[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hello,

 

First of all, thank you for your work!

 

I have a problem using your plugin. I can't get it to obtain the certificates. I have used certbot and hosted a web server before on another machine, and I didn't have any problem, so my ISP doesn't block any port.

 

This is the error that I get:

Failed authorization procedure.
2566335.xyz (http-01): urn:ietf:params:acme:error:connection:: The server could not connect to the client to verify the domain :: Fetching http://2566335.xyz/.well-known/acme-challenge/okr2q6AOqCJKPZWCYQfd-4r9MPKAhl9D3hmc7X5OlDk: Timeout during connect (likely firewall problem),
www.2566335.xyz (http-01): urn:ietf:params:acme:error:connection:: The server could not connect to the client to verify the domain :: Fetching http://www.2566335.xyz/.well-known/acme-challenge/IXluIrRlEw5xsmD7gjqaXM3iZgN8Rv7uxYF3jYHMd4o: Timeout during connect (likely firewall problem)

 

Port 80 of the container is accessible via the port 18100, port 443 is accessible via the port 18200.

I made the appropriate port forwarding in my router.

Service Name | Source Target | Port Range | Local IP | Local Port | Protocol
--- | --- | --- | --- | --- | ---
unRAID WebGUI | | 16500 | 192.168.1.110 | 80 | TCP
HTTP Lets Encrypt | | 80 | 192.168.1.110 | 18100 | TCP
HTTPS Lets Encrypt | | 443 | 192.168.1.110 | 18200 | TCP

 

My DNS configuration:

Name / Host / Alias | TTL | Type | Priority | Data / Value / Answer / Destination
--- | --- | --- | --- | ---
@ | 300 | A | | 176.131.3.8
nextcloud | 300 | CNAME | | @
www | 300 | CNAME | | @

 

I don't understand why it doesn't work. As I said, I never had any problem with Let's Encrypt before.

Could you help me please?

 

Thank you

Edited by wblondel
43 minutes ago, wblondel said:

I have a problem using your plugin. I can't get it to obtain the certificates.

Try restarting your router


So I am so lost in where I am going wrong here and I hope it is something obvious that I'm just missing. Below is the log I get from the docker

 


-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=duckdns.org
SUBDOMAINS=REDACTEDDUCKDNSDOMAIN
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d REDACTEDDUCKDNSDOMAIN.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for unraidcerberus.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. REDACTEDDUCKDNSDOMAIN.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://REDACTEDDUCKDNSDOMAIN.duckdns.org/.well-known/acme-challenge/iheqo0YHCuC5t0RprDd4mV7b7B6bM4ILSr-sli6t-CA: "<html>

<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: REDACTEDDUCKDNSDOMAIN.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://REDACTEDDUCKDNSDOMAIN.duckdns.org/.well-known/acme-challenge/iheqo0YHCuC5t0RprDd4mV7b7B6bM4ILSr-sli6t-CA:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 


My unraid network settings: [screenshot]

My LetsEncrypt docker settings: [screenshot]

My port forwarding in my router: [screenshot]

Based on other posts here I've already checked and made sure my ISP doesn't block port 80. I also tested to make sure the port forwarding is working correctly by temporarily putting another docker on the ports I have letsencrypt set to and it was accessible externally from both, so the forwarding looks correct. My server is using duckdns to keep my IP updated. Anyone know what might be going on here or have things I can try?

1 hour ago, halorrr said:

So I am so lost in where I am going wrong here and I hope it is something obvious that I'm just missing.

Your port forwarding is incorrect. You need to forward outside port 80 to host's 180

3 hours ago, aptalca said:

Your port forwarding is incorrect. You need to forward outside port 80 to host's 180

Ahhhhh I see, I misunderstood the settings in my router and thought that was the case with how I had it set. Internal to external port forwarding is under "Virtual Servers" in my router. All working now though!


Furthering my setup, I'm trying to get my reverse proxy set up for all my services. I did transmission first, removing .sample from the config name, restarting letsencrypt and it worked beautifully. However the second one I went to do was sonarr, and after removing .sample from the sonarr.subdomain.conf.sample and restarting letsencrypt, the log started spamming this error:

 

nginx: [emerg] unexpected end of file, expecting "}" in /config/nginx/proxy-confs/sonarr.subdomain.conf:36

 

Which I can't really figure out why since the character it is asking for seems to be exactly where it should be and I haven't changed any settings on it:

 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url

server {
    listen 443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    
    # enable for ldap auth, fill in ldap details in ldap.conf 
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
    
    location ^~ /api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
}

Anyone know what is going on here? Also is there a way within letsencrypt to auto forward http to https? So if I type in transmission.mydomain.com it goes to https://transmission.mydomain.com ?

17 minutes ago, halorrr said:

Furthering my setup, I'm trying to get my reverse proxy set up for all my services.

There should be one more } at the end of this config file to close the server section.

 

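nginx reports the missing brace at the end of the file rather than at the block that was never closed, which is why line 36 of the config above looked fine. The checker below is an added example, not linuxserver.io code: it walks the braces itself, skipping comments and quoted strings, and names the block and line where the unclosed `{` sits. SAMPLE is a constructed, shortened copy of the sonarr config posted above.

```python
"""Report every nginx block left unclosed, with the line where it opened.
Added example, not linuxserver.io code: nginx only says 'unexpected end of
file, expecting "}"' at the last line, so this walks the braces itself,
skipping '#' comments and quoted strings. SAMPLE is constructed."""

def unclosed_blocks(text):
    """Return [(line_no, block_header)] for every '{' that never gets a '}'."""
    stack, header, quote = [], "", None
    line_no, i = 1, 0
    while i < len(text):
        ch = text[i]
        if quote:                          # inside "..." or '...'
            if ch == "\\":
                i += 1                     # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch == "#":                    # comment runs to end of line
            end = text.find("\n", i)
            i = len(text) if end < 0 else end
            continue
        elif ch in "\"'":
            quote = ch
        elif ch == "{":                    # block opens: remember its header
            stack.append((line_no, " ".join(header.split())))
            header = ""
        elif ch == "}":
            if not stack:
                raise SyntaxError(f"line {line_no}: '}}' has no matching '{{'")
            stack.pop()
            header = ""
        elif ch == ";":                    # directive ended, start a new header
            header = ""
        if ch == "\n":
            line_no += 1
        if ch not in "{};":
            header += ch
        i += 1
    return stack

SAMPLE = """\
# make sure that your dns has a cname set for sonarr
server {
    listen 443 ssl;
    #include /config/nginx/ldap.conf;
    location / {
        #auth_basic "Restricted";
        proxy_pass http://$upstream_sonarr:8989;
    }
    location ^~ /api {
        proxy_pass http://$upstream_sonarr:8989;
}
"""

print(unclosed_blocks(SAMPLE))  # [(2, 'server')]
```

Run it against the real file with `unclosed_blocks(open(path).read())`; an empty list means every block is closed.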
On 9/11/2018 at 1:45 AM, aptalca said:

Post what you have. Either pastebin or screenshots where necessary. 

 

And also, are you going to https://ombi.domain.com

Yes I'm going to that url (where domain is my own domain).

 

Currently I'm trying this:

server {
	listen 80;
	server_name _;
	rewrite ^ https://$host$request_uri? permanent;
}

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	# Replace domain.com with my own domain
	server_name ombi.domain.com;

	# Removed just in case this is sensitive
	ssl_certificate LOCATION_REDACTED;    
	ssl_certificate_key LOCATION_REDACTED;    
	ssl_dhparam LOCATION_REDACTED;    
	ssl_ciphers 'CIPHER_REDACTED';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security "max-age=31536000";


	client_max_body_size 0;

	location / {
		auth_basic off;    
		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.55:12345;	
	}
}

 

11 hours ago, CyberMew said:

Yes I'm going to that url (where domain is my own domain).

Try removing the auth basic lines


Has anyone had any luck setting up Let's Encrypt to work with Blue Iris and Stunnel?

 

I currently have Blue Iris and Stunnel working together (meaning I can port forward my stunnel port in my router and stunnel will redirect to the Blue Iris port, thus giving https). I was hoping to set up Let's Encrypt to work with Stunnel in order to use Let's Encrypt's 443 port and close the Stunnel port to the world.

 

I have Let's Encrypt successfully working with Nextcloud. The Nextcloud config file is "letsencrypt\nginx\site-confs\nextcloud".

 

I was thinking that all I would have to do is copy the nextcloud config and rename it as follows: "letsencrypt\nginx\site-confs\blueiris" and I changed the new blue iris config to as follows:

 

server {
	listen 443 ssl;
	server_name fake.archedraft.server.name.org;

	root /config/www;
	index index.html index.htm index.php;
	
	###SSL Certificates
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	
	###Diffie–Hellman key exchange ###
	ssl_dhparam /config/nginx/dhparams.pem;
	
	###SSL Ciphers
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	
	###Extra Settings###
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

	### Add HTTP Strict Transport Security ###
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header Front-End-Https on;

	client_max_body_size 0;
	
	location /stunnel {
		proxy_pass https://192.168.1.105:8998/stunnel/;
		include /config/nginx/proxy.conf;
	}
	
}

When I restart the Let's Encrypt Docker and attempt to connect to https://fake.archedraft.server.name.org/stunnel, I received the following message in my browser:

404 Not Found
nginx/1.14.0

 

Any ideas on what I am screwing up?

On 8/13/2018 at 6:52 AM, CHBMB said:

Namecheaps API isn't compatible with DNS Auth, I changed my DNS provider to Cloudflare and used their DNS plugin.

Sent from my Mi A1 using Tapatalk
 

Wish I would have read this before I just switched over to them. So is that still true? There's no way to use namecheap with letsencrypt?

I was getting

Detail: DNS problem: SERVFAIL looking up A for

in my letsencrypt log....is that because of namecheap?

 

I'm in the process of moving nameservers over to Cloudflare. Ugh, everything was working perfectly before too. Glutton for punishment

Edited by ffhelllskjdje
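The three validation failures in this thread (the connect timeout in the first post, the 404 in halorrr's log, the SERVFAIL here) all print as "Failed authorization procedure" but point at different layers: no path to port 80 at all, port 80 reaching the wrong service, and the CA failing to resolve the name. This added script, not part of the thread or of linuxserver.io, parses certbot's per-domain failure segments and names the layer; SAMPLE_LOG is constructed from the posts above with tokens and the redacted duckdns name replaced by placeholders.

```python
"""Triage certbot 'Failed authorization procedure' lines.
Added example, not linuxserver.io or certbot code. It splits the per-domain
segments certbot prints and maps the ACME error type to the check that
resolved it in this thread. SAMPLE_LOG is constructed from the posts above."""
import re

SEGMENT_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"(?P<urn>urn:ietf:params:acme:error:\w+)\s*::\s*"
    r"(?P<detail>.*?)(?=(?:,\s*)?[\w.-]+ \([\w-]+\): urn:|\Z)",
    re.S,
)

# ACME error type -> what it turned out to mean in this thread.
CAUSES = {
    "connection": "no TCP connection on public port 80: forward missing or "
                  "ISP/firewall; the forward must land on the host port SWAG "
                  "publishes for 80, not the unRAID GUI",
    "unauthorized": "a web server answered but it was not certbot: port 80 is "
                    "forwarded to the wrong host port, or the A record points "
                    "at another machine",
    "dns": "the CA could not resolve the name (SERVFAIL): nameserver/provider "
           "problem, not port forwarding",
}

SAMPLE_LOG = """\
Failed authorization procedure. 2566335.xyz (http-01): urn:ietf:params:acme:error:connection:: The server could not connect to the client to verify the domain :: Fetching http://2566335.xyz/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem), www.2566335.xyz (http-01): urn:ietf:params:acme:error:connection:: The server could not connect to the client to verify the domain :: Fetching http://www.2566335.xyz/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
Failed authorization procedure. example.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.duckdns.org/.well-known/acme-challenge/TOKEN: "<html>
<head><title>404 Not Found</title></head>"
Failed authorization procedure. example.net (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for example.net
"""

def triage(log_text):
    """Return one dict per failed domain: parsed fields plus the likely cause."""
    results = []
    for chunk in log_text.split("Failed authorization procedure.")[1:]:
        for m in SEGMENT_RE.finditer(chunk.strip()):
            error = m["urn"].rsplit(":", 1)[1]
            url = re.search(r"https?://\S+?(?=:\s)", m["detail"])
            results.append({
                "domain": m["domain"],
                "challenge": m["challenge"],
                "error": error,
                "url": url.group(0) if url else None,
                "cause": CAUSES.get(error, "unknown ACME error type, read the detail"),
            })
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['domain']} [{r['error']}]: {r['cause']}")
```

Feed it the container log or /var/log/letsencrypt/letsencrypt.log; one entry per failed name, so a bare domain and its www alias show up separately as they do in the first post.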
7 hours ago, archedraft said:

Has anyone had any luck setting up Let's Encrypt to work with Blue Iris and Stunnel?

 

 

For anyone wondering the answer is yes! I had to edit my let's encrypt config and made "blueiris" a subdomain. As soon as I changed that it started working immediately. I was also able to close my stunnel port forwarding rule in my router! Let's Encrypt is pretty cool stuff. 😎

 

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name blueiris.random.server.name.org;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location / {
		include /config/nginx/proxy.conf;
		proxy_pass  https://192.168.1.100:8777;	
#		NOTE: Port 8777 is the stunnel port number and not the blue iris http port number
	}
}

 

Edited by archedraft