EvilTiger, posted August 26, 2020 (edited):

```
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=***.net
SUBDOMAINS=sonarr,radarr,ombi
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
DNSPLUGIN=
EMAIL=***@***.com
STAGING=

SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.***.net -d radarr.***.net -d ombi.***.net
E-mail address entered: ***@***.com
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/sonarr.***.net/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ombi.***.net
http-01 challenge for radarr.***.net
http-01 challenge for sonarr.***.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/sonarr.***.net/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/sonarr.***.net/privkey.pem Your cert will expire on 2020-11-24. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

New certificate generated; starting nginx
Downloading GeoIP2 City database.
tar: invalid tar magic
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready
```

2 issues ...

1) Downloading GeoIP2 City database. tar: invalid tar magic
I've added my api key for MaxMind but getting an invalid tar magic error

2) nginx isn't routing requests to my downstream app container on the same subnet
letsencrypt component seems to be working, nginx is just getting me to the welcome page.
not seeing issues in the container log file.
app specific sample .conf files have been changed to map to the specific container names in my environment [no other change other than renaming the file to remove .sample]

any pointers as to why nginx isn't forwarding on the request to my downstream app container? or where to look for log files?

Thank you in advance

aptalca, posted August 26, 2020:

> 1 hour ago, EvilTiger said:
>
> 2 issues ...
>
> 1) Downloading GeoIP2 City database. tar: invalid tar magic
> I've added my api key for MaxMind but getting an invalid tar magic error
>
> 2) nginx isn't routing requests to my downstream app container on the same subnet
> letsencrypt component seems to be working, nginx is just getting me to the welcome page.
> not seeing issues in the container log file.
> app specific sample .conf files have been changed to map to the specific container names in my environment [no other change other than renaming the file to remove .sample]
>
> any pointers as to why nginx isn't forwarding on the request to my downstream app container? or where to look for log files?
>
> Thank you in advance

Likely your api key is not correctly added or is not correct.

If you're getting the default landing page, then likely the proxy conf is not activated correctly. Check its name, and check the server name directive.

aptalca, posted August 26, 2020:

> 11 hours ago, cardo said:
>
> Hi All,
>
> I set up the SWAG docker container last weekend and have reverse proxied all of the services I want except one, Pi-Hole. I had it working when I was using a physical Pi-Hole on my 192.168.0.0 network, and I have Pi-Hole running fine when I use the custom network as per @SpaceInvaderOne’s video, but I am unable to use the needed network that is shared with the SWAG container for all of the reverse proxy containers as it is on the internal 172.18.0.0 network and I need it to be on my 192.168 network. The other issue is that UnRAID is already using port 80 and 443. I know I can change those, but port 67 is still being used by something and I’m not sure what. I tried searching this thread, but didn’t have much luck. I’m certain it’s something easy I’m missing, but just don’t know what.
>
> EDIT: After some more digging I determined that libvirt binds to port 67 which makes pihole not start unless I disable my vm manager. I was able to get pihole to work by specifying the letsencrypt custom interface and specifying the IP for the pihole docker container, but now VM Manager won’t start because the pihole docker has port 67 bound now. I also just realized that my pihole is using the unRAID default internal ip and not the one I specified so that won’t work. Any recommendations/best practices here?
>
> Also, I set up Plex to reverse proxy via a subfolder as required so I’m reversing the root domain, is there a .conf file I can add the allow/deny entry so the root site domain.com is only accessible from my internal network? I have all of the other services locked down via the appropriate file in proxy-confs.

If you give pihole its own ip, it will use macvlan network type. That type blocks connections between the container and the host (and everything else bridged on host) as a security feature. So swag won't be able to connect to pihole.

We highly recommend running pihole on bare metal (an rpi gets the job done) instead of in docker.

The subfolder confs get included in the main server block in the default site conf. You can edit that.

EvilTiger, posted August 26, 2020:

> 10 minutes ago, aptalca said:
>
> Likely your api key is not correctly added or is not correct.
>
> If you're getting the default landing page, then likely the proxy conf is not activated correctly. Check its name, and check the server name directive.

thank you for the quick response

1) you're correct ... there was an extra space after the api key from the copy / paste

2) for testing sake, i tried to access via an external connection [over my mobile] and it worked, so it must be an internal NAT loopback issue. i need to figure out how to address via Unifi USG

EvilTiger, posted August 26, 2020:

> 1 hour ago, EvilTiger said:
>
> thank you for the quick response
>
> 1) you're correct ... there was an extra space after the api key from the copy / paste
>
> 2) for testing sake, i tried to access via an external connection [over my mobile] and it worked, so it must be an internal NAT loopback issue. i need to figure out how to address via Unifi USG

scratch that, i don't think it's a NAT loopback issue ... it works fine in Chrome locally and only goes to the 'Welcome ...' page in Microsoft Edge

must be a browser setting issue, any clues?

cardo, posted August 27, 2020:

> 8 hours ago, aptalca said:
>
> If you give pihole its own ip, it will use macvlan network type. That type blocks connections between the container and the host (and everything else bridged on host) as a security feature. So swag won't be able to connect to pihole.
>
> We highly recommend running pihole on bare metal (an rpi gets the job done) instead of in docker.
>
> The subfolder confs get included in the main server block in the default site conf. You can edit that.

Thanks for the response, so if I have a reverse proxy set up for Ombi like request.domain.com, adding the following to ombi.sub domain.conf will block someone from connecting to domain.com too?

    allow 192.168.0.0/16;
    deny all;

I have the swag container set to only sub domains and cname record only for request.domain.com.

aptalca, posted August 27, 2020:

> 8 hours ago, EvilTiger said:
>
> scratch that, i don't think it's a NAT loopback issue ... it works fine in Chrome locally and only goes to the 'Welcome ...' page in Microsoft Edge
>
> must be a browser setting issue, any clues?

Could be browser cache. Try an incognito window.

aptalca, posted August 27, 2020:

> 58 minutes ago, cardo said:
>
> Thanks for the response, so if I have a reverse proxy set up for Ombi like request.domain.com, adding the following to ombi.sub domain.conf will block someone from connecting to domain.com too?
>
>     allow 192.168.0.0/16;
>     deny all;
>
> I have the swag container set to only sub domains and cname record only for request.domain.com.

In your previous question, you were asking about subfolder. They are handled differently.

The basics are that server blocks are parents of location blocks. If you put the deny in a server block for ombi, it will work for that subdomain and all child location blocks. A subfolder proxy conf is a child location block of the main domain's server block.

So to answer your last question, if you add the allow/deny into ombi subdomain's server block, it will only affect that subdomain, not the main domain as the main domain is served under a different server block.

EvilTiger, posted August 27, 2020:

> 35 minutes ago, aptalca said:
>
> Could be browser cache. Try an incognito window.

that was it! thank you for the help, much appreciated.

cardo, posted August 27, 2020:

> 29 minutes ago, aptalca said:
>
> In your previous question, you were asking about subfolder. They are handled differently.
>
> The basics are that server blocks are parents of location blocks. If you put the deny in a server block for ombi, it will work for that subdomain and all child location blocks. A subfolder proxy conf is a child location block of the main domain's server block.
>
> So to answer your last question, if you add the allow/deny into ombi subdomain's server block, it will only affect that subdomain, not the main domain as the main domain is served under a different server block.

If I wanted to prevent anyone from accessing domain.com, which .conf would the allow/deny go? I am really new to nginx.

aptalca, posted August 27, 2020:

> 11 hours ago, cardo said:
>
> If I wanted to prevent anyone from accessing domain.com, which .conf would the allow/deny go? I am really new to nginx.

Put it in the main server block in the default site conf located at "/config/nginx/site-confs/default". That will take care of the main domain and all subfolder proxies.

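Added example (not part of any post in this thread and not the SWAG project's shipped configuration): the server/location inheritance described in the two answers above, sketched as nginx configuration. The server names, the include path under proxy-confs, the ombi.subdomain.conf file name, the upstream name and port, and the omitted TLS directives are assumptions.

```nginx
# Constructed sketch; names, ports and include paths are assumptions.

# --- /config/nginx/site-confs/default: main server block (domain.com) ---
server {
    listen 443 ssl;
    server_name domain.com;            # placeholder main domain
    # ssl_certificate / ssl_certificate_key lines omitted here

    # Server-level access rules: every location in this server block
    # inherits them, including subfolder proxy confs included below.
    allow 192.168.0.0/16;
    deny  all;

    # Subfolder proxy confs are plain location blocks, so the include
    # makes them children of this server block (assumed path).
    include /config/nginx/proxy-confs/*.subfolder.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    # Caveat: a location that declares its own allow/deny stops
    # inheriting the server-level list and uses only its own rules.
    location /status {
        allow 192.168.1.10;            # constructed single admin host
        deny  all;
    }
}

# --- ombi.subdomain.conf: a separate server block (assumed file name) ---
# Nothing above applies here, and nothing here applies to domain.com.
server {
    listen 443 ssl;
    server_name request.domain.com;    # placeholder subdomain
    # ssl_certificate / ssl_certificate_key lines omitted here

    # Needed only if this subdomain should be LAN-only as well.
    allow 192.168.0.0/16;
    deny  all;

    location / {
        proxy_pass http://ombi:3579;   # assumed container name and port
    }
}
```

After editing, `nginx -t` inside the container checks the syntax; requesting each hostname from a LAN client and from an outside connection should return the page and a 403 respectively.
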
cardo, posted August 27, 2020:

> 43 minutes ago, aptalca said:
>
> Put it in the main server block in the default site conf located at "/config/nginx/site-confs/default". That will take care of the main domain and all subfolder proxies.

Thank you very much!

ich777, posted August 29, 2020:

Is this container now deprecated or not because this message appears now:

```
******************************************************
******************************************************
*                                                    *
*                                                    *
*           This image has been deprecated           *
*                                                    *
*                Use the new image at                *
*                                                    *
*                  linuxserver/swag                  *
*                                                    *
*     https://hub.docker.com/r/linuxserver/swag      *
*                                                    *
*     https://github.com/linuxserver/docker-swag     *
*                                                    *
*                                                    *
*                                                    *
******************************************************
******************************************************
```

Will it get updates or do I have to setup swag instead?

Also what are the differences, can I just point my existing Let's Encrypt folder to swag and it will work OOB and will there be an official template for swag?

dockerPolice, posted August 29, 2020:

> 1 hour ago, ich777 said:
>
> Is this container now deprecated or not because this message appears now:

Certainly appears to be as of a week ago. (https://blog.linuxserver.io/2020/08/21/introducing-swag/)

I would expect that @aptalca will shortly adjust the Unraid template to reflect this change.

ich777, posted August 29, 2020:

> 2 hours ago, dockerPolice said:
>
> Certainly appears to be as of a week ago. (https://blog.linuxserver.io/2020/08/21/introducing-swag/)
>
> I would expect that @aptalca will shortly adjust the Unraid template to reflect this change.

Can confirm, changing the repo from /letsencrypt to /swag works fine.

blaine07, posted August 29, 2020:

Very good chance I’m wrong but I’d swore someone said at one point that eventually going from Letsencrypt container to SWAG would require some interaction on our part...

ich777, posted August 29, 2020:

> 1 minute ago, blaine07 said:
>
> Very good chance I’m wrong but I’d swore someone said at one point that eventually going from Letsencrypt container to SWAG would require some interaction on our part...

Works OOB in my case, just changed the repo from /letsencrypt to /swag

Squid, posted August 29, 2020:

> 22 minutes ago, blaine07 said:
>
> Very good chance I’m wrong but I’d swore someone said at one point that eventually going from Letsencrypt container to SWAG would require some interaction on our part...

> At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can. The main change is to the docker image name, which was linuxserver/letsencrypt for the old image and is linuxserver/swag for the new.

blaine07, posted August 29, 2020:

> Works OOB in my case, just changed the repo from /letsencrypt to /swag

Pardon my inexperience but how exactly does one just change repo? Download swag and point it at same app data as letsencrypt or?

ich777, posted August 29, 2020:

> 30 minutes ago, blaine07 said:
>
> Pardon my inexperience but how exactly does one just change repo? Download swag and point it at same app data as letsencrypt or?

Enable the advanced view on the existing letsencrypt template page and there you should see linuxserver/letsencrypt at Repository, just change that to linuxserver/swag

That's how it looks now:

Also there will be an orphan image at the bottom on your docker page if you have done this (just the old letsencrypt image), just click on it and select remove.

blaine07, posted August 30, 2020:

> Enable the advanced view on the existing letsencrypt template page and there you should see linuxserver/letsencrypt at Repository, just change that to linuxserver/swag
>
> That's how it looks now:
>
> Also there will be an orphan image at the bottom on your docker page if you have done this (just the old letsencrypt image), just click on it and select remove.

One last question... I use Cloudflare Proxy... when I change the repository is it going to try to renew certs or is that something that will be maintained; existing certs kept? (If it wants to rewrite certs I need to go through and turn Cloudflare proxy off etc etc and don’t want it to fail renewal is why I’m asking...).

ich777, posted August 30, 2020:

> Just now, blaine07 said:
>
> One last question... I use Cloudflare Proxy... when I change the repository is it going to try to renew certs or is that something that will be maintained; existing certs kept? (If it wants to rewrite certs I need to go through and turn Cloudflare proxy off etc etc and don’t want it to fail renewal is why I’m asking...).

In my case it kept the certificates.

blaine07, posted August 30, 2020:

> In my case it kept the certificates.

What I would’ve expected but figured I’d ask; my certs aren’t up for renewal so should be same situation for me.

CorneliousJD, posted August 31, 2020:

Two simple questions with the changes to SWAG.

#1 - Is there a new icon URL I can plug into the container so it doesn't show "LetsEncrypt" icon anymore? I'm weird about these things.

#2 - Is there going to be a new support thread that I should update it to link to, or is this still going to be the same thread?

mlounsbury, posted August 31, 2020:

> 4 hours ago, CorneliousJD said:
>
> Two simple questions with the changes to SWAG.
>
> #1 - Is there a new icon URL I can plug into the container so it doesn't show "LetsEncrypt" icon anymore? I'm weird about these things.

Looks like the swag image is in the same directory as the LE png file: https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/swag.gif