[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I deleted the default HTTP port mapping:

[screenshot attachment]

 

and created a new one:

[screenshot attachment]

 

and winner, winner, chicken dinner I'm back in business!

 

Is there something wrong with the template that it's mapping internally to port 81, or is that in preparation for v6.4 and I need to change my port forward at the router, or...?

5 hours ago, aptalca said:

The last update of this image didn't break things.

 

I fully appreciate all the work & support you and @CHBMB , in particular, put into supporting all the lsio containers and answering all our questions. I, for one, meant no implication that you guys broke things - it's just that the symptoms of the LE change didn't show up for us mere-mortal users until the updated, fixed version rolled out to us and we tried to revalidate our sites using configuration for the old methods. Since I don't keep a finger on the pulse of the latest security issues, my two data points were A) LE updated, and B) I can't get the container to start. That, therefore, led to my conclusion - it's broken.

 

Again - there's no way I could manage to get through all these fantastic bits working without you wizards behind the curtain. Thank you!

19 minutes ago, FreeMan said:

I deleted the default HTTP port mapping:

[screenshot attachment]

 

and created a new one:

[screenshot attachment]

 

and winner, winner, chicken dinner I'm back in business!

 

Is there something wrong with the template that it's mapping internally to port 81, or is that in preparation for v6.4 and I need to change my port forward at the router, or...?

 

The 81 part is most likely your own doing. It's port 80 in the template. 


I'm trying to use my own domain (namecheap) but either I setup the DNS wrong or I'm missing something.

I have my docker on separate IPs (example 192.168.1.4, .5, .6 etc) and I'm not sure if this is causing the issue or not. I have ports forwarded properly. If I run a DNS lookup for the subdomain.domain I see my public IP, but I'm getting this error in the log:

 

Failed authorization procedure. subdomain.domain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://subdomain.domain/.well-known/acme-challenge/o9FHDJfbOQWeotQxma9kLk-AT5iRiBRyXXNKHn5zvgQ: Timeout, subdomain.domain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://subdomain.domain/.well-known/acme-challenge/mKVzhGyDzD0_QHj3YQ0fA4VW9tykyzkvdees4r9nTWw: Timeout, subdomain.domain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://subdomain.domain/.well-known/acme-challenge/jtizzEhlv4utMnBqMCauCIrR48_gkzx7kuak5JaWZH0: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: subdomain.domain
Type: connection
Detail: Fetching
http://subdomain.domain/.well-known/acme-challenge/o9FHDJfbOQWeotQxma9kLk-AT5iRiBRyXXNKHn5zvgQ:
Timeout

Domain: subdomain.domain
Type: connection
Detail: Fetching
http://subdomain.domain/.well-known/acme-challenge/mKVzhGyDzD0_QHj3YQ0fA4VW9tykyzkvdees4r9nTWw:
Timeout

Domain: subdomain.domain
Type: connection
Detail: Fetching
http://subdomain.domain/.well-known/acme-challenge/jtizzEhlv4utMnBqMCauCIrR48_gkzx7kuak5JaWZH0:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

On namecheap I have every subdomain as A +Dynamic DNS Record (using their DNS Client to update the ip). I'm really stumped.

 

8 minutes ago, Earache said:

I'm trying to use my own domain (namecheap) but either I setup the DNS wrong or I'm missing something.

I have my docker on separate IPs (example 192.168.1.4, .5, .6 etc) and I'm not sure if this is causing the issue or not. I have ports forwarded properly. If I run a DNS lookup for the subdomain.domain I see my public IP, but I'm getting this error in the log:

 

Failed authorization procedure. subdomain.domain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://subdomain.domain/.well-known/acme-challenge/o9FHDJfbOQWeotQxma9kLk-AT5iRiBRyXXNKHn5zvgQ: Timeout, subdomain.domain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://subdomain.domain/.well-known/acme-challenge/mKVzhGyDzD0_QHj3YQ0fA4VW9tykyzkvdees4r9nTWw: Timeout, subdomain.domain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://subdomain.domain/.well-known/acme-challenge/jtizzEhlv4utMnBqMCauCIrR48_gkzx7kuak5JaWZH0: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: subdomain.domain
Type: connection
Detail: Fetching
http://subdomain.domain/.well-known/acme-challenge/o9FHDJfbOQWeotQxma9kLk-AT5iRiBRyXXNKHn5zvgQ:
Timeout

Domain: subdomain.domain
Type: connection
Detail: Fetching
http://subdomain.domain/.well-known/acme-challenge/mKVzhGyDzD0_QHj3YQ0fA4VW9tykyzkvdees4r9nTWw:
Timeout

Domain: subdomain.domain
Type: connection
Detail: Fetching
http://subdomain.domain/.well-known/acme-challenge/jtizzEhlv4utMnBqMCauCIrR48_gkzx7kuak5JaWZH0:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

On namecheap I have every subdomain as A +Dynamic DNS Record (using their DNS Client to update the ip). I'm really stumped.

