[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

On 8/7/2020 at 11:50 AM, Wong said:

I attached the nextcloud conf file for reference, in case anyone could tell me if I made any mistake.

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => '*********************',
  'passwordsalt' => '********************************',
  'secret' => '*****************************',
  'trusted_domains' => 
  array (
    0 => '192.168.0.16:444',
    1 => 'nextcloud.protech.my',
  ),
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'trusted_proxies' => 
  array (
    0 => 'letsencrypt',
  ),
  'overwrite.cli.url' => 'https://nextcloud.protech.my/',
  'overwritehost' => 'nextcloud.protech.my',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.0.16:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '***************',
  'installed' => true,
  'maintenance' => false,
);

Hi, so the reason I can't use http is that there is an error in my Letsencrypt log (the same error as shown in the 1st version of SpaceInvaderOne's Reverse Proxy video). I think my ISP blocked port 80. That's why I proceeded with dns verification.

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

However, there was no error in my log after using dns verification, and it stated "Server ready" at the end. Yes, I port forward port 80 to 180 and 443 to 1443 with TCP/UDP. Just a note: if I only port forward 80 to 180 with TCP only to my unraid server, I was kicked out of my unraid server interface for some reason. But TCP/UDP works for me regardless of whether it needs TCP only. Yes, it is still stuck in the Letsencrypt WebUI after setting up the Letsencrypt docker again.

 

Let's say I don't want to use a Reverse Proxy anymore to redirect me to my docker container; do I have another option to try, with a step by step guide? Because my purpose is really to get onlyoffice working with nextcloud, can I get onlyoffice to work with or without a reverse proxy?

 

(I am replying to my previous thread for anyone who wants to refer to my conf file. I have tested everything but am always still stuck in the letsencrypt WebUI.)

Link to comment
2 hours ago, Wong said:


We don't know what is in the guide you followed, so please post all errors and how you set it up.

Start by getting letsencrypt running, which it looks like you have done already as you are getting to the default webserver page.

 

If you have already set up nextcloud and can access it locally, go ahead and enable the proxy-conf and be sure to read the top of the proxy-conf and do what it says.

 

Remember to take only one step at a time, as it's easier to track the error then, for both you and us.

Link to comment
51 minutes ago, saarg said:


Alright, let's break it down. I have registered my own domain name (protech.my). The video I followed is linked below, from SpaceinvaderOne. Let's Encrypt's log said the server is ready. The Let's Encrypt ports are 80 -> 180 and 443 -> 1443. Port forwarding is done on my router, as I am able to see the Let's Encrypt WebUI. I attached the log for reference. I am sure nextcloud is working, as I have managed to access it locally and set up the admin account with MariaDB. For the record, my nextcloud container port is 444. I have used the cloudflareddns docker by onzu to track my public IP. I have set up a CNAME nextcloud.protech.my which points to my public IP. I have set up nextcloud.subdomain.conf and config.php, which I assume are done correctly already, I hope. Let me know if I made any mistake. I attached the files below. I restarted the dockers and am still stuck at the Let's Encrypt Web UI. If anything is not clear, please let me know. I have been stuck with this for a month. It would be great if anyone could solve this. I don't mind if I can't get the reverse proxy working, but if there is any method to get onlyoffice working, that would work for me. Thanks.

 

Extra information:

(To be very sure my nextcloud is working, I port forwarded 443->444, which is my nextcloud container. I am able to access it from outside my home wifi, but when I port forward 443->1443 it goes back to being stuck in the Let's Encrypt Web UI.)

/////////////////////////////////{ LETSENCRYPT LOG }////////////////////////////////////

[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: supervisor died
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Asia/Singapore
URL=protech.my
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=**************@gmail.com
STAGING=

SUBDOMAINS entered, processing
Wildcard cert for protech.my will be requested
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

 

////////////////////////////{ nextcloud.subdomain.conf }///////////////////////////////////

# make sure that your dns has a cname set for nextcloud
# assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_max_temp_file_size 2048m;
    }
}
 

/////////////////////{config.php}////////////////////////////////////

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc5hdxqy44ml',
  'passwordsalt' => '***************************',
  'secret' => '********************************',
  'trusted_domains' => 
  array (
    0 => '192.168.0.16',
    1 => 'nextcloud.protech.my',
  ),
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.protech.my/',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.0.16:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '***********',
  'installed' => true,
  'trusted_proxies' => ['letsencrypt'],
  'overwritehost' => 'nextcloud.protech.my',
  'overwriteprotocol' => 'https',
  'onlyoffice' => array (
    'verify_peer_off' => true
    ),
);
 


Edited by Wong
Link to comment
13 minutes ago, Wong said:
Post the docker run command for both containers.

Link to comment
On 8/16/2020 at 10:02 PM, saarg said:

Post the docker run command for both containers.

What is a run command? Sorry, I am still a newbie. Do you mean the settings page of the container as shown below?

 

 

 

 

Edited by Wong
Removed email address
Link to comment

@saarg

This is from letsencrypt. You said to do it with both containers. Do I use the same command line for the nextcloud container as well? Yes, I am trying to run https://protech.my; the CNAME is nextcloud.

 

root@adb850c459a2:/# ping nextcloud
PING nextcloud (172.18.0.4): 56 data bytes
64 bytes from 172.18.0.4: seq=0 ttl=64 time=0.055 ms
64 bytes from 172.18.0.4: seq=1 ttl=64 time=0.051 ms
64 bytes from 172.18.0.4: seq=2 ttl=64 time=0.043 ms
64 bytes from 172.18.0.4: seq=3 ttl=64 time=0.036 ms
64 bytes from 172.18.0.4: seq=4 ttl=64 time=0.035 ms
64 bytes from 172.18.0.4: seq=5 ttl=64 time=0.038 ms
64 bytes from 172.18.0.4: seq=6 ttl=64 time=0.033 ms
64 bytes from 172.18.0.4: seq=7 ttl=64 time=0.027 ms
64 bytes from 172.18.0.4: seq=8 ttl=64 time=0.035 ms
64 bytes from 172.18.0.4: seq=9 ttl=64 time=0.036 ms

--- nextcloud ping statistics ---
73 packets transmitted, 73 packets received, 0% packet loss
round-trip min/avg/max = 0.026/0.040/0.089 ms

Edited by Wong
Reduced the length of thread
Link to comment
15 minutes ago, aptalca said:

Your nextcloud subdomain is showing the default landing page, which likely means that your nextcloud proxy conf is not activated properly. Is it named "nextcloud.subdomain.conf" and resides at "/config/nginx/proxy-confs"?

OHHH MYYY GODDDD, it worked. So the problem was that when I saved nextcloud.subdomain.conf, Notepad++ saved it as a text file. I changed the save type to all types. Then it worked. It feels good to get things working. Thank you for the awesome unraid community support.

Link to comment

Hi,

 

I am having issues setting up a second domain via the LetsEncrypt docker in Unraid. I added the EXTRA_DOMAINS variable in the conf page and saved it. It wants to create a certificate for the extra domain, although it gives me an error saying that there is an invalid response for the extra domain.

 

The odd thing is that both the 'old' and new domain have the same IP set up in their DNS records; pinging the new domain gives back the correct IP address. When you navigate to the new domain in the browser it shows the test page from the nginx server that is running on unraid. So I would assume that the port forwarding is also working fine, oh and just creating a cert for the 'old' domain works fine without any issue.

 

Could anyone give me advice on why the new domain isn't being registered correctly? I attached the log file that I got from LE.

 

docker run -d --name='letsencrypt' --net='proxynet' --privileged=true -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e 'EMAIL'='rj***@***.com' -e 'URL'='rjwalet.nl' -e 'SUBDOMAINS'='nextcloud,sonarr,radarr' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='bakbijbel.nl' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' 'linuxserver/letsencrypt'

 

Thanks in advance!

 

Never mind, already fixed it myself :) Turns out there was an AAAA record still present with an IPv6 address attached to it; after deleting that DNS record and giving it some time it worked :)

 

Edited by Rexl
Link to comment
5 hours ago, Wong said:

OHHH MYYY GODDDD, it worked. So the problem was that when I saved nextcloud.subdomain.conf, Notepad++ saved it as a text file. I changed the save type to all types. Then it worked. It feels good to get things working. Thank you for the awesome unraid community support.

In Windows, make sure you enable the setting for displaying file extensions even if known.

  • Like 1
Link to comment

@aptalca Hey, sorry to bother. I was wondering, to do an HTTP blank setup on let's encrypt, does it have to have anything special set anywhere besides the standard stuff in the docker like subdomains and stuff? I had an issue trying to add a subdomain, but another container would set it properly, so that made me think I might have something configured improperly. Though I couldn't for the life of me figure it out. The error I was getting was "Timeout during connect (likely firewall problem)". But if I just pointed my ports to the other container, HTTP worked. The other strange thing is sometimes it would work for a subdomain and other times it wouldn't after just a restart. I assume it's something I'm doing, but just wondering if you have heard of this ever happening. I ended up doing a DNS challenge and it all worked fine. Thanks for any insights.

 

 

Edit

Should also mention I only use cloudflare for my DNS now and no longer use it as a pass through, so it shouldn't be that to my knowledge. Also, the other container shouldn't have worked if that was the case. I have 6-7 subdomains.

Edited by Jerky_san
Link to comment
12 hours ago, Jerky_san said:


I don't follow. What's "HTTP blank"?

 

You'll have to provide a clearer description of the issues you're having.

Link to comment
4 hours ago, aptalca said:

I don't follow. What's "HTTP blank"?

 

You'll have to provide a clearer description of the issues you're having.

Sorry, I don't know why I said blank. HTTP challenge over port 80. Even though the port is totally accessible, it seems it has trouble completing the challenges, stating "Timeout during connect (likely firewall problem)". It will even fail to do the challenge on subdomains it just did a few minutes ago when adding another subdomain to the list. But if I spin up "NginxProxyManager" as a test container just to see if other containers fail, it is able to challenge via http without issue. To my knowledge, when it does the HTTP challenge the server redirects to the letsencrypt folder where the challenges are stored, but for some reason it times out sometimes on one or more subdomains and succeeds on others. I almost wonder if fail2ban is kicking in because I have so many subdomains.

Edited by Jerky_san
Link to comment
7 hours ago, Jerky_san said:

Sorry, I don't know why I said blank. HTTP challenge over port 80. Even though the port is totally accessible, it seems it has trouble completing the challenges, stating "Timeout during connect (likely firewall problem)". It will even fail to do the challenge on subdomains it just did a few minutes ago when adding another subdomain to the list. But if I spin up "NginxProxyManager" as a test container just to see if other containers fail, it is able to challenge via http without issue. To my knowledge, when it does the HTTP challenge the server redirects to the letsencrypt folder where the challenges are stored, but for some reason it times out sometimes on one or more subdomains and succeeds on others. I almost wonder if fail2ban is kicking in because I have so many subdomains.

Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to comment
1 hour ago, ElectricBadger said:

Do we need to change anything in our unRAID configs in order to continue getting updates to this container, if it's being renamed? Or will the rename get picked up automatically?

I would assume that there will be a new container to swap to, as swag is in a different git repo than the letsencrypt image. There is currently no released one on the community application plugin in unraid, so I would assume they will release it when they have time.

Link to comment
11 hours ago, ElectricBadger said:

Do we need to change anything in our unRAID configs in order to continue getting updates to this container, if it's being renamed? Or will the rename get picked up automatically?

For now you can just edit the docker to point the repository from linuxserver/letsencrypt to linuxserver/swag and it seems to work fine for me so far.

  • Thanks 1
Link to comment

I have Let's Encrypt running on Nginx proxy manager and I'm looking to come back to this docker, as my Let's Encrypt certs are set to expire and they won't renew.

 

I have followed Spaceinvader's guide; when I start the letsencrypt docker I get

 

Challenge failed for domain nextcloud.mydomain.co.uk

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

The confusing part is that my dockers are currently working, so it's like the port forward settings work but are not allowing certificate renewal.

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=bmydomain.co.uk
SUBDOMAINS=nextcloud,
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d nextcloud.mydomain.co.uk
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloudmydomain.co.uk
Waiting for verification...
Challenge failed for domain nextcloudmydomain.co.uk
http-01 challenge for nextcloud.mydomain.co.uk
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.mydomain.co.uk
Type: connection
Detail: Fetching

http:/iremoved thelinkfromhere
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Edited by Greygoose
Link to comment
8 hours ago, Greygoose said:


Check your port forwarding for port 80

Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to comment
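The failures in this thread all surface in the container log, and each has a different fix: "Connection refused" or "Timeout during connect" on the http-01 challenge points at port 80 forwarding (saarg's replies), a stale AAAA record makes the CA validate over IPv6 (Rexl's fix), and a proxy-conf saved as nextcloud.subdomain.conf.txt is never loaded (Wong's fix). As an added example that is not from the thread or from the linuxserver.io project, the Python below triages constructed sample log lines, a constructed DNS view and proxy-conf file names against those three causes; the function names and the sample data are my own.

```python
import re
from typing import Dict, List

# Added example, not code from the thread or from linuxserver.io.
# Offline triage of the three failure causes this thread walks through:
#  1. certbot "Connection refused" / "Timeout during connect" on http-01
#  2. a stale AAAA record that makes the CA validate over IPv6
#  3. a proxy-conf file whose name nginx never includes (e.g. saved as .txt)

# Certbot detail text (as quoted in the thread) -> the fix the thread arrived at.
HTTP01_CAUSES = {
    "Connection refused": "port 80 on the public IP is closed: forward router port 80 to the "
                          "host port mapped to the container's port 80 (180 in this thread)",
    "Timeout during connect": "port 80 is filtered (firewall or ISP block): fix the forwarding "
                              "or switch to VALIDATION=dns",
}


def triage_http01(log_lines: List[str]) -> Dict[str, str]:
    """Map each failed domain in a certbot http-01 log to its likely fix.

    Certbot prints one 'Domain:' line followed by a 'Detail:' block per failure,
    so we remember the last domain seen and attach the first known marker to it.
    """
    diagnoses: Dict[str, str] = {}
    current = None
    for line in log_lines:
        m = re.match(r"\s*Domain:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        for marker, fix in HTTP01_CAUSES.items():
            if marker in line:
                diagnoses[current] = fix
                current = None
                break
    return diagnoses


def check_dns(records: Dict[str, List[str]], public_ipv4: str) -> List[str]:
    """Flag DNS records that would send the CA somewhere other than this host.

    records is a constructed {rrtype: [values]} view of the zone for the
    validated name; a real check would query the resolver for it.
    """
    problems = []
    a = records.get("A", [])
    if public_ipv4 not in a:
        problems.append(f"A record {a or '(none)'} does not match public IP {public_ipv4}")
    if records.get("AAAA"):
        # With an AAAA record present the CA validates over IPv6; if nothing listens
        # there the challenge fails even though IPv4 works (Rexl's case above).
        problems.append(f"AAAA record present {records['AAAA']}; remove it unless port 80 "
                        "is reachable over IPv6")
    return problems


# SWAG's default site includes only *.subdomain.conf and *.subfolder.conf.
ACTIVE_CONF = re.compile(r"^[^/]+\.(subdomain|subfolder)\.conf$")


def check_proxy_confs(filenames: List[str]) -> Dict[str, List[str]]:
    """Split proxy-confs into those nginx includes and those it silently ignores.

    nextcloud.subdomain.conf.txt (the Notepad++ save in this thread) and the
    shipped *.conf.sample templates never match the include glob.
    """
    active: List[str] = []
    ignored: List[str] = []
    for name in filenames:
        (active if ACTIVE_CONF.match(name) else ignored).append(name)
    return {"active": active, "ignored": ignored}


# Constructed sample input modelled on the log quoted above (not a real capture).
SAMPLE_LOG = """\
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.example.test
Type: connection
Detail: Fetching http://nextcloud.example.test/.well-known/acme-challenge/TOKEN:
Connection refused

Domain: sonarr.example.test
Type: connection
Detail: Fetching http://sonarr.example.test/.well-known/acme-challenge/TOKEN:
Timeout during connect (likely firewall problem)
""".splitlines()

if __name__ == "__main__":
    for dom, fix in triage_http01(SAMPLE_LOG).items():
        print(f"{dom}: {fix}")
    for p in check_dns({"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]}, "203.0.113.10"):
        print("dns:", p)
    print(check_proxy_confs(["nextcloud.subdomain.conf.txt", "sonarr.subdomain.conf",
                             "plex.subfolder.conf.sample"]))
```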

Has anything changed recently? I had this all set up correctly and working great using dns validation through cloudflare, but lately whenever I try to check my SAB docker by using the letsencrypt domain, I can get to the login page, but once I log in I just get stuck on a "Lost connection to SABnzbd.." error screen. I can view SAB just fine when I go directly to the docker's internal address, just not when going through letsencrypt. Any ideas?

Link to comment

Hi All,

 

I set up the SWAG docker container last weekend and have reverse proxied all of the services I want except one, Pi-Hole. I had it working when I was using a physical Pi-Hole on my 192.168.0.0 network, and I have Pi-Hole running fine when I use the custom network as per @SpaceInvaderOne's video, but I am unable to use the needed network that is shared with the SWAG container for all of the reverse proxy containers, as it is on the internal 172.18.0.0 network and I need it to be on my 192.168 network. The other issue is that UnRAID is already using ports 80 and 443. I know I can change those, but port 67 is still being used by something and I'm not sure what. I tried searching this thread, but didn't have much luck. I'm certain it's something easy I'm missing, but just don't know what.

 

EDIT: After some more digging I determined that libvirt binds to port 67, which makes pihole not start unless I disable my VM manager. I was able to get pihole to work by specifying the letsencrypt custom interface and specifying the IP for the pihole docker container, but now VM Manager won't start because the pihole docker has port 67 bound now.

 

I also just realized that my pihole is using the unRAID default internal ip and not the one I specified so that won’t work.

 

Any recommendations/best practices here?

 

 

Also, I set up Plex to reverse proxy via a subfolder as required, so I'm reverse proxying the root domain; is there a .conf file I can add the allow/deny entry to so that the root site domain.com is only accessible from my internal network? I have all of the other services locked down via the appropriate file in proxy-confs.

Edited by cardo
Further progress made
Link to comment
