[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



17 hours ago, aptalca said:

Sure you can. But you gotta read up and understand nginx configs. Server blocks are for matching and defining domains and subdomains, and location blocks are for the URI (subfolder and rest).

 

I have been reading! And thanks to you and this very long thread I am almost there.

 

Exercise "Setup Ombi with main domain":

0) Confirm in the log that Letsencrypt gets certificates for everything

1) Change Docker to use custom Proxynet (Networktype)
2) Use template heimdall.subfolder.conf.sample and add your docker name (This case: ombi)

rename it "ombi.subfolder.conf"

 

\rootshare\appdata\letsencrypt\nginx\proxy-confs\ombi.subfolder.conf

location / {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app ombi;
    set $upstream_port 443;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

3) Comment out location / in:

appdata\letsencrypt\nginx\site-confs\default

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _; <--- Add my domains here?

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

#    location / {
#        try_files $uri $uri/ /index.html /index.php?$args =404;
#    }
 
     location ~ \.php$ {
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
     }


4) Port setup on Docker: it's the proxy that forwards port 443 -> the Dockers.
   And it looks like it gets the port from the Docker itself: "proxy_pass $upstream_proto://$upstream_app:$upstream_port;"
   So not sure if I need to specify the Ombi port 3579 somewhere


   But where do I specify which main domain "1" should be used for Ombi?
   This should be in the # main server block in the default file above right?
   
   server_name domain1;
   server_name domain2;

 

5) I also found this "Add your domain name to the trusted domains array?" (Don't know what that's about)

 

I apologize for not figuring this out myself - I have spent a lot of time on trial & error.

Most on Google use Linux and command lines, not these very nice configuration files.

Edited by casperse
1 hour ago, casperse said:

 


$upstream_port is defined two lines above

5 hours ago, aptalca said:

$upstream_port is defined two lines above

Yes, it's defined in the "ombi.subfolder.conf" and I left it as default, like in the Nextcloud conf. (subdomain) video setup to the default port 443:

set $upstream_port 443; right? (I tried changing it to 3579 makes no difference)

 

Just thought that I would need some configuration "link" between the two dockers and the 2 domains:

domain_1 --> ombi IP:3579


(I am waiting with domain_2 until I have cracked the first main domain_2 --> nextcloud IP: (PHP config.php)

 

Getting the sub.domain working was so simple, would it be better and easier to set up DNS verification instead, using a wildcard SSL certificate?

The cert. is working for both main and sub domains so I guess it doesn't really matter

 

Update: I also found this guide - https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#usingheimdallasthehomepageatdomainroot

And it's exactly like you told me, can't see any errors - but for some reason it doesn't work... must be missing something

Edited by casperse
35 minutes ago, aptalca said:

FYI, 443 is not the correct port for ombi. Also ombi does not use https, it's http

 

Damn, it was right in front of me! Missed that it didn't have https! (I did try swapping ports)

I think I understand how it works now!

 

So if I copy the Heimdall template to use with Nextcloud,

then how do I set the right domain to point to each?

Domain_1 --> Ombi (THIS WORKS NOW! :-)

Domain_2 --> Nextcloud

 

I can't see how Letsencrypt can tell which domain should point to each specific docker?

Thanks again! this is awesome!

 

2 hours ago, casperse said:

 


 

Server name directive.

 

Create a new subdomain conf for the new server name

Edited by aptalca
On 4/11/2020 at 3:19 AM, aptalca said:

Server name directive.

 

Create a new subdomain conf for the new server name

So again copying the sample from Heimdall.subfolder.conf.sample and creating the "nextcloud.subfolder.conf"


# In order to use this location block you need to edit the default file one folder up and comment out the / location

location / {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app nextcloud;
    set $upstream_port 443;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

Then adding the two servers to the appdata\letsencrypt\nginx\site-confs\default conf

(Removing the two lines for the htpassword in the example below)

#  auth_basic "Restricted";

#  auth_basic_user_file /config/nginx/.htpasswd;

 

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name domain_1;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.6:3579;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name domain_2;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.6:443;
    }
}

Then of course updating the Nextcloud PHP configuration to the domain and not the sub.domain

I have been reading your old posts today :-)

Did I forget something?

 

Would sub.domains still work? bitwarden.domain_2

Or would I need to define them as servers also?

 

Update: Adding a domain should be like this, right?

[screenshot]

 

I thought I had made some A record wrong but if I just enter one domain it works, but if I add more domains I get this error:

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

On page 167 I found a note about creating this extra field for more domains?

But it talks about subdomains? Would I be able to do as shown below?

[screenshot]

Edited by casperse

@aptalca, after digging around further, I stumbled on some resources for setting up the stream module (e.g., https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/). However, I still haven't been able to get it up and running, mainly because I'm not sure what the proxy-conf file should look like for a docker needing to utilize the stream module.

I added the following to my nginx.conf (previous was default nginx.conf that comes with the letsencrypt docker):

http {
    # default stuff
}

stream {
    upstream stream_backend {
        # 10.20.30.222:5432 is the postgres docker address that is functioning on local network
        server 10.20.30.222:5432;
    }
    server {
        listen 5432;
        proxy_pass stream_backend;
    }
}

I tried many variations of "postgres.subdomain.conf" files, however none of them worked. My naive thinking is that nginx would be taking traffic from 443 and the stream module would somehow map that to a local address as if the remote location was inside the local network (10.20.30.222:5432 in this case). So, I expected it to look something like the below code. Attempting to connect remotely with pgadmin4 requires a hostname and a specified port. If I pass "5432" I get "Unable to connect to server: timeout expired" and passing port "443" gives me "Unable to connect to server: received invalid response to SSL negotiation: H" (this one is probably not surprising). 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name postgres.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        #TCP traffic should be forwarded to the "stream_backend" upstream group
        set $upstream_postgres stream_backend;
        proxy_pass http://$upstream_postgres;
    }
}

I don't understand how to tell nginx to take in an address like "postgres.mydomain.com" and resolve that as if it were localhost:5432 on my local network.

I really appreciate any guidance! I'm excited to learn how the stream module works, because I think it will open up a lot of new potential for my server. Thanks!
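The reason none of the postgres.subdomain.conf variants can work is a protocol mismatch rather than a config typo, and the "H" in pgadmin's error is the clue. What follows is an added example, not code from this thread, from nginx or from the linuxserver.io image, that shows it at the byte level: PostgreSQL clients open a connection with an SSLRequest (or a plaintext StartupMessage), not a TLS ClientHello and not an HTTP request line, and after SSLRequest libpq accepts exactly one byte, "S" or "N". The client bytes below are built from the PostgreSQL wire protocol constants; the HTTP reply is a constructed stand-in for what an https listener returns to a client whose first bytes are not TLS (such a reply starts with "H", consistent with the error quoted above).

```python
# Added example (not from the thread, nginx or the linuxserver.io image): what
# the opening bytes of a PostgreSQL connection look like, why an http{} context
# cannot handle them, and what a stream{} proxy does with them instead.
import struct

PG_SSLREQUEST_CODE = 80877103   # (1234 << 16) | 5679, PostgreSQL SSLRequest code
PG_PROTOCOL_V3 = 196608         # (3 << 16) | 0, protocol version 3.0


def pg_ssl_request():
    """First 8 bytes libpq sends when sslmode asks for TLS: int32 length, int32 code."""
    return struct.pack("!ii", 8, PG_SSLREQUEST_CODE)


def pg_startup_message(user, database):
    """Plaintext StartupMessage: int32 length, int32 protocol, key\\0value\\0 ... \\0."""
    params = b"".join(
        k.encode() + b"\x00" + v.encode() + b"\x00"
        for k, v in (("user", user), ("database", database))
    ) + b"\x00"
    body = struct.pack("!i", PG_PROTOCOL_V3) + params
    return struct.pack("!i", 4 + len(body)) + body


def classify_first_bytes(data):
    """Guess the protocol from the opening bytes of a TCP connection."""
    # TLS record type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if len(data) >= 8:
        length, code = struct.unpack("!ii", data[:8])
        if length == 8 and code == PG_SSLREQUEST_CODE:
            return "postgres-sslrequest"
        if length >= 8 and code == PG_PROTOCOL_V3:
            return "postgres-startup"
    method = data.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"):
        return "http-request"
    return "unknown"


def nginx_context_for(data):
    """http{} can only serve HTTP (plain, or inside TLS it terminates itself);
    anything else has to be carried by stream{} as opaque TCP."""
    kind = classify_first_bytes(data)
    return "http" if kind in ("http-request", "tls-client-hello") else "stream"


def libpq_read_ssl_reply(server_bytes):
    """libpq expects exactly one byte after SSLRequest: 'S' (server will start
    TLS) or 'N' (no TLS). Any other byte is reported as
    'received invalid response to SSL negotiation: <byte>'."""
    first = server_bytes[:1]
    if first == b"S":
        return "tls"
    if first == b"N":
        return "plaintext"
    raise ValueError(
        "received invalid response to SSL negotiation: "
        + first.decode("ascii", errors="replace")
    )


def stream_proxy(client_bytes):
    """What a stream{} proxy_pass does: hand the bytes to the upstream unchanged."""
    return bytes(client_bytes)


if __name__ == "__main__":
    req = pg_ssl_request()
    print(classify_first_bytes(req), "->", nginx_context_for(req))
    # Constructed stand-in for the reply an https port gives to non-TLS bytes.
    try:
        libpq_read_ssl_reply(b"HTTP/1.1 400 Bad Request\r\n")
    except ValueError as err:
        print(err)
```

Two things follow for the nginx.conf above. The `stream {}` server listens on its own port (5432 there), independent of the http listeners on 80/443, so that port also has to be published by the container and forwarded, and nothing placed in proxy-confs (which is included inside `http {}`) can route it. Hostname-based multiplexing of several TCP services on one port needs the client to send a TLS ClientHello first (nginx's `ssl_preread` keys on the SNI inside it), which the PostgreSQL handshake above does not do. If the database really must be reachable from outside, restrict the stream server with `allow`/`deny` to known client addresses or put it behind a VPN; a bare TCP proxy has none of the auth hooks the http confs offer.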

On 4/11/2020 at 3:19 AM, aptalca said:

Server name directive.

 

Create a new subdomain conf for the new server name

 

Ok I have almost read through the entire thread and on page 167 I found the missing parameter to insert the extra domain names! LOL

I now have 3 domains added and getting certificates!

 

Domain_1 --> Nextcloud (OK)

Domain_2 --> Ombi (Not working)

sub-domain.Domain_2 (OK)

sub-domain.Domain_3 (OK)

 

But I still can't get the two main domains to co-exist...

I know it's how I add the two servers to the default conf?

 

I have created the two main domains from the sample Heimdall.subfolder.conf.sample and created:

 

"nextcloud.subfolder.conf"

"ombi.subfolder.conf"

 

I just need some help on how to define the servers in the appdata\letsencrypt\nginx\site-confs\defaults (conf)

My addition in Yellow


## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

#    location / {
#        try_files $uri $uri/ /index.html /index.php?$args =404;
#    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }


}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain 

server {

 listen 443 ssl http2;
 listen [::]:443 ssl http2;

 root /config/www;
 index index.html index.htm index.php;

 server_name DOMAIN_Ombi;
 include /config/nginx/ssl.conf;
 client_max_body_size 0;

 location / {

#  auth_basic "Restricted";
#  auth_basic_user_file /config/nginx/.htpasswd;

  include /config/nginx/proxy.conf;
  proxy_pass http://192.168.0.6:3579;

 }

}

server {

 listen 443 ssl http2;
 listen [::]:443 ssl http2;

 root /config/www;
 index index.html index.htm index.php;

 server_name DOMAIN_Nextcloud;
 include /config/nginx/ssl.conf;
 client_max_body_size 0;

 location / {

#  auth_basic "Restricted";
#  auth_basic_user_file /config/nginx/.htpasswd;

  include /config/nginx/proxy.conf;
  proxy_pass http://192.168.0.6:443;

 }

}

 

3 hours ago, casperse said:

 


 

The heimdall subfolder method is only for setting the homepage of the main domain. You don't need to do that for the homepage of a secondary domain because it is not already set up.

 

For ombi as the homepage of the second domain, just use the ombi subdomain conf, and edit the server name to read "seconddomain.com"

Edited by aptalca
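What aptalca's "server name directive" answers come down to is nginx's server-block selection, and it is the same mechanism behind the observation further down that every unknown subdomain lands on the main domain. The following is an added example, not code from this thread or from the linuxserver.io image: a small Python simulator of that selection, following the order in the nginx server_names documentation (exact name, longest wildcard starting with "*", longest wildcard ending with "*", first matching regex in file order, then the default server for the port), fed a constructed layout modelled on the thread. The block labels, the domain seconddomain.com and the port-80 redirect block are assumptions for the example.

```python
# Added example (not from the thread or the linuxserver.io image): simulate which
# nginx server block answers a given Host / SNI name, using the precedence from
# the nginx "server_names" documentation.
import re
from dataclasses import dataclass


@dataclass
class ServerBlock:
    label: str                     # label for this example only, not an nginx field
    server_names: list             # values of the server_name directive
    port: int = 443
    default_server: bool = False   # the "default_server" flag on "listen"


def _norm(name):
    return name.lower().rstrip(".")


def select_server(blocks, host, port=443):
    """Return (block, reason) for the block nginx would pick for this Host/SNI."""
    host = _norm(host)
    cands = [b for b in blocks if b.port == port]
    if not cands:
        raise ValueError(f"no server block listens on port {port}")

    # 1. exact names (".example.com" also counts as the exact name "example.com")
    for b in cands:
        for n in b.server_names:
            if n.startswith("~") or n == "_" or "*" in n:
                continue
            if _norm(n.lstrip(".")) == host:
                return b, f"exact match on {n}"

    # 2. longest wildcard starting with "*" (matches www.x.com and a.b.x.com)
    best = None
    for b in cands:
        for n in b.server_names:
            if n.startswith("*.") or n.startswith("."):
                suffix = _norm(n[1:] if n.startswith("*") else n)   # ".example.com"
                if host.endswith(suffix) and len(host) > len(suffix):
                    if best is None or len(suffix) > len(best[1]):
                        best = (b, suffix, n)
    if best:
        return best[0], f"wildcard {best[2]}"

    # 3. longest wildcard ending with "*" (e.g. "deluge.*" from the subdomain confs)
    best = None
    for b in cands:
        for n in b.server_names:
            if n.endswith(".*"):
                prefix = _norm(n[:-1])        # "deluge."
                if host.startswith(prefix) and len(host) > len(prefix):
                    if best is None or len(prefix) > len(best[1]):
                        best = (b, prefix, n)
    if best:
        return best[0], f"wildcard {best[2]}"

    # 4. regular expressions in configuration order ("~" case-sensitive,
    #    "~*" case-insensitive). nginx uses PCRE; Python's re is close enough here.
    for b in cands:
        for n in b.server_names:
            if n.startswith("~*") and re.search(n[2:], host, re.IGNORECASE):
                return b, f"regex {n}"
            if n.startswith("~") and not n.startswith("~*") and re.search(n[1:], host):
                return b, f"regex {n}"

    # 5. nothing matched: the default server for this port answers. "_" is just a
    #    name that never matches; the default_server flag (or, without it, being
    #    the first block for the port) is what makes a block the catch-all.
    for b in cands:
        if b.default_server:
            return b, "default_server (no server_name matched)"
    return cands[0], "first block for this port (no default_server flagged)"


# Constructed layout modelled on the thread: the stock default site conf is the
# default_server and includes the *.subfolder.conf files, two subdomain confs, and
# one subdomain conf edited to carry the bare second domain, as aptalca suggested.
BLOCKS = [
    ServerBlock("http-redirect", ["_"], port=80, default_server=True),
    ServerBlock("default-site (subfolder confs)", ["_"], default_server=True),
    ServerBlock("ombi.subdomain.conf", ["seconddomain.com"]),
    ServerBlock("deluge.subdomain.conf", ["deluge.*"]),
    ServerBlock("bitwarden.subdomain.conf", ["bitwarden.*"]),
]


def who_answers(host, port=443, blocks=BLOCKS):
    block, why = select_server(blocks, host, port)
    return block.label, why


if __name__ == "__main__":
    for h in ("seconddomain.com", "deluge.seconddomain.com",
              "anything.seconddomain.com", "totally.unrelated.example"):
        print(f"{h:28} -> {who_answers(h)}")
```

Run it and the catch-all behaviour is visible: any name that no server_name matches, including names that are not in your DNS at all but that a wildcard CNAME resolves, lands on the default_server, which in the stock default site is the block that includes the *.subfolder.conf files. `server_name _;` does not cause that; the `default_server` flag on `listen` does (or, without the flag, being the first block for the port). If you would rather have unmatched names get nothing, give the port a dedicated `default_server` block that does `return 444;` (nginx closes the connection), drop the flag from the main block and give the main block an explicit `server_name` for the domain its subfolder confs should serve.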
4 hours ago, aptalca said:

The heimdall subfolder method is only for setting the homepage of the main domain. You don't need to do that for the homepage of a secondary domain because it is not already set up.

 

For ombi as the homepage of the second domain, just use the ombi subdomain conf, and edit the server name to read "seconddomain.com"

Perfect that did it!  - So NO need to change anything in the default conf for the: # main server block? I thought you said that was needed?

 

Are there any security implications? I can see that any subdomain I can think of will now always point to domain_1

 

anything*.domain_1

anything*.domain_2

anything*.domain_3

 

all --> will point to the domain set for the "Heimdall subfolder sample" which was for domain_1 (Nextcloud)

Normally I guess you would get a "This site can't be reached"

Or is this because each domain has an A record and a CNAME *.domain1 -> A record? So Letsencrypt just forwards everything to domain_1

 

I have been playing with this all day :-) hoping to remove my old Synology setup

 

[UPDATE]: Nextcloud works but can't connect to the iOS app; switching Nextcloud to Domain_2 and using Domain_1 with Emby resolved that. Nextcloud wants the sample file for the subdomain, not the subfolder?

 

Everything seem to work!

But I am getting a lot of Unraid log errors?

I can see that the IP is from my laptop that I used to test with

 


Apr 12 20:52:59 SERVER nginx: 2020/04/12 20:52:59 [error] 10389#10389: *34579 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:01 SERVER nginx: 2020/04/12 20:53:01 [error] 10389#10389: *34593 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:02 SERVER nginx: 2020/04/12 20:53:02 [error] 10389#10389: *34599 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34604 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34607 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34612 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34615 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:04 SERVER nginx: 2020/04/12 20:53:04 [error] 10389#10389: *34618 recv() failed (104: Connection reset by peer) while reading upstre
Apr 12 21:59:13 SERVER nginx: 2020/04/12 21:59:13 [error] 10389#10389: *56034 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET /admin/api.php?version HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "127.0.0.1"
Apr 12 21:59:13 SERVER nginx: 2020/04/12 21:59:13 [error] 10389#10389: *56036 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: ::1, server: , request: "GET /admin/api.php?version HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"

Edited by casperse
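An added example (not from the thread) for working with log lines like the ones above: a parser for nginx error-log entries that pulls out the fields nginx appends after the message (client, server, request, upstream, host), plus a simple burst detector over them. The sample is a handful of lines copied from the post above, including the truncated one; the 5-second window and threshold of 3 are assumptions for the example.

```python
# Added example (not from the thread): parse nginx error-log lines, group them by
# the structured fields nginx appends, and flag clients producing error bursts.
import re
from collections import defaultdict
from datetime import datetime

# nginx error log: <ts> [<level>] <pid>#<tid>: *<conn> <message>, client: ..., server: ...,
# request: "...", upstream: "...", host: "...". The leading "Apr 12 20:52:59 SERVER nginx: "
# is the syslog prefix; search() skips it. Every trailing field is optional so that a
# truncated line still parses.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<message>.*?)"
    r"(?:, client: (?P<client>[^,]*))?"
    r"(?:, server: (?P<server>[^,]*))?"
    r'(?:, request: "(?P<request>[^"]*)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?$'
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not an nginx error entry."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
    ev["conn"] = int(ev["conn"])
    req = ev.get("request")
    if req:
        parts = req.split(" ")
        ev["method"] = parts[0]
        ev["path"] = parts[1] if len(parts) > 1 else ""
    else:
        ev["method"] = ev["path"] = None
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def count_by(events, *keys):
    """Group events by field names, e.g. count_by(evs, "client", "upstream", "host")."""
    counts = defaultdict(int)
    for ev in events:
        counts[tuple(ev.get(k) for k in keys)] += 1
    return dict(counts)


def bursts(events, window_s=5, threshold=3):
    """Clients with >= threshold error entries inside any window_s-second window."""
    by_client = defaultdict(list)
    for ev in events:
        if ev.get("client"):
            by_client[ev["client"]].append(ev["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold:
                flagged[client] = max(flagged.get(client, 0), n)
    return flagged


# Sample copied from the post above (one full recv() burst, the truncated line, and
# the two FastCGI lines); treat it as constructed test input.
SAMPLE = """\
Apr 12 20:52:59 SERVER nginx: 2020/04/12 20:52:59 [error] 10389#10389: *34579 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:01 SERVER nginx: 2020/04/12 20:53:01 [error] 10389#10389: *34593 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:02 SERVER nginx: 2020/04/12 20:53:02 [error] 10389#10389: *34599 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34604 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:04 SERVER nginx: 2020/04/12 20:53:04 [error] 10389#10389: *34618 recv() failed (104: Connection reset by peer) while reading upstre
Apr 12 21:59:13 SERVER nginx: 2020/04/12 21:59:13 [error] 10389#10389: *56034 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET /admin/api.php?version HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "127.0.0.1"
Apr 12 21:59:13 SERVER nginx: 2020/04/12 21:59:13 [error] 10389#10389: *56036 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: ::1, server: , request: "GET /admin/api.php?version HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE)
    for key, n in count_by(evs, "client", "path", "upstream", "host").items():
        print(n, key)
    print("bursts:", bursts(evs))
```

Grouping by client, path, upstream and host makes the shape of the noise clear: one LAN client, one request path, one loopback upstream, and a host field holding the server's LAN IP rather than any of the proxied domains. An empty `server:` field means the request was handled by a block without a server_name, which fits the default_server catch-all discussed earlier in the thread. Which nginx produced the lines is worth confirming from the syslog program name and PID in the prefix before chasing them in SWAG's configs, since the container keeps its own nginx logs under its /config/log directory rather than in the Unraid syslog.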

Hi guys,

 

Quick question. I've tried researching this question all morning but it seems like most items that touch on it just assume this is common knowledge. I'm trying to get my Cloudflare DNS A record to point to my root domain, but it doesn't let me use my DuckDNS name. It wants an external IP. Problem is my external IP is dynamic (hence why I use DuckDNS). See image below.

 

[screenshot]

 

How do I satisfy this requirement with a dynamic IP?

 

Thanks!

Edited by pimogo
2 hours ago, pimogo said:


A records point to IP addresses

9 hours ago, pimogo said:


I can give it my external WAN IP but it'll likely change at some point. Am I stuck manually changing it every time if I want the root of my domain resolved?

There are a multitude of options to update the IP on DNS. Many routers provide that feature. We also have a ddclient image that does just that


I have been struggling with getting letsencrypt to work for a while. I've used Spaceinvader One's tutorials but I haven't been successful with either http or dns validation. I've messed with cloudflare settings and the proxy configs and it still seems that cloudflare is unable to communicate with my server. On Chrome I get Error 525 and on Firefox I get Error 521 from cloudflare.

Sometimes I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH from chrome, although I'm not able to consistently reproduce this error.

 

Cloudflare settings: [screenshot]

My A record IP is my weebly site

 

Docker Settings: [screenshot]

 

Ports 80 and 443 are forwarded to 180 and 1443

 

 

And my deluge.subdomain.conf file (I'm using the binhex-delugevpn docker container but I've changed the title of the docker container to deluge):

# make sure that your dns has a cname set for deluge and that your deluge container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name deluge.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app deluge;
        set $upstream_port 8112;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

Also a new issue I've been having is that _acme-challenge continues to fail with the following error:

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: deluge.mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.deluge.mydomain.com

Domain: sonarr.mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.sonarr.mydomain.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

I've checked the cloudflare.ini file and it has the correct email and API token.

I've noticed that an _acme-challenge TXT record occasionally appears in my cloudflare dns settings but it will disappear, and the server doesn't start after it has disappeared. This has only started recently and the server has started in the past without a TXT record present in my dns settings.

Regardless of whether the server starts or not, I continue to receive 525 and 521 errors from cloudflare

 

I feel like there's some vital step I'm missing here but I've been unable to figure out what it is.

2 hours ago, kage1414 said:


https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/


Hey, since I didn't know how to install my wildcard certificate on the nextcloud image I installed this container and it's working. 🙂

But I do not really feel comfortable with having my router port 80 open AND answering it. Is it possible to turn off answering http requests?

 


Edited by Greyberry
5 hours ago, Greyberry said:


Edit the default site conf and comment out the block with listen 80 

 

Also, if you use dns validation, you don't have to forward port 80

Edited by aptalca
8 hours ago, aptalca said:

Edit the default site conf and comment out the block with listen 80 

 

Also, if you use dns validation, you don't have to forward port 80

Thank you, I will try that.

Unfortunately I have to use http because my DNS provider is not listed in the "DNSPLUGIN" variable section.

58 minutes ago, Greyberry said:

thank you, i will try that.

unfortunately i have to use http because my dns-provider is not listed in the "DNSPLUGIN" variable section.

I guarantee cloudflare is a better option than your current dns provider. Do yourself a favor, get a free account, point your nameservers there and do dns validation with wildcard