 

I'm getting the same, I believe my ISP is blocking port 80, which is causing the timeout.

2 minutes ago, j123ss said:

Cox? Everyone with that issue seems to be port 80 ISP issue like they said. Same thing here and I have COX.

Rogers Internet (Canada).

They apparently don't block it so I don't know wtf is going on.  I'm using an EdgeRouter Lite, so either my port-forwarding is farked or Rogers decided to block the port?

[screenshot attachment]

16 minutes ago, Earache said:

Rogers Internet (Canada).

They apparently don't block it so I don't know wtf is going on.  I'm using an EdgeRouter Lite, so either my port-forwarding is farked or Rogers decided to block the port?

[screenshot attachment]

 

Your port forwarding is wrong. You are forwarding 81 to 80, you should be forwarding 80 to 81

8 minutes ago, aptalca said:

 

Your port forwarding is wrong. You are forwarding 81 to 80, you should be forwarding 80 to 81

Nope still get 

Failed authorization procedure. sub.domain.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub.domain/.well-known/acme-challenge/dcVgooswjuwm_DhQXskQSuKDbRdmN4qKyZTxbDzFg9g: Timeout

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

5 hours ago, Earache said:

Nope still get 

Failed authorization procedure. sub.domain.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub.domain/.well-known/acme-challenge/dcVgooswjuwm_DhQXskQSuKDbRdmN4qKyZTxbDzFg9g: Timeout

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

You're also forwarding 444 to 443, again the wrong way around, these are inbound ports, not outbound

11 hours ago, FreeMan said:

 

I hit the "advanced view" and put the "-e "HTTPVAL"="true"" in there while not hitting the "Advanced settings" to realize that it had been added to the container

Phew - thanks, I'd done the same.  Spent 30 mins trying to work out what I was doing wrong.

 

For other users (and there will be more), the TLDR solution to the docker not working is:

 

1. Forward port 80 in your router to the docker if your docker has a unique IP via 6.4; if not, forward another port, e.g. 81, to unraid and then use the same port in the HTTP setting in the docker

2. Click on 'show more settings' and change HTTPVAL to true. Do not add a new variable HTTPVAL like I did, as it's already there in the new docker


If you're having problems with this container, ensure you've read the quoted post above, make sure you post your docker run command, screenshots of your router port forwarding setup, and docker logs.

 

Without the above, nobody can help you!  And, your post will probably get ignored as we're getting swamped from various avenues with queries about the change in LetsEncrypt certification validation.

13 hours ago, CHBMB said:

 

Scroll up to my last set of posts in this thread helping another user.  Docker run command as my sig demonstrates and LE logs

 

Here's the docker run cmd and the forwarded ports, not sure if the attached LE log is the one you wanted, let me know if you need more. I haven't changed anything in the docker settings or my router, other than applying the "HTTPVAL = true" fix. I'd guess I was having the same issue as several other people, with ISP blocking port 80, but since nextcloud works with the fix, just ombi that stopped working, it doesn't really make sense.

[screenshot attachment: Docker run command]

[screenshot attachment: LE log]

[screenshot attachment: Ports]

 
Here's the docker run cmd and the forwarded ports, not sure if the attached LE log is the one you wanted, let me know if you need more. I haven't changed anything in the docker settings or my router, other than applying the "HTTPVAL = true" fix. I'd guess I was having the same issue as several other people, with ISP blocking port 80, but since nextcloud works with the fix, just ombi that stopped working, it doesn't really make sense.

[screenshot attachment: Docker run command]
[screenshot attachment: LE log]
[screenshot attachment: Ports]
That looks like everything is working fine to me.

Sent from my LG-H815 using Tapatalk

 

This was doing the trick: port forwarding HTTP (TCP 80 -->> 85) as well as HTTPS (TCP 443 -->> 443) is required.

 

This was working for unRAID 6.3.5 but it stopped working for 6.4.

 

Anyone else who has had that experience? Latest letsencrypt Docker is installed:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.org" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="4096" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 85:80/tcp -p 443:443/tcp -v "/mnt/user/system/docker/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
68820e55413df4f6d12189d079334a943a01c4699136e38059fc459597f8670b
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (296916628be7ee045bd094ac8ebaa72631a8bd1146130c8480a19b91462dd0d4): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use.

 

 

Sent from iPad using Tapatalk

