[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


1 minute ago, Quiks said:

Are you accessing it the same way? What do you see instead of your nextcloud page?


My only issue was getting my certificate pushed. After that, everything worked per normal.


You should be able to go to your public IP address:port instead of the domain and have it work as well (albeit without the pretty "secure" icon), assuming you have this allowed in your conf.

Nothing in the logs, just this when I go to my public IP. Everything was normal up until a couple of days ago:


502 Bad Gateway


nginx/1.12.2
2 minutes ago, ffhelllskjdje said:

Nothing in the logs, just this when I go to my public IP. Everything was normal up until a couple of days ago:


502 Bad Gateway


nginx/1.12.2

Maybe try restarting nextcloud? Can you access it locally (not through nginx)?

Is it only nextcloud having an issue?
Just now, lespaul said:

Count me among the dead. My ISP blocks port 80 so httpval doesn't seem to work. Not really sure what to do?

You just have to wait for a fix, or for letsencrypt to accept ports other than 80/443 =P. I'm betting this container will be fixed before that though.

2 minutes ago, ffhelllskjdje said:

I've tried rebooting both to no effect.

I only have nextcloud running so no other apps to check.

So frustrating, it was working fine for like 6 months and now it's broken.

Try adding another app into it and see if you can get that working.

Post your conf file and I'll eyeball it, but I'm by no means an nginx expert.
3 minutes ago, Quiks said:

Try adding another app into it and see if you can get that working.

Post your conf file and I'll eyeball it, but I'm by no means an nginx expert.

server {
    listen 443 ssl;
    server_name nextcloud.mydomain.org;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-$
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    client_max_body_size 0;
    location / {
        proxy_pass https://192.168.1.1:444/;
        proxy_max_temp_file_size 4096m;
        include /config/nginx/proxy.conf;
    }
}

Thanks. Config hasn't changed. It's like it's being ignored though.

Port 444 is nextcloud.
Just tried HTTPVAL = true, forwarded port 80 to my exposed http port 90 > 80 and it did the trick.

Hopefully they fix this so I can close back up port 80.

Edit: for anyone else who needs to know where to edit this, it's under advanced settings.


Same here. Fixed it after I changed the value, added the 80 port forward to my internal http port on the container. I did check to make sure I redirect to https but I will probably close 80 again in a bit until it breaks again.
9 minutes ago, ffhelllskjdje said:

server {
    listen 443 ssl;
    server_name nextcloud.mydomain.org;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-$
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    client_max_body_size 0;
    location / {
        proxy_pass https://192.168.1.1:444/;
        proxy_max_temp_file_size 4096m;
        include /config/nginx/proxy.conf;
    }
}

Thanks. Config hasn't changed. It's like it's being ignored though.

Port 444 is nextcloud.

Can you reach nextcloud on https://192.168.1.1:444/ right now?
21 minutes ago, Quiks said:


Can you reach nextcloud on https://192.168.1.1:444/ right now?

It times out. Same error, 502 bad gateway.

Thanks, that tipped me off. I was just in that file earlier and had the wrong IP above; a zero got deleted somehow. Fixed and up and running again.
37 minutes ago, Greygoose said:

Looks like you're onto something, but without being able to start the container I can't get to a bash command prompt to try any of that. Maybe someone knows of a way I can keep the container running to try this...

Hi all,

Hopefully my strange fix helps people here with this "Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA." error, because HTTPVAL was not working for me (and my ISP does not block port 80) and I figured out why...

I use a docker-compose file with the line "image: linuxserver/letsencrypt:latest" and it was not updating my image upon running "docker-compose up -d" for whatever reason. I came to this conclusion after closing port 80 in my router and not receiving the timeout error during validation.

Then I ran "docker pull linuxserver/letsencrypt:latest" and watched it actually pull the latest image, start letsencrypt and bam, I was able to complete validation.

IDK how to force an update to an image on unRAID or others, or if my fix will work for anyone else, because I use Docker for Mac (do not have an unRAID box YET :P)

edit - spelling
2 hours ago, ffhelllskjdje said:

server {
    listen 443 ssl;
    server_name nextcloud.mydomain.org;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-$
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    client_max_body_size 0;
    location / {
        proxy_pass https://192.168.1.1:444/;
        proxy_max_temp_file_size 4096m;
        include /config/nginx/proxy.conf;
    }
}

Thanks. Config hasn't changed. It's like it's being ignored though.

Port 444 is nextcloud.

You don't have port 80 configured to respond. You need to enable the default port 80 response so that letsencrypt can connect to it to verify.

Is anyone having this error or am I just the lucky one? It looks similar to the ones above, though I am able to log in and get that error due to "sleep infinity".


Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


I seem to be having issues with the docker starting since last night's update:

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d books.MyDomain.com -d cp.MyDomain.com -d emby.MyDomain.com -d photos.MyDomain.com -d sab.MyDomain.com -d shows.MyDomain.com -d sick.MyDomain.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
What is the recommended next step?


I was playing around with some configuration last night, but it did start when I left it last night.

47 minutes ago, FreeMan said:

I seem to be having issues with the docker starting since last night's update:

What is the recommended next step?

I was playing around with some configuration last night, but it did start when I left it last night.

It's not you. A big security vulnerability killed one of their (Let's Encrypt) authentication methods - https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/. TL;DR: Let's Encrypt properly followed a standard, the standard had a flaw. Let's Encrypt disabled the standard.

Luckily the genius folks at LSIO have built in a workaround.

Add a new variable:

-e HTTPVAL - if you wish to get certs through http validation on port 80 instead of port 443, set this to true. Keep in mind that you also have to map port 80 as listed above - SOURCE: https://github.com/linuxserver/docker-letsencrypt

In my case, my internet provider blocks port 80, so the HTTPVAL fix won't work.

Since the TLS-SNI challenge is deactivated and I can't use the HTTP challenge, I'm obligated to use the DNS-01 challenge. I've found a way to use it with this docker and Cloudflare. You will need those 2 scripts (here) and you will need to modify the script /etc/cont-init.d/50-config inside the docker.

docker exec -it [DOCKERNAME] /bin/bash
vi /etc/cont-init.d/50-config

In the file, comment out this line:

certbot certonly --non-interactive --renew-by-default --standalone --preferred-challenges $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URLS

And add this one:

certbot certonly --agree-tos --manual --manual-public-ip-logging-ok --preferred-challenges=dns --manual-auth-hook /app/authenticator.sh --manual-cleanup-hook /app/cleanup.sh --rsa-key-size 4096 $EMAILPARAM --no-eff-email $URLS

However, this is a one-time fix, since any modification to the docker is reverted when it is restarted.

@aptalca It would be nice if the DNS-01 challenge could be added definitively to this docker.

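As an added example (not matthope's scripts, which the post links but does not reproduce), this is what a certbot DNS-01 hook pair like /app/authenticator.sh and /app/cleanup.sh has to do, written as one Python 3 file that serves both --manual-auth-hook and --manual-cleanup-hook and, unlike a blind result[0] lookup, checks that the zone query actually returned something before indexing it (indexing a null result is one way to end up with the TypeError quoted later in the thread). It assumes Cloudflare's v4 API with a scoped API token read from CF_API_TOKEN (a constructed variable name), the hypothetical path /config/cf_hook.py, and the variables certbot sets for manual hooks: CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_REMAINING_CHALLENGES and, on cleanup, CERTBOT_AUTH_OUTPUT, which carries whatever the auth hook printed.

```python
#!/usr/bin/env python3
"""Certbot DNS-01 manual hooks for Cloudflare: auth and cleanup in one file.

Wire it in with  --manual-auth-hook "/config/cf_hook.py auth"
                 --manual-cleanup-hook "/config/cf_hook.py cleanup"
Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION per domain and, on cleanup,
hands back whatever the auth run printed to stdout in CERTBOT_AUTH_OUTPUT."""
import json, os, sys, time, urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

def cf_request(method, path, body=None):
    """One authenticated call to the Cloudflare v4 API; returns the decoded JSON.
    Assumes a scoped API token in CF_API_TOKEN (constructed variable name)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(CF_API + path, data=data, method=method, headers={
        "Authorization": "Bearer " + os.environ["CF_API_TOKEN"],
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_zone(domain, request=cf_request):
    """Walk from the full name toward the apex until Cloudflare reports a zone.
    A null or empty 'result' is never indexed; it falls through to a clear error."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        reply = request("GET", "/zones?name=" + candidate)
        result = reply.get("result") or []
        if reply.get("success") and result:
            return result[0]["id"], candidate
    raise SystemExit("no Cloudflare zone found for " + domain)

def auth(domain, validation, request=cf_request):
    """Create the _acme-challenge TXT record; returns 'zone_id:record_id' for cleanup."""
    zone_id, _ = find_zone(domain, request)
    reply = request("POST", f"/zones/{zone_id}/dns_records", {
        "type": "TXT", "name": "_acme-challenge." + domain,
        "content": validation, "ttl": 120})
    if not reply.get("success"):
        raise SystemExit("TXT record creation failed: " + json.dumps(reply.get("errors")))
    return f"{zone_id}:{reply['result']['id']}"

def cleanup(auth_output, request=cf_request):
    """Delete the record auth() created; auth_output is the line auth() printed."""
    zone_id, record_id = auth_output.strip().split(":", 1)
    reply = request("DELETE", f"/zones/{zone_id}/dns_records/{record_id}")
    return bool(reply.get("success"))

def main(argv):
    mode = argv[1] if len(argv) > 1 else ""
    if mode not in ("auth", "cleanup"):
        print("usage: cf_hook.py auth|cleanup (invoked by certbot, not by hand)")
        return 2
    domain = os.environ["CERTBOT_DOMAIN"]
    if mode == "auth":
        print(auth(domain, os.environ["CERTBOT_VALIDATION"]))
        # Hooks run once per domain: wait for DNS propagation only after the last
        # record exists. DNS_PROPAGATION_SECONDS is this script's own knob.
        if os.environ.get("CERTBOT_REMAINING_CHALLENGES", "0") == "0":
            time.sleep(int(os.environ.get("DNS_PROPAGATION_SECONDS", "30")))
    else:
        cleanup(os.environ.get("CERTBOT_AUTH_OUTPUT", ""))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the file under /config (the persisted volume) rather than /app, otherwise it disappears with the next container recreation exactly as the 50-config edit above does.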

Hi folks

Can't seem to make it work again.

Changed "HTTPVAL" to "true" but I think my provider blocks port 80:


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.com -d dlg.mydomain.com -d cp.mydomain.com -d sr.mydomain.com -d sab.mydomain.com -d nc.mydomain.com -d office.mydomain.com -d plexpy.mydomain.com -d ha.mydomain.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
http-01 challenge for www.mydomain.com
http-01 challenge for dlg.mydomain.com
http-01 challenge for cp.mydomain.com
http-01 challenge for sr.mydomain.com
http-01 challenge for sab.mydomain.com
http-01 challenge for nc.mydomain.com
http-01 challenge for office.mydomain.com
http-01 challenge for plexpy.mydomain.com
http-01 challenge for ha.mydomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ha.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ha.mydomain.com/.well-known/acme-challenge/37kVVX3GQepKzvimZVl2ZWe9LAeWbGQHKtqriblf2eY: Timeout, cp.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cp.mydomain.com/.well-known/acme-challenge/iblVH3jUuFK0ezr-4y8NjXmlxXc3-H7P8zzoKlKU-18: Timeout, mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.com/.well-known/acme-challenge/-L6DgVivC4CAWB4w0P_ca32hKMlMg-TCnEQ8jOshKW8: Timeout, www.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.mydomain.com/.well-known/acme-challenge/m_urJrcV5bGi7_w_TgmtP9QFyNucA4-jegcU2sh-DMo: Timeout, dlg.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://dlg.mydomain.com/.well-known/acme-challenge/X2QMi7zQp0T2n3hyP8JGSs_rQJtTR9ly874lqvtS49g: Timeout, nc.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nc.mydomain.com/.well-known/acme-challenge/nMZ0kONU3uVrPno4IMCs5yQbYjWmhOFSE5v7rqR-gkc: Timeout, office.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://office.mydomain.com/.well-known/acme-challenge/-q-KtpROO-cUzdDcm4oO5_84E-Lf4pA1lwmi6Akuvw4: Timeout, plexpy.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://plexpy.mydomain.com/.well-known/acme-challenge/HhpJuxmw8jg3fxgZuRKLqPjNn4QQTEvBVWg66IIGMNo: Timeout, sr.mydomain.com (http-01): urn:acme:error:connection :: The 
server could not connect to the client to verify the domain :: Fetching http://sr.mydomain.com/.well-known/acme-challenge/BqtOau3Gc_lu5_FsPApWjF_DoChm0ctSn8DGbnd6j14: Timeout, sab.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sab.mydomain.com/.well-known/acme-challenge/L6d2qCm8DXNUwlnjJW6pfKnJ484MS09u_InlLt9Jv_8: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: ha.mydomain.com
Type: connection
Detail: Fetching
http://ha.mydomain.com/.well-known/acme-challenge/37kVVX3GQepKzvimZVl2ZWe9LAeWbGQHKtqriblf2eY:
Timeout

Domain: cp.mydomain.com
Type: connection
Detail: Fetching
http://cp.mydomain.com/.well-known/acme-challenge/iblVH3jUuFK0ezr-4y8NjXmlxXc3-H7P8zzoKlKU-18:
Timeout

Domain: mydomain.com
Type: connection
Detail: Fetching
http://mydomain.com/.well-known/acme-challenge/-L6DgVivC4CAWB4w0P_ca32hKMlMg-TCnEQ8jOshKW8:
Timeout

Domain: www.mydomain.com
Type: connection
Detail: Fetching
http://www.mydomain.com/.well-known/acme-challenge/m_urJrcV5bGi7_w_TgmtP9QFyNucA4-jegcU2sh-DMo:
Timeout

Domain: dlg.mydomain.com
Type: connection
Detail: Fetching
http://dlg.mydomain.com/.well-known/acme-challenge/X2QMi7zQp0T2n3hyP8JGSs_rQJtTR9ly874lqvtS49g:
Timeout

Domain: nc.mydomain.com
Type: connection
Detail: Fetching
http://nc.mydomain.com/.well-known/acme-challenge/nMZ0kONU3uVrPno4IMCs5yQbYjWmhOFSE5v7rqR-gkc:
Timeout

Domain: office.mydomain.com
Type: connection
Detail: Fetching
http://office.mydomain.com/.well-known/acme-challenge/-q-KtpROO-cUzdDcm4oO5_84E-Lf4pA1lwmi6Akuvw4:
Timeout

Domain: plexpy.mydomain.com
Type: connection
Detail: Fetching
http://plexpy.mydomain.com/.well-known/acme-challenge/HhpJuxmw8jg3fxgZuRKLqPjNn4QQTEvBVWg66IIGMNo:
Timeout

Domain: sr.mydomain.com
Type: connection
Detail: Fetching
http://sr.mydomain.com/.well-known/acme-challenge/BqtOau3Gc_lu5_FsPApWjF_DoChm0ctSn8DGbnd6j14:
Timeout

Domain: sab.mydomain.com
Type: connection
Detail: Fetching
http://sab.mydomain.com/.well-known/acme-challenge/L6d2qCm8DXNUwlnjJW6pfKnJ484MS09u_InlLt9Jv_8:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

2 hours ago, matthope said:

In my case, my internet provider blocks port 80, so the HTTPVAL fix won't work.

Since the TLS-SNI challenge is deactivated and I can't use the HTTP challenge, I'm obligated to use the DNS-01 challenge. I've found a way to use it with this docker and Cloudflare. You will need those 2 scripts (here) and you will need to modify the script /etc/cont-init.d/50-config inside the docker.

docker exec -it [DOCKERNAME] /bin/bash
vi /etc/cont-init.d/50-config

In the file, comment out this line:

certbot certonly --non-interactive --renew-by-default --standalone --preferred-challenges $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URLS

And add this one:

certbot certonly --agree-tos --manual --manual-public-ip-logging-ok --preferred-challenges=dns --manual-auth-hook /app/authenticator.sh --manual-cleanup-hook /app/cleanup.sh --rsa-key-size 4096 $EMAILPARAM --no-eff-email $URLS

However, this is a one-time fix, since any modification to the docker is reverted when it is restarted.

@aptalca It would be nice if the DNS-01 challenge could be added definitively to this docker.

Hi, and how do you start this workaround?

Ok, I had overlooked the two scripts. At least I now have a workaround.

I also tried with HTTPVAL but this was not working. Port 80 is forwarded to LetsEncrypt, but I am not sure if I have to change something in my sites-conf?

Do I need to enable 80 for all virtual hosts? At the moment I am forwarding port 80 to 443 in all virtual hosts.

Br,

Johannes

Ok, it is not working with the temporary workaround.

I am getting:


Error output from authenticator.sh:

Traceback (most recent call last):
File "<string>", line 1, in <module>
TypeError: 'NoneType' object has no attribute '__getitem__'
Traceback (most recent call last):
File "<string>", line 1, in <module>
TypeError: 'NoneType' object has no attribute '__getitem__'

