aptalca Posted July 3, 2019
34 minutes ago, dbinott said: I thought I saw somewhere that the certs are supposed to be auto-updated, but I keep getting emails from LE that it's going to expire and now expires in 10 days. Is there a way to just do it manually?
Read the last few posts.
aptalca Posted July 3, 2019
4 hours ago, blaine07 said: Certs this time aren't expired; last time when they were due up for renewal they didn't renew, but that was resolved by addition of a fictitious site, starting up and errors, removing and restarting, and certs renewed. Seems like a lot are having some issue at some capacity with certs not auto renewing for some reason though.
You keep insinuating that a lot of people are having renewal issues, therefore there must be something wrong with the image. However, 1) Users aren't even checking whether their certs are really expiring, which can be easily done in a browser by clicking on the lock icon, but instead rely on an e-mail that is non-specific and may not even be about the cert that is currently used (you included). 2) Nobody's checking their logs to see what the issues may be that cause a non-renewal (also you included). The logs are rotated weekly and 52 log files are kept. That means you have up to a year's worth of renewal attempt logs. Feel free to go back and find the ones that failed, and if you really do identify a bug with the image, we'll fix it.
blaine07 Posted July 3, 2019
aptalca said: You keep insinuating that a lot of people are having renewal issues, therefore there must be something wrong with the image. However, 1) Users aren't even checking whether their certs are really expiring, which can be easily done in a browser by clicking on the lock icon, but instead rely on an e-mail that is non-specific and may not even be about the cert that is currently used (you included). 2) Nobody's checking their logs to see what the issues may be that cause a non-renewal (also you included). The logs are rotated weekly and 52 log files are kept. That means you have up to a year's worth of renewal attempt logs. Feel free to go back and find the ones that failed, and if you really do identify a bug with the image, we'll fix it.
I never said there was anything wrong with the image at all. Ray Charles could see all the comments with people having issues getting them to renew though; consensus on WHY, I haven't a clue. I wouldn't have any idea if there was something wrong with the image; way beyond my skill set, and I know that, so who would I be to say there is definitively something wrong with the image? I DID say certs not renewing seems to be common; I didn't further specify whether it was the image's fault or the end user's fault. Wasn't aware logs are kept 52 weeks, thanks! Mine is due to expire in October so I'll see what happens there. I just know last time it was to renew it didn't do it on its own, and I had to do as I mentioned above to get them renewed. Perhaps a one-time fluke for all I know, but seeing others having issues getting them to renew piqued my interest. You mentioned a lot of users jack with port 80 or DNS mappings and I asked how one would know they had, as it's entirely possible I unknowingly did. Still not sure where or in what config those get changed. Regardless, calm down, I'm grateful for all the work that goes into building and maintaining these dockers.
I'm not retarded; it's a lot of time, work and effort to maintain these. I'm also well aware that about 4.9/5 of all the issues you guys deal with in relation to these are end user idiocracy problems. I'm not positive if you felt I was being rude or what the deal is, but I most certainly wasn't intending to be.
Guest Posted July 3, 2019
On 6/30/2019 at 9:39 PM, aptalca said: Then check your port forwarding and post your docker log here
https://gyazo.com/6e605ce33080800e63484fc586b8e253 - Port Forward
https://gyazo.com/0295f867d135a13546fa9348816cd201 - Docker Log
Mindsgoneawol Posted July 3, 2019
Okay. I'm stumped... I can't get letsencrypt to see port 80 or 443. Ports are forwarded correctly (just replaced the router too....). Turned in the Suddenlink modem and bought my own (Netgear CM700, which I have had for about a year actually and never activated, and finally have). Called "tech support" 4 times now just to be told they don't block ports. Ports are blocked by their modem and if I have my own no ports are blocked. Yet both ports are closed. I set up an Ubuntu VM with ownCloud which would redirect but only listened on port 443, even though I forwarded both those ports to the VM. Not sure if it makes any sense, but even when I try to use my domain I get "Refused to connect". Any ideas where I should be looking? Am I missing something?
aptalca Posted July 4, 2019
7 hours ago, MarkPla7z said: https://gyazo.com/6e605ce33080800e63484fc586b8e253 - Port Forward https://gyazo.com/0295f867d135a13546fa9348816cd201 - Docker Log
It's all working from here. Check your sonarr if you don't believe me 😁 You really should password protect those services.
ijuarez Posted July 4, 2019
aptalca said: It's all working from here. Check your sonarr if you don't believe me. You really should password protect those services.
The faster the better, otherwise the interwebs will have their way with you. And leave you without a lobster dinner and an almost empty jar of Vaseline.
darkreeper Posted July 4, 2019
Hey guys, I have a little problem with my reverse-proxy config for DokuWiki. I am using the new ls.io dokuwiki docker and I am not sure what I am doing wrong. I have used the sample config and modified it to my needs. You can find it here: DokuWiki Nginx Conf. The docker container has the name "dokuwiki" and the network interface is changed to my user-defined proxynet. The port also matches. The CNAME is registered too, and working, since I get a 502 from nginx. That's why I think it should be something with the config. The DokuWiki docker is running fine and I can reach it locally. Other containers like Collabora, Nextcloud or Ombi work totally fine this way. I hope someone has an idea. Thx.
Guest Posted July 4, 2019 (edited)
11 hours ago, aptalca said: It's all working from here. Check your sonarr if you don't believe me 😁 You really should password protect those services.
Hahaha, thanks for that, I just realised you have to type https in the header.
Update: now using Cloudflare DNS I can access it without typing https in the header. However I do have a quick question, which is: can I make my heimdall container go to www.mydomain.com or server.mydomain.com rather than heimdall.mydomain.com?
aptalca Posted July 4, 2019
2 hours ago, MarkPla7z said: Hahaha, thanks for that, I just realised you have to type https in the header. Update: now using Cloudflare DNS I can access it without typing https in the header. However I do have a quick question, which is: can I make my heimdall container go to www.mydomain.com or server.mydomain.com rather than heimdall.mydomain.com?
Yup, edit the heimdall subdomain conf and change the server name directive to www.* or server.*
aptalca Posted July 4, 2019
5 hours ago, darkreeper said: Hey guys, I have a little problem with my reverse-proxy config for DokuWiki. I am using the new ls.io dokuwiki docker and I am not sure what I am doing wrong. I have used the sample config and modified it to my needs. You can find it here: DokuWiki Nginx Conf. The docker container has the name "dokuwiki" and the network interface is changed to my user-defined proxynet. The port also matches. The CNAME is registered too, and working, since I get a 502 from nginx. That's why I think it should be something with the config. The DokuWiki docker is running fine and I can reach it locally. Other containers like Collabora, Nextcloud or Ombi work totally fine this way. I hope someone has an idea. Thx.
Don't change the port in the proxy confs.
Guest Posted July 4, 2019
2 minutes ago, aptalca said: Yup, edit the heimdall subdomain conf and change the server name directive to www.* or server.*
Ok, perfect. Thank you so much.
darkreeper Posted July 4, 2019
51 minutes ago, aptalca said: Don't change the port in the proxy confs.
Worked perfectly. Thank you. 😀
kelmino Posted July 4, 2019 (edited)
@deepthought I changed those settings and I'm still getting the same issue on my end. I guess the next step would be to revert to default settings and see if that fixes the issue? Also, just to confirm I have the right ports, I did attach a screenshot of my letsencrypt docker ports.
Edit: Another thing I just noticed is that if I type my normal duckdns URL without the /sonarr behind it, it does bring me to my router settings from inside my network and doesn't give me any errors.
Edit2: I did reset everything to default and kept the same settings as I posted, with no fixes.
Endy Posted July 4, 2019
I could use a little help. I've got the LetsEncrypt docker set up and it's working for things like Emby no problem. Now I am trying to set up some websites for testing. I managed to get a WordPress site working with a .conf file in the site-confs folder so that it uses a subdomain of my domain. So that much works. I've also tried setting up a phpBB forum on its own subdomain, but that isn't working. I add the .conf file for nginx that comes with phpBB to the site-confs folder (modified with my domain details) and I just get an error that it can't connect; the default site and the WordPress site stop working as well. I've tried searching but have not come across anything that has worked so far. Anyone who has successfully gotten phpBB to work with this docker have any ideas?
deepthought Posted July 4, 2019
1 hour ago, kelmino said: @deepthought I changed those settings and I'm still getting the same issue on my end. I guess the next step would be to revert to default settings and see if that fixes the issue? Also, just to confirm I have the right ports, I did attach a screenshot of my letsencrypt docker ports. Edit: Another thing I just noticed is that if I type my normal duckdns URL without the /sonarr behind it, it does bring me to my router settings from inside my network and doesn't give me any errors. Edit2: I did reset everything to default and kept the same settings as I posted, with no fixes.
I was experiencing similar redirections before I got this working, so it still sounds like a similar issue. My first thought was to have you delete and re-create the port forwards while the LAN interface option is set correctly - I'm not sure if the loopback stuff is set correctly if the rules are created while other parameters are bad. But if you started from a fresh default config then there's no point in trying again I guess. I'll post my edgeos and docker configs later this evening and you can compare yours to mine.
deepthought Posted July 5, 2019 (edited)
@kelmino See below for my edgeos config and letsencrypt settings. Might be helpful to compare our edgeos configs - mine is only very mildly modified from the default config created via the Basic Setup wizard. One thing I notice is that your network type for letsencrypt differs from mine - you're using the default bridge mode instead of a custom proxy network. The Spaceinvader One tutorial I followed had a section on this, and while I won't pretend to understand the specifics of it, here is the link for that portion of the video: https://youtu.be/I0lhZc25Sro?t=692. Might be worth checking out.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Desktop
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Server
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description unplugged
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description "WiFi AP"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description plex
        forward-to {
            address 192.168.1.38
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 2 {
        description openvpn
        forward-to {
            address 192.168.1.38
            port 1194
        }
        original-port 1194
        protocol udp
    }
    rule 3 {
        description "letsencrypt 80"
        forward-to {
            address 192.168.1.38
            port 180
        }
        original-port 80
        protocol tcp_udp
    }
    rule 4 {
        description "letsencrypt 443"
        forward-to {
            address 192.168.1.38
            port 1443
        }
        original-port 443
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name comnetdhcp {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
                static-mapping cc-ultra {
                    ip-address 192.168.1.40
                    mac-address
                }
                static-mapping ipad1 {
                    ip-address 192.168.1.52
                    mac-address
                }
                static-mapping lap1 {
                    ip-address 192.168.1.53
                    mac-address
                }
                static-mapping phone2 {
                    ip-address 192.168.1.51
                    mac-address
                }
                static-mapping server {
                    ip-address 192.168.1.38
                    mac-address
                }
                static-mapping desktop {
                    ip-address 192.168.1.69
                    mac-address
                }
                static-mapping phone1 {
                    ip-address 192.168.1.61
                    mac-address
                }
                static-mapping vm {
                    ip-address 192.168.1.42
                    mac-address
                }
                static-mapping wifi-ap-1 {
                    ip-address 192.168.1.10
                    mac-address
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection
    }
}
system {
    host-name comnet
    ipv6 {
        disable
    }
    login {
        user admin {
            authentication {
                encrypted-password
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 1.1.1.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}
kelmino Posted July 5, 2019
@deepthought Whelp, I think I'm about done with this. It's not worth the time I keep putting into it; I'll just make new bookmarks for internal links and be done with it. Everything works from outside the network, and that's the main thing; the rest I can just deal with. I did end up changing it over to a custom proxy network and it didn't seem to help. I ended up following the video through to the end, doing the steps that related to that and sonarr to see if it would work, with the same end results.
@deepthought I really do appreciate all of the work that you've done with this and with helping me as much as you have. I've spent probably 5 hours on this particular issue over the course of all of this, and it's really just not worth it for me to put any more time in. If I find a solution later then cool, if not ¯\_(ツ)_/¯. Not a huge deal; I have other things to work on with the server that I'd rather spend time on. Maybe I'll come back to this later when everything else is done (lol, like I'm ever going to truly be done).
slimshizn Posted July 6, 2019
I have had the same issue for a bit now, could never figure out what it truly was. Never changed any settings on the USG3, or the letsencrypt container. No idea.
Lien1454 Posted July 6, 2019
On 7/1/2019 at 9:47 PM, aptalca said: Open your domain in a browser and click on the lock to see if it really expired. If so, check the log in the config folder under letsencrypt to see why the renewal failed.
Yes, that is where I was noticing that they had expired, in the lock in the browser. The certificate expired on 02 June 2019, 11:01. The current time is 06 July 2019, 15:17. Error code: SEC_ERROR_EXPIRED_CERTIFICATE. No activity in the log file for a while it seems. This is the contents of the file... I've edited and removed my domain and replaced it with "private".

<------------------------------------------------->
<------------------------------------------------->
cronjob running on Sat Feb 23 02:08:00 GMT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Fri Mar 1 02:08:00 GMT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private.me/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Sun Mar 10 02:08:00 GMT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-06-02 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
aptalca Posted July 6, 2019
1 hour ago, Lien1454 said: Yes, that is where I was noticing that they had expired, in the lock in the browser. The certificate expired on 02 June 2019, 11:01. The current time is 06 July 2019, 15:17. Error code: SEC_ERROR_EXPIRED_CERTIFICATE. No activity in the log file for a while it seems. This is the contents of the file... I've edited and removed my domain and replaced it with "private".
Those logs are from March and they are several days apart. I'm guessing you shut down the container at night, which is when it's supposed to renew the certs.
Lien1454 Posted July 6, 2019
10 minutes ago, aptalca said: Those logs are from March and they are several days apart. I'm guessing you shut down the container at night, which is when it's supposed to renew the certs.
Do you know at what time the cron job runs, or how I can find out? Thanks.
saarg Posted July 6, 2019
2 hours ago, Lien1454 said: Do you know at what time the cron job runs, or how I can find out? Thanks.
At 02:00 AM if I remember correctly.
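A parser for the renewal log format Lien1454 posted above, written as an added example for this thread (it is not part of the linuxserver image or anything posted here). It splits the log at each "cronjob running on" header, counts the nights with no run, which is the gap aptalca pointed at, and checks whether any run fell inside certbot's 30-day renewal window. The nightly schedule, the sample log and the "failed" wording used to classify unsuccessful runs are assumptions.

```python
"""Parse the renewal log written by the linuxserver letsencrypt container's
nightly cron job and explain why a cert could lapse.  Added example, not
part of the image."""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample in the format of the excerpt posted above (domain
# redacted to "private" as the poster did): three runs, days apart.
SAMPLE_LOG = """\
<------------------------------------------------->
cronjob running on Sat Feb 23 02:08:00 GMT 2019
Running certbot renew
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
<------------------------------------------------->
cronjob running on Fri Mar  1 02:08:00 GMT 2019
Running certbot renew
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
<------------------------------------------------->
cronjob running on Sun Mar 10 02:08:00 GMT 2019
Running certbot renew
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-06-02 (skipped)
No renewals were attempted.
"""

RUN_RE = re.compile(r"^cronjob running on (.+?)\s*$", re.MULTILINE)
EXPIRES_RE = re.compile(r"expires on (\d{4}-\d{2}-\d{2})")
RENEW_WINDOW = timedelta(days=30)  # certbot renews once under 30 days remain
# Assumption: the cron job fires once a night (around 02:00 per the thread).


@dataclass
class Run:
    started: datetime
    status: str              # "skipped", "renewed" or "failed"
    expires: Optional[date]  # expiry certbot printed when it skipped the cert


def parse_stamp(stamp: str) -> datetime:
    """'Fri Mar  1 02:08:00 GMT 2019' -> naive datetime (zone name dropped)."""
    _dow, mon, day, clock, _zone, year = stamp.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_runs(text: str) -> List[Run]:
    """One Run per 'cronjob running on' header; its body is what follows."""
    runs = []
    heads = list(RUN_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        if "No renewals were attempted" in body:
            status = "skipped"
        elif "failed" in body:  # assumption: certbot's failure wording
            status = "failed"
        else:
            status = "renewed"
        hit = EXPIRES_RE.search(body)
        expires = date.fromisoformat(hit.group(1)) if hit else None
        runs.append(Run(parse_stamp(head.group(1)), status, expires))
    return runs


def missed_nights(runs: List[Run]) -> List[Tuple[datetime, datetime, int]]:
    """(previous run, next run, nights with no run) for every gap over a day."""
    gaps = []
    for prev, nxt in zip(runs, runs[1:]):
        missed = (nxt.started - prev.started).days - 1
        if missed > 0:
            gaps.append((prev.started, nxt.started, missed))
    return gaps


def diagnose(runs: List[Run], now: datetime) -> List[str]:
    """Findings: missed nights, stale log, expired cert, missed renewal window."""
    if not runs:
        return ["no cron runs found in the log at all"]
    findings = [f"{n} nightly run(s) missing between {a:%Y-%m-%d} and "
                f"{b:%Y-%m-%d}: the container was not running at cron time"
                for a, b, n in missed_nights(runs)]
    last = runs[-1]
    stale = (now - last.started).days
    if stale > 1:
        findings.append(f"last logged run was {stale} days ago ({last.started:%Y-%m-%d})")
    if last.expires:
        window_open = datetime.combine(last.expires, datetime.min.time()) - RENEW_WINDOW
        if now.date() > last.expires:
            findings.append(f"cert expired on {last.expires}")
        if last.started < window_open < now:
            findings.append("no run logged inside the renewal window that "
                            f"opened on {window_open:%Y-%m-%d}")
    return findings


def analyze(text: str, now_iso: str) -> List[str]:
    """Log text plus an ISO timestamp for 'now' -> list of findings."""
    return diagnose(parse_runs(text), datetime.fromisoformat(now_iso))
```

Run it against the container's own log with `analyze(open("/config/log/letsencrypt/letsencrypt.log").read(), "2019-07-06T15:17")` (path assumed); a gap between runs means the container was down at cron time, and a stale last run with the cert already expired matches the situation in the thread.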
Essaith Posted July 9, 2019
Hey, I have a problem since last Wednesday. I didn't touch anything with Unraid (I was happy for now with my configuration) but my applications suddenly became unavailable from the external network. Here is my configuration and logs from the Let's Encrypt docker (I've redacted my email and domain name):
Let's Encrypt docker conf:
Let's Encrypt log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Warsaw
URL=[domain]
SUBDOMAINS=homeassistant,plex,minecraft
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=[email]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d homeassistant.[domain] -d plex.[domain] -d minecraft.[domain]
E-mail address entered: [email]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/[domain]/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for homeassistant.[domain]
http-01 challenge for minecraft.[domain]
http-01 challenge for [domain]
http-01 challenge for plex.[domain]
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[domain]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[domain]/privkey.pem
   Your cert will expire on 2019-10-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
    no field package.preload['resty.core']
    no file './resty/core.lua'
    no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
    no file '/usr/local/share/lua/5.1/resty/core.lua'
    no file '/usr/local/share/lua/5.1/resty/core/init.lua'
    no file '/usr/share/lua/5.1/resty/core.lua'
    no file '/usr/share/lua/5.1/resty/core/init.lua'
    no file '/usr/share/lua/common/resty/core.lua'
    no file '/usr/share/lua/common/resty/core/init.lua'
    no file './resty/core.so'
    no file '/usr/local/lib/lua/5.1/resty/core.so'
    no file '/usr/lib/lua/5.1/resty/core.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file './resty.so'
    no file '/usr/local/lib/lua/5.1/resty.so'
    no file '/usr/lib/lua/5.1/resty.so'
    no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

Nginx site-confs/default (I didn't edit any other file):

upstream backend {
    server 192.168.1.116:19999;
    keepalive 64;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name _;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:82/;
    }
    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:8989/sonarr;
    }
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:7878/radarr;
    }
    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:8112/;
        proxy_set_header X-Deluge-Base "/downloads/";
    }
}

server {
    listen 443 ssl http2;
    server_name homeassistant.[domain];
    root /config/www;
    index index.html index.htm index.php;
    location / {
        proxy_pass http://192.168.1.116:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 443 ssl http2;
    server_name plex.[domain];
    proxy_set_header X-Real-IP $remote_addr;
    location / {
        proxy_pass http://192.168.1.116:32400/;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 443 ssl http2;
    server_name minecraft.[domain];
    proxy_set_header X-Real-IP $remote_addr;
    location / {
        proxy_pass http://192.168.1.116:25565/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
    }
}

and my router conf:
I've also needed to set this: (in order to access my apps from the local network using "nice" addresses, because the way my ISP configures the public IP address is that you can't access it from your local network)
Again, I didn't change a thing and this configuration worked for months until last Wednesday. I can see an error in the letsencrypt log but I've found information in this thread that it is unrelated to my issues. Please help?
aptalca Posted July 9, 2019

8 hours ago, Essaith said:

Hey, I have had a problem since last Wednesday. I didn't touch anything in Unraid (I was happy for now with my configuration), but my applications suddenly became unavailable from the external network. Here is my configuration and the logs from the Let's Encrypt docker (I've redacted my email and domain name):

Let's Encrypt docker conf:

Let's Encrypt log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    99
User gid:    100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Warsaw
URL=[domain]
SUBDOMAINS=homeassistant,plex,minecraft
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=[email]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d homeassistant.[domain] -d plex.[domain] -d minecraft.[domain]
E-mail address entered: [email]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/[domain]/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for homeassistant.[domain]
http-01 challenge for minecraft.[domain]
http-01 challenge for [domain]
http-01 challenge for plex.[domain]
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[domain]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[domain]/privkey.pem
   Your cert will expire on 2019-10-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
        no field package.preload['resty.core']
        no file './resty/core.lua'
        no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
        no file '/usr/local/share/lua/5.1/resty/core.lua'
        no file '/usr/local/share/lua/5.1/resty/core/init.lua'
        no file '/usr/share/lua/5.1/resty/core.lua'
        no file '/usr/share/lua/5.1/resty/core/init.lua'
        no file '/usr/share/lua/common/resty/core.lua'
        no file '/usr/share/lua/common/resty/core/init.lua'
        no file './resty/core.so'
        no file '/usr/local/lib/lua/5.1/resty/core.so'
        no file '/usr/lib/lua/5.1/resty/core.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file './resty.so'
        no file '/usr/local/lib/lua/5.1/resty.so'
        no file '/usr/lib/lua/5.1/resty.so'
        no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

Nginx site-confs/default (I didn't edit any other file):

upstream backend {
    server 192.168.1.116:19999;
    keepalive 64;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# plain-HTTP listener: everything is redirected to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# catch-all HTTPS listener using the Let's Encrypt cert
server {
    listen 443 ssl default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name _;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:82/;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:8989/sonarr;
    }

    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:7878/radarr;
    }

    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:8112/;
        proxy_set_header X-Deluge-Base "/downloads/";
    }
}

server {
    listen 443 ssl http2;
    server_name homeassistant.[domain];
    root /config/www;
    index index.html index.htm index.php;
    location / {
        proxy_pass http://192.168.1.116:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 443 ssl http2;
    server_name plex.[domain];
    proxy_set_header X-Real-IP $remote_addr;
    location / {
        proxy_pass http://192.168.1.116:32400/;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # non-standard header name as posted; the conventional one is X-Forwarded-Proto
        proxy_set_header X-Forward-Proto http;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 443 ssl http2;
    server_name minecraft.[domain];
    proxy_set_header X-Real-IP $remote_addr;
    location / {
        proxy_pass http://192.168.1.116:25565/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
    }
}

and my router conf:

I've also needed to set this:

(in order to access my apps from the local network using "nice" addresses, because the way my ISP configures the public IP address means you can't access it from your local network)

Again, I didn't change a thing and this configuration worked for months until last Wednesday. I can see an error in the letsencrypt log, but I've found information in this thread that it is unrelated to my issues. Please help?

Could be a DNS issue (check the IP), could be port forwarding (the router setting looks correct as long as you moved Unraid to a different port), or maybe your ISP just started blocking ports 80 and 443. See here to further troubleshoot (article not published yet, but here's a preview): https://blog.linuxserver.io/p/3959a1d3-d70d-4d1d-a4ef-4dcdc0bcfd94/
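The three causes named in the reply (DNS pointing at the wrong address, router port forwarding, the ISP blocking 80/443) and the expiry date printed in the quoted log can all be checked from a script instead of waiting for a renewal e-mail. The Python below is an added example, not code from the linuxserver image or from anyone in this thread. It parses the container's start-up log for the facts that matter (validation method, whether the previous cert was revoked, the expiry date), reads the expiry of the certificate nginx is actually serving over a verified TLS connection, and turns the DNS/port observations into findings. The sample log text and the IP addresses in the comments are constructed; the domain name and any IPs you pass on the command line are your own.

```python
#!/usr/bin/env python3
"""Reachability and certificate checks for a letsencrypt/nginx reverse proxy.

Added example (not part of the linuxserver image). Run it from OUTSIDE the
LAN, or pass the public IP seen from outside: the poster's ISP does not
hairpin, so a check from inside the LAN gives a false "port closed".
"""
import datetime as dt
import re
import socket
import ssl
import sys

EXPIRY_RE = re.compile(r"Your cert will expire on (\d{4}-\d{2}-\d{2})")
VALIDATION_RE = re.compile(r"^VALIDATION=(\S*)", re.MULTILINE)
REVOKE_MARK = "Revoking and deleting existing certificate"
ISSUED_MARK = "New certificate generated"

# Constructed excerpt in the shape of the container log quoted above.
SAMPLE_LOG = """\
VALIDATION=http
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
   Your cert will expire on 2019-10-07. To obtain a new or tweaked
New certificate generated; starting nginx
"""


def _as_date(d):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, dt.date) else dt.date.fromisoformat(d)


def parse_cert_log(log_text, today):
    """Extract validation method, revocation, issuance, expiry and days left."""
    today = _as_date(today)
    m = EXPIRY_RE.search(log_text)
    expiry = dt.date.fromisoformat(m.group(1)) if m else None
    v = VALIDATION_RE.search(log_text)
    return {
        "validation": v.group(1) if v else None,
        "revoked_previous": REVOKE_MARK in log_text,  # a re-issue, not a renewal
        "issued": ISSUED_MARK in log_text,
        "expiry": expiry,
        "days_left": (expiry - today).days if expiry else None,
    }


def days_left_from_not_after(not_after, today):
    """Days until the notAfter string from getpeercert() (e.g.
    'Oct  7 12:00:00 2019 GMT') relative to `today`."""
    ts = ssl.cert_time_to_seconds(not_after)
    expiry = dt.datetime.fromtimestamp(ts, dt.timezone.utc).date()
    return (expiry - _as_date(today)).days


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (live network check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def served_cert_days_left(host, port=443, today=None):
    """Verify the served chain and return days until it expires. An
    ssl.SSLError here is itself a finding (expired, wrong name, self-signed)."""
    today = today or dt.datetime.now(dt.timezone.utc).date()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return days_left_from_not_after(tls.getpeercert()["notAfter"], today)


def diagnose(domain_ip, public_ip, port80_open, port443_open):
    """Turn observations into findings, in the order the reply checks them."""
    findings = []
    if domain_ip is None:
        findings.append("DNS: domain does not resolve")
    elif public_ip and domain_ip != public_ip:
        findings.append(f"DNS: domain resolves to {domain_ip} but public IP is {public_ip}")
    if not port80_open:
        findings.append("port 80 unreachable: http-01 validation and the 80->443 redirect will fail")
    if not port443_open:
        findings.append("port 443 unreachable: proxied apps unavailable externally")
    if domain_ip and domain_ip == public_ip and not (port80_open and port443_open):
        findings.append("DNS is right; check router forwarding to the container, then ISP blocking of 80/443")
    return findings or ["no problem found; DNS, 80 and 443 all look correct"]


if __name__ == "__main__":
    domain = sys.argv[1]                                  # e.g. plex.example.com (placeholder)
    public_ip = sys.argv[2] if len(sys.argv) > 2 else None  # public IP as seen from outside
    try:
        ip = socket.gethostbyname(domain)
    except socket.gaierror:
        ip = None
    for line in diagnose(ip, public_ip, tcp_port_open(domain, 80), tcp_port_open(domain, 443)):
        print(line)
    if ip and tcp_port_open(domain, 443):
        print("served cert days left:", served_cert_days_left(domain))
    print(parse_cert_log(SAMPLE_LOG, dt.date.today()))
```

The `revoked_previous` flag is worth watching in your own logs: the quoted run did not renew, it revoked the old certificate and issued a fresh one because the validation parameters changed, which is a different event from the weekly renewal attempt and explains why an expiry e-mail about the old certificate can arrive even though the site is serving a valid one.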