local.bin Posted January 5, 2018 (edited)

6 hours ago, aptalca said:
> Could be browser cache (301 redirect from an earlier try). Try in a different browser, or mobile and see if it works

It does appear to be working now except for one critical factor I have just noticed. The letsencrypt log when starting the docker states it has seen the extra domains, but I don't find their keys in the /config/keys directory? As I am referencing the same certs for domain 2 as I am for domain 1, oddly the new second domain is getting secured with no errors in the browser lock. As well, /etc/letsencrypt/live/ only contains a domain1 directory. It seems like domain2 is using domain1 certs with no errors, but that doesn't seem right? Have I misunderstood what should be happening?

Edit: I have my extra domain set up with a variable called EXTRA_DOMAINS and it is set to domain2, www.domain2, cloud.domain2

Log:
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d domain2 -d www.domain2 -d cloud.domain2

So is this correct and I shouldn't expect another directory with the domain2 cert in?

Edited January 5, 2018 by local.bin
Greygoose Posted January 6, 2018 (edited)

Please advise, I have no hair remaining. I'm following this guide https://linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

Prior to editing the nextcloud config.php and creating the nextcloud file, nextcloud worked fine. Letsencrypt looked to be doing its thing (docker stayed open) and when I entered nextcloud.mywebsite.com it would ask to accept the certificate, then show the letsencrypt page. I also pinged my nextcloud.website.com and it came back with my static IP address.

When I go to a web browser and try https://nextcloud.mywebsite.com I get 502 bad gateway.

CONFIG.PHP

root@unraid:/mnt/cache/appdata/nextcloud/www/nextcloud/config#

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => '254v24v42',
  'passwordsalt' => '425v24v42v',
  'secret' => '324rt23gwevewg45v',
  'trusted_domains' =>
  array (
    0 => '192.168.1.200:446',
    1 => 'nextcloud.mywebsite.com',
  ),
  'overwrite.cli.url' => 'https://nextcloud.mywebsite.com',
  'overwritehost' => 'nextcloud.mywebsite',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.200:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'Bond',
  'dbpassword' => 'SECRETPASSWORD',
  'installed' => true,
);

---------------------------------------------------------------------------------------

nextcloud

root@unraidserver:/mnt/cache/appdata/letsencrypt/nginx/site-confs#

server {
  listen 443 ssl;
  server_name nextcloud.mywebsite.com;
  root /config/www;
  index index.html index.htm index.php;
  ###SSL Certificates
  ssl_certificate /config/keys/letsencrypt/fullchain.pem;
  ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
  ###Diffie–Hellman key exchange ###
  ssl_dhparam /config/nginx/dhparams.pem;
  ###SSL Ciphers
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE$
  ###Extra Settings###
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ### Add HTTP Strict Transport Security ###
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header Front-End-Https on;
  client_max_body_size 0;
  location / {
    proxy_pass https://192.168.1.200:444/;
    proxy_max_temp_file_size 2048m;
    include /config/nginx/proxy.conf;
  }
}

----------------------------------------------------------------------------------------------------------------------------

EDIT: this is my nextcloud/nginx/site-confs/default

upstream php-handler {
  server 127.0.0.1:9000;
  # server unix:/var/run/php/php7.0-fpm.sock;
}

server {
  listen 80;
  server_name _;
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name _;

  ssl_certificate /config/keys/cert.crt;
  ssl_certificate_key /config/keys/cert.key;

  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  # add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # Path to the root of your installation
  root /config/www/nextcloud/;

  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
  rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }

--------------------------------------------------------------------------

This is my namecheap dns

Edited January 6, 2018 by Greygoose
aptalca Posted January 7, 2018

On 1/5/2018 at 10:45 AM, testtubetony said:
> Has anyone gotten this to work with a noip.com domain? Here's the errors I keep getting...
>
> [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
> [s6-init] ensuring user provided files have correct perms...exited 0.
> [fix-attrs.d] applying ownership & permissions fixes...
> [fix-attrs.d] done.
> [cont-init.d] executing container initialization scripts...
> [cont-init.d] 10-adduser: executing...
> -------------------------------------
> Brought to you by linuxserver.io
> We gratefully accept donations at:
> https://www.linuxserver.io/donations/
> -------------------------------------
> GID/UID
> -------------------------------------
> User uid: 99
> User gid: 100
> -------------------------------------
> [cont-init.d] 10-adduser: exited 0.
> [cont-init.d] 20-config: executing...
> [cont-init.d] 20-config: exited 0.
> [cont-init.d] 30-keygen: executing...
> using keys found in /config/keys
> [cont-init.d] 30-keygen: exited 0.
> [cont-init.d] 50-config: executing...
> 2048 bit DH parameters present
> SUBDOMAINS entered, processing
> Sub-domains processed are: -d mydomain.ddns.net
> E-mail address entered: [email protected]
> Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
> usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
> Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the cert.
> certbot: error: argument --cert-path: No such file or directory
> Generating new certificate
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Obtaining a new certificate
> Performing the following challenges:
> tls-sni-01 challenge for ddns.net
> tls-sni-01 challenge for mydomain.ddns.net
> Waiting for verification...
> Cleaning up challenges
> Failed authorization procedure. ddns.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
>
> IMPORTANT NOTES:
>  - The following errors were reported by the server:
>    Domain: ddns.net
>    Type: connection
>    Detail: Timeout
>    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
>  - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
> /var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
> [cont-init.d] 50-config: exited 1.
> [cont-finish.d] executing container finish scripts...
> [cont-finish.d] done.
> [s6-finish] syncing disks.
> [s6-finish] sending all processes the TERM signal.
> [s6-finish] sending all processes the KILL signal and exiting.
>
> That was my last attempt. Of course I edited out my personal info... Seems just having mydomain.ddns.net isn't enough, and in the noip panel I can't seem to add a www to my domain. Any suggestions?
>
> EDIT: I got it to start finally. Had to change the subdomains only flag. Now I have webserver access. Is there supposed to be a user interface, or do I have to configure the proxies manually via terminal?

Looks like somebody didn't read the instructions. "Url" should be the top level you control. If you're using dynamic dns, your "url" will be "yoursubdomain.ddns.net". You do not control ddns.net and letsencrypt cannot validate it. That's the error. Once you fix your url, your subdomains then will allow your cert to cover www.yoursubdomain.ddns.net and such as well.
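An added illustration (not the container's own script) of how URL, SUBDOMAINS, EXTRA_DOMAINS and ONLY_SUBDOMAINS turn into the single list of certbot -d flags the logs in this thread show, and why URL=ddns.net fails: the set of provider zones and the function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Assumption: apex zones owned by dynamic-DNS providers. A home user controls
# "name.ddns.net", never "ddns.net" itself, so the CA cannot validate the apex.
DDNS_PROVIDER_ZONES = {"ddns.net", "duckdns.org"}


@dataclass
class CertRequest:
    domains: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def certbot_args(self) -> List[str]:
        """One certificate request: every name becomes its own -d flag."""
        args: List[str] = []
        for name in self.domains:
            args += ["-d", name]
        return args


def _split_csv(value: str) -> List[str]:
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def build_cert_request(url: str, subdomains: str = "", extra_domains: str = "",
                       only_subdomains: bool = False) -> CertRequest:
    """Model of how the container's variables feed a single certbot run."""
    req = CertRequest()
    url = url.strip().lower()
    if not url:
        req.warnings.append("URL is empty: certbot needs at least one domain")
        return req
    if url in DDNS_PROVIDER_ZONES:
        req.warnings.append(
            f"URL={url} is a dynamic-DNS provider zone you do not control; "
            f"set URL to your own name (yourname.{url}) and put www etc. in SUBDOMAINS")
    if not only_subdomains:
        req.domains.append(url)              # "Only subdomains, no URL in cert" otherwise
    for sub in _split_csv(subdomains):
        req.domains.append(f"{sub}.{url}")   # SUBDOMAINS are relative to URL
    req.domains.extend(_split_csv(extra_domains))  # EXTRA_DOMAINS are absolute names
    if not req.domains:
        req.warnings.append("ONLY_SUBDOMAINS=true but SUBDOMAINS is empty: nothing to request")
    seen = set()
    unique: List[str] = []
    for name in req.domains:                 # keep order, drop repeats
        if name not in seen:
            seen.add(name)
            unique.append(name)
    req.domains = unique
    return req


if __name__ == "__main__":
    cases = [
        {"url": "ddns.net", "subdomains": "mydomain"},        # the failing post above
        {"url": "mydomain.ddns.net", "subdomains": "www"},    # the suggested fix
        {"url": "domain1", "extra_domains": "domain2, www.domain2, cloud.domain2"},
    ]
    for kwargs in cases:
        r = build_cert_request(**kwargs)
        print(kwargs, "->", " ".join(r.certbot_args()), r.warnings)
```

Every name ends up in one request, which is why the thread's later reply says the container only ever produces a single certificate covering all of them.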
aptalca Posted January 7, 2018

On 1/5/2018 at 2:37 PM, local.bin said:
> It does appear to be working now except for one critical factor I have just noticed. The letsencrypt log when starting the docker states it has seen the extra domains, but I don't find their keys in the /config/keys directory? As I am referencing the same certs for domain 2 as I am for domain 1, oddly the new second domain is getting secured with no errors in the browser lock. As well, /etc/letsencrypt/live/ only contains a domain1 directory. It seems like domain2 is using domain1 certs with no errors, but that doesn't seem right? Have I misunderstood what should be happening?
>
> Edit: I have my extra domain set up with a variable called EXTRA_DOMAINS and it is set to domain2, www.domain2, cloud.domain2
>
> Log:
> EXTRA_DOMAINS entered, processing
> Extra domains processed are: -d domain2 -d www.domain2 -d cloud.domain2
>
> So is this correct and I shouldn't expect another directory with the domain2 cert in?

This container only generates one cert, which covers all the domains and subdomains you select.
noties Posted January 9, 2018

On 12/18/2017 at 9:32 AM, GilbN said:
> Hm, when looking at what I posted I just see the same?

GilbN (and others), I'm not sure if you got this working or not, but I'm going to post this here to help others that may be struggling as much as I did with letsencrypt/fail2ban and email notifications. Here are my working configs and steps for letsencrypt/fail2ban and email notifications using gmail.

Copy sendmail-whois.conf to sendmail-whois.local
Copy sendmail-common.conf to sendmail-common.local
Make changes to both .local files outlined below.
Edit jail.local with changes outlined below.

sendmail-common.local (if you don't care about fail2ban start notifications, I think you can skip this)

actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' [email protected] -apPASSWORD <dest>

Only need to change the last line. Replace the UPPERCASE with your username and password. Leave all else.

sendmail-whois.local

actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' [email protected] -apPASSWORD <dest>

Same thing... Only need to change the last line of the actionban. Insert your username and password where the UPPERCASE is.

jail.local

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
ignoreip = 10.1.1.0/24
mta = sendmail
action = sendmail-whois[name=letsencrypt, [email protected]]
         iptables-multiport[name=letsencrypt, port="http,https", protocol=tcp]

ignoreip is my local home subnet.
mta - set it to sendmail
action - If you want fail2ban to notify AND add a block to iptables, you need both actions. I couldn't get it to block and send an email without adding both actions.

These settings finally worked for me.
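An added model (not fail2ban's or the container's own code) of what the jail above does with error.log lines: a simplified nginx-http-auth failregex, the ignoreip subnet, the findtime/maxretry window, and both actions firing together on a ban. The log lines, IPs and hostnames are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Assumption: a simplified form of the stock nginx-http-auth failregex, written
# for this demo. It matches the two failure shapes nginx logs for basic auth.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ "
    r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), '
    r"client: (?P<host>[0-9a-fA-F.:]+), server: ")


class HttpAuthJail:
    """Minimal model of [nginx-http-auth]: ignoreip, findtime, maxretry, actions."""

    def __init__(self, ignoreip=("10.1.1.0/24",), maxretry=5, findtime=600,
                 actions=("sendmail-whois", "iptables-multiport")):
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.actions = tuple(actions)
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: Dict[str, datetime] = {}

    def is_ignored(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line: str) -> List[Tuple[str, str]]:
        """Process one error.log line; return the (action, ip) pairs it triggers."""
        m = FAILREGEX.search(line)
        if not m:
            return []
        ip = m.group("host")
        if self.is_ignored(ip) or ip in self.banned:
            return []
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:   # forget stale failures
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            window.clear()
            return [(action, ip) for action in self.actions]  # mail AND iptables
        return []


def run_jail(lines, **jail_kwargs):
    """Feed every line through a fresh jail; return the jail and all fired actions."""
    jail = HttpAuthJail(**jail_kwargs)
    fired: List[Tuple[str, str]] = []
    for line in lines:
        fired.extend(jail.feed(line))
    return jail, fired


def auth_failure_line(ts: str, user: str, ip: str, unknown_user: bool = False) -> str:
    """Construct an nginx error.log line for a failed basic-auth attempt on /cops/."""
    reason = (' was not found in "/config/nginx/.htpasswd"' if unknown_user
              else ': password mismatch')
    return (f'{ts} [error] 321#321: *7 user "{user}"{reason}, client: {ip}, '
            f'server: someserver.duckdns.org, request: "GET /cops/ HTTP/1.1", '
            f'host: "someserver.duckdns.org"')


# Constructed sample: five quick failures from outside, five from the LAN (ignored),
# and two from a third address that never reaches maxretry.
SAMPLE_LOG = (
    [auth_failure_line(f"2018/01/09 12:00:0{i}", "bob", "203.0.113.5") for i in range(1, 6)]
    + [auth_failure_line(f"2018/01/09 12:01:0{i}", "bob", "10.1.1.20") for i in range(1, 6)]
    + [auth_failure_line("2018/01/09 12:02:00", "alice", "198.51.100.7", unknown_user=True),
       auth_failure_line("2018/01/09 12:02:30", "alice", "198.51.100.7", unknown_user=True)]
)

if __name__ == "__main__":
    jail, fired = run_jail(SAMPLE_LOG)
    for action, ip in fired:
        print(f"{action}: {ip}")
```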
GilbN Posted January 10, 2018

18 hours ago, noties said:
> GilbN (and others), I'm not sure if you got this working or not, but I'm going to post this here to help others that may be struggling as much as I did with letsencrypt/fail2ban and email notifications. Here are my working configs and steps for letsencrypt/fail2ban and email notifications using gmail.
>
> Copy sendmail-whois.conf to sendmail-whois.local
> Copy sendmail-common.conf to sendmail-common.local
> Make changes to both .local files outlined below.
> Edit jail.local with changes outlined below.
>
> sendmail-common.local (if you don't care about fail2ban start notifications, I think you can skip this)
>
> actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
>               Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
>               From: <sendername> <<sender>>
>               To: <dest>\n
>               Hi,\n
>               The jail <name> has been started successfully.\n
>               Regards,\n
>               Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' [email protected] -apPASSWORD <dest>
>
> Only need to change the last line. Replace the UPPERCASE with your username and password. Leave all else.
>
> sendmail-whois.local
>
> actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
>             Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
>             From: <sendername> <<sender>>
>             To: <dest>\n
>             Hi,\n
>             The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n
>             Here is more information about <ip> :\n
>             `/usr/bin/whois <ip> || echo missing whois program`\n
>             Regards,\n
>             Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' [email protected] -apPASSWORD <dest>
>
> Same thing... Only need to change the last line of the actionban. Insert your username and password where the UPPERCASE is.
>
> jail.local
>
> [nginx-http-auth]
> enabled = true
> filter = nginx-http-auth
> port = http,https
> logpath = /config/log/nginx/error.log
> ignoreip = 10.1.1.0/24
> mta = sendmail
> action = sendmail-whois[name=letsencrypt, [email protected]]
>          iptables-multiport[name=letsencrypt, port="http,https", protocol=tcp]
>
> ignoreip is my local home subnet.
> mta - set it to sendmail
> action - If you want fail2ban to notify AND add a block to iptables, you need both actions. I couldn't get it to block and send an email without adding both actions.
>
> These settings finally worked for me.

Thanks, will try this!
GilbN Posted January 10, 2018

@noties I've added what you've posted and it works, but it doesn't seem to actually ban the IP. It logs that the IP is banned but I can still access the site (using LTE on mobile). If I remove the mta/action/iptables-multiport lines it bans like normal. Did you test that access is blocked?
noties Posted January 10, 2018

1 minute ago, GilbN said:
> @noties I've added what you've posted and it works, but it doesn't seem to actually ban the IP. It logs that the IP is banned but I can still access the site (using LTE on mobile). If I remove the mta/action/iptables-multiport lines it bans like normal. Did you test that access is blocked?

Yes, I tested. I couldn't get a ban to work without adding the iptables-multiport. Are you restarting the docker every time you make a change to jail.local? I found strange behavior unless I restarted the docker. I can test again and report.
GilbN Posted January 10, 2018

1 minute ago, noties said:
> Yes, I tested. I couldn't get a ban to work without adding the iptables-multiport. Are you restarting the docker every time you make a change to jail.local? I found strange behavior unless I restarted the docker. I can test again and report.

Yeah, restarting after every edit.
noties Posted January 10, 2018

2 hours ago, GilbN said:
> Yeah, restarting after every edit.

I just re-tested and confirmed. If I don't have iptables-multiport as well as sendmail, I won't get a ban. These configs definitely work for my setup. I am only running .htpasswd on one of my NGINX locations, if that changes anything.

I did notice that the ban can potentially take a second or two to take effect, meaning I was able to get a username/password prompt once or twice more beyond my 5 fail threshold. I figured this is because I was entering wrong users pretty quickly.

My default file is below if it helps. I only have security on my /cops/ URL.

upstream backend {
  server 10.1.1.99:19999;
  keepalive 64;
}

server {
  listen 443 ssl default_server;
  listen 80 default_server;
  root /config/www;
  index index.html index.htm index.php;
  server_name SOMESERVER.duckdns.org;

  ssl_certificate /config/keys/letsencrypt/fullchain.pem;
  ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
  ssl_dhparam /config/nginx/dhparams.pem;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;

  client_max_body_size 0;

  # location = / {
  #   return 301 /sonarr;
  # }

  location /ombi/ {
    proxy_pass http://10.1.1.99:3579;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 90;
    proxy_redirect http://10.1.1.99:3579 https://$host;
  }

  if ($http_referer ~* /ombi/) {
    rewrite ^/dist/([0-9\d*]).js /ombi/dist/$1.js last;
  }

  location /cops {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    proxy_pass http://10.1.1.99:8008/;
  }
jasgud Posted January 11, 2018

Any suggestion as to how we can deal with the TLS-SNI-01 security flaw detailed below? They seem to have disabled their renew and request system on it.

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
FreeMan Posted January 11, 2018

I'm working my way through some of the support threads on the emby boards and one of them recommends some tweaks to the nginx.conf. I'd like to get some input from the folks here, as I trust them more than the people on the emby forum. (Nothing against emby users, but I've been there for about 15 minutes and I've been hanging out here for years.)

This is recommended:

server_tokens off;

because "This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses."

He's added these items as "further security tweaks", but doesn't indicate what they do:

add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header X-Powered-By;
add_header 'Referrer-Policy' 'no-referrer';
add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

Are these legitimate things to consider adding to my config file or are they more security theater (particularly the server_tokens off; setting)?
aptalca Posted January 11, 2018

1 hour ago, FreeMan said:
> I'm working my way through some of the support threads on the emby boards and one of them recommends some tweaks to the nginx.conf. I'd like to get some input from the folks here, as I trust them more than the people on the emby forum. (Nothing against emby users, but I've been there for about 15 minutes and I've been hanging out here for years.)
>
> This is recommended:
>
> server_tokens off;
>
> because "This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses."
>
> He's added these items as "further security tweaks", but doesn't indicate what they do:
>
> add_header X-Xss-Protection "1; mode=block" always;
> add_header X-Content-Type-Options "nosniff" always;
> add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
> add_header X-Frame-Options "SAMEORIGIN" always;
> proxy_hide_header X-Powered-By;
> add_header 'Referrer-Policy' 'no-referrer';
> add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";
>
> Are these legitimate things to consider adding to my config file or are they more security theater (particularly the server_tokens off; setting)?

Never heard of the server tokens one, but most of the rest are legit and fairly common security related settings. If you Google them you'll see tons of mentions. We didn't set those in the default config because some sites won't work with them.
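An added check (not from the thread, the emby guide or the linuxserver.io container) that parses a raw HTTP response head and reports which of the headers FreeMan listed are missing or weak, plus whether the Server/X-Powered-By headers still leak versions; both sample responses are constructed for the example and the threshold for HSTS max-age is the 2592000 from the snippet above.

```python
import re
from typing import Dict, List

# Constructed sample responses, not captured from any real server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.12.2\r\n"               # server_tokens on
    "X-Powered-By: PHP/7.0.27\r\n"            # backend version passed through
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html></html>")

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=2592000; includeSubdomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Security-Policy: frame-ancestors mydomain.com emby.mydomain.com;\r\n"
    "\r\n")


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 response head into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: Dict[str, str], min_hsts_age: int = 2592000) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # server_tokens off and proxy_hide_header X-Powered-By remove version disclosure
    if re.search(r"/\d", h.get("server", "")):
        findings.append(f"Server header discloses version: {h['server']}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By discloses backend: {h['x-powered-by']}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append(f"HSTS max-age below {min_hsts_age}: {hsts}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Either header stops the site being framed by other origins (clickjacking)
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    # X-Xss-Protection is not checked: current browsers ignore it.
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(parse_response_headers(raw)))
```

Point it at a real server by feeding it the head of a response captured with curl -i, or by swapping in the headers from http.client; nothing here talks to the network.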
aptalca Posted January 11, 2018 (edited)

3 hours ago, jasgud said:
> Any suggestion as to how we can deal with the TLS-SNI-01 security flaw detailed below? They seem to have disabled their renew and request system on it.
>
> https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

They re-enabled it for some providers. It is unclear what the long term action will be. But we already have a PR on github to add the option of http validation through port 80.

Edited January 11, 2018 by aptalca
lespaul Posted January 11, 2018

I upgraded to 6.4 and it screwed up my reverse proxy setup after adding the new cert to unraid itself. I saw earlier in this thread the suggestion to give the letsencrypt docker its own IP and to forward 443 to the new IP. This fixed it not loading, but I still couldn't access some of my dockers (emby, ubooquity, etc) via my duckdns reverse proxy. I then found that giving each docker its own IP address and updating the "nginx\site-confs\default" file with the new addresses fixed the issue. Is this the "correct" way of doing things or is there a better way?
omfgunraid Posted January 11, 2018

4 hours ago, lespaul said:
> I upgraded to 6.4 and it screwed up my reverse proxy setup after adding the new cert to unraid itself. I saw earlier in this thread the suggestion to give the letsencrypt docker its own IP and to forward 443 to the new IP. This fixed it not loading, but I still couldn't access some of my dockers (emby, ubooquity, etc) via my duckdns reverse proxy. I then found that giving each docker its own IP address and updating the "nginx\site-confs\default" file with the new addresses fixed the issue. Is this the "correct" way of doing things or is there a better way?

I had to do the exact same thing. I've been looking into this for the past few days and apparently this is the only way of doing things "properly" on 6.4. Also, if you want your dockers to communicate with each other at a certain point, don't forget that you have to select the same network when assigning the IPs.
Caboose20 Posted January 11, 2018

I am having issues getting the container to start. I had this working yesterday but I needed to remove and re-add the container as I was no longer getting updates for it. Port forward is working. I know I ran into this issue when I first set this up but I am at a loss. Can someone take a look?

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.mydomain.com -d nzbget.mydomain.com -d radarr.mydomain.com -d hydra.mydomain.com -d lazy.mydomain.com -d books.mydomain.com -d hass.mydomain.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
jasgud Posted January 11, 2018

13 hours ago, aptalca said:
> They re-enabled it for some providers. It is unclear what the long term action will be. But we already have a PR on github to add the option of http validation through port 80.

Thanks for that. For anyone struggling with this, under extra parameters enter the parameter below:

-e "HTTPVAL"="true"
Greygoose Posted January 11, 2018

I am trying this again at the weekend, as I had my DNS certificates REJECTED as I kept trying too many times and had to wait 7 days to issue a new cert. What's the most simple docker to get working with the letsencrypt docker, radarr or something?
jasgud Posted January 11, 2018 (edited)

4 hours ago, Caboose20 said:
> I am having issues getting the container to start. I had this working yesterday but I needed to remove and re-add the container as I was no longer getting updates for it. Port forward is working. I know I ran into this issue when I first set this up but I am at a loss. Can someone take a look?
>
> [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
> [s6-init] ensuring user provided files have correct perms...exited 0.
> [fix-attrs.d] applying ownership & permissions fixes...
> [fix-attrs.d] done.
> [cont-init.d] executing container initialization scripts...
> [cont-init.d] 10-adduser: executing...
> -------------------------------------
> Brought to you by linuxserver.io
> We gratefully accept donations at:
> https://www.linuxserver.io/donations/
> -------------------------------------
> GID/UID
> -------------------------------------
> User uid: 99
> User gid: 100
> -------------------------------------
> [cont-init.d] 10-adduser: exited 0.
> [cont-init.d] 20-config: executing...
> [cont-init.d] 20-config: exited 0.
> [cont-init.d] 30-keygen: executing...
> using keys found in /config/keys
> [cont-init.d] 30-keygen: exited 0.
> [cont-init.d] 50-config: executing...
> 2048 bit DH parameters present
> SUBDOMAINS entered, processing
> Only subdomains, no URL in cert
> Sub-domains processed are: -d sonarr.mydomain.com -d nzbget.mydomain.com -d radarr.mydomain.com -d hydra.mydomain.com -d lazy.mydomain.com -d books.mydomain.com -d hass.mydomain.com
> E-mail address entered: [email protected]
> Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
> usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
> Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate.
> certbot: error: argument --cert-path: No such file or directory
> Generating new certificate
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator standalone, Installer None
> Obtaining a new certificate
> Performing the following challenges:
> Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
> Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
>
> IMPORTANT NOTES:
>  - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
> /var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
> [cont-init.d] 50-config: exited 1.
> [cont-finish.d] executing container finish scripts...
> [cont-finish.d] done.
> [s6-finish] syncing disks.
> [s6-finish] sending all processes the TERM signal.
> [s6-finish] sending all processes the TERM signal.
> [s6-finish] sending all processes the KILL signal and exiting.

Your issue is the same one I was having. It's because letsencrypt disabled a service. Under your container, hit advanced options and add the code below into your extra parameters, then restart/start the service. Note that this means http (tcp 80) will need to be forwarded as well as https (tcp 443) for validation.

-e "HTTPVAL"="true"

Edited January 11, 2018 by jasgud
aptalca Posted January 11, 2018

An extra parameter makes things a little more complicated, because it is hidden in the advanced view and such. Just add a new environment variable in the GUI where the key is HTTPVAL and the value is true, similar to how there is already a variable for PUID with the value 99.
MrChunky Posted January 12, 2018 (edited)

17 hours ago, jasgud said:

Your issue is the same one I was having. It's because Let's Encrypt disabled a service. Under your container, hit Advanced options and add the code below to your extra parameters, then restart/start the service. Note that this means HTTP (TCP 80) will need to be forwarded as well as HTTPS (TCP 443) for validation.

-e "HTTPVAL"="true"

I have what seems like the same problem, so I applied the suggested fix. FYI, the required variable is already set to false by default in the docker config. There is no need to add a new variable, just change the existing one. But I am getting connection refused on port 80. Should I change something in the nginx config as well?

Domain: www.xxx.com
Type: connection
Detail: Fetching http://www.xxx.com/.well-known/acme-challenge/xxx: Connection refused

Here is my current nginx config... Port 80 listening seems to be enabled as per the instructions.

server {
    listen 80;
    server_name www.xxx.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name www.xxx.com;
    # remaining directives of this block not included in the post
}

Edit: I have figured out that the problem started after the last update of the letsencrypt docker. Still don't know how to fix it.

Edited January 12, 2018 by MrChunky
Londinium Posted January 12, 2018

Hi! I have the exact same problem as MrChunky. The Letsencrypt docker stopped working very recently. I have already:

- set the HTTPVAL variable to true
- uncommented the port 80 server section in my default nginx file
- opened port 80 on my router
- restarted the Letsencrypt docker

And I get a 401 Unauthorized in the docker log file:

Failed authorization procedure. foobar.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://foobar.duckdns.org/.well-known/acme-challenge/xxx [xx.xxx.xx.xxx]: 401

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: foobar.duckdns.org
   Type: unauthorized
   Detail: Invalid response from http://foobar.duckdns.org/.well-known/acme-challenge/UzrREGhzZemotfGsM076gy9aQdCi--8H_2OcGBMM-T4 [xx.xxx.xx.xxx]: 401

Anyone else got this? Could it be linked to the tls-sni challenge problem?

FYI, this docker has been working fine for the last 2 months (thanks, by the way!)

Londinium
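MrChunky's "Connection refused" and Londinium's "401" above are the two ways an HTTP-01 validation fails once the container is told to use it: either nothing answers on port 80 at all, or something answers but not with the challenge response. The script below is an added example written for this thread; it is not code from linuxserver.io, certbot, Let's Encrypt or any poster. It implements the arithmetic the CA checks (RFC 7638 JWK thumbprint, RFC 8555 key authorization), runs a tiny local HTTP server standing in for nginx on port 80, and then fetches the challenge URL the way the CA does, classifying the outcome as valid, connection or unauthorized. The account JWK is a constructed placeholder (not a real key), the server port is ephemeral, and the token is reused from Londinium's log; `unused_port` exists only to demonstrate the refused-connection case.

```python
"""HTTP-01 validation walk-through: what the CA fetches and what it must see.

Added example for this thread (not from linuxserver.io or certbot). The JWK,
token and server are constructed stand-ins: the local HTTP server plays the
role of nginx on port 80, validate_http01 plays the role of the Let's Encrypt CA.
"""
import base64
import hashlib
import http.server
import json
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted,
    no whitespace. Extra members such as 'kid' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the webserver that answers on port 80 during validation
    (certbot's standalone plugin, or nginx serving a webroot)."""
    challenges: dict = {}  # token -> key authorization

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        if token in self.challenges:
            body = self.challenges[token].encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)  # anything other than the exact body is 'unauthorized' to the CA

    def log_message(self, *_):  # keep the example quiet
        pass


def start_challenge_server(token: str, account_jwk: dict) -> http.server.HTTPServer:
    """Publish the key authorization for `token` on an ephemeral localhost port."""
    ChallengeHandler.challenges[token] = key_authorization(token, account_jwk)
    srv = http.server.HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_port() -> int:
    """A localhost port nothing listens on (to show the 'connection refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def validate_http01(host: str, port: int, token: str, account_jwk: dict, timeout: float = 3.0) -> str:
    """Do what the CA does: fetch the challenge URL over plain HTTP and compare.
    Returns 'valid', or a string starting with 'connection' (port unreachable: not
    forwarded, or nginx not listening) or 'unauthorized' (reachable, wrong answer),
    mirroring the two failure types reported in this thread."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # follows redirects, as the CA does
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:            # 401/403/404: server answered, but not with the challenge
        return f"unauthorized: HTTP {exc.code} from {url}"
    except (urllib.error.URLError, OSError) as exc:  # refused, timed out, no route
        return f"connection: {getattr(exc, 'reason', exc)}"
    if body == key_authorization(token, account_jwk):
        return "valid"
    return "unauthorized: key authorization mismatch"


# Constructed inputs (not a real account key): only the thumbprint arithmetic matters here.
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus", "kid": "acct-1"}
EXAMPLE_TOKEN = "UzrREGhzZemotfGsM076gy9aQdCi--8H_2OcGBMM-T4"  # token from the log above

if __name__ == "__main__":
    srv = start_challenge_server(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print(validate_http01("127.0.0.1", srv.server_address[1], EXAMPLE_TOKEN, EXAMPLE_JWK))
    srv.shutdown()
    srv.server_close()
```

Run against a real host by pointing `validate_http01` at the public name and port 80 while certbot is waiting on the challenge: a "connection" result means the forward or the port 80 listener is the problem (MrChunky's case), an "unauthorized: HTTP 401" means the request did reach a webserver but that webserver is not the one holding the challenge file (Londinium's case). Note also that the port 80 block in MrChunky's config redirects everything to HTTPS; the CA follows that redirect, so the 443 side then has to serve the same path with a certificate it will accept.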
EdgarWallace Posted January 12, 2018 (edited)

Same here... everything was running fine until today's container update:

-------------------------------------
_ _ _ | |___| (_) ___ | / __| | |/ _ \ | \__ \ | | (_) | |_|___/ |_|\___/ |_|
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
No subdomains defined
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Edited April 22, 2019 by EdgarWallace
kreene1987 Posted January 12, 2018

Mine is dead this morning as well. Same error log as above, with a different webserver address (clearly).