[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Today something weird happened to letsencrypt.
I had a clean installation of unraid, on docker just Plex, Nextcloud, Mariadb, duckdns and letsencrypt. Everything worked perfectly until this afternoon, when things just stopped working. Nextcloud and plex kept working when trying to access them locally, but would time out whenever trying to use the reverse proxy. So, since I'm far from being an expert user, and one time I already broke my docker containers by messing too much, I deleted my docker image, all my folders in appdata relative to docker containers, and just installed plex and letsencrypt, to see if the problem went away. But it still doesn't work - tried to change domain, issue new certificates - no luck.

Then I started thinking. For the sake of explaining I'll call my plex domain plex.duckdns.org. I issued one certificate for this subdomain, but never actually used it. Yet, for the sake of testing, I tried to access my machine remotely by typing plex.duckdns.org:32400, which is the port used by plex for its webgui, and it worked. I could access plex remotely just fine. Then I went and created a conf file in letsencrypt, which I'm posting:
 

# make sure that your dns has a cname set for plex
# if plex is running in bridge mode and the container is named "plex", the below config should work as is
# if not, replace the line "set $upstream_app plex;" with "set $upstream_app <containername>;"
# or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of plex
# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app PlexMediaServer;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

I changed the name from plex to the docker container name, so PlexMediaServer, and obviously changed plex.* to the actual subdomain. And it worked! I shared the link with my friend, so that he could access my plex webgui remotely.
Everything was fine, but tonight everything is "time out" and I can't wrap my head around this.

The port forwarding is working fine. The certs are issued without issues, and the letsencrypt log looks normal, the server is up (Server ready, as the end message of the log). Before tonight, when trying to access one of the domains for which I issued a certificate I would get a white and simple html page saying "Welcome to our server. The website is currently being setup under this address. For help and support, please contact: me@example.com", but now, no matter the certs I issued, everything would just time out.

Letsencrypt is in a custom "proxynet" network (yes, I too followed, or better, bought unraid thanks to the spaceinvaderone tutorials) and the command is the same as when the reverse proxy worked. Since the port forwarding is fine, the plex container itself is fine, the problem is either duckdns or letsencrypt, tertium non datur.

What can I do to see what the problem is? I tried a minimal troubleshooting, but I'm not an expert user, and I'm already disheartened at how this could even happen without touching the nas or any settings.

Please, help me.

5 minutes ago, anongum said:

Today something weird happened to letsencrypt.

A few things wrong here.

 

Using uppercase letters in the container name will prevent nginx from properly resolving it. You'll get a 502.

 

If you're trying to access https://url:32400, you're not going through reverse proxy as letsencrypt is accessed at port 443, not 32400. You are giving direct access to Plex via that port.

 

Start over and follow our guides: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

And for troubleshooting: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

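The two points in this reply can be checked from the conf file alone, before anything is restarted. The following is an added example (my own code, not part of this thread or of the linuxserver.io image): a small lint for a SWAG-style proxy conf that flags an "$upstream_app" value containing uppercase letters, a "proxy_pass" that references a variable nothing sets, and a variable-based "proxy_pass" with no "resolver" directive (nginx needs one to look a hostname up at request time). The three sample confs are constructed to mirror the shape of the Plex conf posted above, and the list of nginx built-in variables is a partial one I assume for the lint.

```python
import re

# Directive patterns for the forms used in the SWAG proxy-conf samples
# (assumed sufficient for those files; nginx's full grammar is larger).
SET_RE = re.compile(r'^\s*set\s+\$(\w+)\s+([^;]+);', re.M)
PROXY_PASS_RE = re.compile(r'^\s*proxy_pass\s+([^;]+);', re.M)
RESOLVER_RE = re.compile(r'^\s*resolver\s+', re.M)
VAR_RE = re.compile(r'\$(\w+)')
# nginx built-in variables that may legitimately appear in proxy_pass without
# a preceding "set" (partial list, an assumption of this lint).
NGINX_BUILTINS = {"uri", "request_uri", "args", "is_args", "host", "scheme"}


def strip_comments(conf):
    """Drop everything after '#' on each line so commented-out sample lines are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def lint_proxy_conf(conf):
    """Return a list of problem strings found in one SWAG-style proxy conf."""
    text = strip_comments(conf)
    problems = []
    assigned = {name: value.strip() for name, value in SET_RE.findall(text)}

    app = assigned.get("upstream_app")
    if app is not None and app != app.lower():
        problems.append(
            f"upstream_app '{app}' contains uppercase letters; "
            "nginx will not resolve that container name (expect a 502)")

    for target in PROXY_PASS_RE.findall(text):
        names = VAR_RE.findall(target)
        for name in names:
            if name not in assigned and name not in NGINX_BUILTINS:
                problems.append(f"proxy_pass references ${name} but nothing sets it")
        if names and not RESOLVER_RE.search(text):
            problems.append(
                "proxy_pass uses a variable but no resolver directive is present; "
                "nginx cannot look the upstream up at request time")
    return problems


# Constructed sample: the shape of the Plex conf posted above, with the
# uppercase container name the reply identifies as the problem.
BAD_CONF = """
server {
    listen 443 ssl;
    server_name plex.*;
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app PlexMediaServer;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""

# The same conf after renaming the container to "plex", as the reply suggests.
GOOD_CONF = BAD_CONF.replace("PlexMediaServer", "plex")

# Constructed copy-and-paste mistake: the set lines and the resolver were dropped.
BROKEN_CONF = """
server {
    listen 443 ssl;
    server_name plex.*;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://$upstream_app:32400;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(label, lint_proxy_conf(conf) or "ok")
```

Run it against the files in /config/nginx/proxy-confs by reading each *.conf into lint_proxy_conf; a conf that passes the lint can still fail for network reasons (wrong docker network, port not published), which the lint cannot see.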
17 minutes ago, aptalca said:

A few things wrong here.

Ok, didn't know about the uppercase thing, thanks. Regarding url:port, I tried that before setting up letsencrypt, it worked before, it doesn't now.

I'm going to read thoroughly the guide and try again from scratch - to completely delete any previous installation, is deleting the appdata container folders and the docker image sufficient, or is there more I need to delete to start clean? Obviously I delete everything in the shares dedicated to some containers, like nextcloud or Plex.

16 hours ago, aptalca said:

A few things wrong here.

Ok, I reinstalled everything and it looks like letsencrypt works fine now, I get the "website currently being setup under this address" page that confirms to me that the reverse proxy is working (I guess), and managed to make it work for nextcloud. Now I'm trying to install plex. The plex conf file says:
 

# if plex is running in bridge mode and the container is named "plex", the below config should work as is
# if not, replace the line "set $upstream_app plex;" with "set $upstream_app <containername>;"
# or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of plex
# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")
  
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app plex;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

Now, considering that I'm installing PlexMediaServer from the plexinc/pms-docker repo, what should be my move? Do I simply name the container "plex" when adding it from the community apps plugin, and then just edit the server_name <plexsubdomain>.*? Or is it better to try the second option, leaving the network on host? In that case, is the <HOSTIP> the regular localurl:32400 of the webgui, or is it some other IP?

1 hour ago, anongum said:

Ok, I reinstalled everything and it looks like letsencrypt works fine now, I get the "website currently being setup under this address" page that confirms to me that the reverse proxy is working (I guess), and managed to make it work for nextcloud. Now I'm trying to install plex.

You don't have to change the server name. That sets your subdomain. Leave it as plex.*

 

Change the container name to plex so you don't have to modify the proxy conf.

 

Follow the rest of the steps outlined at the top of the proxy conf


Doesn't seem like my certs are renewing for some reason...thanks in advance for any insight.
 

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=mydomain.duckdns.org
SUBDOMAINS=nextcloud,home,heimdall
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=test@gmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d nextcloud.mydomain.duckdns.org -d home.mydomain.duckdns.org -d heimdall.mydomain.duckdns.org
E-mail address entered: test@gmail.com
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes.
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Apr 2 22:27:57 PDT 2020
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 445, in __init__
    raise errors.CertStorageError(
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/mydomain.duckdns.org.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No renewals were attempted.
No hooks were run.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/mydomain.duckdns.org.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

13 hours ago, puncho said:

Doesn't seem like my certs are renewing for some reason...thanks in advance for any insight.

Your renewal conf file is broken for some reason. Perhaps a bad backup/restore. Change the parameters and recreate to force a renewal.

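What "missing a required file reference" means in certbot's terms, as an added example (my own code, not part of this thread or of the linuxserver.io image): certbot's RenewableCert refuses a renewal conf unless its top section names cert, privkey, chain and fullchain, and "certbot renew" then reports the file as parsefail and skips it, which is exactly the sequence in the log above. The checker below parses a renewal conf the way that matters for this error and reports missing references and dangling paths, so the conf can be inspected before the parameters are changed to force a re-issue. The two confs and the file list are constructed (paths are placeholders in the page's mydomain.duckdns.org form), and the "exists" callable is injectable so the example runs offline.

```python
import os

# certbot's storage.RenewableCert requires these four file references in the
# top section of every renewal conf; missing any one raises CertStorageError.
REQUIRED_REFERENCES = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Parse the top (pre-section) 'key = value' lines of a certbot renewal conf."""
    top = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):        # [renewalparams] and everything after it
            break
        key, _, value = line.partition("=")
        top[key.strip()] = value.strip()
    return top


def check_renewal_conf(text, exists=os.path.exists):
    """Return a list of problems that would make 'certbot renew' skip this conf.

    `exists` is injectable so the check can be run against constructed data.
    """
    top = parse_renewal_conf(text)
    problems = []
    for key in REQUIRED_REFERENCES:
        if key not in top:
            problems.append(
                f"missing required file reference '{key}' (certbot reports parsefail)")
        elif not exists(top[key]):
            problems.append(f"{key} points at {top[key]}, which does not exist")
    if "archive_dir" in top and not exists(top["archive_dir"]):
        problems.append(f"archive_dir {top['archive_dir']} does not exist")
    return problems


# Constructed example of a healthy renewal conf (placeholder paths).
GOOD_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/mydomain.duckdns.org
cert = /etc/letsencrypt/live/mydomain.duckdns.org/cert.pem
privkey = /etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem
chain = /etc/letsencrypt/live/mydomain.duckdns.org/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem

[renewalparams]
authenticator = webroot
"""

# Constructed broken variant: the chain and fullchain lines were lost, one way
# to end up with the "missing a required file reference" error in the log above.
BROKEN_RENEWAL_CONF = "\n".join(
    line for line in GOOD_RENEWAL_CONF.splitlines()
    if not line.startswith(("chain", "fullchain")))

# Stand-in for the filesystem so the example runs offline.
FAKE_FILES = {
    "/etc/letsencrypt/archive/mydomain.duckdns.org",
    "/etc/letsencrypt/live/mydomain.duckdns.org/cert.pem",
    "/etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem",
    "/etc/letsencrypt/live/mydomain.duckdns.org/chain.pem",
    "/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem",
}

if __name__ == "__main__":
    for label, conf in (("good", GOOD_RENEWAL_CONF), ("broken", BROKEN_RENEWAL_CONF)):
        print(label, check_renewal_conf(conf, exists=FAKE_FILES.__contains__) or "ok")
```

On a real container, call check_renewal_conf on the contents of /etc/letsencrypt/renewal/<domain>.conf with the default "exists"; dangling paths after a backup/restore show up the same way as missing keys.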

I've been banging my head on this all day. I have my domain's DNS linked up with cloudflare and cloudflare pointing to duckdns pointing to me.

Let's Encrypt got its cert all fine and happy as.

I'm currently only trying to get ombi and nextcloud sorted out and have followed space invaders videos on lets encrypt and dns certs.

What else do you guys need to help? It should just work but I only get 522 errors :(

I feel ipv6 might be screwing things up but I have ipv4 and 6 forwarded. I'm at a complete loss.


10 hours ago, BomB191 said:

I've been banging my head on this all day. I have my domain's DNS linked up with cloudflare and cloudflare pointing to duckdns pointing to me.

Did you Google error 522? It tells you exactly what the problem is. Cloudflare can't reach your server. Check your port forwarding.

 

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

5 hours ago, aptalca said:

Did you Google error 522? It tells you exactly what the problem is. Cloudflare can't reach your server. Check your port forwarding

 

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

OMFG! Ok, so I shouldn't do stuff on 3 hours sleep. I was under the impression I could use port 180 and 1443 externally but couldn't figure out how it was mapped. Forwarding port 80 and 443 works. I am an idiot. Thanks for the assistance :)

Makes me wonder though, can one change the external port used to not be 80 or 443? Or is that something embedded within the protocol?

5 hours ago, BomB191 said:

OMFG! ok so i shouldn't do stuff on 3 hours sleep. I was under the impression I could use port 180 and 1443 externally But couldn't figure out how it was mapped. forwarding port 80 and 443 works. I am an idiot. Thanks for the assistance :)

 

Makes me wonder though can one change the external port used to not be 80 or 443? or is that something embedded withing the protocol?

HTTPS default is 443. If you use a different port, you'll have to define it to browse it, like https://domain.com:1443


Hello all,

I am trying to configure f2b for permanent bans.  

 

I have started the container with "--cap-add=NET_ADMIN" and have set the bantime to "-1" for each jail (as noted under "Jail Options" at https://www.fail2ban.org/wiki/index.php/MANUAL_0_8).  

 

I am able to see IPs being detected:

2020-03-30 22:04:20,572 fail2ban.filter         [392]: INFO    [nginx-botsearch] Found 148.72.207.250 - 2020-03-30 22:04:20

2020-03-31 06:46:10,028 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 34.76.172.157 - 2020-03-31 06:46:09
2020-03-31 09:29:25,455 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 128.199.254.23 - 2020-03-31 09:29:25
2020-03-31 11:38:48,885 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 103.5.150.16 - 2020-03-31 11:38:48

 

But I'm not seeing those in the persistent DB (fail2ban.sqlite3):

 


 

 

Curious if I'm missing something that is preventing this from working.

 

Thanks in advance,

 

D

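An added example (my own code, not part of this thread or of fail2ban) that replays the kind of log lines quoted in the post: a fail2ban.filter "Found" line is a filter match, and fail2ban only bans an address, and only then writes a row to fail2ban.sqlite3, once that address accumulates maxretry matches inside a findtime-second window. The script parses the Found lines and reports which addresses would actually cross the threshold. The four log lines are the ones in the post; the burst from 192.0.2.10 (an RFC 5737 documentation address) is constructed, and maxretry=5 with findtime=600 are fail2ban's stock defaults, assumed here because the jail's own settings are not in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the fail2ban.filter "Found" lines quoted in the post.
FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.filter\s+\[\d+\]: "
    r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)")


def parse_found(lines):
    """Yield (timestamp, jail, ip) for every 'Found' line; other lines are ignored."""
    for line in lines:
        m = FOUND_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"]


def simulate_bans(lines, maxretry=5, findtime=600):
    """Replay the Found events and return {(jail, ip): time_of_ban}.

    Mirrors fail2ban's rule: an address is banned once it has `maxretry`
    matches inside a `findtime`-second window. A match alone never reaches
    the database; only the resulting ban does.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = {}
    for ts, jail, ip in sorted(parse_found(lines)):
        hits = [t for t in recent[(jail, ip)] if ts - t <= window]
        hits.append(ts)
        if len(hits) >= maxretry and (jail, ip) not in bans:
            bans[(jail, ip)] = ts
            hits = []                      # counter resets once the ban fires
        recent[(jail, ip)] = hits
    return bans


# The four lines from the post, plus a constructed burst from 192.0.2.10
# (five matches in 39 seconds) to show what a ban actually requires.
SAMPLE_LOG = [
    "2020-03-30 22:04:20,572 fail2ban.filter         [392]: INFO    [nginx-botsearch] Found 148.72.207.250 - 2020-03-30 22:04:20",
    "2020-03-31 06:46:10,028 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 34.76.172.157 - 2020-03-31 06:46:09",
    "2020-03-31 09:29:25,455 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 128.199.254.23 - 2020-03-31 09:29:25",
    "2020-03-31 11:38:48,885 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 103.5.150.16 - 2020-03-31 11:38:48",
] + [
    f"2020-03-31 12:00:{sec:02d},000 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 192.0.2.10 - 2020-03-31 12:00:{sec:02d}"
    for sec in (5, 12, 20, 31, 44)
]

if __name__ == "__main__":
    for (jail, ip), when in simulate_bans(SAMPLE_LOG).items():
        print(f"{jail}: {ip} would be banned at {when}")
```

With one Found per address, no jail reaches the threshold, so an empty bans table is the expected result rather than a persistence failure; the line that confirms a real ban is the "Ban <ip>" message fail2ban.actions logs when the threshold is crossed, and bantime = -1 only changes how long such a ban is kept, not when it is created.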

Ok I got it all working with my own subdomain and an A record pointing to my new fixed IP :-)

 

But, can I change the subdomain to the main domain? (I have enabled it in the docker to false, and I can see that it pulls the certificate)

 

But all the conf.samples are for a subdomain; where and how can I set up the main domain?

 

Strange, I can only find support for reverse proxy using subdomains? (But my old Synology could do both subdomains and main domain?)

6 hours ago, casperse said:

Ok I got it all working with my own subdomain and an A record pointing to my new fixed IP 🙂

Check out the heimdall subfolder conf sample and you'll see how


Hey aptalca, 

Thanks for your help with setting up pgadmin4. My users now want to access postgres via subdomain directly, rather than through pgadmin4. 

I think I might have the ports messed up again, because my attempt at setting it up failed. I can access via local network on port 5432, but the subdomain functionality doesn't work yet. 

Here's my custom postgres.subdomain.conf (which I want to give access to my postgres docker using postgres.mydomain.com):
 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name postgres.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_postgres myPostgresDocker;
        proxy_pass http://$upstream_postgres:5432;
    }
}

My error before was using the incorrect port, but I thought postgres used port 5432. I believe I have the docker ports set up correctly as:

 

172.18.0.8:5432/TCP <-> mylocalhost:5432

Thanks so much in advance!

 

9 hours ago, aptalca said:

Check out the heimdall subfolder conf sample and you'll see how

Thanks!

 

So this sample for subfolder would allow me to use the main domain?

Just updating the app name to another docker?

I wanted to use the main domain on "Ombi" and I can see that there is a template for using it, but again it's for a subdomain.

 

(The docker is authenticated by the Plex service, so I would not need the .htpasswd)

# In order to use this location block you need to edit the default file one folder up and comment out the / location

location / {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app heimdall;   # <-- replace with the name of the Docker container you want to proxy
    set $upstream_port 443;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

1000 thanks, I have googled this for hours but didn't find anything...

3 hours ago, casperse said:

Thanks!

 

So this sample for subfolder would allow me to use the main domain?

Just updating the app name to another docker?

I wanted to use the main domain on "Ombi" and I can see that there is a template for using it, but again it's for a subdomain.

 

(The docker is authenticated by the Plex service, so I would not need the .htpasswd)


# In order to use this location block you need to edit the default file one folder up and comment out the / location

location / {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app heimdall;   # <-- replace with the name of the Docker container you want to proxy
    set $upstream_port 443;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

1000 thanks, I have googled this for hours but didn't find anything...

Correct. Don't forget to follow the directions at the top otherwise nginx won't start due to duplicate location blocks

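For the main-domain question above, an added example (not from this thread and not one of the linuxserver.io conf samples) of the other way to do it: a separate site-conf whose server_name names the bare domain explicitly. nginx selects a server block by exact server_name match before it falls back to the default_server, and site-confs/default only declares `server_name _;`, so this file can sit beside the default file without commenting out its `/` location. It assumes the container is named `ombi` and listens on Ombi's default port 3579, that the domain is `yourdomain.com`, and that the certificate covers the bare domain (ONLY_SUBDOMAINS=false) and `www` (www listed in SUBDOMAINS); the file name is hypothetical.

```nginx
# /config/nginx/site-confs/ombi.maindomain.conf   (hypothetical file name; added example)
# Serves Ombi on the bare domain. nginx picks a server block by exact server_name
# before it falls back to the default_server, and site-confs/default only declares
# "server_name _;", so this file works without editing the default file.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # assumed domain; www. is listed because SUBDOMAINS=www puts it on the cert
    server_name yourdomain.com www.yourdomain.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    location / {
        # no auth_basic here: Ombi brings its own (Plex-backed) login, as noted above
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app ombi;      # assumed container name
        set $upstream_port 3579;     # Ombi's default HTTP port
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Run `nginx -t` inside the container before restarting it; a duplicate `default_server` or a server_name typo shows up there rather than as a silent fall-through to the default site. The bare-domain block only answers for names that are on the certificate, so if the cert was issued with ONLY_SUBDOMAINS=true, browsers get a certificate error for `yourdomain.com` no matter what this file says.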
6 hours ago, njdowdy said:

Hey aptalca, 

Thanks for your help with setting up pgadmin4. My users now want to access postgres via subdomain directly, rather than through pgadmin4. 

I think I might have the ports messed up again, because my attempt at setting it up failed. I can access via local network on port 5432, but the subdomain functionality doesn't work yet. 

Here's my custom postgres.subdomain.conf (which I want to give access to my postgres docker using postgres.mydomain.com):
 


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name postgres.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_postgres myPostgresDocker;
        proxy_pass http://$upstream_postgres:5432;
    }
}

My error before was using the incorrect port, but I thought postgres used port 5432. I believe I have the docker ports set up correctly as:

 

172.18.0.8:5432/TCP <-> mylocalhost:5432

Thanks so much in advance!

 

Isn't that a remote access port for Postgres? There is no webserver there, is there? The conf you have is only for proxying HTTP (web servers), not regular TCP traffic. For that you'd need to use the stream plugin.

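The stream route aptalca points at, as an added example (not from this thread and not part of the container's own files): a stream block for the Postgres port. It belongs at the top level of /config/nginx/nginx.conf, outside the existing `http { ... }` block, because stream and http are sibling contexts and a stream block is not valid in site-confs. Assumptions: the database container is named `myPostgresDocker` as in the post above, the container's nginx has the stream module (the commented `load_module` line is for builds where it is a dynamic module, and the Alpine path shown may differ), port 5432 is published on the letsencrypt container, the log path is the container's usual nginx log directory, and the allow ranges are placeholder LAN/VPN networks.

```nginx
# Added at top level of /config/nginx/nginx.conf, as a sibling of http { ... }.
# (added example, not part of the container's shipped configuration)

# Only needed where stream is built as a dynamic module; assumed Alpine path.
# load_module /usr/lib/nginx/modules/ngx_stream_module.so;

stream {
    # Docker's embedded DNS, the same resolver the http site confs use
    resolver 127.0.0.11 valid=30s;

    # Resolve the container name per connection instead of at startup, so nginx
    # still starts when the database container is down. "myPostgresDocker" is
    # the container name from the post above.
    map $remote_addr $upstream_postgres {
        default myPostgresDocker;
    }

    # Log every connection: there is no HTTP access.log for this traffic and
    # the nginx fail2ban jails never see it. Log path assumed.
    log_format tcp_basic '$remote_addr [$time_local] $protocol $status '
                         '$bytes_sent $bytes_received $session_time';
    access_log /config/log/nginx/postgres-stream.log tcp_basic;

    server {
        # Publish this port on the letsencrypt container as well (-p 5432:5432).
        listen 5432;

        # Raw TCP carries no Host header, so postgres.mydomain.com and
        # mydomain.com land on the same listener; the source address is the
        # only gate nginx can apply here. Ranges are placeholders for LAN/VPN.
        allow 192.168.1.0/24;
        allow 10.8.0.0/24;
        deny  all;

        proxy_connect_timeout 5s;
        proxy_timeout 10m;

        # Bytes pass through untouched, including the TLS that the Postgres
        # client negotiates inside its own protocol (sslmode=require).
        proxy_pass $upstream_postgres:5432;
    }
}
```

Two things change once the traffic is a plain TCP stream. None of the HTTP-layer controls apply: no auth_basic or LDAP auth_request, no Host-based routing, and the nginx fail2ban jails read the HTTP access log, so they never see failed database logins. The allow/deny list above is therefore the main gate on the nginx side; the other gates are Postgres's own pg_hba.conf, strong passwords and its TLS settings. nginx also cannot terminate TLS for Postgres the way it does for a website, because the client asks for TLS inside the Postgres protocol after connecting; enable ssl in Postgres itself and connect with sslmode=require (or verify-full against Postgres's certificate). The Let's Encrypt certificate the container fetched plays no part in this block. Validate with `nginx -t` inside the container before restarting it.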
3 hours ago, aptalca said:

Isn't that a remote access port for Postgres? There is no webserver there, is there? The conf you have is only for proxying HTTP (web servers), not regular TCP traffic. For that you'd need to use the stream plugin.

Ah, well that would make sense then. I wasn't aware of this. 

Two questions:
1. How would one determine when a docker does and does not come with a webserver? (in case I run into this again in the future)
2. Would you mind posting or linking some info on setting up the stream plugin/module and/or a .conf for these types of dockers? I did some forum searches, but it wasn't clear to me what the correct steps are. I saw your post on the subject elsewhere,

but I don't think I have interpreted your instruction correctly. 

Thanks so much, yet again!

4 hours ago, aptalca said:

Correct. Don't forget to follow the directions at the top otherwise nginx won't start due to duplicate location blocks

Oh, I didn't see that, thanks!

 

Would I still be able to use subdomains for other Dockers under this top domain?

The current version supports multiple domains, like: domain1, domain2

Adding any subdomain to this in the configuration would then create certs for these subdomains under both domains, correct?

 

Is it problematic to also change Nextcloud to its own domain instead of using a subdomain?

(I have read many posts in this thread about Nextcloud saying that a subdomain is the way to get it working, not one about using a main domain)

 

Again thanks for your help! much appreciated


Hi, can anyone help me figure out how to get past this error?

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=serverjohn.com
SUBDOMAINS=deluge,duplicati,grafana,jacket,lidarr,netdata,nextcloud,ombi,plex,radarr,sonarr,tautulli,unraid,www
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=4096
VALIDATION=http
DNSPLUGIN=
EMAIL=@serverjohn.com
STAGING=

DH parameters bit setting changed. Deleting old dhparams file.
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
[openssl dhparam progress dots]
DH parameters successfully created - 4096 bits
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d deluge.serverjohn.com -d duplicati.serverjohn.com -d grafana.serverjohn.com -d jacket.serverjohn.com -d lidarr.serverjohn.com -d netdata.serverjohn.com -d nextcloud.serverjohn.com -d ombi.serverjohn.com -d plex.serverjohn.com -d radarr.serverjohn.com -d sonarr.serverjohn.com -d tautulli.serverjohn.com -d unraid.serverjohn.com -d www.serverjohn.com
E-mail address entered: stefan@serverjohn.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for deluge.serverjohn.com
http-01 challenge for duplicati.serverjohn.com
http-01 challenge for grafana.serverjohn.com
http-01 challenge for jacket.serverjohn.com
http-01 challenge for lidarr.serverjohn.com
http-01 challenge for netdata.serverjohn.com
http-01 challenge for nextcloud.serverjohn.com
http-01 challenge for ombi.serverjohn.com
http-01 challenge for plex.serverjohn.com
http-01 challenge for radarr.serverjohn.com
http-01 challenge for serverjohn.com
http-01 challenge for sonarr.serverjohn.com
http-01 challenge for tautulli.serverjohn.com
http-01 challenge for unraid.serverjohn.com
http-01 challenge for www.serverjohn.com
Waiting for verification...
Challenge failed for domain deluge.serverjohn.com
Challenge failed for domain duplicati.serverjohn.com
Challenge failed for domain grafana.serverjohn.com
Challenge failed for domain jacket.serverjohn.com
Challenge failed for domain lidarr.serverjohn.com
Challenge failed for domain netdata.serverjohn.com
Challenge failed for domain nextcloud.serverjohn.com
Challenge failed for domain ombi.serverjohn.com
Challenge failed for domain plex.serverjohn.com
Challenge failed for domain radarr.serverjohn.com
Challenge failed for domain serverjohn.com
Challenge failed for domain sonarr.serverjohn.com
Challenge failed for domain tautulli.serverjohn.com
Challenge failed for domain unraid.serverjohn.com
Challenge failed for domain www.serverjohn.com
http-01 challenge for deluge.serverjohn.com
http-01 challenge for duplicati.serverjohn.com
http-01 challenge for grafana.serverjohn.com
http-01 challenge for jacket.serverjohn.com
http-01 challenge for lidarr.serverjohn.com
http-01 challenge for netdata.serverjohn.com
http-01 challenge for nextcloud.serverjohn.com
http-01 challenge for ombi.serverjohn.com
http-01 challenge for plex.serverjohn.com
http-01 challenge for radarr.serverjohn.com
http-01 challenge for serverjohn.com
http-01 challenge for sonarr.serverjohn.com
http-01 challenge for tautulli.serverjohn.com
http-01 challenge for unraid.serverjohn.com
http-01 challenge for www.serverjohn.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: deluge.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://deluge.serverjohn.com/.well-known/acme-challenge/8E4H5IDuYFjxlRZ7FL86Xdzaf_Vk-3Up0zTw1CyTDS8
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: duplicati.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://duplicati.serverjohn.com/.well-known/acme-challenge/lQLmdIzX8m3WM0tx24HXfVKGORWtOlBMVmB93ncP61g
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: grafana.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://grafana.serverjohn.com/.well-known/acme-challenge/CcXRaYWrjNHyPlleeYmJM1rtVNhg1czIZH6O4bQiXDg
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: jacket.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://jacket.serverjohn.com/.well-known/acme-challenge/2H2wGqtkdmkSZErQ5SUDJH3OA0K2EJUMYKKC9L45VkA
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: lidarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://lidarr.serverjohn.com/.well-known/acme-challenge/xBL_PgEnSbp9XrFS5mJKP3IEn2eUp96uMaXk8RnkykM
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: netdata.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://netdata.serverjohn.com/.well-known/acme-challenge/6EOzYpleuHVzQ7LrXNOMn6aN_KrOa_3butIiwsfWDd0
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: nextcloud.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.serverjohn.com/.well-known/acme-challenge/ik2SU9PAfQtcfvBqUByD14HQQ4skGLmB_7_MDFuY6-A
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: ombi.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://ombi.serverjohn.com/.well-known/acme-challenge/rtjrqFCDHlOXNfjmLQo1QlTERbeNTFHkLhqTlREsEA0
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: plex.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://plex.serverjohn.com/.well-known/acme-challenge/BID2vNE7WmlcDwO3JwQ0PNhhWjDWrMBUSxXhEUTD9EY
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: radarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://radarr.serverjohn.com/.well-known/acme-challenge/c4iFeq_CYWokLiWtGofA292kDGu5HrgyliJEBOH3V9o
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://serverjohn.com/.well-known/acme-challenge/_J2wAH3GZxcEfrC3GlE7fk1pHxXYLgDOOfNYUYpY7jg
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: sonarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://sonarr.serverjohn.com/.well-known/acme-challenge/v3mVCVA_UJ5avFqcpSVIGRLhzMt_uGyuhRcV2m-srkA
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: tautulli.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://tautulli.serverjohn.com/.well-known/acme-challenge/A1xvnyKmyR9_x76KwOR3zWOnE6Hhdrvevq5IK0HUMW4
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: unraid.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://unraid.serverjohn.com/.well-known/acme-challenge/UrtTqcVJ0QpFaaPTytbLU6OBRyQZ4VUFkbn2Ijlx7Pw
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: www.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://www.serverjohn.com/.well-known/acme-challenge/VBomGHuZb9CQGQpDMKkYlqChznPbdsnbh4yJ0OT_b2U
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

[attached screenshot: Cloudflare DNS records for the domain]
On 4/7/2020 at 12:08 PM, drsparks68 said:

Hello all,

I am trying to configure f2b for permanent bans.  

 

I have started the container with "--cap-add=NET_ADMIN" and have set the bantime to "-1" for each jail (as noted under "Jail Options" at https://www.fail2ban.org/wiki/index.php/MANUAL_0_8).  

 

I am able to see IPs being detected:

2020-03-30 22:04:20,572 fail2ban.filter         [392]: INFO    [nginx-botsearch] Found 148.72.207.250 - 2020-03-30 22:04:20

2020-03-31 06:46:10,028 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 34.76.172.157 - 2020-03-31 06:46:09
2020-03-31 09:29:25,455 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 128.199.254.23 - 2020-03-31 09:29:25
2020-03-31 11:38:48,885 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 103.5.150.16 - 2020-03-31 11:38:48

 

But I'm not seeing those in the persistent DB (fail2ban.sqlite3):

 

[attached screenshot: contents of fail2ban.sqlite3]

 

 

Curious if I'm missing something that is preventing this from working.

 

Thanks in advance,

 

D

 

Now it seems that Fail2Ban isn't working at all... or at least none of the default jails flagged this traffic and banned the source IP (and there were over 600 lines of it in the NGINX access.log):

 

[attached screenshots: excerpt of the NGINX access.log showing the traffic]

 

5 hours ago, STEFAN1987 said:

Hi, can anyone help me figure out how to get past this error?

 

http-01 challenge for www.serverjohn.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: deluge.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://deluge.serverjohn.com/.well-known/acme-challenge/8E4H5IDuYFjxlRZ7FL86Xdzaf_Vk-3Up0zTw1CyTDS8
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: duplicati.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://duplicati.serverjohn.com/.well-known/acme-challenge/lQLmdIzX8m3WM0tx24HXfVKGORWtOlBMVmB93ncP61g
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: grafana.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://grafana.serverjohn.com/.well-known/acme-challenge/CcXRaYWrjNHyPlleeYmJM1rtVNhg1czIZH6O4bQiXDg
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: jacket.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://jacket.serverjohn.com/.well-known/acme-challenge/2H2wGqtkdmkSZErQ5SUDJH3OA0K2EJUMYKKC9L45VkA
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: lidarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://lidarr.serverjohn.com/.well-known/acme-challenge/xBL_PgEnSbp9XrFS5mJKP3IEn2eUp96uMaXk8RnkykM
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: netdata.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://netdata.serverjohn.com/.well-known/acme-challenge/6EOzYpleuHVzQ7LrXNOMn6aN_KrOa_3butIiwsfWDd0
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: nextcloud.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.serverjohn.com/.well-known/acme-challenge/ik2SU9PAfQtcfvBqUByD14HQQ4skGLmB_7_MDFuY6-A
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: ombi.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://ombi.serverjohn.com/.well-known/acme-challenge/rtjrqFCDHlOXNfjmLQo1QlTERbeNTFHkLhqTlREsEA0
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: plex.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://plex.serverjohn.com/.well-known/acme-challenge/BID2vNE7WmlcDwO3JwQ0PNhhWjDWrMBUSxXhEUTD9EY
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: radarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://radarr.serverjohn.com/.well-known/acme-challenge/c4iFeq_CYWokLiWtGofA292kDGu5HrgyliJEBOH3V9o
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://serverjohn.com/.well-known/acme-challenge/_J2wAH3GZxcEfrC3GlE7fk1pHxXYLgDOOfNYUYpY7jg
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: sonarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://sonarr.serverjohn.com/.well-known/acme-challenge/v3mVCVA_UJ5avFqcpSVIGRLhzMt_uGyuhRcV2m-srkA
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: tautulli.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://tautulli.serverjohn.com/.well-known/acme-challenge/A1xvnyKmyR9_x76KwOR3zWOnE6Hhdrvevq5IK0HUMW4
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: unraid.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://unraid.serverjohn.com/.well-known/acme-challenge/UrtTqcVJ0QpFaaPTytbLU6OBRyQZ4VUFkbn2Ijlx7Pw
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: www.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://www.serverjohn.com/.well-known/acme-challenge/VBomGHuZb9CQGQpDMKkYlqChznPbdsnbh4yJ0OT_b2U
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


[attached screenshot: Inkedcloudflaredns_LI.jpg]

Port forwarding issue

6 hours ago, casperse said:

Oh, didn't see that, thanks!

Would I still be able to use subdomains for other Dockers under this top-domain?

The current version supports multiple domains like: domain1, domain2

Adding any subdomain to this in the configuration would then create certs for these subdomains under both domains, correct?

Is it problematic to also change Nextcloud to its own domain instead of using a subdomain?

(Have read many posts in this thread about Nextcloud and that a subdomain is the way to get it working, not one about using a main domain)

Again, thanks for your help! Much appreciated.

Sure you can. But you gotta read up and understand nginx configs. Server blocks are for matching and defining domains and subdomains, and location blocks are for URIs (subfolders and the rest).
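
How the two block types combine for this question, as an added example (not the poster's or the project's own config): Nextcloud on the bare domain and another app under a wildcard subdomain. The hostnames example.org/example.com and the container names nextcloud/grafana are placeholders; ssl.conf, proxy.conf and the $upstream_* variables follow the SWAG sample-config convention shown earlier in the thread, and the certificate SWAG obtained is assumed to cover the bare domain as well.

```nginx
# Added example (not from the original post): two SWAG server blocks that
# put Nextcloud on a bare domain and keep a subdomain for another app.
# example.org / example.com are placeholders; the nextcloud and grafana
# containers are assumed to sit on the same Docker network as SWAG.

# Server block 1: Nextcloud served directly on the top-level domain.
# server_name must list the exact names; "nextcloud.*" would only match
# a subdomain called nextcloud under any domain, never the bare domain.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name example.org www.example.org;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # location "/" = every URI on this host goes to the Nextcloud container
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;   # Docker's embedded DNS
        set $upstream_app nextcloud;     # assumed container name
        set $upstream_port 443;          # linuxserver nextcloud listens on 443
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

# Server block 2: wildcard subdomain match. "grafana.*" matches
# grafana.example.org AND grafana.example.com, so one block serves the
# app under every domain the certificate covers.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name grafana.*;

    include /config/nginx/ssl.conf;

    # a location block could also split URIs: e.g. "location /api/" could
    # go to a different upstream while "/" stays with grafana
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app grafana;       # assumed container name
        set $upstream_port 3000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Nextcloud itself also has to accept the bare hostname, so it must be listed in trusted_domains in its config.php or it will refuse the request even though nginx proxied it correctly.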
