[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



19 hours ago, Mirano said:

Perfect thank you,

 

Regarding this: the website loads, but upon opening the shell or looking at the processor graph it doesn't seem to work. Did I do something wrong?

 


Does anyone know what I did wrong? I really want to have this working!

 

Can't wait to hear from you guys!

3 hours ago, aptalca said:

Info in the readme

I am trying to set up f2b for bitwarden_rs, following this: https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup

The jail is running and I have no errors, but it's not working.

 

filter

bitwardenrs.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

 

jail:

# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = false


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log


[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log


[bitwardenrs]

enabled = true
port = http,https
filter = bitwardenrs
logpath = /config/log/nginx/access.log
maxretry = 3
bantime = 14400
findtime = 14400

What am I missing?

3 hours ago, norbertt said:

I am trying to set up f2b for bitwarden_rs, following this: https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup

The jail is running and I have no errors, but it's not working.

 

What am I missing?

Logpath should point to the bitwarden logs. You need to map that folder into letsencrypt.

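The failregex in the posted filter only ever matches lines that bitwarden_rs writes to its own log, so a jail whose logpath is /config/log/nginx/access.log has nothing to match and never bans anyone. The script below is an added example (not part of the thread, fail2ban, or the linuxserver image): it runs the posted failregex and the posted jail parameters (maxretry 3, findtime 14400) over constructed sample lines of both kinds. The log line format, addresses and usernames are constructed, and the <ADDR> expansion is a simplified stand-in for fail2ban's own.

```python
"""Dry-run the posted bitwardenrs filter and jail against sample log lines
(added example; not part of the thread, fail2ban or the linuxserver image)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as in the posted bitwardenrs.conf
FAILREGEX = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"

# fail2ban expands <ADDR> to its own host/IP pattern; this simplified stand-in
# covers IPv4 literals and bracket-free IPv6 literals.
ADDR_PATTERN = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:]+)"

# Parameters from the posted [bitwardenrs] jail section.
MAXRETRY = 3
FINDTIME = 14400  # seconds

# Constructed sample of bitwarden_rs's own log (format and addresses invented
# for this example): this is the file the jail's logpath has to point at.
BITWARDEN_LOG = """\
[2020-02-18 10:00:01][request][INFO] POST /identity/connect/token
[2020-02-18 10:00:01][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: admin@example.com.
[2020-02-18 10:00:09][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: admin@example.com.
[2020-02-18 10:00:15][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.4. Username: bob@example.com.
[2020-02-18 10:00:20][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: admin@example.com.
"""

# Constructed nginx access.log lines for the same failed logins. The failregex
# text never appears here, so a jail reading this file can never ban anyone.
NGINX_ACCESS_LOG = """\
203.0.113.7 - - [18/Feb/2020:10:00:01 +0000] "POST /identity/connect/token HTTP/2.0" 400 118 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2020:10:00:09 +0000] "POST /identity/connect/token HTTP/2.0" 400 118 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2020:10:00:20 +0000] "POST /identity/connect/token HTTP/2.0" 400 118 "-" "Mozilla/5.0"
"""


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban failregex (with <ADDR>) into a Python regex."""
    return re.compile(failregex.replace("<ADDR>", ADDR_PATTERN))


def line_timestamp(line):
    """Timestamp of a (constructed-format) bitwarden_rs log line, or None."""
    m = re.match(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]", line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def run_jail(log_text, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (matched_line_count, banned_addresses).

    Mirrors fail2ban's counting: an address is banned once it has `maxretry`
    failregex matches within a sliding window of `findtime` seconds.
    """
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned, matched = [], 0
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        matched += 1
        addr = m.group("addr")
        ts = line_timestamp(line) or datetime.min
        hits = recent[addr]
        hits.append(ts)
        while ts - hits[0] > window:      # drop hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry and addr not in banned:
            banned.append(addr)
    return matched, banned


if __name__ == "__main__":
    print("bitwarden log :", run_jail(BITWARDEN_LOG))      # (4, ['203.0.113.7'])
    print("nginx access  :", run_jail(NGINX_ACCESS_LOG))   # (0, [])
```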

Hi guys,

 

I tried installing letsencrypt and have watched Spaceinvader's video about it a couple of times now, but I can't manage to get the certificate working...

What I'm trying to do is setting up a reverse proxy, so I can use all of my dockers from anywhere. (like storage.youngspace.xyz pointing to the Nextcloud docker or Stations.youngspace.xyz pointing to guacamole).

 

At this point I've set up a DDNS with Namecheap, but it looks like the IP does not automatically update.

I'm very sure it has something to do with my port forwarding or my domain setup.

(I opened Port 1443, 443, 80, 180)

 

I would be very happy if someone could help me

 

 

 

 

 

letsencrypt log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=youngspace.xyz
SUBDOMAINS=stations
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d stations.youngspace.xyz
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="?
if original_result is 0:
/usr/lib/python3.8/site-packages/digitalocean/LoadBalancer.py:19: SyntaxWarning: "is" with a literal. Did you mean "=="?
if type is 'cookies':
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for stations.youngspace.xyz
http-01 challenge for youngspace.xyz
Waiting for verification...
Challenge failed for domain youngspace.xyz
Challenge failed for domain youngspace.xyz
Challenge failed for domain stations.youngspace.xyz
http-01 challenge for youngspace.xyz
http-01 challenge for stations.youngspace.xyz
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: youngspace.xyz
Type: connection
Detail: Fetching
http://youngspace.xyz/.well-known/acme-challenge/ps1sdQlZOvddALe_-cWAA_fPzt78aLvDmFwxQHqUUc4:
Error getting validation data

Domain: stations.youngspace.xyz
Type: connection
Detail: Fetching
http://stations.youngspace.xyz/.well-known/acme-challenge/a8ULSr2_IHrC2rKuYckXmwU93d_ZuOgInKhPX8ms41w:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

8 hours ago, .youngspace said:

Hi guys,

 

I tried installing letsencrypt and have watched Spaceinvader's video about it a couple of times now, but I can't manage to get the certificate working...

What I'm trying to do is setting up a reverse proxy, so I can use all of my dockers from anywhere. (like storage.youngspace.xyz pointing to the Nextcloud docker or Stations.youngspace.xyz pointing to guacamole).

 

At this point I've set up a DDNS with Namecheap, but it looks like the IP does not automatically update.

I'm very sure it has something to do with my port forwarding or my domain setup.

(I opened Port 1443, 443, 80, 180)

 

I would be very happy if someone could help me

 

 

 

 

 


https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

And

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

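Both failures in the log above are "Type: connection" on the http-01 fetch, which is exactly what the two linked guides walk through. The pre-flight check below is an added example, not the container's own code: it repeats what certbot's note asks you to verify (the A record resolves to your public IP, and the /.well-known/acme-challenge/ path answers on port 80) and is meant to be run from outside the LAN. The resolver and fetcher are injectable so the offline self-test can use constructed stubs; the addresses, token and response bodies in the stubs are constructed.

```python
"""Pre-flight check for http-01 validation (added example; not the container's
own code).  It repeats what certbot's note asks you to verify before re-running
the container: the A record matches your public IP, and the challenge path is
reachable on port 80 from the outside."""
import socket
import sys
import urllib.request
from urllib.error import HTTPError

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_a(domain):
    """IPv4 addresses DNS currently returns for `domain`."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch(url, timeout=10):
    """Plain-HTTP GET, the way the CA's validation servers fetch the token."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


def check_http01(domain, public_ip, token, resolve=resolve_a, fetch=fetch):
    """Findings for one domain; an empty list means nothing obviously wrong.

    `token` is the name of a test file you placed under the challenge path
    (the real token only exists while certbot runs).  `resolve` and `fetch`
    are injectable so the offline demo below can use constructed stubs.
    """
    findings = []
    try:
        addrs = resolve(domain)
    except OSError as exc:               # socket.gaierror is an OSError
        return [f"{domain}: DNS lookup failed ({exc})"]
    if public_ip not in addrs:
        # The CA connects to whatever the A record says, so a stale DDNS
        # record fails before port forwarding even matters.
        findings.append(f"{domain}: A record {addrs} does not contain {public_ip}")
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    try:
        status, body = fetch(url)
    except HTTPError as exc:             # something answered, but not with 200
        status, body = exc.code, ""
    except OSError as exc:               # URLError / socket.timeout are OSErrors
        findings.append(f"{domain}: cannot reach {url} ({exc}); "
                        "check the router forward for port 80 and any firewall")
        return findings
    if status != 200 or token not in body:
        # Port 80 is answered, but not by this container's nginx.
        findings.append(f"{domain}: {url} returned {status} without the token")
    return findings


# Constructed stubs (addresses and bodies are invented) for the offline demo.
def _stub_resolve(domain):
    return ["203.0.113.10"]

def _stub_fetch_ok(url):
    return 200, url.rsplit("/", 1)[1] + ".constructed-thumbprint"

def _stub_fetch_timeout(url):
    raise socket.timeout("timed out")

def _stub_fetch_other_server(url):
    return 404, "<html>Welcome to nginx!</html>"


if __name__ == "__main__":
    # Live run: python check_http01.py <domain> <public-ip> <test-token-filename>
    # Run it from outside the LAN, or NAT loopback can mask a missing forward.
    if len(sys.argv) != 4:
        sys.exit("usage: check_http01.py DOMAIN PUBLIC_IP TOKEN_FILENAME")
    results = check_http01(*sys.argv[1:4]) or ["no obvious problem found"]
    print("\n".join(results))
```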

Hey folks,

Just installed letsencrypt and came across this alert:

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

As I am just starting out with Unraid and dockers, is this a worry?


Greetings

I have a couple of questions regarding the (automated?) certificate renewal of the LetsEncrypt container:

 

I have recently set up my first reverse proxy following Ed's tutorial and everything seems to be working fine.

 

Since I am not yet actively running any apps behind the reverse proxy, I have stopped the LetsEncrypt container and closed the relevant ports on my firewall.

However, I have now received my first email notification saying my certs will expire in the coming 2 weeks.

 

My understanding is, and please correct me if I am wrong, that while the container is actively running, there is a Cron job running every night at 2 AM to auto-renew the certs?

 

1) Is that a fully automated renewal where I don't need to do anything? Or do I need to push any commands manually?

 

2) Is that a daily or a weekly check? I seem to have read contradicting statements about this.

 

3) Is it possible for me to modify that 2AM hour and set my own time of the day? Since I am not actively running the container for now I'd rather not wait until 2AM to try it out. Yes I know I can just leave it running and check the next day, but I am still very cautious about having ports 80 and 443 open to the Internet. For now I would prefer just to open the ports on a per need basis when I renew the certs.

 

Many thanks in advance for any clarifications and guidance :)

3 hours ago, CJandDarren said:

Hey folks,

Just installed letsencrypt and came across this alert:

 


nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

As I am just starting out with Unraid and dockers, is this a worry?

Just an alert. It's harmless.

2 hours ago, MacDingo said:

Greetings

I have a couple of questions regarding the (automated?) certificate renewal of the LetsEncrypt container:

 

I have recently set up my first reverse proxy following Ed's tutorial and everything seems to be working fine.

 

Since I am not yet actively running any apps behind the reverse proxy, I have stopped the LetsEncrypt container and closed the relevant ports on my firewall.

However, I have now received my first email notification saying my certs will expire in the coming 2 weeks.

 

My understanding is, and please correct me if I am wrong, that while the container is actively running, there is a Cron job running every night at 2 AM to auto-renew the certs?

 

1) Is that a fully automated renewal where I don't need to do anything? Or do I need to push any commands manually?

 

2) Is that a daily or a weekly check? I seem to have read contradicting statements about this.

 

3) Is it possible for me to modify that 2AM hour and set my own time of the day? Since I am not actively running the container for now I'd rather not wait until 2AM to try it out. Yes I know I can just leave it running and check the next day, but I am still very cautious about having ports 80 and 443 open to the Internet. For now I would prefer just to open the ports on a per need basis when I renew the certs.

 

Many thanks in advance for any clarifications and guidance :)

1) fully automated

2) daily

3) sure, edit the crontabs/root file in the config folder and restart the container

 

PS. If you do dns or duckdns validation, you don't need to keep any ports open or forwarded, as they are not used for validation.


Hey,

Just got this and letting you know.

Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="?
if original_result is 0:

 

On 2/1/2020 at 12:03 AM, Coolsaber57 said:

I am trying to expose my Octoprint page, but am having trouble finding a configuration that will work.  

 

Here's the examples that Octoprint provides: https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107

 

Here's my current config:

 


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name print.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.2.13:80;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;

    }

}

I took out a few lines that were causing the docker container to throw errors. I'm currently getting a 500 error. If I copy a config from another container and change the IP/port/subdomain, I do actually get to see the login page, but it says it's offline and asks me to reconnect.

 

Has anyone successfully configured Octoprint in this container? If so, would you be able to share the config?

 

Anyone have any suggestions?

On 2/17/2020 at 11:50 PM, aptalca said:

1) fully automated

2) daily

3) sure, edit the crontabs/root file in the config folder and restart the container

 

PS. If you do dns or duckdns validation, you don't need to keep any ports open or forwarded, as they are not used for validation.

Hi again
One more clarification please :)

 

Below is the content of the root file in the crontab folder:

 

------------------------------------

# do daily/weekly/monthly maintenance
# min   hour    day     month   weekday command
*/15    *       *       *       *       run-parts /etc/periodic/15min
0       *       *       *       *       run-parts /etc/periodic/hourly
0       2       *       *       *       run-parts /etc/periodic/daily
0       3       *       *       6       run-parts /etc/periodic/weekly
0       5       1       *       *       run-parts /etc/periodic/monthly
# renew letsencrypt certs
8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

------------------------------------

 

Am I reading this correctly, if I interpret that as below?

 

Monthly maintenance is run every FIRST day of the month at 5.00 AM
AND
Weekly maintenance is run every SATURDAY at 3.00 AM
AND
Daily maintenance is run every DAY at 2.00 AM
AND
Certificate renewal is run every DAY at 2.08 AM?

1) Not sure how to read the 15 mins and hourly lines... but that's really for my own curiosity

2) Since there is a daily maintenance already, what would be the point in having the weekly and monthly active too?
3) Is the daily renewal done at 2.08 AM in order not to conflict with the 2.00AM maintenance?
4) Finally, if I want to set the renewal to 7PM, I guess I just replace the '2' with '19'?

Thanks again :)

2 hours ago, MacDingo said:

Hi again
One more clarification please :)

 

Below is the content of the root file in the crontab folder:

 

------------------------------------

# do daily/weekly/monthly maintenance
# min   hour    day     month   weekday command
*/15    *       *       *       *       run-parts /etc/periodic/15min
0       *       *       *       *       run-parts /etc/periodic/hourly
0       2       *       *       *       run-parts /etc/periodic/daily
0       3       *       *       6       run-parts /etc/periodic/weekly
0       5       1       *       *       run-parts /etc/periodic/monthly
# renew letsencrypt certs
8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

------------------------------------

 

Am I reading this correctly, if I interpret that as below?

 

Monthly maintenance is run every FIRST day of the month at 5.00 AM
AND
Weekly maintenance is run every SATURDAY at 3.00 AM
AND
Daily maintenance is run every DAY at 2.00 AM
AND
Certificate renewal is run every DAY at 2.08 AM?

1) Not sure how to read the 15 mins and hourly lines... but that's really for my own curiosity

2) Since there is a daily maintenance already, what would be the point in having the weekly and monthly active too?
3) Is the daily renewal done at 2.08 AM in order not to conflict with the 2.00AM maintenance?
4) Finally, if I want to set the renewal to 7PM, I guess I just replace the '2' with '19'?

Thanks again :)

Only worry about the last line. The others are system ones and are used for things like logrotate.

 

4) yes

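As an added example (not from the thread or the image), here is a small cron-field evaluator run over a copy of the crontab quoted above. It answers the "how do I read the */15 and hourly lines" question by listing which lines fire at a given minute, and shows what changes after the hour field of the le-renew.sh line is set to 19, the edit aptalca confirms. The timestamps it is evaluated at are constructed.

```python
"""Evaluate the crontab schedule quoted above (added example; not the
container's own code).  Five cron fields: minute hour day-of-month month
day-of-week, with day-of-week 0 = Sunday."""
from datetime import datetime

# Constructed copy of /config/crontabs/root as posted.
CRONTAB = """\
# do daily/weekly/monthly maintenance
# min   hour    day     month   weekday command
*/15    *       *       *       *       run-parts /etc/periodic/15min
0       *       *       *       *       run-parts /etc/periodic/hourly
0       2       *       *       *       run-parts /etc/periodic/daily
0       3       *       *       6       run-parts /etc/periodic/weekly
0       5       1       *       *       run-parts /etc/periodic/monthly
# renew letsencrypt certs
8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
"""

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(spec, lo, hi):
    """'*' -> every value, '*/15' -> every 15th, '1-5' -> a range, '3' -> one
    value; comma-separated lists of any of these."""
    values = set()
    for part in spec.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-")
            start, end = int(a), int(b)
        else:
            start = int(base)
            end = hi if step > 1 else start
        values.update(range(start, end + 1, step))
    return values


def parse_crontab(text):
    """[(five value-sets, command)] for every non-comment, non-empty line."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)
        sets = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_RANGES)]
        jobs.append((sets, fields[5]))
    return jobs


def matches(sets, when):
    """True when `when` (a datetime) satisfies all five fields."""
    cron_dow = (when.weekday() + 1) % 7          # Python Monday=0 -> cron Sunday=0
    actual = [when.minute, when.hour, when.day, when.month, cron_dow]
    return all(v in s for v, s in zip(actual, sets))


def jobs_due(crontab_text, year, month, day, hour, minute):
    """Commands that fire at the given minute, in crontab order."""
    when = datetime(year, month, day, hour, minute)
    return [cmd for sets, cmd in parse_crontab(crontab_text) if matches(sets, when)]


def reschedule(crontab_text, command_substring, minute, hour):
    """Rewrite minute/hour of the line whose command contains `command_substring`
    (the "replace the '2' with '19'" edit for the le-renew.sh line)."""
    out = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)
        if (len(fields) == 6 and not line.lstrip().startswith("#")
                and command_substring in fields[5]):
            fields[0], fields[1] = str(minute), str(hour)
            line = "\t".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # 2020-02-18 is a Tuesday, 2020-02-22 a Saturday, 2020-03-01 a Sunday.
    for stamp in [(2020, 2, 18, 2, 0), (2020, 2, 18, 2, 8),
                  (2020, 2, 22, 3, 0), (2020, 3, 1, 5, 0)]:
        print(stamp, jobs_due(CRONTAB, *stamp))
    moved = reschedule(CRONTAB, "le-renew.sh", 8, 19)
    print("after edit, 19:08:", jobs_due(moved, 2020, 2, 18, 19, 8))
```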

Hi guys, I'm having issues with this container. I have my domain set up, it has been for a while since this was working until I changed one of the subdomains so it had to re-generate the certificate. The validation fails using http challenge.

 

I have tried removing the container and appdata and even that does not rectify the issue. If I fire up an NGINX container with the default config then it shows the NGINX startup page by going to the domain. When I use this container with the same port forwarding there doesn't seem to be anything listening.

 

This is my log:

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=johimself.co.uk
SUBDOMAINS=www,
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=MY_EMAIL_ADDRESS
STAGING=true

NOTICE: Staging is active
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.johimself.co.uk
E-mail address entered: MY_EMAIL_ADDRESS
http validation is selected
Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="?
if original_result is 0:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.johimself.co.uk
http-01 challenge for johimself.co.uk
Waiting for verification...
Challenge failed for domain www.johimself.co.uk

Challenge failed for domain johimself.co.uk

http-01 challenge for www.johimself.co.uk
http-01 challenge for johimself.co.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.johimself.co.uk
Type: connection
Detail: During secondary validation: Fetching
http://www.johimself.co.uk/.well-known/acme-challenge/Ugsgna0D4LoyVydrpfn93WbNKBjWP2I__LsX0MvbpYQ:
Timeout during connect (likely firewall problem)

Domain: johimself.co.uk
Type: connection
Detail: Fetching
http://johimself.co.uk/.well-known/acme-challenge/fN_EX6RO0s1Q0u4dNpBURbECXtBVTU6PT1RsDnkxpQs:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.johimself.co.uk
Type: connection
Detail: During secondary validation: Fetching
http://www.johimself.co.uk/.well-known/acme-challenge/Ugsgna0D4LoyVydrpfn93WbNKBjWP2I__LsX0MvbpYQ:
Timeout during connect (likely firewall problem)

Domain: johimself.co.uk
Type: connection
Detail: Fetching
http://johimself.co.uk/.well-known/acme-challenge/fN_EX6RO0s1Q0u4dNpBURbECXtBVTU6PT1RsDnkxpQs:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

If anyone has any more ideas, that would be great!

4 hours ago, JoHimself said:

Hi guys, I'm having issues with this container. I have my domain set up, it has been for a while since this was working until I changed one of the subdomains so it had to re-generate the certificate. The validation fails using http challenge.

 

I have tried removing the container and appdata and even that does not rectify the issue. If I fire up an NGINX container with the default config then it shows the NGINX startup page by going to the domain. When I use this container with the same port forwarding there doesn't seem to be anything listening.

 


When you put up the nginx container, are you trying the http endpoint? From outside of the LAN?

