[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

1 minute ago, FreeMan said:

 

If you added the extra container parameter, consider removing it? I'd never added it in the first place, so maybe that's the difference.

 

/SWAG

 

No, thats not the issue, I now completley deleted the docker (+appdata directory) and recreated. It is still not working.

Link to comment

Well, maybe I jumped the gun, too...

 

The container will start, but it doesn't seem to be redirecting to my emby container. i.e. I get "Unable to connect" when I point my browser at "emby.mydoinain.com". This was working a few days ago prior to the kerfuffle about the LE docker and was working fine while trying to get the Android emby app to connect through a secured RP.

 

I looked at the docker config:

image.thumb.png.5f4df751115b6190aed99c415337f416.png

 

and I seem to have an extra "http" variable down there at the bottom. I have no recollection if this is a default path or if I'd manually added it for some reason. I've reviewed the last 12-15 pages for issues I've posted and none of the resolutions seemed to indicate me adding this as an extra variable, so this really has be cornfoosed...

 

I'd like to get confirmation that this shouldn't be there before I go and delete it

Link to comment
1 minute ago, CHBMB said:

 

Without logs, and what you're actually running nobody can really help you though.....

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
No subdomains defined
E-mail address entered: myemailaddress
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain
Waiting for verification...
Cleaning up challenges
Failed authorization procedure.mydomain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching mydomain.well-known/acme-challenge/oRXMV_jiOZf46BZZIfcvf4OMbOHr9zF7cza7CIrY4zM: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: mydomain
Type: connection
Detail: Fetching
mydomain/.well-known/acme-challenge/oRXMV_jiOZf46BZZIfcvf4OMbOHr9zF7cza7CIrY4zM:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Link to comment

The only difference I can see is that you have DHLEVEL set to 4096 whereas mine is set to 2048. I tried setting HTTPVAL to true and it still fails, albeit with a different error:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/London" -e HOST_OS="unRAID" -e "EMAIL"="mine" -e "URL"="mine" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="false" -p 443:443/tcp -p 81:80/tcp -v "/mnt/cache/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

4ace7d0eb4e12f1e6fff297403f6ef2a77f6d8a317d9825d78ef0bb4069c322b

Edited by allanp81
Link to comment

Hi,

 

I've just upgrade my unRaid server from 6.3.4 (?) to 6.4.0 and since then my container letsencrypt isn't working as it used to.

I've reinstalled the container and I still can't find the solution to the problem with some googleing :(

 

The log:

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
DH parameters bit setting changed. Deleting old dhparams file.
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................+......................................................................................................................+...+.........................................+...............................................................................................................................................+.......................................................................+...................................................+..................+.................................................................................+....................................................................+.................................................................................+..........................................................................................................+.+..................................................................................+..................................................................................................................................................................................+..........................................................+..........................................+.............................................................................................+..................................+................................................................................................................................................................................................+..............................................+.........................+.......................................................................................................+...................................................................................+.+........................................................+..........................................................................................+....................................+.......+............+...............................................................................................................................+.........................................................................................................................................................................................+.........+............................................+..........................................................+..+................................+........................................................................+....................................................................................+..................+..+...................................................................................................................................................................+......................................................................+..................................................................................................................................................................................................................................................................................................................................................................+.......................................................................+.......................................+..+.........................................+..................................+............................+............................................................+................................................................................................................................................................................+.+...............................................................................................................+.................................................+..............................................+...................+......................................................+.....................................................................................................................................................................................................+............................+.................................................................................+...........+......................................+........................................................................+...............................................................................................................................................................................................................................................................................................................................................................................................+.................................................................................+...........................................................................+................................................................................................................................................................................................................................................................................+....++*++*
DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d domain.duckdns.org
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

The container config: Screenshot_1.jpg

 

Thank you!

Screenshot_1.jpg

Edited by Muff
Link to comment

I will only post this once. Feel free to refer folks to this post.

 

A few points of clarification:

 

The last update of this image didn't break things. Letsencrypt abruptly disabled the authentication method previously used by this image (tls over port 443) due to a security vulnerability. It is unclear whether they will ever re-enable it again. 

 

So we added the option of validating  over port 80, via setting the HTTPVAL variable to true (similar to how PUID is set to 99). But you have to make sure port 80 is forwarded to the container from your router. 

 

Keep in mind that unraid gui runs on port 80, so you should map port 80 on your router to any other port, ie. 85. Then in the container settings, map port 85 to port 80.

 

Unraid template has been updated to include this new variable setting, and I think the brand new unraid stable as well as the previous betas will automatically add that variable to your settings (not 100% sure because I'm still on 6.3.5). Either way, check your settings. 

 

If your isp blocks port 80, there's nothing we can do as it is the only port letsencrypt will validate through at this point. 

 

Someone mentioned dns validation. It's not gonna happen as it is. It requires a script to change dns settings on your dns provider. Since all the dns providers have different api's for this process, we cannot automate it for you, therefore we will not add dns validation (unless there is a standardized way to update dns entries in the future but I wouldn't hold my breath). 

 

You do not need to make changes to your nginx site config and you do not need to enable listening on port 80. Validation is done through a separate web server temporarily put up during validation and is not affected by your nginx config. 

 

And one last thing, the error message about the directory not existing is harmless, it just means that you didn't have a letsencrypt cert the last time the container was started, probably because the validation had failed. 

Edited by aptalca
  • Like 2
  • Upvote 7
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.