[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 hours ago, fachizel90 said:

Hi, my certificates seem to have expired and aren't renewing properly. Everything shows an insecure connection error.

 

I managed to find a command that forces a renewal but it failed also. 

 

Please Help.

 

 

We do not support users running manual commands. The readme contains info on how to troubleshoot renewal issues.

 

In your case, either your IP on duckdns is wrong or your port isn't forwarded properly.


I found this on Ubiquiti's website; not sure what I need from it to make UNMS work. Like I said previously, I can get the GUI page but can't see my devices; that was by editing the UniFi template!

 

Hoping that someone with more knowledge can help?

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  server_name unms.example.com;

  client_max_body_size 4G;

  location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080/;
  }
}

server {
  listen 443 ssl http2;
  server_name unms.example.com;

  ssl_certificate     /etc/letsencrypt/live/unms.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/unms.example.com/privkey.pem;

  # "ssl on;" dropped: the ssl parameter on the listen directive above already
  # enables TLS, and the standalone ssl directive is deprecated since nginx 1.15.0
  # and removed in later releases, so current nginx refuses to start with it.

  set $upstream 127.0.0.1:8443;

  location / {
    proxy_pass     https://$upstream;
    proxy_redirect https://$upstream https://$server_name;

    proxy_cache off;
    proxy_store off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_read_timeout 36000s;

    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer "";

    client_max_body_size 0;
  }
}

 


I would really appreciate your help:

 

Quote

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=[x]
URL=[x]
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=[x]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of [x] will be requested
E-mail address entered: [x]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
creating GeoIP2 database
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

Server ready

 

and I can't access my subdomains since I came back to Unraid after a few weeks. The SSL certificate had to be renewed and it seems to be fine when I check it with an SSL checker. The subdomains won't though, if that is of relevance. I'm not sure if that is good or not.

 

a) Does not being able to access my subdomains have a connection to the error(s) I get in the report?

b) How can I fix it?

 

I followed Spaceinvaderone's videos on setting up a reverse proxy with letsencrypt using a wildcard.

 

Thank you all for your input!

 

Edit: Subdomains are accessible again. The LetsEncrypt error persists though.

Edited by dr_drei
6 hours ago, aptalca said:

We do not support users running manual commands. The readme contains info on how to troubleshoot renewal issues.

 

In your case, either your IP on duckdns is wrong or your port isn't forwarded properly.

Hi, thanks for the reply. It was working fine until the certs expired three months in. I did upgrade my router to an OPNsense firewall. Will revert back to the old router and see if that helps with renewing the certs.

6 hours ago, fachizel90 said:

Hi, thanks for the reply. It was working fine until the certs expired three months in. I did upgrade my router to an OPNsense firewall. Will revert back to the old router and see if that helps with renewing the certs.

 

Or you could simply post your docker run command (in case you didn't; on phone and too lazy to scroll) and a screenshot of the port forwarding in your OPNsense firewall.

5 hours ago, saarg said:

 

Or you could simply post your docker run command (in case you didn't; on phone and too lazy to scroll) and a screenshot of the port forwarding in your OPNsense firewall.

Do you mean the container logs? Apologies, I'm not sure where to find the docker run command.

 

Quote

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=duckdns.org
SUBDOMAINS=1231eb,1231,1231cloud,1231collab,1231books,1231sonic
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=1231i1@gmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d 1231eb.duckdns.org -d 1231.duckdns.org -d 1231cloud.duckdns.org -d 1231collab.duckdns.org -d 1231books.duckdns.org -d 1231sonic.duckdns.org
E-mail address entered: 12311@gmail.com
http validation is selected
Certificate exists; parameters unchanged; starting nginx
creating GeoIP2 database
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

 

Screenshot of OPNsense port forward

https://imgur.com/bBh90eV

 

 

Thanks a lot.

 

8 hours ago, jowi said:

I just received an email from letsencrypt regarding renewal of certificates (e.g. for nextcloud). I followed SpaceInvaderOne's guide for installing LetsEncrypt but I don't recall installing any certificates, let alone renewing them? What do I need to do?

Looks like logging into the console of the letsencrypt docker and running the command 'certbot renew' did the trick. 

35 minutes ago, jowi said:

Looks like logging into the console of the letsencrypt docker and running the command 'certbot renew' did the trick. 

Or you could have read the instructions in the readme, which talks about renewals.

 

We do not support running manual commands inside the container. You're on your own from this point on.

2 minutes ago, aptalca said:

Or you could have read the instructions in the readme, which talks about renewals.

 

We do not support running manual commands inside the container. You're on your own from this point on.

I forgot what a great community this is if you are not an autistic bearded Linux freak with Asperger's from the 70s. Damn. Well, thanks for your ‘help’.


Hi all.
Anybody able to help out with this issue?
I added a new subdomain [I've successfully set up several others so far], and started getting this:

dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
An unexpected error occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 160, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 57, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 316, in connect
conn = self._new_conn()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
self, "Failed to establish a new connection: %s" % e)

urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))


During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

cloudflare.ini hasn't been touched, but I re-verified the login / API info and it's still correct...

Any ideas?

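Two renewal failures in this thread look alike at the bottom of the log but have different causes: fachizel90's http-validation renewal that stopped working after a router change, and the dns-validation traceback in the post directly above, where the container's last line blames the Cloudflare credentials although the traceback shows it never resolved acme-v02.api.letsencrypt.org. The script below is an added example, not code from the linuxserver.io project or from any poster. It reads pasted container output (the "Variables set:" block and whatever certbot printed) and names the layer to check first. The log text embedded in it is constructed for the example, and the message-to-cause mapping reflects the author's reading of certbot's messages, not project documentation.

```python
"""Triage for the certificate messages the SWAG / letsencrypt container prints at start."""
import re

# Constructed sample: dns validation that never reached the ACME API.
SAMPLE_DNS_FAILURE = """\
Variables set:
PUID=99
PGID=100
URL=example.com
SUBDOMAINS=wildcard
VALIDATION=dns
DNSPLUGIN=cloudflare

dns validation via cloudflare plugin is selected
Generating new certificate
socket.gaierror: [Errno -3] Try again
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
"""

# Constructed sample: http validation where Let's Encrypt could not reach port 80.
SAMPLE_HTTP_FAILURE = """\
Variables set:
URL=duckdns.org
SUBDOMAINS=myhost
ONLY_SUBDOMAINS=true
VALIDATION=http
DNSPLUGIN=

http validation is selected
Generating new certificate
Detail: Fetching http://myhost.duckdns.org/.well-known/acme-challenge/token: Timeout during connect (likely firewall problem)
ERROR: Cert does not exist! Please see the validation error above.
"""

# Constructed sample: nothing to renew at this start.
SAMPLE_OK = """\
Variables set:
URL=example.com
SUBDOMAINS=wildcard
VALIDATION=dns
DNSPLUGIN=cloudflare

Certificate exists; parameters unchanged; starting nginx
Server ready
"""

# (pattern, category, what to check).  Order matters: failing to reach the ACME
# API is reported before anything that merely looks like a validation problem,
# because the container prints its "check your credentials" hint in both cases.
RULES = [
    (re.compile(r"socket\.gaierror|Temporary failure in name resolution|Name or service not known"),
     "outbound-dns",
     "the container cannot resolve acme-v02.api.letsencrypt.org: check the DNS server the "
     "container uses (a filtering resolver or firewall rule), not the API credentials"),
    (re.compile(r"Max retries exceeded with url: /directory"),
     "outbound-https",
     "the container cannot reach the Let's Encrypt API: check outbound HTTPS from the container"),
    (re.compile(r"Timeout during connect \(likely firewall problem\)|Connection refused"),
     "inbound-port",
     "Let's Encrypt could not connect to port 80 on your public address: check the port "
     "forward and that the DNS name still points at your current public IP"),
    (re.compile(r"Error determining zone_id|Invalid request headers|Incorrect TXT record"),
     "dns-plugin",
     "the ACME server was reached but the DNS challenge failed: check the API token in "
     "/config/dns-conf/<plugin>.ini and the zone it may edit"),
]


def parse_variables(log: str) -> dict:
    """Collect the KEY=value lines printed under 'Variables set:'; a blank line ends the block."""
    variables, in_block = {}, False
    for line in log.splitlines():
        if line.strip() == "Variables set:":
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            key, sep, value = line.partition("=")
            if sep:
                variables[key.strip()] = value.strip()
    return variables


def triage(log: str) -> dict:
    """Return the validation method, a cause category and the first thing to check."""
    variables = parse_variables(log)
    result = {"validation": variables.get("VALIDATION", "unknown"), "variables": variables}
    if result["validation"] == "dns" and not variables.get("DNSPLUGIN"):
        result.update(category="misconfigured", hint="VALIDATION=dns requires DNSPLUGIN to be set")
        return result
    for pattern, category, hint in RULES:
        if pattern.search(log):
            result.update(category=category, hint=hint)
            return result
    if "Certificate exists; parameters unchanged" in log:
        result.update(category="healthy", hint="no renewal was attempted at this start")
    else:
        result.update(category="unknown", hint="read the letsencrypt.log path the container prints")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_DNS_FAILURE, SAMPLE_HTTP_FAILURE, SAMPLE_OK):
        verdict = triage(sample)
        print(f"{verdict['validation']:>4}  {verdict['category']:<15} {verdict['hint']}")
```

Paste the whole container log into `triage()`; the first rule that matches decides, so a DNS resolution failure is never reported as a credential problem even though both end with the same ERROR line.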

I'm having issues getting a few dockers set up.

 

Booksonic is a strange one; here is my config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name booksonic.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_booksonic booksonic;
        proxy_pass http://$upstream_booksonic:4040;
    }
}

Which gives me this when I actually try and navigate to it:

[screenshot]

 

Clicking on the link actually brings me to where I want to be:

[screenshot]

 

The web UI for the docker has it set to http://10.0.0.10:4040/booksonic, which gets redirected like it should, but how to set up the equivalent with nginx or a DNS config I don't know.

 

Then we have gotify, which doesn't work at all. I just get a bad gateway.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name gotify.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_gotify gotify;
        proxy_pass http://$upstream_gotify:1400;
    }
}

[screenshot]

 

This is a regular docker container, not one that was set up for Unraid. Not sure if that means there's something to set up that I don't know about.

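A "bad gateway" from the gotify config above means nginx could not get a response from the address in proxy_pass. With `resolver 127.0.0.11` and `proxy_pass http://gotify:1400`, that depends on two things a container that was not set up through the Unraid templates often gets wrong: the proxy and the upstream must share a user-defined Docker network (Docker's embedded resolver only answers for container names on such networks, not on the default bridge), and the port must be the one the app listens on inside the container. The script below is an added example, not code from the linuxserver.io project or from the poster; it checks both conditions from `docker inspect` output. The JSON embedded in it is a constructed sample, not inspect output from the poster's host, and the container names, network names and ports are assumptions.

```python
"""Check the two preconditions a SWAG proxy_pass to another container depends on."""
import json

# Constructed sample of `docker inspect swag gotify`, trimmed to the fields used:
# the upstream sits on the default bridge while the proxy is on a user-defined network.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/swag",
     "Config": {"ExposedPorts": {"80/tcp": {}, "443/tcp": {}}},
     "NetworkSettings": {"Networks": {"proxynet": {"IPAddress": "172.18.0.2"}}}},
    {"Name": "/gotify",
     "Config": {"ExposedPorts": {"80/tcp": {}}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.5"}}}},
])

# Constructed sample after attaching the upstream to the proxy's network.
SAMPLE_INSPECT_OK = json.dumps([
    {"Name": "/swag",
     "Config": {"ExposedPorts": {"80/tcp": {}, "443/tcp": {}}},
     "NetworkSettings": {"Networks": {"proxynet": {"IPAddress": "172.18.0.2"}}}},
    {"Name": "/gotify",
     "Config": {"ExposedPorts": {"80/tcp": {}}},
     "NetworkSettings": {"Networks": {"proxynet": {"IPAddress": "172.18.0.3"}}}},
])


def load_containers(inspect_json: str) -> dict:
    """Index docker inspect output by container name, without the leading slash."""
    return {c["Name"].lstrip("/"): c for c in json.loads(inspect_json)}


def networks_of(container: dict) -> set:
    """Names of the Docker networks the container is attached to."""
    return set(container["NetworkSettings"]["Networks"])


def exposed_ports_of(container: dict) -> set:
    """TCP ports the image declares with EXPOSE, as integers (empty if none declared)."""
    ports = container.get("Config", {}).get("ExposedPorts") or {}
    return {int(p.split("/")[0]) for p in ports if p.endswith("/tcp")}


def diagnose_proxy_pass(inspect_json: str, proxy: str, upstream: str, port: int) -> list:
    """Findings for `proxy_pass http://<upstream>:<port>` issued from <proxy>; empty means OK."""
    containers = load_containers(inspect_json)
    for name in (proxy, upstream):
        if name not in containers:
            return [f"no container named {name!r}; the name in proxy_pass must match the container name"]
    findings = []
    shared = networks_of(containers[proxy]) & networks_of(containers[upstream])
    if not shared:
        findings.append(
            f"{proxy} and {upstream} share no Docker network, so {upstream!r} does not resolve "
            f"from {proxy}; attach {upstream} to one of {sorted(networks_of(containers[proxy]))}")
    elif shared == {"bridge"}:
        findings.append("both containers are only on the default bridge, which offers no "
                        "container-name resolution; use a user-defined network")
    exposed = exposed_ports_of(containers[upstream])
    if exposed and port not in exposed:
        findings.append(
            f"{upstream} exposes {sorted(exposed)}, not {port}; proxy_pass needs the port the app "
            f"listens on inside the container, not a port published on the host")
    return findings


if __name__ == "__main__":
    for finding in diagnose_proxy_pass(SAMPLE_INSPECT, "swag", "gotify", 1400) or ["no problems found"]:
        print("-", finding)
```

Against a real host, feed it `docker inspect <proxy> <upstream>` and the names and port from the proxy-conf file; an empty list means the 502 has to be looked for inside the upstream itself (its own log, or a base path it insists on).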
18 hours ago, newillusions said:

Hi all.
Anybody able to help out with this issue?
I added a new subdomain [I've successfully set up several others so far], and started getting this:


dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
An unexpected error occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 160, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 57, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 316, in connect
conn = self._new_conn()
File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
self, "Failed to establish a new connection: %s" % e)

urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))


During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x1483b7300400>: Failed to establish a new connection: [Errno -3] Try again'))

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

cloudflare.ini hasn't been touched, but I re-verified the login / API info and it's still correct...

Any ideas?

Update: this was solved on Discord. Pi-hole / DNS settings were preventing outgoing connections to the letsencrypt servers.

1 hour ago, Toobie said:

Or at least check the query log.
If the pihole is correctly configured, everything on the network goes over the pihole.

So maybe the letsencrypt servers are blacklisted.

Sent from my MI 6 using Tapatalk
 

I believe the issue is actually when you run Pi-hole as a container with its own IP, there are Docker security features that stop Docker macvlan IPs communicating with each other. So when you have Letsencrypt on its own net and Pi-hole on its own IP, if Unraid is set up to check Pi-hole for DNS, letsencrypt is able to talk to Pi-hole.

 

I always suggest to people, if they're wanting to run pihole/adguard on their network, to run it from a dedicated device.

I believe the issue is actually when you run Pi-hole as a container with its own IP, there are Docker security features that stop Docker macvlan IPs communicating with each other. So when you have Letsencrypt on its own net and Pi-hole on its own IP, if Unraid is set up to check Pi-hole for DNS, letsencrypt is able to talk to Pi-hole.
 
I always suggest to people, if they're wanting to run pihole/adguard on their network, to run it from a dedicated device.
Sorry, my fault.
I'm running pihole on a pi and predicted that it should be run dedicated.

Sent from my MI 6 using Tapatalk

31 minutes ago, j0nnymoe said:

I always suggest to people, if they're wanting to run pihole/adguard on their network, to run it from a dedicated device.

I have six pihole containers running, acting as the local DNS server for their designated network.

This runs flawlessly (though I am not using letsencrypt).

 

[screenshot]
