unRAID. I am currently trying to set up Letsencrypt and keep running into this error every time it goes through. It seems as though the folders are not getting created. Here is what I receive just before the docker shuts down:

 

GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a 2048 bit RSA private key
...........+++
.....................+++
writing new private key to '/config/keys/cert.key'
-----
Subject Attribute /C has no known NID, skipped
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time


DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ***********.ddns.net
E-mail address entered: ******.*******@outlook.com
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP
Please see the logfiles in /var/log/letsencrypt for more details.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

When I attempt to go look at the log file listed as /var/log/letsencrypt/letsencrypt.log, the /var/log/letsencrypt folder does not seem to exist...

Edited by unraid_countryboy
Link to comment

The certs weren't generated properly (could be a port forwarding or a DNS issue), then you tried it too many times unsuccessfully and now the letsencrypt servers are throttling you.

Try putting in your custom domain (including your custom subdomain) as the URL, and enter a subdomain like www; don't set only subdomains to true. Sometimes when you change the subdomains around you can get around the throttling issue.

You still have to fix the DNS or port issue.

If that doesn't work, you'll have to wait until letsencrypt accepts requests from you again.

 

Link to comment
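Two separate things are going wrong in the logs quoted above, and untangling them matters because retrying blindly makes the first one worse. "Error creating new registration :: too many registrations for this IP" is Let's Encrypt's accounts-per-IP rate limit (at the time of writing, 10 new ACME accounts per IP address per 3 hours): certbot registers a new account whenever it finds no account key in its config directory, so every reinstall that wipes the appdata folder costs one registration from the same public IP. The "cd: /config/keys/letsencrypt: No such file or directory" line is only a consequence: that directory exists once a certificate has been issued, and none was. The real blocker (port forwarding or DNS, as aptalca says) should be debugged against the staging CA, whose limits are separate from production and far higher. The script below is an added example written for this thread, not part of the linuxserver.io image: it tags the conditions found in a log excerpt (constructed from the lines quoted above) and prints a staging dry-run command. The `--preferred-challenges http` choice assumes a current certbot, in which the tls-sni-01 challenge used in the posts above no longer exists and port 80 must be reachable instead.

```sh
#!/bin/sh
# Added example (not from the linuxserver.io image): triage the start-up log
# before retrying a certificate request, and build a rate-limit-safe probe.

# Log excerpt constructed from the lines quoted in this thread.
SAMPLE_LOG='Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP
Please see the logfiles in /var/log/letsencrypt for more details.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.'

# triage_log LOGTEXT -> one tag per line for each condition found.
# Ordering is deliberate: root causes first, consequences last.
triage_log() {
    found=0
    if printf '%s\n' "$1" | grep -q 'too many registrations for this IP'; then
        # ACME *account* limit: a new account key is created every time the
        # config dir is wiped. Not the per-domain certificate limit.
        echo 'rate-limit:accounts-per-ip'
        found=1
    fi
    if printf '%s\n' "$1" | grep -q 'too many certificates already issued'; then
        echo 'rate-limit:certificates-per-domain'
        found=1
    fi
    if printf '%s\n' "$1" | grep -Eq 'urn:(ietf:params:)?acme:error:connection'; then
        # The CA could not reach the host: forwarding, firewall or DNS.
        echo 'challenge:unreachable'
        found=1
    fi
    if printf '%s\n' "$1" | grep -q 'cd: /config/keys/letsencrypt: No such file'; then
        # Follows from the failures above: the directory appears only after
        # a certificate has been issued. Not a bug to chase on its own.
        echo 'consequence:no-cert-dir'
        found=1
    fi
    [ "$found" -eq 1 ] || echo 'unknown'
}

# certbot_probe_cmd DOMAIN EMAIL -> the command to run while debugging.
# --staging: test CA with separate, much higher limits.
# --dry-run: performs the challenge, stores nothing.
# --standalone: certbot answers the challenge itself (stop nginx first).
# http-01 is assumed (tls-sni-01 no longer exists); port 80 must be reachable.
certbot_probe_cmd() {
    printf 'certbot certonly --staging --dry-run --standalone --non-interactive --agree-tos -m %s -d %s --preferred-challenges http\n' "$2" "$1"
}

# Usage:
#   log=$(docker logs letsencrypt 2>&1); triage_log "$log"
#   certbot_probe_cmd example.duckdns.org you@example.com
triage_log "$SAMPLE_LOG"
```

Run `triage_log` over the real container log, fix whatever it points at while probing with the staging command, and only drop `--staging --dry-run` once the dry run succeeds; a production retry that fails again just consumes more of the limit that is already exhausted.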

I've got this working for plex, ombi and calibre-web from external locations, but on my home network I can't access mydomain.com/plex. Is this normal or am I missing something fundamental?

 

In my pfsense router I've forwarded all WAN traffic to 443 to unRAID, and I'm guessing I need to find a way to forward local traffic to my mydomain.com/plex to unraid as well?

 

Thanks in advance

 

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
#server {
#	listen 80;
#	server_name _;
#	return 301 https://$host$request_uri;
#}

# main server block
server {
	listen 443 ssl default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'XXXXXXXX';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;

	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		# With php7-cgi alone:
		fastcgi_pass 127.0.0.1:9000;
		# With php7-fpm:
		#fastcgi_pass unix:/var/run/php7-fpm.sock;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
	
#calibre-web

	location /books {
		proxy_bind              $server_addr;
		proxy_pass              http://172.30.12.2:8086;
		proxy_set_header        Host            $http_host;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        X-Scheme        $scheme;
		proxy_set_header        X-Script-Name   /books;
	}

#PLEX

	location /web {
		# serve the CSS code
		proxy_pass http://172.30.12.2:32400;
	}

	# Main /plex rewrite
	location /plex {
		# proxy request to plex server
		proxy_pass http://172.30.12.2:32400/web;
	}

#Ombi

	location /plexrequest {
		include /config/nginx/proxy.conf;
		proxy_pass http://172.30.12.97:3579/plexrequest;
	}

 

Link to comment
3 hours ago, jonathanm said:

Well, that was easy when you know where to look!!!

 

I followed the link and used Method 2 for Split DNS by adding a host override for my domain in DNS Resolver, pointing the domain to my unRAID box's IP. Works much better than it did via my BT HH5 router, which used to send the request out to the internet and then receive it back, to send out again... now it's super fast, as it's loading locally. If only every webpage was this fast!

 

Thanks @jonathanm - another reason to love the control of pfsense

Link to comment

Hi guys,

 

I keep seeing these errors during cert renewal even though the certs are renewed successfully.

 

cronjob running on Mon Sep 4 16:07:17 AEST 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.XXX.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111
Error output from s6-svc:
s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.XXX.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:

 

Has anyone encountered these before and what's the resolution please?

 

Cheers.

Edited by doremi
More info added.
Link to comment
That's harmless.

It's trying to reload nginx after cert renewal but failing, because nginx is not running yet, since the renewal script is running during container start. Nginx will be started later with the new certs loaded.

If the script was running via cron at 2am, nginx would have been running, and would have been reloaded properly.

Either way everything works fine.
Link to comment
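Why the error is harmless is in aptalca's reply; why it appears at all is the shape of the hook. The renewal shown in the log runs certbot with a pre-hook of `s6-svc -d /var/run/s6/services/nginx` so that certbot's own challenge listener can bind the port, and (assumed from that pattern, not visible in the quoted log) a post-hook that brings nginx back up. `s6-svc` can only control a service whose directory the supervisor has already created, so during container start the hook fails with "No such file or directory", certbot records the non-zero exit and carries on. Below is an added example, not the image's script, of hooks that check for that directory first so the cron run and the start-up run both exit cleanly. `SVC_DIR` and `S6_SVC` are overridable assumptions so the logic can be exercised outside the container.

```sh
#!/bin/sh
# Added example (not the image's own hook): certbot pre/post hooks that only
# talk to s6 when nginx's service directory exists.

SVC_DIR="${SVC_DIR:-/var/run/s6/services/nginx}"   # s6 service dir (assumed from the log)
S6_SVC="${S6_SVC:-s6-svc}"                          # overridable for testing outside the container

# nginx_supervised -> 0 once s6 has created the service directory. During
# cont-init.d it does not exist yet; that is the "No such file or directory"
# in the log, not a broken nginx.
nginx_supervised() {
    [ -d "$SVC_DIR" ]
}

# pre_hook: free the port for certbot's standalone challenge listener.
# -wd waits until nginx is really down before returning, so certbot does not
# race it for the socket.
pre_hook() {
    if nginx_supervised; then
        "$S6_SVC" -wd -d "$SVC_DIR"
        echo "pre-hook: nginx stopped"
    else
        echo "pre-hook: nginx not supervised yet, nothing to stop"
    fi
}

# post_hook: certbot runs this after every renewal attempt, succeeded or not,
# so nginx always comes back. No reload is needed: a fresh start reads the
# new files behind /config/keys/letsencrypt/*.pem.
post_hook() {
    if nginx_supervised; then
        "$S6_SVC" -u "$SVC_DIR"
        echo "post-hook: nginx started"
    else
        echo "post-hook: nginx not supervised yet, it will start with the new certificate"
    fi
}

# Dispatch when run directly: le-hooks.sh pre | post
case "${1:-}" in
    pre)  pre_hook ;;
    post) post_hook ;;
esac
```

Wire it in with `certbot renew --pre-hook '/config/le-hooks.sh pre' --post-hook '/config/le-hooks.sh post'` (the script path is an assumption). Note that the cron-time run keeps nginx down for the whole challenge; with a webroot or DNS challenge the pre-hook is unnecessary and renewal causes no downtime.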

Every time this updates itself, it fails to load as I don't have a www subdomain. The only way I can then get it to work is to edit the container and remove the subdomains section. Nothing in my setup changed so I'm assuming something in the way the docker works changed.

 

How can I get around this?

Link to comment
If you remove the subdomains field in the container settings, that change should persist through updates. If it doesn't, it's an unraid gui issue.
Link to comment

I'm kind of stuck. I'm using this container's nginx to proxy some things (including directories), and then using another URL to reverse proxy again. When I do this, I get an auth prompt. Accessing the DDNS URL directly, there's no auth prompt. Reverse proxying from my other server's URL does.

 

Is this a fail2ban thing? I tried disabling fail2ban completely to no avail, and there's no lines in my config (on either server) that would prompt for authentication.

 

EDIT: Nevermind, I was pointing it to http instead of https in the second server's proxy config. Whoops!

Edited by Crash
Link to comment

If I want to continue using this container for reverse proxy, combined with the new RC with LetsEncrypt support, I'm going to need to use my second NIC and assign all my Docker containers their own IPs in order to not have a port 443 conflict, right? I'm having some trouble visualizing how best to move forward...

Link to comment
If the unraid rc truly requires port 443, then you would only need a new ip with port 443 open for the letsencrypt container, not the rest of the containers.

I believe the new unraid rc uses a limetech hosted ddns and gets the certs for the addresses on their server (everyone gets a randomized unique string added to limetech's address). The certs would not be for your own domain, but the custom domain limetech assigns you. Theoretically they should be able to let you use a different port for the connection between their server and yours, although I'm not sure if that's implemented.
Link to comment

Seeing the same issue on rc8q;

 

Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (~): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use
Error: failed to start containers: letsencrypt

Link to comment

Your issue is that unraid gui is using port 443

 

See if you can turn off https in unraid settings. Then you should be fine

Link to comment

I couldn't see an obvious way to turn off https in unraid. I changed the secure port number in unraid which I don't think is a long term solution but has done the trick for now!

Link to comment
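Before moving ports around, confirm what actually holds 443 on the host: the unRAID web GUI is served by nginx, and a container that publishes 443 fails with exactly the "bind: address already in use" error quoted above when the host already listens there. The function below is an added example, not from the thread: it reads `ss -ltnp` output (the `ss` tool is assumed to be on the host) and prints the process names bound to a port, so you can see whether it is the GUI, a previous instance of the container, or something else. The sample output is constructed.

```sh
#!/bin/sh
# Added example: find which process on the host already listens on a port.

# Constructed sample of `ss -Hltnp` output (-H drops the header line).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=4321,fd=6),("nginx",pid=4320,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=4321,fd=7))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=4321,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# listeners_on PORT [SS_OUTPUT] -> unique process names bound to PORT.
# With one argument it runs ss itself (run as root to see other users' pids).
listeners_on() {
    port="$1"
    if [ $# -ge 2 ]; then out="$2"; else out=$(ss -Hltnp); fi
    # Field 4 is the local address (IPv4 or [::]), field 6 the users:((...)) list.
    printf '%s\n' "$out" |
        awk -v re=":${port}\$" '$4 ~ re { print $6 }' |
        sed 's/users:(("\([^"]*\)".*/\1/' |
        sort -u
}

# port_free PORT [SS_OUTPUT] -> 0 when nothing listens on PORT.
port_free() {
    [ -z "$(listeners_on "$@")" ]
}

# Usage before starting the container:
#   port_free 443 || echo "443 held by: $(listeners_on 443)"
listeners_on 443 "$SAMPLE_SS"
```

If the answer is nginx with unRAID's own pid, the fix is either the one upthetoon used (move the GUI's HTTPS port in Settings) or a dedicated IP for the container on the second NIC, as aptalca describes; only the letsencrypt container needs that IP, since it is the only one that must own 443.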
