[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 hours ago, jon123 said:

Hey all.. I've been running this image for a while now without issue. But, I decided to try changing to a wildcard cert today. I pulled the most recent image, updated my docker compose and dns config and updated the container.

 

It appears to work, but then throws an error saying to check the validation error above - but there are no validation errors.

 

build_version: Linuxserver.io version:- 139 Build-date:- April-27-2018-22:06:54-UTC
 

Any ideas?

 

le log (I've attached the full le log here as well).


le             | 2018-04-29T16:54:15.228690086Z Performing the following challenges:
le             | 2018-04-29T16:54:15.238047339Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238085071Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238090178Z Unsafe permissions on credentials configuration file: /config/dns-conf/digitalocean.ini
le             | 2018-04-29T16:54:16.523142000Z Waiting 10 seconds for DNS changes to propagate
le             | 2018-04-29T16:54:26.534836161Z Waiting for verification...
le             | 2018-04-29T16:54:30.185131883Z Cleaning up challenges
le             | 2018-04-29T16:54:46.170727929Z IMPORTANT NOTES:
le             | 2018-04-29T16:54:46.250348556Z  - Congratulations! Your certificate and chain have been saved at:
le             | 2018-04-29T16:54:46.250445899Z    /etc/letsencrypt/live/mydomain/fullchain.pem
le             | 2018-04-29T16:54:46.253021957Z    Your key file has been saved at:
le             | 2018-04-29T16:54:46.253059746Z    /etc/letsencrypt/live/mydomain/privkey.pem
le             | 2018-04-29T16:54:46.253064950Z    Your cert will expire on 2018-07-28. To obtain a new or tweaked
le             | 2018-04-29T16:54:46.253069538Z    version of this certificate in the future, simply run certbot
le             | 2018-04-29T16:54:46.253073599Z    again. To non-interactively renew *all* of your certificates, run
le             | 2018-04-29T16:54:46.253077573Z    "certbot renew"
le             | 2018-04-29T16:54:46.253088918Z  - If you like Certbot, please consider supporting our work by:
le             | 2018-04-29T16:54:46.253097379Z 
le             | 2018-04-29T16:54:46.253101610Z    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
le             | 2018-04-29T16:54:46.253106190Z    Donating to EFF:                    https://eff.org/donate-le
le             | 2018-04-29T16:54:46.253110181Z 
le             | 2018-04-29T16:54:46.261602398Z ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/digitalocean.ini file.

 

The docker compose file:


  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: le
    ports:
      - 443:443
      - 80:80
    volumes:
      - /opt/appdata/letsencrypt:/config
      - /opt/appdata/organizr/www:/fail2ban:ro
    restart: always
    depends_on:
      - tautulli
      - nzbget
      - sonarr
      - radarr
      - delugevpn
    environment:
      - PUID=1002
      - PGID=1002
      - EMAIL=my@email
      - URL=myserver
      - SUBDOMAINS=wildcard
      - ONLY_SUBDOMAINS=true
      - VALIDATION=dns
      - DNSPLUGIN=digitalocean
      - DHLEVEL=4096
      - TZ=America/New_York


 

le.log

 

Please use our forum if you're not using unraid.

6 hours ago, jon123 said:

Hey all.. I've been running this image for a while now without issue. But, I decided to try changing to a wildcard cert today. I pulled the most recent image, updated my docker compose and dns config and updated the container.

 

It appears to work, but then throws an error saying to check the validation error above - but there are no validation errors.

 

build_version: Linuxserver.io version:- 139 Build-date:- April-27-2018-22:06:54-UTC
 

Any ideas?

 

le log (I've attached the full le log here as well).


le             | 2018-04-29T16:54:15.228690086Z Performing the following challenges:
le             | 2018-04-29T16:54:15.238047339Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238085071Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238090178Z Unsafe permissions on credentials configuration file: /config/dns-conf/digitalocean.ini
le             | 2018-04-29T16:54:16.523142000Z Waiting 10 seconds for DNS changes to propagate
le             | 2018-04-29T16:54:26.534836161Z Waiting for verification...
le             | 2018-04-29T16:54:30.185131883Z Cleaning up challenges
le             | 2018-04-29T16:54:46.170727929Z IMPORTANT NOTES:
le             | 2018-04-29T16:54:46.250348556Z  - Congratulations! Your certificate and chain have been saved at:
le             | 2018-04-29T16:54:46.250445899Z    /etc/letsencrypt/live/mydomain/fullchain.pem
le             | 2018-04-29T16:54:46.253021957Z    Your key file has been saved at:
le             | 2018-04-29T16:54:46.253059746Z    /etc/letsencrypt/live/mydomain/privkey.pem
le             | 2018-04-29T16:54:46.253064950Z    Your cert will expire on 2018-07-28. To obtain a new or tweaked
le             | 2018-04-29T16:54:46.253069538Z    version of this certificate in the future, simply run certbot
le             | 2018-04-29T16:54:46.253073599Z    again. To non-interactively renew *all* of your certificates, run
le             | 2018-04-29T16:54:46.253077573Z    "certbot renew"
le             | 2018-04-29T16:54:46.253088918Z  - If you like Certbot, please consider supporting our work by:
le             | 2018-04-29T16:54:46.253097379Z 
le             | 2018-04-29T16:54:46.253101610Z    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
le             | 2018-04-29T16:54:46.253106190Z    Donating to EFF:                    https://eff.org/donate-le
le             | 2018-04-29T16:54:46.253110181Z 
le             | 2018-04-29T16:54:46.261602398Z ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/digitalocean.ini file.

 

The docker compose file:


  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: le
    ports:
      - 443:443
      - 80:80
    volumes:
      - /opt/appdata/letsencrypt:/config
      - /opt/appdata/organizr/www:/fail2ban:ro
    restart: always
    depends_on:
      - tautulli
      - nzbget
      - sonarr
      - radarr
      - delugevpn
    environment:
      - PUID=1002
      - PGID=1002
      - EMAIL=my@email
      - URL=myserver
      - SUBDOMAINS=wildcard
      - ONLY_SUBDOMAINS=true
      - VALIDATION=dns
      - DNSPLUGIN=digitalocean
      - DHLEVEL=4096
      - TZ=America/New_York


 

le.log

 

You can't do only subdomains with wildcard

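A pre-flight check for the container definition in the quoted post, added here as an example; it is not code from the linuxserver.io image or from either poster. It parses the compose `environment:` entries, flags the SUBDOMAINS=wildcard plus ONLY_SUBDOMAINS=true combination the reply calls unsupported, and checks the mode of the DNS-plugin credentials file that certbot complained about with "Unsafe permissions on credentials configuration file". The environment list is the one from the compose file above; the credentials file created by the demo, its path and its token value are constructed placeholders. The wildcard-requires-dns-01 check goes one step beyond the thread: Let's Encrypt only issues wildcard certificates through the dns-01 challenge.

```python
"""Pre-flight checks for a linuxserver letsencrypt (SWAG) container definition.

Added example, not code from the linuxserver.io image. It flags the two
problems visible in the thread above before the container is recreated:
the SUBDOMAINS=wildcard + ONLY_SUBDOMAINS=true combination the reply
calls unsupported, and a DNS-plugin credentials file whose mode makes
certbot log "Unsafe permissions on credentials configuration file".
"""
import os
import stat
import tempfile
from typing import Dict, List

# Constructed sample: the `environment:` entries from the compose file in the post.
SAMPLE_ENV_LINES = [
    "- PUID=1002",
    "- PGID=1002",
    "- EMAIL=my@email",
    "- URL=myserver",
    "- SUBDOMAINS=wildcard",
    "- ONLY_SUBDOMAINS=true",
    "- VALIDATION=dns",
    "- DNSPLUGIN=digitalocean",
    "- DHLEVEL=4096",
    "- TZ=America/New_York",
]


def parse_env(lines: List[str]) -> Dict[str, str]:
    """Turn compose-style `- KEY=value` entries into a dict; the first '=' splits."""
    env: Dict[str, str] = {}
    for raw in lines:
        item = raw.strip().lstrip("-").strip()
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def check_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable findings for settings that cannot produce a cert."""
    findings: List[str] = []
    subdomains = env.get("SUBDOMAINS", "")
    only_sub = env.get("ONLY_SUBDOMAINS", "false").lower() == "true"
    validation = env.get("VALIDATION", "http").lower()
    if subdomains == "wildcard" and only_sub:
        findings.append("SUBDOMAINS=wildcard together with ONLY_SUBDOMAINS=true: "
                        "the combination the thread reports as unsupported")
    if subdomains == "wildcard" and validation != "dns":
        # Let's Encrypt issues wildcard certificates only via the dns-01 challenge.
        findings.append("SUBDOMAINS=wildcard requires VALIDATION=dns (ACME dns-01)")
    if validation == "dns" and not env.get("DNSPLUGIN"):
        findings.append("VALIDATION=dns without DNSPLUGIN: certbot has no DNS API to use")
    return findings


def unsafe_mode(mode: int) -> bool:
    """True when group or other hold any permission bit; certbot wants 0600 here."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def check_credentials_file(path: str) -> List[str]:
    """Mirror certbot's 'Unsafe permissions' warning for a dns-conf ini file."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: credentials file not found"]
    if unsafe_mode(mode):
        return [f"{path}: mode {stat.S_IMODE(mode):04o} is readable by group/other; chmod 600"]
    return []


def demo_credentials_check() -> Dict[str, List[str]]:
    """Create a constructed credentials file with a weak and then a corrected mode."""
    tmpdir = tempfile.mkdtemp()
    # Stand-in for /config/dns-conf/digitalocean.ini; the token is a placeholder, not a real secret.
    path = os.path.join(tmpdir, "digitalocean.ini")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("dns_digitalocean_token = TOKEN_PLACEHOLDER\n")
    os.chmod(path, 0o644)
    before = check_credentials_file(path)
    os.chmod(path, 0o600)
    after = check_credentials_file(path)
    return {"0644": before, "0600": after}


if __name__ == "__main__":
    for finding in check_env(parse_env(SAMPLE_ENV_LINES)):
        print("env:", finding)
    for mode, findings in demo_credentials_check().items():
        print(f"mode {mode}:", findings or "ok")
```

Run against the compose file above it reports exactly the ONLY_SUBDOMAINS finding; flipping that value to false clears it, which is what the reply suggests. The permission check is the same test certbot applies: any group or other bit on the ini file triggers the warning, so `chmod 600` on the dns-conf file on the host side silences it.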

My ISP blocks port 443 and I am struggling to get letsencrypt to work with non-standard ports.

I've managed to obtain certificates by using the dns verification (vice 443) and cloudflare (set authentication type to "dns" in docker settings then use mc to change username and api key in letsencrypt/dns-conf/cloudflare.ini)

I can forward the docker's port on my edge router from WAN port to the right port on the LAN unRAID server and get to the dockers in http, just not in https.

What I'm struggling with is how to access dockers from the WAN if 443 is blocked. For example, if as explained here I set up subdomain.mydomain.com and use the nginx reverse proxy to point it to my unraid server's IP and docker port, this doesn't work because the traffic is still coming in on 443. Forwarding ports 443 (and 80) on the edge router doesn't seem to help. The guide seems to assume that 443 is not blocked by the ISP (as some of us have to deal with).

 

So, I assume I should be using a non-standard port to come in from the WAN, say port 2345. I should then be able to point my browser from the WAN to https://mydomain.com:2345

How do I set that up in letsencrypt?

Thank you for any help, I've spent many hours trying to make this work without success.

4 minutes ago, adoucette said:

My ISP blocks port 443 and I am struggling to get letsencrypt to work with non-standard ports.

I've managed to obtain certificates by using the dns verification (vice 443) and cloudflare (set authentication type to "dns" in docker settings then use mc to change username and api key in letsencrypt/dns-conf/cloudflare.ini)

I can forward the docker's port on my edge router from WAN port to the right port on the LAN unRAID server and get to the dockers in http, just not in https.

What I'm struggling with is how to access dockers from the WAN if 443 is blocked. For example, if as explained here I set up subdomain.mydomain.com and use the nginx reverse proxy to point it to my unraid server's IP and docker port, this doesn't work because the traffic is still coming in on 443. Forwarding ports 443 (and 80) on the edge router doesn't seem to help. The guide seems to assume that 443 is not blocked by the ISP (as some of us have to deal with).

 

So, I assume I should be using a non-standard port to come in from the WAN, say port 2345. I should then be able to point my browser from the WAN to https://mydomain.com:2345

How do I set that up in letsencrypt?

Thank you for any help, I've spent many hours trying to make this work without success.

who is your ISP? curious


Help!

 

I have set this up, to use in conjunction with Nextcloud, Plex, Radarr, blah blah.... I followed this guide. Nextcloud is working-ish; and Letsencrypt is working, as long as I only set the subdomains covered to www.


 

If I make the subdomains www,nextcloud things don't work.

 

Here are the Letsencrypt logs, when it does not work.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=greulich.me
SUBDOMAINS=www,nextcloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.greulich.me -d nextcloud.greulich.me
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for greulich.me
http-01 challenge for nextcloud.greulich.me
http-01 challenge for www.greulich.me
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.greulich.me (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nextcloud.greulich.me

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.greulich.me
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
nextcloud.greulich.me
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Here is my router port forwarding...

 


 

Here is my '/config/nginx/site-confs/nextcloud' file.

 

server {
	listen 443 ssl;
	server_name nextcloud.greulich.me;

	root /config/www;
	index index.html index.htm index.php;

	###SSL Certificates
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

	###Diffie–Hellman key exchange ###
	ssl_dhparam /config/nginx/dhparams.pem;

	###SSL Ciphers
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	###Extra Settings###
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header Front-End-Https on;

	client_max_body_size 0;

	location / {
		proxy_pass https://192.168.1.24:10443/;
        	proxy_max_temp_file_size 2048m;
        	include /config/nginx/proxy.conf;
	}
}

Here is my '/config/www/nextcloud/config/config.php' file.

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc2mc6z7bo8o',
  'passwordsalt' => '[salt]',
  'secret' => '[secret]',
  'trusted_domains' =>
  array (
    0 => '192.168.1.24:10443',
    1 => 'nextcloud.greulich.me',
  ),
  'overwrite.cli.url' => 'https://nextcloud.greulich.me',
  'overwritehost' => 'nextcloud.greulich.me',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '13.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.24:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '[user]',
  'dbpassword' => '[password]',
  'installed' => true,
);

I am completely stumped.

 

Help me Obi-Wan Kenobi, you're my only hope.

Edited by igreulich
typos
2 hours ago, igreulich said:

Help!

 

I have set this up, to use in conjunction with Nextcloud, Plex, Radarr, blah blah.... I followed this guide. Nextcloud is working-ish; and Letsencrypt is working, as long as I only set the subdomains covered to www.


 

If I make the subdomains www,nextcloud things don't work.

 

Here are the Letsencrypt logs, when it does not work.


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=greulich.me
SUBDOMAINS=www,nextcloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.greulich.me -d nextcloud.greulich.me
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for greulich.me
http-01 challenge for nextcloud.greulich.me
http-01 challenge for www.greulich.me
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.greulich.me (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nextcloud.greulich.me

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.greulich.me
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
nextcloud.greulich.me
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Here is my router port forwarding...

 


 

Here is my '/config/nginx/site-confs/nextcloud' file.

 


server {
	listen 443 ssl;
	server_name nextcloud.greulich.me;

	root /config/www;
	index index.html index.htm index.php;

	###SSL Certificates
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

	###Diffie–Hellman key exchange ###
	ssl_dhparam /config/nginx/dhparams.pem;

	###SSL Ciphers
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	###Extra Settings###
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header Front-End-Https on;

	client_max_body_size 0;

	location / {
		proxy_pass https://192.168.1.24:10443/;
        	proxy_max_temp_file_size 2048m;
        	include /config/nginx/proxy.conf;
	}
}

Here is my '/config/www/nextcloud/config/config.php' file.


<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc2mc6z7bo8o',
  'passwordsalt' => '[salt]',
  'secret' => '[secret]',
  'trusted_domains' =>
  array (
    0 => '192.168.1.24:10443',
    1 => 'nextcloud.greulich.me',
  ),
  'overwrite.cli.url' => 'https://nextcloud.greulich.me',
  'overwritehost' => 'nextcloud.greulich.me',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '13.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.24:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '[user]',
  'dbpassword' => '[password]',
  'installed' => true,
);

I am completely stumped.

 

Help me Obi-Wan Kenobi, you're my only hope.

Create a cname for nextcloud on your dns provider

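The failure in the quoted log is a DNS one, not a port-forwarding one: the CA answered http-01 for nextcloud.greulich.me with "NXDOMAIN looking up A", so the name did not exist in DNS at all, and the fix is the record the reply names. The following pre-flight, added here as an example (not code from the linuxserver.io image or from the posters), builds the same `-d` list the container logs under "Sub-domains processed are" from URL, SUBDOMAINS, ONLY_SUBDOMAINS and EXTRA_DOMAINS, then resolves every name before an ACME order is placed. The resolver is injectable so the logic runs offline; the `FAKE_ZONE` table and its 203.0.113.10 address are constructed to mirror the failed run above, where only the apex and www existed.

```python
"""DNS pre-flight for the hostnames a SWAG/letsencrypt container will validate.

Added example, not code from the linuxserver.io image. It recreates the
domain list the container builds from URL / SUBDOMAINS / ONLY_SUBDOMAINS /
EXTRA_DOMAINS and checks that every http-01 candidate resolves, so a
missing A or CNAME record is reported before certbot runs.
"""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def build_domain_list(url: str, subdomains: str = "", only_subdomains: bool = False,
                      extra_domains: str = "") -> List[str]:
    """Mirror the container's 'Sub-domains processed are: -d ...' list."""
    names: List[str] = [] if only_subdomains else [url]
    for sub in (s.strip() for s in subdomains.split(",")):
        if not sub:
            continue
        names.append(f"*.{url}" if sub == "wildcard" else f"{sub}.{url}")
    names.extend(d.strip() for d in extra_domains.split(",") if d.strip())
    return names


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the host's stub resolver; None stands for NXDOMAIN / no address."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def preflight(names: List[str], resolve: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Resolve each http-01 candidate. Wildcard labels are skipped: they never
    carry an A record and are validated by dns-01 instead."""
    return {name: resolve(name) for name in names if not name.startswith("*.")}


def report(results: Dict[str, Optional[str]]) -> List[str]:
    """Turn resolution results into the findings an operator needs to act on."""
    problems: List[str] = []
    for name, addr in results.items():
        if addr is None:
            problems.append(f"{name}: does not resolve (NXDOMAIN); add an A or CNAME record "
                            f"before requesting the certificate")
    addrs = {addr for addr in results.values() if addr}
    if len(addrs) > 1:
        # http-01 validation for every name has to land on this nginx instance.
        problems.append(f"names resolve to different addresses {sorted(addrs)}; "
                        f"http-01 expects all of them to reach the same reverse proxy")
    return problems


# Constructed offline stand-in for DNS: the zone as it stood when the quoted
# run failed, with only the apex and www present (address is a documentation IP).
FAKE_ZONE: Dict[str, str] = {
    "greulich.me": "203.0.113.10",
    "www.greulich.me": "203.0.113.10",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    # Same settings as the quoted 'Variables set' block.
    wanted = build_domain_list("greulich.me", subdomains="www,nextcloud", only_subdomains=False)
    for problem in report(preflight(wanted, resolve=fake_resolver)):
        print(problem)
```

With the real `system_resolver` the script is a quick check to run on the host right after adding a record at the DNS provider and before recreating the container; the linuxserver image otherwise revokes and re-requests the certificate on every settings change, which burns Let's Encrypt rate limit on an order that cannot succeed.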

Anyone have any ideas why my LE docker cannot ping the unraid IP?  I've got LE bound to a custom IP of 10.1.1.8 while my unraid is 10.1.1.10.  Certs went through fine, but cannot successfully ping the unraid IP:

 

Trying to RP to my homeassistant docker and getting a `failed (113: Host is unreachable) while connecting to upstream` error

 

docker exec -it letsencrypt /bin/bash

root@e01490db42ac:/$ curl http://10.1.1.10:8123/
curl: (7) Failed to connect to 10.1.1.10 port 8123: Host is unreachable

root@e01490db42ac:/$ ping 10.1.1.10
PING 10.1.1.10 (10.1.1.10): 56 data bytes
^C
--- 10.1.1.10 ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss

root@e01490db42ac:/$ ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: seq=0 ttl=64 time=0.475 ms
64 bytes from 10.1.1.1: seq=1 ttl=64 time=0.383 ms
64 bytes from 10.1.1.1: seq=2 ttl=64 time=0.391 ms
64 bytes from 10.1.1.1: seq=3 ttl=64 time=0.378 ms
^C
--- 10.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.378/0.406/0.475 ms

root@e01490db42ac:/$ ping 10.1.1.8
PING 10.1.1.8 (10.1.1.8): 56 data bytes
64 bytes from 10.1.1.8: seq=0 ttl=64 time=0.072 ms
64 bytes from 10.1.1.8: seq=1 ttl=64 time=0.063 ms
^C
--- 10.1.1.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.063/0.067/0.072 ms

 

55 minutes ago, poldim said:

Anyone have any ideas why my LE docker cannot ping the unraid IP?  I've got LE bound to a custom IP of 10.1.1.8 while my unraid is 10.1.1.10.  Certs went through fine, but cannot successfully ping the unraid IP:

 

Trying to RP to my homeassistant docker and getting a `failed (113: Host is unreachable) while connecting to upstream` error

 


docker exec -it letsencrypt /bin/bash

root@e01490db42ac:/$ curl http://10.1.1.10:8123/
curl: (7) Failed to connect to 10.1.1.10 port 8123: Host is unreachable

root@e01490db42ac:/$ ping 10.1.1.10
PING 10.1.1.10 (10.1.1.10): 56 data bytes
^C
--- 10.1.1.10 ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss

root@e01490db42ac:/$ ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: seq=0 ttl=64 time=0.475 ms
64 bytes from 10.1.1.1: seq=1 ttl=64 time=0.383 ms
64 bytes from 10.1.1.1: seq=2 ttl=64 time=0.391 ms
64 bytes from 10.1.1.1: seq=3 ttl=64 time=0.378 ms
^C
--- 10.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.378/0.406/0.475 ms

root@e01490db42ac:/$ ping 10.1.1.8
PING 10.1.1.8 (10.1.1.8): 56 data bytes
64 bytes from 10.1.1.8: seq=0 ttl=64 time=0.072 ms
64 bytes from 10.1.1.8: seq=1 ttl=64 time=0.063 ms
^C
--- 10.1.1.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.063/0.067/0.072 ms

 

 

It's a security mechanism in docker. You will need to route it in your router to get it working. 


Anyone have any guides to get fail2ban working with nzbget, radarr and sonarr? I use the built in http auth of each app, but I'm OK with disabling the built-in mechanisms and utilizing nginx for all authentication so it integrates nicely with fail2ban.

 

Thanks

Edited by endiz

I was able to get LetsEncrypt to work with DuckDNS but it only works when I enter www.[myduckdnsdomain].duckdns.org, or https://www.[myduckdnsdomain].duckdns.org. If I enter just [myduckdnsdomain].duckdns.org it loads but says Your Connection is not valid. If I try https://[myduckdnsdomain].duckdns.org it loads a page that says my connection is not private.

 

I've searched but can't find any answers. If I'm honest I'm not even sure what I should be searching for.

6 hours ago, Nomar1245 said:

I was able to get LetsEncrypt to work with DuckDNS but it only works when I enter www.[myduckdnsdomain].duckdns.org, or https://www.[myduckdnsdomain].duckdns.org. If I enter just [myduckdnsdomain].duckdns.org it loads but says Your Connection is not valid. If I try https://[myduckdnsdomain].duckdns.org it loads a page that says my connection is not private.

 

I've searched but can't find any answers. If I'm honest I'm not even sure what I should be searching for.

Post your docker run command (or a screenshot of your settings) 

10 hours ago, endiz said:

Anyone have any guides to get fail2ban working with nzbget, radarr and sonarr? I use the built in http auth of each app, but I'm OK with disabling the built-in mechanisms and utilizing nginx for all authentication so it integrates nicely with fail2ban.

 

Thanks

If you use nginx auth via htpasswd, the fail2ban filter for that is already active

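What "the fail2ban filter for that is already active" means in practice: when nginx fronts an app with an htpasswd file, every failed login lands in nginx's error log as either `user "x": password mismatch` or `user "x" was not found in "..."`, and fail2ban's nginx-http-auth jail counts those per client address and bans once `maxretry` failures fall inside `findtime`. The block below is added here as an example; it is not the image's fail2ban filter or jail. Its regex is modelled on the stock fail2ban nginx-http-auth pattern, the log lines are constructed, 203.0.113.x and 198.51.100.x are documentation addresses, and the `maxretry=5` / `findtime=600` defaults are fail2ban's own stock defaults, not values taken from the image's jail.local (which the page does not show).

```python
"""fail2ban-style detection for nginx basic-auth failures, run over sample log lines.

Added example; not the linuxserver.io image's fail2ban filter or jail. The
pattern follows what the stock fail2ban nginx-http-auth filter matches:
the two messages nginx writes to error.log when htpasswd auth fails.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed nginx error.log excerpt. One client fails five times in ten
# seconds, a second client fails twice, and one unrelated upstream error
# must not be counted as an authentication failure.
SAMPLE_ERROR_LOG = """\
2018/05/03 10:12:01 [error] 311#311: *45 user "admin": password mismatch, client: 203.0.113.5, server: nzbget.example.com, request: "GET /nzbget/ HTTP/1.1", host: "nzbget.example.com"
2018/05/03 10:12:03 [error] 311#311: *46 user "admin": password mismatch, client: 203.0.113.5, server: nzbget.example.com, request: "GET /nzbget/ HTTP/1.1", host: "nzbget.example.com"
2018/05/03 10:12:05 [error] 311#311: *47 user "root" was not found in "/config/nginx/.htpasswd", client: 203.0.113.5, server: sonarr.example.com, request: "GET /sonarr/ HTTP/1.1", host: "sonarr.example.com"
2018/05/03 10:12:09 [error] 311#311: *48 user "nzbget": password mismatch, client: 203.0.113.5, server: nzbget.example.com, request: "GET /nzbget/ HTTP/1.1", host: "nzbget.example.com"
2018/05/03 10:12:10 [error] 311#311: *49 user "me": password mismatch, client: 198.51.100.7, server: radarr.example.com, request: "GET /radarr/ HTTP/1.1", host: "radarr.example.com", referrer: "https://radarr.example.com/"
2018/05/03 10:12:11 [error] 311#311: *50 user "admin": password mismatch, client: 203.0.113.5, server: nzbget.example.com, request: "POST /nzbget/jsonrpc HTTP/1.1", host: "nzbget.example.com"
2018/05/03 10:12:30 [error] 311#311: *52 user "me": password mismatch, client: 198.51.100.7, server: radarr.example.com, request: "GET /radarr/ HTTP/1.1", host: "radarr.example.com"
2018/05/03 10:20:00 [error] 311#311: *60 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.9, server: sonarr.example.com, request: "GET /sonarr/ HTTP/1.1", upstream: "http://192.0.2.10:8989/sonarr/", host: "sonarr.example.com"
"""

# Modelled on fail2ban's nginx-http-auth failregex: timestamp, then either
# 'password mismatch' or 'was not found in "<htpasswd>"', then the client IP.
AUTH_FAILURE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<host>[0-9a-fA-F.:]+), server: \S*, '
    r'request: "\S+ \S+ HTTP/\d\.\d", host: "[^"]+"(?:, referrer: "[^"]+")?\s*$'
)


def parse_failures(log_text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, client_ip) for every line that is an auth failure."""
    failures: List[Tuple[datetime, str]] = []
    for line in log_text.splitlines():
        match = AUTH_FAILURE.match(line)
        if match:
            ts = datetime.strptime(match.group("ts"), "%Y/%m/%d %H:%M:%S")
            failures.append((ts, match.group("host")))
    return failures


def find_bans(failures: List[Tuple[datetime, str]], maxretry: int = 5,
              findtime: int = 600) -> Dict[str, datetime]:
    """Sliding-window ban decision as a fail2ban jail makes it.

    A client is banned at the moment its maxretry-th failure lands within
    findtime seconds of an earlier, still-counted failure.
    """
    window = timedelta(seconds=findtime)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bans: Dict[str, datetime] = {}
    for ts, host in sorted(failures):
        if host in bans:
            continue
        hits = recent[host]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()          # drop failures that aged out of findtime
        if len(hits) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    found = parse_failures(SAMPLE_ERROR_LOG)
    print(f"{len(found)} auth failures parsed")
    for ip, when in find_bans(found).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The regex is deliberately anchored on the whole line, including the `request:` and `host:` fields, so that a forged username containing `client: 1.2.3.4` cannot shift which address is extracted; fail2ban's own filters take the same care, and it is the reason to prefer the stock filter over a quick `grep "password mismatch"`.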

Thanks for the help. I was under the impression that only_subdomains was needed because I was using duckdns.org. However, after I removed my existing container, recreated it with the same settings, except for changing only_subdomains to false, I am having the same problem.

 

Update: It's working

 

So, I set up my docker using a guide that took me 90% of the way, but the last 10% is what I needed. After replying to aptalca, I stepped back and looked at everything I was doing and decided to work through on my own, one step at a time, and the culprit ended up being a bad default file. I should have known better. Thank you for the help.

Edited by Nomar1245
Humility

Is there a way we can upgrade nginx to 1.3.x? Home assistant needs websocket support for reverse proxy to work. Even if the docker itself isn't updated, is there a way I can update the image I have downloaded?

I've tried 

apk add --no-cache --update nginx

but nginx -v still says 1.12.x

 

Thanks!

Edited by Blaze9
2 hours ago, Blaze9 said:

Is there a way we can upgrade nginx to 1.3.x? Home assistant needs websocket support for reverse proxy to work. Even if the docker itself isn't updated, is there a way I can update the image I have downloaded?

I've tried 


apk add --no-cache --update nginx

but nginx -v still says 1.12.x

 

Thanks!

 

That's the latest version in the repo


Hi all,

 

Like many others I am struggling with Letsencrypt and NextCloud.

I spent a lot of time following numerous tutorials but none of them could make it work.

 

What is installed:

  • duckdns
  • nextcloud
  • letsencrypt

 

What does work:

  • Local access to nextcloud through an unsecured connection by using my unraid local address: 192.168.1.206:442 (I have to add an exception in my browser so it will connect)
  • Remote access to nextcloud through an unsecured connection by using my duckdns address XXXXX.duckdns.org:442 (I have to add an exception in my browser so it will connect)
  • Looks like duckdns works as well as port forwarding on port 442
  • Letsencrypt works I guess, here is the log:
    Processing /etc/letsencrypt/renewal/XXXX.duckdns.org.conf
    -------------------------------------------------------------------------------
    Cert not yet due for renewal
    
    -------------------------------------------------------------------------------
    
    The following certs are not due for renewal yet:
    /etc/letsencrypt/live/XXXX.duckdns.org/fullchain.pem expires on 2018-08-13 (skipped)
    No renewals were attempted.
    No hooks were run.
    -------------------------------------------------------------------------------
    [cont-init.d] 50-config: exited 0.
    [cont-init.d] done.
    [services.d] starting services
    [services.d] done.
    Server ready

     

What does not work:

  • Local secured access to Nextcloud
  • Remote secure access to Nextcloud

What is my configuration:

  • letsencrypt\nginx\site-confs\default
upstream backend {
    server 192.168.1.206:19999;
    keepalive 64;
}
 
server {
    listen 443 ssl;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
 
    server_name XXXX.duckdns.org;
 
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
 
    client_max_body_size 0;
 
    location = / {
        return 301 /htpc;
    }
 
    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.206:8989/sonarr;
    }
   
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.206:7878/radarr;
    }
 
    location /htpc {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.206:8085/htpc;
    }
 
   
    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass  http://192.168.1.206:8112/;
        proxy_set_header  X-Deluge-Base "/downloads/";
    }
   
    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.206:32400;
    }
 
    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.206:32400/web;
    }
 
    location /nextcloud {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.1.206:442/nextcloud;
    }
   
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}
  • nextcloud config.php
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc4xjllsleky',
  // passwordsalt and secret were pasted in clear in the original post and are
  // redacted here in the same style the poster used for the DB credentials.
  // Once these values have been published they should be treated as exposed.
  'passwordsalt' => 'xXxXxXxX',
  'secret' => 'xXxXxXxX',
  'trusted_domains' =>
  array (
    0 => '192.168.1.206:442',
    1 => 'XXXXX.duckdns.org',
  ),
  'overwrite.cli.url' => 'https://192.168.1.206:442',
  'dbtype' => 'mysql',
  'version' => '13.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.206:3305',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xXxXxXxX',
  'dbpassword' => 'xXxXxX',
  'installed' => true,
);

And attached, the docker configuration of both Letsencrypt and Nextcloud (lestencrypt.PNG, nextcloud.PNG).

There must be something stupid I did but I can't put my finger on it. Thanks a lot for your help!

Edited by mathgoy
2 hours ago, mathgoy said:

Like many others I am struggling with Letsencrypt and NextCloud.

I spent a lot of time following numerous tutorials but none of them could make it work. 

You know, I had a hell of a time trying to make it work myself at first. Eventually I decided to give it a whirl using a subdomain (i.e. nextcloud.domain.com as opposed to domain.com/nextcloud). Turns out the subdomain was easier to implement and, for me, easier to remember my URL address. As an added benefit, it's apparently also more secure!

So, just to make it better for yourself, it's worth it to review your installation from the ground up. Just go back one more time and follow Linuxserver's excellent step-by-step process on this very topic: https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

As I don't use DuckDNS I had to make sure that subdomains were possible, and apparently they are! So try this for your subdomain setup:

Good luck!
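The reply above recommends the subdomain layout but whatever it attached did not survive. As an added example, not code from either poster or from linuxserver.io, this is what a subdomain server block for the Nextcloud container in the first post would look like. It assumes the letsencrypt container was started with the image's SUBDOMAINS variable covering "nextcloud" (or a wildcard) so the cert under /config/keys/letsencrypt/ is valid for nextcloud.XXXXX.duckdns.org, that DuckDNS resolves that name to the same address as XXXXX.duckdns.org, and that the Nextcloud container still answers on https://192.168.1.206:442 as in that post.

```nginx
# Added example: a dedicated server block for the Nextcloud subdomain, placed in
# /config/nginx/site-confs/ next to the default one. Assumed: the certificate at
# /config/keys/letsencrypt/ covers nextcloud.XXXXX.duckdns.org.
server {
    listen 443 ssl;
    server_name nextcloud.XXXXX.duckdns.org;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;
    # ssl_ciphers and the HSTS add_header go here, identical to the default
    # site config; left out only to keep this block short.

    client_max_body_size 0;   # let Nextcloud, not nginx, cap upload size

    # With its own hostname Nextcloud lives at / and no path rewriting is
    # needed, which is the whole point of the subdomain layout.
    location / {
        include /config/nginx/proxy.conf;
        # Upstream is the container's own HTTPS listener with a self-signed
        # cert. nginx does not check upstream certificates unless
        # proxy_ssl_verify is switched on, so this LAN hop works as written.
        proxy_pass https://192.168.1.206:442;
    }
}
```

On the Nextcloud side config.php then needs the new name added to trusted_domains and, because the proxy is what the outside world talks to, 'overwritehost' => 'nextcloud.XXXXX.duckdns.org' and 'overwriteprotocol' => 'https', so that links Nextcloud generates point at the public name rather than at 192.168.1.206:442.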

How can I reverse proxy my Small Business Server through the letsencrypt docker without adding the letsencrypt certificates?

i.e. I want to be able to connect to https://remote.mydomain.com.au

I want this to pass straight through the letsencrypt docker's reverse proxy to the SBS server.

The SBS server will provide self-signed certs rather than letsencrypt certs.

The config file is shown below.

I have hashed out what I think would be needed to pass straight in and out again.

It doesn't work of course, which is why I am posting here.

server {
    listen 443 ssl;
    server_name remote.mydomain.com.au;

    # The poster commented out everything TLS-related to try to pass the
    # connection straight through. nginx will not load a "listen ... ssl"
    # server that has no ssl_certificate configured, so this block fails
    # the config test as written.

    # root /config/www;
    # index index.html index.htm index.php;

    ### SSL Certificates
    # ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    # ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ### Diffie-Hellman key exchange ###
    # ssl_dhparam /config/nginx/dhparams.pem;

    ### SSL Ciphers
    # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ### Extra Settings ###
    # ssl_prefer_server_ciphers on;
    # ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    # add_header Front-End-Https on;

    # client_max_body_size 0;

    # proxy_request_buffering off;
    # proxy_buffering off;

    location / {
        # This still terminates TLS in nginx and opens a second TLS session to
        # the SBS box; the browser never sees the SBS certificate.
        proxy_pass https://192.168.10.27:443/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

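The passthrough asked for above cannot be done inside the http {} layer: "listen 443 ssl" makes nginx the TLS endpoint, so it must hold a certificate, and what the browser sees is always nginx's certificate, not the SBS server's. What does the job is nginx's stream module with ssl_preread, which reads the SNI name out of the ClientHello and forwards the raw TCP connection untouched, so the SBS box completes the handshake with its own self-signed certificate. The following is an added example, not code from the post or from the linuxserver image. It assumes the container's nginx has ngx_stream_ssl_preread_module available (on Alpine this is the nginx-mod-stream package, pulled in with a load_module line at the top of nginx.conf), that the stream {} block is placed at top level of /config/nginx/nginx.conf beside http {}, and that the loopback port 8443 and the name mydomain.com.au are placeholders.

```nginx
# Added example, not from the original post or the image. Assumes the stream
# module with ssl_preread is loaded and that this block sits at top level of
# nginx.conf, next to (not inside) the http {} block.
stream {
    # Pick a destination from the SNI name in the ClientHello. Nothing is
    # decrypted here; the bytes are relayed as-is.
    map $ssl_preread_server_name $tls_backend {
        remote.mydomain.com.au  sbs;        # SBS presents its own self-signed cert
        default                 local_tls;  # everything else is terminated by nginx as before
    }

    upstream sbs {
        server 192.168.10.27:443;
    }

    upstream local_tls {
        # The letsencrypt-terminated server blocks move off :443 onto this
        # loopback port (see the http {} part below); the stream layer owns 443.
        server 127.0.0.1:8443;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}

http {
    # ... rest of the default http {} block unchanged ...

    server {
        # Was "listen 443 ssl;". Every TLS server block in
        # /config/nginx/site-confs has to move the same way, otherwise the
        # stream server and the http server both try to bind 443.
        listen 127.0.0.1:8443 ssl;
        server_name mydomain.com.au;   # placeholder for the existing letsencrypt names

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        # ... ssl_dhparam, ssl_ciphers, HSTS and location blocks as before ...
    }
}
```

Two consequences worth knowing before adopting this: the SBS server sees every connection arriving from the container's address, and because nothing is decrypted no X-Forwarded-For header can be injected, so its logs lose the real client IP unless the backend accepts the PROXY protocol (proxy_protocol on the stream proxy_pass); and Fail2ban rules that watch the letsencrypt container's access log never see the passthrough traffic, so brute-force protection for remote.mydomain.com.au has to live on the SBS side.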
