[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi,

 

I've been tinkering around with SWAG today to set up a couple of Docker instances and a VM.

 

After watching SpaceInvader One's YouTube video I've changed my router to now point to the Unraid server instead of the VM and both the Docker instances work, but I'm really struggling with the VM.

 

I have, for a number of years, been using Mail-in-a-Box (https://mailinabox.email/) as my personal mail server on an Ubuntu VM.  It works really well and also has inbuilt letsencrypt to automate certificate renewal.

 

Obviously SWAG does this too, but I don't want to mess around with the VM config and break things.  I've been reading through this thread and trying to get it working, but I'm just stumped as nothing I do seems to work (which means I'm obviously not doing something right)!

 

For info, MiaB uses box.domain.com as its default and also manages the webserver at www.domain.com.  It also has an inbuilt DNS server which you point to from your registrar.

 

The comments I keep seeing from everyone are to change the app to an IP instead of a server name, so this is what my current config file looks like; I've copied it from the _template.subdomain.conf and named it mail.subdomain.conf.


 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mail.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.210;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

I haven't added anything to the SWAG Docker settings other than the initial settings to add the subdomains for the Docker instances, and I'm not sure what or where I should change there (if anything) if I don't want SWAG to manage the letsencrypt certificates for the mail server.

 

Help, please :)

Edited by Melawen

Hi, I can't get Nextcloud to work anymore and I think I've messed up the config.php file.  Can someone share their config.php file, please?

 

I can see the login page, but it won't let me log in remotely.  Locally, I can log in via a browser - it's all very weird.


Thanks in advance.


Here's mine, with obvious bits edited for privacy :)

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'myinstanceid',
  'passwordsalt' => 'mypasswordsalt',
  'secret' => 'mysecret ... shhhh',
  'trusted_domains' =>
  array (
    0 => '10.10.0.25',
    1 => 'mydomain.com',
  ),
  'dbtype' => 'sqlite3',
  'version' => '21.0.2.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'overwritehost' => 'mydomain.com',
  'overwriteprotocol' => 'https',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

 

1 hour ago, Melawen said:

Here's mine, with obvious bits edited for privacy :)

 


<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'myinstanceid',
  'passwordsalt' => 'mypasswordsalt',
  'secret' => 'mysecret ... shhhh',
  'trusted_domains' =>
  array (
    0 => '10.10.0.25',
    1 => 'mydomain.com',
  ),
  'dbtype' => 'sqlite3',
  'version' => '21.0.2.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'overwritehost' => 'mydomain.com',
  'overwriteprotocol' => 'https',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

 

Thanks.  I think my problem isn't my config file.  It's weird - everything is fine locally, but remotely I get the login page and it won't log in.


So trying to use Swag with nextcloud.  In the Proxy-Conf file, I am trying to modify the subdomain .conf.sample file.

 

I've made modifications and removed .sample from the end, but I cannot save due to "You need permission to perform this action".  I can't drag and drop the file from my computer to the server/appdata folder either.  I even tried to SSH / Midnight Commander move the file into appdata, but the "proxy-conf" directory doesn't show up in MC.  How do I get a modified nextcloud .config file to save into the appdata folder?  Note I am logged in under my account with read/write access and SSH/MC under root login - no avail on either.

 

Thanks!


Hey,

 

Are there any swag experts out there who are willing to help me?

I had my whole system working with swag and I could access my docker over Cloudflare and it worked perfectly.

After I had a problem with my VPN I deleted my port forwarding settings in my router (Fritzbox) and redid them.

After I recreated my port forwarding settings nothing worked anymore, and I don't know why.

When I open up a port for a docker directly it works with my static IP. But I want to use Cloudflare to give myself a bit more safety.

If anyone wants to help me we could talk in Discord. I don't want to clutter this thread any more 😃

Thank You :)


Does rather seem that way at the moment unfortunately.  I'm relatively new to Unraid but notice the group do seem to put out a fair amount of dockers (and probably have real jobs too) so hopefully we'll get some responses when they have time.

10 hours ago, stFfn said:

Is no one here familiar with swag to help? 😕

I'm really stuck and need some help 😕

 

 

You may either start posting here how your setup is, or revert your changes, as it's been working before as you stated.

Using Cloudflare with swag there is in the end only 1 port forwarding in your router necessary, so not much to help there ...

External 443 to your swag ssl port, that's it.

If you want help in Discord, there are 2 active Discords, the community one and the official one; did you try there?

3 hours ago, alturismo said:

You may either start posting here how your setup is, or revert your changes, as it's been working before as you stated.

Using Cloudflare with swag there is in the end only 1 port forwarding in your router necessary, so not much to help there ...

External 443 to your swag ssl port, that's it.

If you want help in Discord, there are 2 active Discords, the community one and the official one; did you try there?

  

Hey, I didn't know there are 2 communities I could ask. Where can I find them?

I've reverted the changes I made but it didn't fix anything... and yes, I know I only have to open that one port... but that didn't do anything. That's why I'm writing here.

[three screenshots attached]

As you can see I even opened 443 and 1443.

I don't know what else to do :(


As it looks like your docker is listening on port 1443, you should forward external 443 to swag 1443, remove the 1443 forward, and maybe post a screen of your forwarding rule, like this:

[screenshot attached]


A few questions, please.

 

My data:

 

- I have my own domain, but a dynamic IP.

 

- My hosting provider/domain registrar seems to provide certification for my domains, although I haven't used it yet.

 

- I am currently using no-IP but I want to get off that service (as it needs manual intervention once a month or so) and also have duckdns.

 

- Right now on my registrar DNS service, I set CNAME for my server services with my domain that all go to my no-ip DNS. As I said I prefer to move this to duckdns.

 

Questions:

 

1) a) Can I configure SWAG both to refresh my duckdns (so not to use an additional container for that) AND provide letsencrypt certificates for my real domain? (and subdomains)
b) What is the correct config for that?

2) If I decide to use my domain host issued certs INSTEAD of letsencrypt, can SWAG help me with that (or is there something to be careful when configuring SWAG)?

3) Can NGINX rewrite a URL that leads to subdomains or paths, regardless of whether the requested URL points to a subdomain or a path?
Two examples:

- User wants to go to https://myservice.mydomain.com... my provider DNS finds a CNAME to mydomain.duckdns.org (and all URL CNAME to same) and this reaches SWAG... can it point this to a service on myserver with https://internaldomain/myservice or https://myservice.internaldomain?

- Erm... the opposite. User wants to go to https://remote.mydomain.com/myservice... my provider CNAMEs remote.mydomain.com again to mydomain.duckdns.org. Can then SWAG rewrite this as https://internaldomain/myservice or https://myservice.internaldomain? 

 

EDIT: Note on examples above. I personally prefer for user to use https://myservice.mydomain.com notation (and appropriate DNS entry) than using a folder path, EVEN if end service requires folder path (like /webtop for example).

 

EDIT #2:
 

4) Is there appropriate documentation for the unRAID "version" of the container? (cannot look 222 pages) Also does unRAID "version" support zeroSSL like the "plain" container?

 

Thanks.

(please quote if replying to me and use numbers if possible)

 

Edited by NLS
1 hour ago, alturismo said:

As it looks like your docker is listening on port 1443, you should forward external 443 to swag 1443, remove the 1443 forward, and maybe post a screen of your forwarding rule, like this:

[screenshot attached]

Wow, thanks... I'm an idiot... -.- that was it. Jesus :D

1 hour ago, NLS said:

A few questions, please.

 

My data:

 

- I have my own domain, but a dynamic IP.

 

- My hosting provider/domain registrar seems to provide certification for my domains, although I haven't used it yet.

 

- I am currently using no-IP but I want to get off that service (as it needs manual intervention once a month or so) and also have duckdns.

 

- Right now on my registrar DNS service, I set CNAME for my server services with my domain that all go to my no-ip DNS. As I said I prefer to move this to duckdns.

 

Questions:

 

1) a) Can I configure SWAG both to refresh my duckdns (so not to use an additional container for that) AND provide letsencrypt certificates for my real domain? (and subdomains)
b) What is the correct config for that?

2) If I decide to use my domain host issued certs INSTEAD of letsencrypt, can SWAG help me with that (or is there something to be careful when configuring SWAG)?

3) Can NGINX rewrite a URL that leads to subdomains or paths, regardless of whether the requested URL points to a subdomain or a path?
Two examples:

- User wants to go to https://myservice.mydomain.com... my provider DNS finds a CNAME to mydomain.duckdns.org (and all URL CNAME to same) and this reaches SWAG... can it point this to a service on myserver with https://internaldomain/myservice or https://myservice.internaldomain?

- Erm... the opposite. User wants to go to https://remote.mydomain.com/myservice... my provider CNAMEs remote.mydomain.com again to mydomain.duckdns.org. Can then SWAG rewrite this as https://internaldomain/myservice or https://myservice.internaldomain? 

 

EDIT: Note on examples above. I personally prefer for user to use https://myservice.mydomain.com notation (and appropriate DNS entry) than using a folder path, EVEN if end service requires folder path (like /webtop for example).

 

EDIT #2:
 

4) Is there appropriate documentation for the unRAID "version" of the container? (cannot look 222 pages) Also does unRAID "version" support zeroSSL like the "plain" container?

 

Thanks.

(please quote if replying to me and use numbers if possible)

 

Hey, sorry, I didn't read everything you wrote... but if you don't have a static IP you could use Cloudflare + a Cloudflare docker to tell Cloudflare your current IP.

I think there are some tutorials on YouTube on that.

And SpaceInvader One's YouTube videos on letsencrypt + swag help a lot with that :)

On 6/23/2021 at 7:57 PM, stFfn said:

Is no one here familiar with swag to help? 😕

I'm really stuck and need some help 😕

 

 

 

On 6/23/2021 at 8:49 PM, Melawen said:

Does rather seem that way at the moment unfortunately.  I'm relatively new to Unraid but notice the group do seem to put out a fair amount of dockers (and probably have real jobs too) so hopefully we'll get some responses when they have time.

 

We don't read much here anymore. If you want help, you can either use our discourse forum or Discord server.

https://www.linuxserver.io/support


I want to start by saying letsencrypt/swag is amazing and I have been running it successfully for the last couple of years....

I usually update every few weeks or so...
I ran an update today like normal... no recent config changes... and the container keeps crashing...

I backed up the container and made a new folder to start from scratch and the container keeps crashing....

Here are the logs... no idea what to do now....

 

 


 -------------------------------------
swag              |           _         ()
swag              |          | |  ___   _    __
swag              |          | | / __| | |  /  \ 
swag              |          | | \__ \ | | | () |
swag              |          |_| |___/ |_|  \__/
swag              | 
swag              | 
swag              | Brought to you by linuxserver.io
swag              | -------------------------------------
swag              | 
swag              | To support the app dev(s) visit:
swag              | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
swag              | 
swag              | To support LSIO projects visit:
swag              | https://www.linuxserver.io/donate/
swag              | -------------------------------------
swag              | GID/UID
swag              | -------------------------------------
swag              | 
swag              | User uid:    1000
swag              | User gid:    1000
swag              | -------------------------------------
swag              | 
swag              | [cont-init.d] 10-adduser: exited 0.
swag              | [cont-init.d] 20-config: executing... 
swag              | [cont-init.d] 20-config: exited 0.
swag              | [cont-init.d] 30-keygen: executing... 
swag              | using keys found in /config/keys
swag              | [cont-init.d] 30-keygen: exited 0.
swag              | [cont-init.d] 50-config: executing... 
swag              | Variables set:
swag              | PUID=1000
swag              | PGID=1000
swag              | TZ=America/New_York
swag              | URL=*MY MAIN DOMAIN*
swag              | SUBDOMAINS=*QUICK EDIT*
swag              | EXTRA_DOMAINS=
swag              | ONLY_SUBDOMAINS=false
swag              | VALIDATION=dns
swag              | CERTPROVIDER=
swag              | DNSPLUGIN=cloudflare
swag              | EMAIL=*QUICK EDIT MY EMAIL IS HERE*
swag              | STAGING=false
swag              | 
swag              | Using Let's Encrypt as the cert provider
swag              | SUBDOMAINS entered, processing
swag              | SUBDOMAINS entered, processing
swag              | Sub-domains processed are:  *QUICK EDIT THERE ARE LOTS OF SUBDOMAINS*
swag              | E-mail address entered: *QUICK EDIT MY EMAIL IS THERE*
swag              | dns validation via cloudflare plugin is selected
swag              | Certificate exists; parameters unchanged; starting nginx
swag              | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag              | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag              | [cont-init.d] 50-config: exited 0.
swag              | [cont-init.d] 60-renew: executing... 
swag              | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag              | [cont-init.d] 60-renew: exited 0.
swag              | [cont-init.d] 70-templates: executing... 
swag              | [cont-init.d] 70-templates: exited 0.
swag              | [cont-init.d] 90-custom-folders: executing... 
swag              | chown: changing ownership of '/config/custom-cont-init.d': Operation not permitted
swag              | chown: changing ownership of '/config/custom-services.d': Operation not permitted
swag              | [cont-init.d] 90-custom-folders: exited 1.
swag              | [cont-finish.d] executing container finish scripts...
swag              | [cont-finish.d] done.
swag              | [s6-finish] waiting for services.
swag              | [s6-finish] sending all processes the TERM signal.
swag              | [s6-finish] sending all processes the KILL signal and exiting.
swag exited with code 1
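The last init step in the log above is `[cont-init.d] 90-custom-folders: exited 1.`, right after two `chown` calls on directories under the `/config` bind mount failed with `Operation not permitted`; the log then goes straight to the finish scripts and the container exits with code 1. When a start-up log is this long, the useful question is which init script exited non-zero and what it printed just before. The script below is an added example, not code from the linuxserver.io image or from this thread: it strips the compose-style `swag |` prefix, pairs each cont-init.d script's `executing...` and `exited N.` markers, and reports the output of any script that exited non-zero together with the container's final exit code. `SAMPLE_LOG` is a trimmed, constructed copy of the log posted above.

```python
"""Triage an s6-overlay container start-up log for the init script that stopped it.

Added example, not code from the linuxserver.io image or from this thread.
SAMPLE_LOG is a trimmed, constructed copy of the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Strips a compose-style prefix such as "swag              | " from each line.
_PREFIX = re.compile(r"^\S+\s+\|\s?")
_EXEC = re.compile(r"^\[cont-init\.d\] (\S+): executing\.\.\.$")
_EXIT = re.compile(r"^\[cont-init\.d\] (\S+): exited (\d+)\.$")
_CONTAINER_EXIT = re.compile(r"exited with code (\d+)$")

SAMPLE_LOG = """\
swag              | [cont-init.d] 10-adduser: exited 0.
swag              | [cont-init.d] 20-config: executing...
swag              | [cont-init.d] 20-config: exited 0.
swag              | [cont-init.d] 60-renew: executing...
swag              | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag              | [cont-init.d] 60-renew: exited 0.
swag              | [cont-init.d] 90-custom-folders: executing...
swag              | chown: changing ownership of '/config/custom-cont-init.d': Operation not permitted
swag              | chown: changing ownership of '/config/custom-services.d': Operation not permitted
swag              | [cont-init.d] 90-custom-folders: exited 1.
swag              | [cont-finish.d] executing container finish scripts...
swag exited with code 1
"""


@dataclass
class InitFailure:
    script: str                                      # e.g. "90-custom-folders"
    exit_code: int
    output: List[str] = field(default_factory=list)  # what the script printed


def strip_prefix(line: str) -> str:
    """Remove the "<container> | " prefix docker-compose adds, plus trailing space."""
    return _PREFIX.sub("", line, count=1).rstrip()


def find_init_failures(log_text: str) -> Tuple[List[InitFailure], Optional[int]]:
    """Pair each script's 'executing...' and 'exited N.' markers.

    Returns every script that exited non-zero (with the lines it printed in
    between) and the container's final exit code, or None if it is not in the log.
    """
    failures: List[InitFailure] = []
    current: Optional[str] = None   # script currently running
    buffer: List[str] = []          # its output so far
    container_exit: Optional[int] = None
    for raw in log_text.splitlines():
        line = strip_prefix(raw)
        if m := _EXEC.match(line):
            current, buffer = m.group(1), []
        elif m := _EXIT.match(line):
            script, code = m.group(1), int(m.group(2))
            if code != 0:
                failures.append(InitFailure(script, code, buffer if script == current else []))
            current, buffer = None, []
        elif m := _CONTAINER_EXIT.search(line):
            container_exit = int(m.group(1))
        elif current is not None and line:
            buffer.append(line)
    return failures, container_exit


def summarize(log_text: str) -> str:
    """Human-readable verdict: which init script failed and what it printed."""
    failures, code = find_init_failures(log_text)
    if not failures:
        return f"no failing init script; container exit code: {code}"
    lines = [f"container exit code: {code}"]
    for f in failures:
        lines.append(f"{f.script} exited {f.exit_code}; its output:")
        lines.extend("    " + out for out in f.output)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample it reports `90-custom-folders exited 1` with the two `chown` lines as its output, which points the check at the host side: the ownership and permissions of those two directories in the container's appdata folder, and whether the filesystem they sit on allows the container user to change ownership at all.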
 

25 minutes ago, Cytomax said:

I want to start by saying letsencrypt/swag is amazing and I have been running it successfully for the last couple of years....

I usually update every few weeks or so...
I ran an update today like normal... no recent config changes... and the container keeps crashing...

I backed up the container and made a new folder to start from scratch and the container keeps crashing....

Here are the logs... no idea what to do now....

 

 


 -------------------------------------
swag              |           _         ()
swag              |          | |  ___   _    __
swag              |          | | / __| | |  /  \ 
swag              |          | | \__ \ | | | () |
swag              |          |_| |___/ |_|  \__/
swag              | 
swag              | 
swag              | Brought to you by linuxserver.io
swag              | -------------------------------------
swag              | 
swag              | To support the app dev(s) visit:
swag              | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
swag              | 
swag              | To support LSIO projects visit:
swag              | https://www.linuxserver.io/donate/
swag              | -------------------------------------
swag              | GID/UID
swag              | -------------------------------------
swag              | 
swag              | User uid:    1000
swag              | User gid:    1000
swag              | -------------------------------------
swag              | 
swag              | [cont-init.d] 10-adduser: exited 0.
swag              | [cont-init.d] 20-config: executing... 
swag              | [cont-init.d] 20-config: exited 0.
swag              | [cont-init.d] 30-keygen: executing... 
swag              | using keys found in /config/keys
swag              | [cont-init.d] 30-keygen: exited 0.
swag              | [cont-init.d] 50-config: executing... 
swag              | Variables set:
swag              | PUID=1000
swag              | PGID=1000
swag              | TZ=America/New_York
swag              | URL=*MY MAIN DOMAIN*
swag              | SUBDOMAINS=*QUICK EDIT*
swag              | EXTRA_DOMAINS=
swag              | ONLY_SUBDOMAINS=false
swag              | VALIDATION=dns
swag              | CERTPROVIDER=
swag              | DNSPLUGIN=cloudflare
swag              | EMAIL=*QUICK EDIT MY EMAIL IS HERE*
swag              | STAGING=false
swag              | 
swag              | Using Let's Encrypt as the cert provider
swag              | SUBDOMAINS entered, processing
swag              | SUBDOMAINS entered, processing
swag              | Sub-domains processed are:  *QUICK EDIT THERE ARE LOTS OF SUBDOMAINS*
swag              | E-mail address entered: *QUICK EDIT MY EMAIL IS THERE*
swag              | dns validation via cloudflare plugin is selected
swag              | Certificate exists; parameters unchanged; starting nginx
swag              | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag              | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag              | [cont-init.d] 50-config: exited 0.
swag              | [cont-init.d] 60-renew: executing... 
swag              | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag              | [cont-init.d] 60-renew: exited 0.
swag              | [cont-init.d] 70-templates: executing... 
swag              | [cont-init.d] 70-templates: exited 0.
swag              | [cont-init.d] 90-custom-folders: executing... 
swag              | chown: changing ownership of '/config/custom-cont-init.d': Operation not permitted
swag              | chown: changing ownership of '/config/custom-services.d': Operation not permitted
swag              | [cont-init.d] 90-custom-folders: exited 1.
swag              | [cont-finish.d] executing container finish scripts...
swag              | [cont-finish.d] done.
swag              | [s6-finish] waiting for services.
swag              | [s6-finish] sending all processes the TERM signal.
swag              | [s6-finish] sending all processes the KILL signal and exiting.
swag exited with code 1
 

Are you using unraid? It doesn't look like you are and then this is not the place for support.

The container doesn't crash, it's stopped by something.


Sorry, I thought this was for all the linuxserver.io containers...

I'm just running it in a Manjaro box using Docker...

So I figured it out...

1.16.0-ls67 and 1.16.0-ls68 don't work for me.

1.16.0-ls66 does work for me...

Something changed between 1.16.0-ls66 and 1.16.0-ls67 that causes the container to crash.

Hopefully it's just me and it's not some bigger problem...

Edited by Cytomax
On 6/13/2021 at 3:46 PM, Melawen said:

Hi,

 

I've been tinkering around with SWAG today to set up a couple of Docker instances and a VM.

 

After watching SpaceInvader One's YouTube video I've changed my router to now point to the Unraid server instead of the VM and both the Docker instances work, but I'm really struggling with the VM.

 

I have, for a number of years, been using Mail-in-a-Box (https://mailinabox.email/) as my personal mail server on an Ubuntu VM.  It works really well and also has inbuilt letsencrypt to automate certificate renewal.

 

Obviously SWAG does this too, but I don't want to mess around with the VM config and break things.  I've been reading through this thread and trying to get it working, but I'm just stumped as nothing I do seems to work (which means I'm obviously not doing something right)!

 

For info, MiaB uses box.domain.com as its default and also manages the webserver at www.domain.com.  It also has an inbuilt DNS server which you point to from your registrar.

 

The comments I keep seeing from everyone are to change the app to an IP instead of a server name, so this is what my current config file looks like; I've copied it from the _template.subdomain.conf and named it mail.subdomain.conf.


 





server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mail.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.210;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

I haven't added anything to the SWAG Docker settings other than the initial settings to add the subdomains for the Docker instances, and I'm not sure what or where I should change there (if anything) if I don't want SWAG to manage the letsencrypt certificates for the mail server.

 

Help, please :)

 

OK, so I've managed to get slightly further with this, but it still doesn't work properly.  My VM has a capital M for Mail, so I've changed the server_name to Mail.* and can now get to domain.com or even box.domain.com, but if I try to visit any of the other pages on the website (domain.com/games.html for instance) I get the security error.  The same goes for the webmail at box.domain.com/mail.  Even worse, if I try www.domain.com it goes straight to the Unraid web frontend.

 

Additionally, Thunderbird keeps popping up with certificate errors asking me to add an exception.

 

I'm not sure what I'm doing wrong.  Every place where I see people talk about this, they say all you have to change is the upstream_app to the IP address, and this clearly doesn't seem to be the case.

 

[Edit] Ignore the Unraid web frontend bit.  I forgot to change port 80 to the alternate port for SWAG in my router port forwarding.  www.domain.com now just gives the same certificate error that all the other pages do.

Edited by Melawen
2 hours ago, Cytomax said:

Sorry, I thought this was for all the linuxserver.io containers...

I'm just running it in a Manjaro box using Docker...

So I figured it out...

1.16.0-ls67 and 1.16.0-ls68 don't work for me.

1.16.0-ls66 does work for me...

Something changed between 1.16.0-ls66 and 1.16.0-ls67 that causes the container to crash.

Hopefully it's just me and it's not some bigger problem...

https://linuxserver.io/support

Edited by saarg

Hi all,

 

Basic setup is Unraid 6.9.2 with the Swag docker installed and running away perfectly (I use it for a reverse proxy for my family to use Unraid, having followed SpaceInvaderOne's guide to set up.) The docker itself works perfectly, My family and I can access my Emby library from on and off the lan (duckdns used also.) However, I received an email recently from expiry@letsencrypt.org, stating my Swag certificates were expiring soon. 

 

My server turns off every evening at midnight, and starts back up every day at 16:00, so having googled this problem, most advice was that simply restarting the Swag docker would renew the certs (obviously this isn't happening for me, as my whole server restarts daily.) 

 

I found some info which allowed me to renew my certificates manually, by using the following instructions:

Open console for the specific docker (Swag) by clicking the docker name, and then choosing the console.
Type: certbot renew

 

^^ This seems to have resolved the issue of the cert not renewing automatically. However I'm concerned that I'll have to do this every few months & maybe forget altogether. So my question is this, how on earth can I automate the renewal myself? I can access the terminal through the Unraid GUI, but after that I'm lost. I'm comfortable typing in commands, but automating this process is a step beyond my knowledge. 

 

I have the User Scripts plugin installed, and I use this to shutdown my system every night. As for how I'd use this plugin though to automate cert renewal, I'm not sure. I think I'd have to write a script, and then point to that script in the plugin & then set the schedule? Can anyone help?

 

EDIT:

 

This is from my Swag docker log

 

[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.

 

So perhaps the docker is set to renew automatically at 02:08 - and therein lies the problem because my Server is offline at that time?

9 hours ago, Unrayed said:

Hi all,

 

Basic setup is Unraid 6.9.2 with the Swag docker installed and running away perfectly (I use it for a reverse proxy for my family to use Unraid, having followed SpaceInvaderOne's guide to set up.) The docker itself works perfectly, My family and I can access my Emby library from on and off the lan (duckdns used also.) However, I received an email recently from expiry@letsencrypt.org, stating my Swag certificates were expiring soon. 

 

My server turns off every evening at midnight, and starts back up every day at 16:00, so having googled this problem, most advice was that simply restarting the Swag docker would renew the certs (obviously this isn't happening for me, as my whole server restarts daily.) 

 

I found some info which allowed me to renew my certificates manually, by using the following instructions:


Open console for the specific docker (Swag) by clicking the docker name, and then choosing the console.
Type: certbot renew

 

^^ This seems to have resolved the issue of the cert not renewing automatically. However I'm concerned that I'll have to do this every few months & maybe forget altogether. So my question is this, how on earth can I automate the renewal myself? I can access the terminal through the Unraid GUI, but after that I'm lost. I'm comfortable typing in commands, but automating this process is a step beyond my knowledge. 

 

I have the User Scripts plugin installed, and I use this to shutdown my system every night. As for how I'd use this plugin though to automate cert renewal, I'm not sure. I think I'd have to write a script, and then point to that script in the plugin & then set the schedule? Can anyone help?

 

EDIT:

 

This is from my Swag docker log

 


[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.

 

So perhaps the docker is set to renew automatically at 02:08 - and therein lies the problem because my Server is offline at that time?

You either need to modify when the Cron job is running or leave your server running.

23 hours ago, saarg said:

You either need to modify when the Cron job is running or leave your server running.

Cheers, I've got this far with Unraid but cron is something I've no experience of (other than a predefined user script to shut the server down for me at night.) Is the file to control this a global file, or specific to each docker? I'm comfortable editing, & using a cron calculator to figure out what time I'd like, I just don't know what to actually edit! Would appreciate any help you might throw my way :)

 

EDIT:

I'm looking at the file located at /mnt/cache/appdata/swag/crontabs/root

 

Using Notepad++, I can open this file on Windows and it shows:

 

# do daily/weekly/monthly maintenance
# min   hour    day     month   weekday command
*/15    *       *       *       *       run-parts /etc/periodic/15min
0       *       *       *       *       run-parts /etc/periodic/hourly
0       2       *       *       *       run-parts /etc/periodic/daily
0       3       *       *       6       run-parts /etc/periodic/weekly
0       5       1       *       *       run-parts /etc/periodic/monthly
# renew letsencrypt certs
8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

 

Is it a case of editing one of these values to change the renewal time from the default of 2am to a time of my choosing?

Edited by Unrayed
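The crontab above is the container's own, read from the `/config` volume (the host path quoted is `/mnt/cache/appdata/swag/crontabs/root`), and the renewal entry is the `8 2 * * * /app/le-renew.sh` line: minute 8, hour 2. The `60-renew` log line earlier in the post also shows that a container start only renews when the cert is within a day of expiry and otherwise defers to this cron entry, so a server that is powered off at 02:08 never reaches it. The script below is an added example, not part of SWAG or of this thread: it parses the crontab text, checks whether the renewal time falls inside the power-on window (16:00 to midnight, taken from the poster's schedule), and rewrites only the `le-renew.sh` line to a new time while leaving every other entry untouched. `SAMPLE_CRONTAB` is the file posted above; the 20:08 target time and the function names are assumptions.

```python
"""Move SWAG's certificate-renewal cron entry into the hours the server is on.

Added example, not part of the SWAG image. SAMPLE_CRONTAB is the file posted
above (/config/crontabs/root inside the container); the 16:00-to-midnight
power-on window is the poster's schedule; 20:08 as the new time is an assumption.
"""
import re
from datetime import time
from typing import Optional, Tuple

SAMPLE_CRONTAB = """\
# do daily/weekly/monthly maintenance
# min   hour    day     month   weekday command
*/15    *       *       *       *       run-parts /etc/periodic/15min
0       *       *       *       *       run-parts /etc/periodic/hourly
0       2       *       *       *       run-parts /etc/periodic/daily
0       3       *       *       6       run-parts /etc/periodic/weekly
0       5       1       *       *       run-parts /etc/periodic/monthly
# renew letsencrypt certs
8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
"""

RENEW_SCRIPT = "/app/le-renew.sh"                 # command the renewal entry runs
POWER_ON, POWER_OFF = time(16, 0), time(0, 0)     # poster's schedule: on at 16:00, off at midnight

# minute hour day month weekday command
_ENTRY = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_entry(line: str) -> Optional[Tuple[str, ...]]:
    """Return the six crontab fields, or None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _ENTRY.match(stripped)
    return m.groups() if m else None


def renew_time(crontab_text: str) -> Optional[Tuple[int, int]]:
    """(hour, minute) of the le-renew.sh entry, or None if there is none."""
    for line in crontab_text.splitlines():
        fields = parse_entry(line)
        if fields and RENEW_SCRIPT in fields[5]:
            return int(fields[1]), int(fields[0])
    return None


def in_power_window(hour: int, minute: int, start: time = POWER_ON, end: time = POWER_OFF) -> bool:
    """True if hour:minute falls in [start, end); a window that wraps past midnight is handled."""
    t = time(hour, minute)
    if start < end:
        return start <= t < end
    return t >= start or t < end


def reschedule(crontab_text: str, hour: int, minute: int) -> str:
    """Return the crontab with only the le-renew.sh line moved to hour:minute.

    Every other entry is left exactly as it was. Raises ValueError if the time
    is invalid or the renewal entry is missing, so a bad edit is never written.
    """
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"invalid time {hour}:{minute:02d}")
    out, changed = [], False
    for line in crontab_text.splitlines():
        fields = parse_entry(line)
        if fields and RENEW_SCRIPT in fields[5]:
            day, month, weekday, command = fields[2:]
            line = f"{minute:<8}{hour:<8}{day:<8}{month:<8}{weekday:<8}{command}"
            changed = True
        out.append(line)
    if not changed:
        raise ValueError(f"no crontab entry runs {RENEW_SCRIPT}")
    return "\n".join(out) + "\n"


def check_and_fix(crontab_text: str, hour: int, minute: int) -> Tuple[bool, str]:
    """(True, unchanged text) if the renewal already runs inside the power-on
    window, else (False, rewritten text) with the entry moved to hour:minute."""
    current = renew_time(crontab_text)
    if current is None:
        raise ValueError("no renewal entry found")
    if in_power_window(*current):
        return True, crontab_text
    return False, reschedule(crontab_text, hour, minute)


if __name__ == "__main__":
    ok, text = check_and_fix(SAMPLE_CRONTAB, 20, 8)   # 20:08 is an assumed choice
    print("renewal already inside power-on window" if ok else text)
```

Cron reads the hour in the container's timezone (the `TZ` variable shown in the start-up log), so pick the new time in that zone; write the result back to the host copy of `crontabs/root` and restart the container so crond picks it up. Keeping the renewal on the container's own cron, rather than a User Scripts job calling `certbot renew` from outside, means the renewal keeps using the DNS plugin and logging path the image already configures.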