endiz Posted January 13, 2018

5 minutes ago, aptalca said:
I will only post this once. Feel free to refer folks to this post. A few points of clarification:

The last update of this image didn't break things. Letsencrypt abruptly disabled the authentication method previously used by this image (TLS over port 443) due to a security vulnerability. It is unclear whether they will ever re-enable it again. So we added the option of validating over port 80, via setting the HTTPVAL variable to true. But you have to make sure port 80 is forwarded to the container from your router. Keep in mind that the Unraid GUI runs on port 80, so you should map port 80 on your router to any other port, i.e. 85. Then in the container settings, map port 85 to port 80. The Unraid template has been updated to include this new variable setting, and I think the brand new Unraid stable as well as the previous betas will automatically add that variable to your settings (not 100% sure because I'm still on 6.3.5). Either way, check your settings.

If your ISP blocks port 80, there's nothing we can do as it is the only port Letsencrypt will validate through at this point.

Someone mentioned DNS validation. It's not gonna happen as it is. It requires a script to change DNS settings on your DNS provider. Since all the DNS providers have different APIs for this process, we cannot automate it for you, therefore we will not add DNS validation (unless there is a standardized way to update DNS entries in the future, but I wouldn't hold my breath).

And one last thing, the error message about the directory not existing is harmless; it just means that you didn't have a Letsencrypt cert the last time the container was started, probably because the validation had failed.

Thanks! Changing HTTP to port 80, setting the HTTPVAL variable to true and port forwarding 80 > 81 on the Unraid server worked.
aptalca Posted January 13, 2018 (edited)

7 minutes ago, FreeMan said:
I went ahead and removed the extra "Hosts" parameter and LE is running; however, I'm still unable to get through to Emby. It seems that I'm having a non-fatal error on startup: Here's the run command: The new run command: Carp, is this the issue?

Check your settings: you have two HTTPVAL directives, and the second one is setting it to false.

Edited January 13, 2018 by aptalca
drsparks68 Posted January 13, 2018

11 minutes ago, aptalca said:
I will only post this once. Feel free to refer folks to this post. A few points of clarification:

The last update of this image didn't break things. Letsencrypt abruptly disabled the authentication method previously used by this image (TLS over port 443) due to a security vulnerability. It is unclear whether they will ever re-enable it again. So we added the option of validating over port 80, via setting the HTTPVAL variable to true. But you have to make sure port 80 is forwarded to the container from your router. Keep in mind that the Unraid GUI runs on port 80, so you should map port 80 on your router to any other port, i.e. 85. Then in the container settings, map port 85 to port 80. The Unraid template has been updated to include this new variable setting, and I think the brand new Unraid stable as well as the previous betas will automatically add that variable to your settings (not 100% sure because I'm still on 6.3.5). Either way, check your settings.

If your ISP blocks port 80, there's nothing we can do as it is the only port Letsencrypt will validate through at this point.

Someone mentioned DNS validation. It's not gonna happen as it is. It requires a script to change DNS settings on your DNS provider. Since all the DNS providers have different APIs for this process, we cannot automate it for you, therefore we will not add DNS validation (unless there is a standardized way to update DNS entries in the future, but I wouldn't hold my breath).

And one last thing, the error message about the directory not existing is harmless; it just means that you didn't have a Letsencrypt cert the last time the container was started, probably because the validation had failed.

Awesome write-up. Unfortunately it doesn't seem like this crappy C2000T router from CL will let me do port translation, so it seems like I'm out of luck.
CHBMB Posted January 13, 2018

Read the last few pages of this thread and it should get you going....
Muff Posted January 13, 2018

1 hour ago, endiz said:
Thanks! Changing HTTP to port 80, setting the HTTPVAL variable to true and port forwarding 80 > 81 on the Unraid server worked.

How did you do that?
Dhagon Posted January 13, 2018

After applying the HTTPVAL fix, Ombi became completely inaccessible. I've mapped the ports (internal port 81 -> external 80, 443 -> 443) and forwarded them on my router, and this setup had been working for almost a year before this. Also, for some reason, I can't access Nextcloud on my PC (timeout), but it works on my phone using the same URL. Also had some friends test this with no errors on their phones and/or PCs.
izarkhin Posted January 13, 2018

7 minutes ago, Muff said:
How did you do that?

In the container, map port 80 to some other port (8083 in this case):

In the container advanced settings, set HTTPVAL to true:

On the router, forward port 80 to the same port you mapped your container's port 80 to (port 8083 in this case):
CHBMB Posted January 13, 2018

10 minutes ago, Dhagon said:
After applying the HTTPVAL fix, Ombi became completely inaccessible. I've mapped the ports (internal port 81 -> external 80, 443 -> 443) and forwarded them on my router, and this setup had been working for almost a year before this. Also, for some reason, I can't access Nextcloud on my PC (timeout), but it works on my phone using the same URL. Also had some friends test this with no errors on their phones and/or PCs.

Absolutely nothing anyone can do to help with the information you've provided.
Dhagon Posted January 13, 2018

2 minutes ago, CHBMB said:
Absolutely nothing anyone can do to help with the information you've provided.

All right, sorry, I just didn't want to flood you with various logs and screenshots right away, as I'm not entirely sure that it's caused by this container, apart from Ombi being inaccessible. What additional information would you need to assist me? I don't really know which logs would be useful.
Taddeusz Posted January 13, 2018

Wow, this sucks! Our ISP blocks port 80 so there is absolutely nothing I can do but wait, and it's already been 3 days.
Kash76 Posted January 13, 2018

Taddeusz said:
Wow, this sucks! Our ISP blocks port 80 so there is absolutely nothing I can do but wait, and it's already been 3 days.

I thought Comcast did as well, but I set the port forwarding on 80 and it works for me. Try it.

Sent from my ONEPLUS A5010 using Tapatalk
Taddeusz Posted January 13, 2018

2 minutes ago, Kash76 said:
I thought Comcast did as well, but I set the port forwarding on 80 and it works for me. Try it.

I already did, just to make sure things haven't changed, but Cox Cable blocks port 80.
Kash76 Posted January 13, 2018

Taddeusz said:
I already did, just to make sure things haven't changed, but Cox Cable blocks port 80.

Darn

Sent from my ONEPLUS A5010 using Tapatalk
aptalca Posted January 13, 2018

3 minutes ago, Taddeusz said:
I already did, just to make sure things haven't changed, but Cox Cable blocks port 80.

Are you sure it blocks it, or does the modem's web page run on port 80? If the latter, you might be able to change it to another port.
Taddeusz Posted January 13, 2018

2 minutes ago, aptalca said:
Are you sure it blocks it, or does the modem's web page run on port 80? If the latter, you might be able to change it to another port.

Yes, they most definitely block port 80: https://www.cox.com/residential/support/internet-ports-blocked-or-restricted-by-cox.html

They don't want people running web servers out of their homes.
CHBMB Posted January 13, 2018

24 minutes ago, Dhagon said:
All right, sorry, I just didn't want to flood you with various logs and screenshots right away, as I'm not entirely sure that it's caused by this container, apart from Ombi being inaccessible. What additional information would you need to assist me? I don't really know which logs would be useful.

Scroll up to my last set of posts in this thread helping another user. Docker run command, as my sig demonstrates, and LE logs.
aptalca Posted January 13, 2018

1 minute ago, Taddeusz said:
Yes, they most definitely block port 80: https://www.cox.com/residential/support/internet-ports-blocked-or-restricted-by-cox.html They don't want people running web servers out of their homes.

Wow, that's a pretty dick move. Now their name makes more sense.
FreeMan Posted January 13, 2018

2 hours ago, aptalca said:
Check your settings: you have two HTTPVAL directives, and the second one is setting it to false.

Thanks - the penny dropped when you said that... I believe I've got everything set correctly, but I'm still getting errors and not getting access via the domain, while internally via the IP works fine.

My docker settings:

I hit the "advanced view" and put the -e "HTTPVAL"="true" in there without hitting the "Advanced settings" to realize that it had been added to the container - that's why I had 2 conflicting settings in the run command. I've rectified that and now my run command is:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.us" -e "SUBDOMAINS"="books,cp,emby,photos,sab,shows,sick" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:81/tcp -p 443:443/tcp -v "/mnt/cache/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

I'm confused by the port mapping of 81:81 - I thought it should be 80:81 (or vice versa) since I'm forwarding external port 80 to internal port 81 and LE should be listening on that. Here's the router settings showing that:

And yet the LE log shows:

IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: photos.mydomain.us
Type: connection
Detail: Fetching http://photos.mydomain.us/.well-known/acme-challenge/MnhfHpAVNOCCW7o1D8UMwqy5AzUUNr9QPfjbhwl-k1M: Connection refused
Domain: cp.mydomain.us
Type: connection
Detail: Fetching http://cp.mydomain.us/.well-known/acme-challenge/Flk3oN3gS8SyH--pD6pnLawz4Ukf0cE0Xq-lcia-N_8: Connection refused
etc...
In my ...\nginx\site-confs\default I have:

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl default_server;
    root /config/www;
    index index.html index.htm index.php;

    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header Content-Security-Policy "frame-ancestors bds.ddns.us emby.bds.ddns.us;";
    add_header Referrer-Policy "no-referrer";

    server_name _;

    #SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    #Diffie-Hellman key exchange
    ssl_dhparam /config/nginx/dhparams.pem;
    #SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    ###Extra Settings###
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
}

to redirect HTTP to HTTPS. Do I now need to remove this section in blue in order to make validation work? If so, do I need to do it only in "default" since that's the only one of the config files that listens on 80? (All the rest only have a server { listen 443 ssl; ...} section.)

I've read and re-read the last 4 pages or so of complaints, attempts, and fixes; I've thought they made sense and I've attempted to apply what I learned, but I'm still stuck...
CHBMB Posted January 13, 2018

3 hours ago, aptalca said:
You do not need to make changes to your nginx site config and you do not need to enable listening on port 80. Validation is done through a separate web server temporarily put up during validation and is not affected by your nginx config.
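To make the point in the quoted post concrete: an ACME HTTP-01 "standalone" authenticator is a throwaway web server that exists only for the validation and answers only the /.well-known/acme-challenge/<token> path, so the site's own nginx config (its listen 80 block included) plays no part in it. The script below is an added illustration of that mechanism, not code from the container, certbot or this thread; it binds to 127.0.0.1 on a free port, and the token and key authorization it serves are constructed sample values (a real token comes from the CA and the key authorization is derived from the account key as in RFC 8555, section 8.1).

```python
"""Toy ACME HTTP-01 standalone responder: a temporary HTTP server that
answers only /.well-known/acme-challenge/<token>, then goes away.
Added example, not the container's or certbot's own code."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen
from urllib.error import HTTPError

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(BaseHTTPRequestHandler):
    # token -> key authorization, filled in before the server is started
    challenges = {}

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            self.send_error(404)          # anything but a challenge path is refused
            return
        token = self.path[len(CHALLENGE_PREFIX):]
        body = self.challenges.get(token)
        if body is None:
            self.send_error(404)          # unknown token: nothing to say
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):     # keep the demo quiet
        pass


def serve_challenge(token, key_authorization, port=0):
    """Start the temporary responder on 127.0.0.1:<port> (0 = any free port).
    Returns (server, thread); the caller shuts the server down after validation."""
    ChallengeHandler.challenges[token] = key_authorization
    server = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, thread


def fetch_challenge(port, token, timeout=5):
    """Play the CA's side: fetch the token over plain HTTP.
    Returns the body as str, or None on 404 or connection failure."""
    url = f"http://127.0.0.1:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode()
    except (HTTPError, OSError):      # URLError (connection refused) is an OSError
        return None


def run_validation(token, key_authorization):
    """Stand the responder up, validate once, tear it down.
    Returns a dict describing what happened, including that the port is
    closed again afterwards (the 'temporary' part of the quoted post)."""
    server, thread = serve_challenge(token, key_authorization)
    port = server.server_address[1]
    try:
        got = fetch_challenge(port, token)
        wrong = fetch_challenge(port, "not-a-real-token")
    finally:
        server.shutdown()
        server.server_close()
        thread.join(timeout=5)
    return {
        "port": port,
        "matched": got == key_authorization,
        "unknown_token_rejected": wrong is None,
        "closed_after": fetch_challenge(port, token) is None,
    }


if __name__ == "__main__":
    # Constructed sample values; a real token and key authorization come
    # from the CA and the ACME account key respectively.
    print(run_validation("demo-token-constructed",
                         "demo-token-constructed.constructed-thumbprint"))
```

The same picture applies to the container: during validation the standalone responder is the thing listening on container port 80, which is why the -p mapping has to reach container port 80 and why nginx's own listen 80 block is irrelevant to whether validation succeeds.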
FreeMan Posted January 13, 2018

OK, so what's causing these errors in the log and causing me not to be able to access my server?

Failed authorization procedure. photos.bds.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://photos.mydomain.us/.well-known/acme-challenge/MnhfHpAVNOCCW7o1D8UMwqy5AzUUNr9QPfjbhwl-k1M: Connection refused, cp.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cp.mydomain.us/.well-known/acme-challenge/Flk3oN3gS8SyH--pD6pnLawz4Ukf0cE0Xq-lcia-N_8:

Based on the lack of other feedback, I'd presume that all the configuration info I showed appears to be correct. Like I said, I've read through several pages of posts and tried to put it all together. This is the best I've come up with and it's still not working. You may have to break out the crayons and color me a picture 'cause I'm missing something.
CHBMB Posted January 13, 2018 (edited)

35 minutes ago, FreeMan said:
OK, so what's causing these errors in the log and causing me not to be able to access my server?

Failed authorization procedure. photos.bds.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://photos.mydomain.us/.well-known/acme-challenge/MnhfHpAVNOCCW7o1D8UMwqy5AzUUNr9QPfjbhwl-k1M: Connection refused, cp.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cp.mydomain.us/.well-known/acme-challenge/Flk3oN3gS8SyH--pD6pnLawz4Ukf0cE0Xq-lcia-N_8:

Based on the lack of other feedback, I'd presume that all the configuration info I showed appears to be correct. Like I said, I've read through several pages of posts and tried to put it all together. This is the best I've come up with and it's still not working. You may have to break out the crayons and color me a picture 'cause I'm missing something.

You need to map port 80 INSIDE the docker container to port 81 on Unraid. Like this.....

Edited January 13, 2018 by CHBMB
DZMM Posted January 14, 2018

Any idea what's gone wrong? I've been using this successfully for a while, but after upgrading from RC21 to 6.4 it's stopped working. I've tried a fresh install, but it still won't work:

DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Sub-domains processed are: -d REDACTED
EXTRA_DOMAINS entered, processing
Extra domains processed are: REDACTED
E-mail address entered: REDACTED
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
FreeMan Posted January 14, 2018

1 hour ago, CHBMB said:
You need to map port 80 INSIDE the docker container to port 81 on Unraid. Like this.....

Like this?

That's how it's currently set (and hasn't been changed), but it is yielding this run command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.us" -e "SUBDOMAINS"="books,cp,emby,photos,sab,shows,sick" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:81/tcp -p 443:443/tcp -v "/mnt/cache/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

When I clicked on the Edit button from the first picture, it shows me this:

Which looks very much borked! Time for a reinstall?
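The two misconfigurations diagnosed in this thread (a repeated HTTPVAL directive where docker keeps the last value, and a -p 81:81 mapping that never reaches container port 80) are both visible in the run command Unraid prints, so they can be checked before recreating the container. The script below is an added example, not part of the linuxserver/letsencrypt container or of Unraid; it parses a docker run command line with the standard library, reports the effective HTTPVAL value, finds the host port that reaches container port 80, and says what the router must forward. The sample commands are constructed from the one posted above, with a placeholder e-mail address.

```python
"""Preflight check for the HTTPVAL (HTTP-01 over port 80) setup of the
linuxserver/letsencrypt container, derived from its `docker run` line.
Added example; not part of the container or of Unraid."""
import shlex

# Constructed from the run command posted in the thread (e-mail is a placeholder).
# Host port 81 -> container port 81, so the validator on container port 80 is unreachable.
BROKEN_CMD = (
    'docker run -d --name="letsencrypt" --net="bridge" --privileged="true" '
    '-e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="user@example.invalid" '
    '-e "URL"="mydomain.us" -e "SUBDOMAINS"="books,cp,emby" -e "ONLY_SUBDOMAINS"="false" '
    '-e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" '
    '-p 81:81/tcp -p 443:443/tcp -v "/mnt/cache/appdata/letsencrypt":"/config":rw '
    'linuxserver/letsencrypt'
)
# Same command with the mapping corrected: host 81 -> container 80.
FIXED_CMD = BROKEN_CMD.replace("-p 81:81/tcp", "-p 81:80/tcp")
# Same command with HTTPVAL given twice; docker applies the second (false).
DUP_CMD = FIXED_CMD.replace("linuxserver/letsencrypt",
                            '-e "HTTPVAL"="false" linuxserver/letsencrypt')


def parse_publish(spec):
    """Parse a -p value of the form [ip:]host:container[/proto] or container[/proto].
    Returns (host_port or None, container_port, proto)."""
    ports, _, proto = spec.partition("/")
    parts = ports.split(":")
    container = int(parts[-1])
    host = int(parts[-2]) if len(parts) >= 2 and parts[-2] else None
    return host, container, (proto or "tcp")


def parse_docker_run(cmdline):
    """Return (env, ports, repeated): env maps each -e name to its LAST value
    (docker's behaviour), ports lists parse_publish() tuples, repeated lists
    env names that appeared more than once."""
    argv = shlex.split(cmdline)          # strips the quoting Unraid adds around names/values
    env, ports, seen = {}, [], {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if arg in ("-e", "--env") and nxt is not None:
            name, _, value = nxt.partition("=")
            seen[name] = seen.get(name, 0) + 1
            env[name] = value
            i += 2
        elif arg in ("-p", "--publish") and nxt is not None:
            ports.append(parse_publish(nxt))
            i += 2
        else:
            i += 1
    repeated = sorted(n for n, c in seen.items() if c > 1)
    return env, ports, repeated


def check_httpval(cmdline):
    """Evaluate the run line against the thread's requirements for port-80 validation."""
    env, ports, repeated = parse_docker_run(cmdline)
    httpval = env.get("HTTPVAL", "false").lower() == "true"
    hosts_for_80 = [h for h, c, proto in ports
                    if c == 80 and proto == "tcp" and h is not None]
    host_port = hosts_for_80[0] if hosts_for_80 else None
    findings = []
    if repeated:
        findings.append("repeated -e names (last value wins): " + ", ".join(repeated))
    if not httpval:
        findings.append("HTTPVAL is not true; effective value is %r" % env.get("HTTPVAL"))
    elif host_port is None:
        findings.append("no -p mapping reaches container port 80 "
                        "(e.g. '-p 81:81' should be '-p 81:80')")
    else:
        findings.append(f"router: forward external TCP 80 to this host's port {host_port}")
    return {"httpval": httpval, "host_port_for_container_80": host_port,
            "repeated_env": repeated, "findings": findings}


if __name__ == "__main__":
    for label, cmd in (("broken", BROKEN_CMD), ("fixed", FIXED_CMD), ("duplicate", DUP_CMD)):
        print(label, check_httpval(cmd))
```

Run against the posted command it reports that HTTPVAL is true but nothing reaches container port 80; with the mapping changed to 81:80 it tells you to forward external port 80 to host port 81, which is the setup CHBMB describes.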
FreeMan Posted January 14, 2018

17 minutes ago, DZMM said:
Any idea what's gone wrong? I've been using this successfully for a while, but after upgrading from RC21 to 6.4 it's stopped working. I've tried a fresh install, but it still won't work:

psst... read the last 4 pages or so... Heck, just read my 2 posts above yours...
bb12489 Posted January 14, 2018 (edited)

EDIT: Never mind my post. iD10T error here.

Edited January 14, 2018 by bb12489