[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I just received an email from Letsencrypt telling me that I need to renew my certificate because it will expire in 19 days, however when I check my Letsencrypt logs I see this:

<------------------------------------------------->
cronjob running on Tue Jan 21 02:08:00 EST 2020
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/my.site/fullchain.pem expires on 2020-04-16 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Any suggestions for how I can figure out what's going on? Thanks.  


Hello everybody,

 

I wanted to install this container and it failed giving me the following error:

8c411aab6af9fba2f9d3d982c8ac842944fcf80c320d4f90cfe0a3f9c22d181e
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (0ca54bc2bc38d42e5657046a19a28e0acc414439f640a0cba7bf4b711ff43e10): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use.

Don't really know what's up or how to fix it, any suggestions would be greatly appreciated.

I tried installing it on the bridge and on a custom network, both times same error.

Thanks in advance,

Timo
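The "bind: address already in use" error above means something on the Unraid host already owns TCP port 445 (the SMB port, which Unraid itself normally serves), so Docker cannot publish the container on it. Before starting a container with published ports, it helps to see which host ports are already in LISTEN state. The following script is an added example, not code from the thread or from the linuxserver.io project: it reads the kernel's own /proc/net/tcp and /proc/net/tcp6 tables with plain POSIX awk, so it works even where ss or netstat are missing. The sample table embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP ports already in LISTEN state
# by reading /proc/net/tcp and /proc/net/tcp6 directly, without ss/netstat.

# listening_ports [TABLE_FILE...]
# Prints bound TCP ports in decimal, one per line, sorted and de-duplicated.
# /proc/net/tcp columns: $2 = local address "HEXIP:HEXPORT", $4 = state,
# and state 0A is TCP_LISTEN. Defaults to the live kernel tables.
listening_ports() {
    [ "$#" -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for table in "$@"; do
        [ -r "$table" ] || continue
        awk '
            # hex string -> decimal, using only POSIX awk builtins
            function hex2dec(h,   i, v) {
                v = 0
                for (i = 1; i <= length(h); i++)
                    v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
                return v
            }
            NR > 1 && $4 == "0A" {
                split($2, a, ":")
                print hex2dec(a[2])
            }' "$table"
    done | sort -n -u
}

# port_in_use PORT [TABLE_FILE...]
# Exit status 0 if PORT is bound in LISTEN state, 1 otherwise.
port_in_use() {
    port="$1"; shift
    listening_ports "$@" | grep -qx "$port"
}

# Constructed sample of a /proc/net/tcp table (not captured from a real host):
# port 445 (0x01BD) and 8443 (0x20FB) are listening; port 80 (0x0050) appears
# only as an ESTABLISHED connection (state 01) and must not be reported.
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

# Parse the constructed sample; prints "445 8443" on one line.
demo_listening_ports() {
    tmp=$(mktemp)
    sample_tcp_table > "$tmp"
    listening_ports "$tmp" | paste -sd ' ' -
    rm -f "$tmp"
}

# demo_port_in_use PORT: check PORT against the constructed sample.
demo_port_in_use() {
    tmp=$(mktemp)
    sample_tcp_table > "$tmp"
    if port_in_use "$1" "$tmp"; then status=0; else status=1; fi
    rm -f "$tmp"
    return "$status"
}

# Live usage on the host, before starting the container:
#   for p in 80 443 445; do port_in_use "$p" && echo "host port $p is already bound"; done
```

Any port the loop reports is one that a `-p HOSTPORT:CONTAINERPORT` mapping cannot take; in this thread's case that means checking the template's port mappings for a host port of 445 and moving it to a free one (the thread's other posts use 180/1443 or 8080/8443 for the container's 80/443).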

 


I am having a problem getting letsencrypt to work in Unraid. I followed the instructions provided in the spaceinvader one video and I am getting this in the letsencrypt log:

http-01 challenge for sflalife-bw.ddns.net
http-01 challenge for sflalife.ddns.net
Waiting for verification...
Challenge failed for domain sflalife-bw.ddns.net
Challenge failed for domain sflalife.ddns.net

 

I am forwarding the following ports in pfsense:

WAN HTTP (80) > Unraid server IP port 180

WAN HTTPS (443) > Unraid server IP port 1443

 

I am using a custom network ‘proxynet’ and I can see letsencrypt is getting an IP.

I am using a VPN for my entire local network and have set up an alias for unraid to bypass the VPN and connect through the ISP provided public IP.

I have pfblocker set up in pfsense which is used to block ads.

I have tried disabling each of these services to see if they are the problem.

I am using No-IP for my subdomains. When I ping my subdomain, it resolves to my current external IP number.

I know I am missing something, I just can’t figure out what it is.

Hopefully someone out there has a similar setup and has had success getting letsencrypt to work.

On 1/21/2020 at 7:43 PM, aptalca said:

 

That email means, "one of the certs that you received with that email address is expiring". In this case, it's not the cert that your server is currently using.

Ah okay, thanks. I was just a little concerned because it listed all of the domains/subdomains I certify through the Letsencrypt container, and I'd never received one of these emails over the last three or four years of using Letsencrypt. 


I've had this container running for some time, and until recently it's been fine. However, my certs now aren't being renewed. I'm being told that the cert I have assigned to my nextcloud instance has expired. I'm getting the following logs in my letsencrypt container:

nginx: [emerg] still could not bind()
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)

I hope someone can help with this. I'm not sure what to do. There are no other apps that are using 180/1443 on the unraid server.

Edited by manderso

I set up router port forwarding for letsencrypt 80 > 8080 and 443 > 8443

I am using xxxx.ddns.net services

I have also created a custom network "proxynet"

The log file is showing "Server Ready"

but when I am trying to access my sites like next.ddns.net (example), I get the error "The site can't be reached", "ERR_CONNECTION_RESET". I can ping next.ddns.net though

What other information do I need to provide? Please help

Update:

Found out the issue, it seems I can't resolve dyndns on the same network, anyone know how to solve this?

 

Update 2:

Fixed, CTF broke NAT loopback

Edited by Kira
13 hours ago, manderso said:

I've had this container running for some time, and until recently it's been fine. However, my certs now aren't being renewed. I'm being told that the cert I have assigned to my nextcloud instance has expired. I'm getting the following logs in my letsencrypt container:


nginx: [emerg] still could not bind()
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address in use)

I hope someone can help with this. I'm not sure what to do. There are no other apps that are using 180/1443 on the unraid server.

Did you change it to host networking?

Because right now nginx isn't even starting.

 

You said "I'm being told that the cert. . . has expired". Who told you that? Email or browser?


Onlyoffice DS docker needs the certificates installed in /mnt/user/appdata/onlyofficeds/Data/certs folder. I copied the certs from letsencrypt to this folder. It works. But, I need to find a way to automate the certs from LE docker as the static LE certs in onlyoffice docker will expire in max. 3 months. How can I do that? Does a symbolic link to LE certs work? Or should I set a cron job to copy LE certs everyday?

Thanks.

4 hours ago, aptalca said:

Did you change it to host networking?

Because right now nginx isn't even starting.

 

You said "I'm being told that the cert. . . has expired". Who told you that? Email or browser?

That came from nextcloud that said my cert had expired.

And I haven't changed any settings, including networking. I had followed spaceinvader's guide for setting up nextcloud behind a letsencrypt cert, and that's using a proxynet network I set up for this purpose.

1 hour ago, manderso said:

That came from nextcloud that said my cert had expired.

And I haven't changed any settings, including networking. I had followed spaceinvader's guide for setting up nextcloud behind a letsencrypt cert, and that's using a proxynet network I set up for this purpose.

What do you mean by nextcloud told you?

23 hours ago, Kira said:

I set up router port forwarding for letsencrypt 80 > 8080 and 443 > 8443

I am using xxxx.ddns.net services

I have also created a custom network "proxynet"

The log file is showing "Server Ready"

but when I am trying to access my sites like next.ddns.net (example), I get the error "The site can't be reached", "ERR_CONNECTION_RESET". I can ping next.ddns.net though

What other information do I need to provide? Please help

Update:

Found out the issue, it seems I can't resolve dyndns on the same network, anyone know how to solve this?

 

Update 2:

Fixed, CTF broke NAT loopback

How did you fix it exactly? I'm having the same issue.

 

Update: issue fixed. Thank you for pointing to CTF being the root cause! I've been fiddling with my router settings for almost 3 weeks now :)

Edited by izarkhin
15 hours ago, sse450 said:

Onlyoffice DS docker needs the certificates installed in /mnt/user/appdata/onlyofficeds/Data/certs folder. I copied the certs from letsencrypt to this folder. It works. But, I need to find a way to automate the certs from LE docker as the static LE certs in onlyoffice docker will expire in max. 3 months. How can I do that? Does a symbolic link to LE certs work? Or should I set a cron job to copy LE certs everyday?

Thanks.

It's explained in the readme

4 hours ago, phyzical said:

Hey again!

 

Are there any references you can provide in regards to php-fpm setup?

 

Or is this out of the scope of the docker configs and just requires manually connecting to the box and adding the appropriate confs fpm side?

 

Thanks!

What are you trying to do?

 

Php is already set up and ready to go. The default nginx site config has a php block that works out of the box for the main server block.

15 hours ago, manderso said:

Looking at page information, on the security tab in firefox, for my nextcloud page, I see

Verified by: Let's Encrypt,

Expires on: December 28, 2019.

Did you copy the certificate from the letsencrypt container to the Nextcloud container?

If you are using reverse proxy, check what the browser says about the certificate.

8 hours ago, aptalca said:

Just replicate that php block for any server blocks you need

I figured it was that simple, but the part that I don't know is how each block lines up with a particular app.

But now that I think about it, what I remember from when I used GUIs (ISPConfig etc.) is that the blocks line up with a user, not an nginx server directive.

Or am I wrong on that?

Thanks!

2 hours ago, phyzical said:

I figured it was that simple, but the part that I don't know is how each block lines up with a particular app.

But now that I think about it, what I remember from when I used GUIs (ISPConfig etc.) is that the blocks line up with a user, not an nginx server directive.

Or am I wrong on that?

Thanks!

?? Php-fpm is just a processor. Your index file and root directive tell nginx where the necessary files are. When php files are called, they are sent to the processor.

 

What exactly are you trying to accomplish here? What are these apps you're referring to?

46 minutes ago, aptalca said:

?? Php-fpm is just a processor. Your index file and root directive tell nginx where the necessary files are. When php files are called, they are sent to the processor.

 

What exactly are you trying to accomplish here? What are these apps you're referring to?

So what I mean is I want to have a separate pool per nginx server directive: one pool for website-a and another for website-b. I'm just trying to achieve separation of envs through php-fpm.

So if I add a new pool for [website-a], how does it line up with the website-a server directive?

Sorry if I'm not being clear enough.

Thanks!
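The wiring being asked about is a single value: the pool's `listen` socket and the `fastcgi_pass` in the server block must name the same path; the `[website-a]` pool name is only a label. The script below is an added example, not the container's own configuration or anything from the thread: it generates one pool per site under its own Unix user and socket, the matching nginx `location` to drop into that site's server block, and then checks that both sides agree. The directories, pool users and the nginx worker user are assumptions for the demo (the linuxserver container's real paths and user differ).

```shell
#!/bin/sh
# Added example (not from the thread or the linuxserver.io container):
# one php-fpm pool per nginx server block, each under its own user and
# socket, plus a check that the pool and the nginx block agree on the socket.
# Paths, users and site names below are assumptions for the demo.

# write_site_pool SITE USER POOL_DIR NGINX_DIR
# Creates POOL_DIR/SITE.conf (php-fpm pool) and NGINX_DIR/SITE-php.conf
# (nginx location to include inside SITE's server block).
write_site_pool() {
    site="$1"; user="$2"; pool_dir="$3"; nginx_dir="$4"
    sock="/run/php/$site.sock"                 # assumed socket directory
    nginx_user="${NGINX_USER:-nginx}"          # assumed nginx worker user
    mkdir -p "$pool_dir" "$nginx_dir"
    # Running each pool as its own user is what keeps website-a's PHP from
    # reading website-b's files; open_basedir narrows it further.
    cat > "$pool_dir/$site.conf" <<EOF
[$site]
user = $user
group = $user
listen = $sock
; the nginx worker must be able to connect to this socket
listen.owner = $nginx_user
listen.group = $nginx_user
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /config/www/$site:/tmp
EOF
    # The only thing that ties this location to the pool above is the socket.
    cat > "$nginx_dir/$site-php.conf" <<EOF
location ~ \\.php$ {
    fastcgi_pass unix:$sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
}
EOF
}

# check_pool_wiring POOL_CONF NGINX_CONF
# Exit 0 when the pool's "listen =" socket equals nginx's "fastcgi_pass unix:".
check_pool_wiring() {
    pool_sock=$(sed -n 's/^listen[[:space:]]*=[[:space:]]*//p' "$1")
    nginx_sock=$(sed -n 's/.*fastcgi_pass[[:space:]]*unix:\([^;]*\);.*/\1/p' "$2")
    [ -n "$pool_sock" ] && [ "$pool_sock" = "$nginx_sock" ]
}

# Generate two sites in a temp dir and verify the checker accepts a matching
# pair and rejects a crossed one. Prints "matched=1 crossed_detected=1".
demo_pool_wiring() {
    root=$(mktemp -d)
    write_site_pool website-a wwwa "$root/php-fpm.d" "$root/nginx"
    write_site_pool website-b wwwb "$root/php-fpm.d" "$root/nginx"
    ok=0; crossed=0
    check_pool_wiring "$root/php-fpm.d/website-a.conf" "$root/nginx/website-a-php.conf" && ok=1
    # website-a's pool against website-b's nginx block must fail the check
    check_pool_wiring "$root/php-fpm.d/website-a.conf" "$root/nginx/website-b-php.conf" || crossed=1
    rm -rf "$root"
    echo "matched=$ok crossed_detected=$crossed"
}
```

After generating, each site's server block gets `include /path/to/website-a-php.conf;` in place of the default php block, and php-fpm picks up the new pool file from its pool directory on reload. Running the check over every pool/location pair after an edit catches the common failure where a server block still points at the shared socket or at another site's pool.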

On 1/25/2020 at 8:16 AM, aptalca said:

It's explained in the readme

@aptalca , thank you for indicating the readme file. I successfully mounted the LE config folder to the onlyoffice docker. However, I still need to present the certs with the filenames onlyoffice requires (onlyoffice.crt, onlyoffice.key). Should I use "ln -s" or create a cron job to copy the LE certs under the filenames required?

 

I would appreciate any advice. Thank you.
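Two properties of certbot's layout decide the symlink-versus-copy question: the files under `live/<domain>/` are themselves symlinks into `archive/`, and a symlink is resolved by whichever process opens it, inside that process's own filesystem view, so a link created on the host only works inside the OnlyOffice container if the exact same path is mounted there too. A dereferencing copy run on a schedule avoids both problems. The script below is an added example, not from the thread or the linuxserver.io project; the certbot live directory and the OnlyOffice certs directory are assumptions, and the demo builds a constructed certbot-style tree with placeholder contents (no real key material).

```shell
#!/bin/sh
# Added example (not from the thread or the linuxserver.io project): copy the
# current Let's Encrypt cert and key into the file names OnlyOffice expects,
# only when they changed, with tight permissions on the private key.

# sync_le_certs LIVE_DIR DEST_DIR
# LIVE_DIR is certbot's live/<domain> directory (assumed path), DEST_DIR the
# app's certs directory. Prints "updated" or "unchanged"; exit 2 if a source
# file is missing.
sync_le_certs() {
    live="$1"; dest="$2"; changed=0
    mkdir -p "$dest"
    for pair in "fullchain.pem:onlyoffice.crt" "privkey.pem:onlyoffice.key"; do
        src="$live/${pair%%:*}"
        dst="$dest/${pair##*:}"
        if [ ! -r "$src" ]; then
            echo "missing $src" >&2
            return 2
        fi
        # cmp follows the live/ symlink; it also fails (so we copy) when the
        # destination does not exist yet.
        if ! cmp -s "$src" "$dst"; then
            # -L copies the archive/ target rather than the symlink itself.
            # Write to a temp name then rename so a reader never sees a
            # half-written key.
            cp -L "$src" "$dst.tmp"
            mv "$dst.tmp" "$dst"
            changed=1
        fi
    done
    chmod 0644 "$dest/onlyoffice.crt"
    chmod 0600 "$dest/onlyoffice.key"
    if [ "$changed" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# Self-contained demo on a constructed certbot-style tree in a temp dir.
# Prints "updated unchanged updated keymode600=1": first copy, idempotent
# re-run, and a simulated renewal that re-points the live/ symlinks.
demo_cert_sync() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/my.site" "$root/live/my.site"
    # Constructed placeholder contents, not real certificates or keys.
    printf 'CERT-V1\n' > "$root/archive/my.site/fullchain1.pem"
    printf 'KEY-V1\n'  > "$root/archive/my.site/privkey1.pem"
    ln -s ../../archive/my.site/fullchain1.pem "$root/live/my.site/fullchain.pem"
    ln -s ../../archive/my.site/privkey1.pem   "$root/live/my.site/privkey.pem"

    r1=$(sync_le_certs "$root/live/my.site" "$root/certs")
    r2=$(sync_le_certs "$root/live/my.site" "$root/certs")

    # Simulate a renewal the way certbot does it: new archive files, live/
    # symlinks re-pointed at them.
    printf 'CERT-V2\n' > "$root/archive/my.site/fullchain2.pem"
    printf 'KEY-V2\n'  > "$root/archive/my.site/privkey2.pem"
    ln -sf ../../archive/my.site/fullchain2.pem "$root/live/my.site/fullchain.pem"
    ln -sf ../../archive/my.site/privkey2.pem   "$root/live/my.site/privkey.pem"
    r3=$(sync_le_certs "$root/live/my.site" "$root/certs")

    key_ok=$(find "$root/certs" -name onlyoffice.key -perm 0600 | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$r1 $r2 $r3 keymode600=$key_ok"
}

# Cron usage (assumed paths): run daily and restart the app only on change.
#   [ "$(sync_le_certs /mnt/user/appdata/letsencrypt/etc/letsencrypt/live/my.site \
#        /mnt/user/appdata/onlyofficeds/Data/certs)" = updated ] && docker restart onlyofficeds
```

Because the copy is idempotent, a daily cron run is cheap, and keying the container restart off the "updated" result means OnlyOffice is only bounced when the certificate actually rolled over rather than every day.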
