[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



6 hours ago, aptalca said:

 

Could be browser cache (301 redirect from an earlier try). Try in a different browser, or mobile and see if it works

 

It does appear to be working now except for one critical factor I have just noticed.

 

The Letsencrypt log when starting the docker states it has seen the extra domains, but I don't find their keys in the /config/keys directory?

 

I am referencing the same certs for domain 2 as I am for domain 1, and oddly the new second domain is getting secured with no errors in the browser lock.

 

As well /etc/letsencrypt/live/ only contains a domain1 directory.

 

It seems like domain2 is using domain1 certs with no errors, but that doesn't seem right?

 

Have I misunderstood what should be happening?

 

Edit: I have my extra domains set up with a variable called EXTRA_DOMAINS and it is set to domain2, www.domain2, cloud.domain2

 

Log:

 

EXTRA_DOMAINS entered, processing
Extra domains processed are: -d domain2 -d www.domain2 -d cloud.domain2

 

So is this correct, and I shouldn't expect another directory with the domain2 cert in?

 

 

Edited by local.bin

Please advise, I have no hair remaining.

 

I'm following this guide

https://linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

 

 

Prior to editing the nextcloud config.php and creating the nextcloud file, nextcloud worked fine. Letsencrypt looked to be doing its thing (docker stayed open), and when I entered nextcloud.mywebsite.com it would ask to accept the certificate then show the letsencrypt page. I also pinged my nextcloud.website.com and it came back with my static ip address.

 

When I go to a web browser and try https://nextcloud.mywebsite.com I get 502 bad gateway

 

CONFIG.PHP
root@unraid:/mnt/cache/appdata/nextcloud/www/nextcloud/config#

 

 


<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => '254v24v42',
  'passwordsalt' => '425v24v42v',
  'secret' => '324rt23gwevewg45v',
  'trusted_domains' =>
  array (
    0 => '192.168.1.200:446',
    1 => 'nextcloud.mywebsite.com',
  ),
  'overwrite.cli.url' => 'https://nextcloud.mywebsite.com',
  'overwritehost' => 'nextcloud.mywebsite',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.200:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'Bond',
  'dbpassword' => 'SECRETPASSWORD',
  'installed' => true,
);

 

---------------------------------------------------------------------------------------

nextcloud

root@unraidserver:/mnt/cache/appdata/letsencrypt/nginx/site-confs#

 

server {
    listen 443 ssl;
    server_name nextcloud.mywebsite.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE$

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.1.200:444/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

----------------------------------------------------------------------------------------------------------------------------

 

EDIT:

This is my nextcloud/nginx/site-confs/default

 

upstream php-handler {
  server 127.0.0.1:9000;
# server unix:/var/run/php/php7.0-fpm.sock;
}

server {
  listen 80;
  server_name _;
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name _;

  ssl_certificate /config/keys/cert.crt;
  ssl_certificate_key /config/keys/cert.key;

  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  # add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # Path to the root of your installation
  root /config/www/nextcloud/;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
  rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }



 

--------------------------------------------------------------------------

 

This is my namecheap dns

 

 

(image: namecheap.png)

Edited by Greygoose
On 1/5/2018 at 10:45 AM, testtubetony said:

Has anyone gotten this to work with a noip.com domain? Here's the errors i keep getting...

 


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d mydomain.ddns.net
E-mail address entered: myemail@gmail.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ddns.net
tls-sni-01 challenge for mydomain.ddns.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ddns.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: ddns.net
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

That was my last attempt. Of course I edited out my personal info... seems just having mydomain.ddns.net isn't enough, and in the noip panel I can't seem to add a www to my domain. Any suggestions?

 

EDIT:

I got it to start finally. Had to change the subdomains only flag. Now I have webserver access. Is there supposed to be a user interface, or do I have to configure the proxies manually via terminal?

 

Looks like somebody didn't read the instructions. 

 

"Url" should be the top level you control. If you're using dynamic dns, your "url" will be "yoursubdomain.ddns.net"

 

You do not control ddns.net and letsencrypt cannot validate it. That's the error. 

 

Once you fix your url, your subdomains then will allow your cert to cover www.yoursubdomain.ddns.net and such as well

On 1/5/2018 at 2:37 PM, local.bin said:

 

It does appear to be working now except for one critical factor I have just noticed.

 

The Letsencrypt log when starting the docker states it has seen the extra domains, but I don't find their keys in the /config/keys directory?

 

I am referencing the same certs for domain 2 as I am for domain 1, and oddly the new second domain is getting secured with no errors in the browser lock.

 

As well /etc/letsencrypt/live/ only contains a domain1 directory.

 

It seems like domain2 is using domain1 certs with no errors, but that doesn't seem right?

 

Have I misunderstood what should be happening?

 

Edit: I have my extra domains set up with a variable called EXTRA_DOMAINS and it is set to domain2, www.domain2, cloud.domain2

 

Log:

 

EXTRA_DOMAINS entered, processing
Extra domains processed are: -d domain2 -d www.domain2 -d cloud.domain2

 

So is this correct, and I shouldn't expect another directory with the domain2 cert in?

 

 

 

This container only generates one cert, which covers all the domains and subdomains you select

On 12/18/2017 at 9:32 AM, GilbN said:

 

Hm, when looking at what I posted I just see the same? 

 

 

GilbN (and others), 

 

I'm not sure if you got this working or not, but I'm going to post this here to help others that may be struggling as much as I did with letsencrypt/fail2ban and email notifications.  Here are my working configs and steps for letsencrypt/fail2ban and email notifications using gmail.

 

Copy sendmail-whois.conf to sendmail-whois.local 

copy sendmail-common.conf to sendmail-common.local

Make changes to both .local files outlined below.

Edit jail.local with changes outlined below.

 

 

sendmail-common.local (if you don't care about fail2ban start notifications, I think you can skip this)

actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auSOMEONE@gmail.com -apPASSWORD <dest>

Only need to change the last line.  Replace the UPPERCASE with your username and password.  Leave all else.

 

 

 

sendmail-whois.local

actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auSOMEONE@gmail.com -apPASSWORD <dest>

Same thing... Only need to change the last line of the actionban.  Insert your username and password where the UPPERCASE is.

 

 

 

 

 

jail.local

[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip = 10.1.1.0/24
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=SOMEONE@gmail.com]
		iptables-multiport[name=letsencrypt, port="http,https", protocol=tcp]

ignoreip is my local home subnet.

mta - set it to sendmail

action - If you want fail2ban to notify AND add a block to iptables, you need both actions.  I couldn't get it to block and send an email without adding both actions.  

 

These settings finally worked for me.

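As an added example (written for this page, not noties' configuration or the fail2ban project's code), this replays what the nginx-http-auth jail above does over a few constructed nginx error.log lines: a simplified version of fail2ban's nginx-http-auth failregex, the ignoreip = 10.1.1.0/24 exemption, and a per-IP sliding window using maxretry 5 and findtime 10 minutes (fail2ban's defaults, assumed here since jail.local does not set them). It shows why a LAN client is never banned and why five failures spread eight minutes apart never trip the jail, while five quick ones do.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified rendering of the two failregex lines in fail2ban's nginx-http-auth
# filter (written for this example, not copied): wrong password / unknown user,
# or a request that carried no credentials at all.
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'(?:user "[^"]*":? (?:password mismatch|was not found in "[^"]*")'
    r'|no user/password was provided for basic authentication), '
    r'client: (?P<ip>[0-9a-fA-F.:]+), '
)

# Mirrors jail.local from the post; maxretry/findtime are fail2ban's defaults
# (assumed here, since the post does not set them).
IGNORE_NETS = [ipaddress.ip_network("10.1.1.0/24")]
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)


def parse_failure(line):
    """Return (timestamp, ip) for an auth-failure line, or None otherwise."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, ipaddress.ip_address(m.group("ip"))


def is_ignored(ip):
    """True when the client falls inside an ignoreip network."""
    return any(ip in net for net in IGNORE_NETS)


def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay error.log lines in order and return {ip: time of ban decision}.

    An IP is banned as soon as it has `maxretry` failures inside a sliding
    `findtime` window; once banned it is not re-banned, matching fail2ban's
    one ban per bantime. Lines that do not match the filter are skipped.
    """
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if is_ignored(ip) or ip in banned:
            continue
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def _line(ts, ip, reason='user "bob": password mismatch'):
    """Build one constructed nginx error.log line in the real log's shape."""
    return (f'{ts} [error] 368#368: *12 {reason}, client: {ip}, '
            f'server: SOMESERVER.duckdns.org, request: "GET /cops/ HTTP/1.1", '
            f'host: "SOMESERVER.duckdns.org"')


# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    # unrelated nginx error: the filter must not count it
    '2018/01/06 11:59:58 [error] 368#368: *11 open() "/config/www/favicon.ico" '
    'failed (2: No such file or directory), client: 203.0.113.5, '
    'server: SOMESERVER.duckdns.org, request: "GET /favicon.ico HTTP/1.1", '
    'host: "SOMESERVER.duckdns.org"',
    # LAN client inside ignoreip: six failures, never banned
    *[_line(f"2018/01/06 12:00:0{i}", "10.1.1.50") for i in range(6)],
    # remote client: four wrong passwords plus one empty credential = maxretry
    *[_line(f"2018/01/06 12:00:1{i}", "203.0.113.5") for i in range(4)],
    _line("2018/01/06 12:00:14", "203.0.113.5",
          "no user/password was provided for basic authentication"),
    # slow remote client: five failures eight minutes apart, never five in ten
    *[_line(f"2018/01/06 12:{8 * i:02d}:30", "198.51.100.7",
            'user "eve" was not found in "/config/nginx/.htpasswd"')
      for i in range(5)],
]


def run_sample():
    """Bans produced by the sample log as {ip string: HH:MM:SS}."""
    return {str(ip): ts.strftime("%H:%M:%S")
            for ip, ts in evaluate(SAMPLE_LOG).items()}


if __name__ == "__main__":
    print(run_sample())  # {'203.0.113.5': '12:00:14'}
```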
18 hours ago, noties said:

 

GilbN (and others), 

 

I'm not sure if you got this working or not, but I'm going to post this here to help others that may be struggling as much as I did with letsencrypt/fail2ban and email notifications.  Here are my working configs and steps for letsencrypt/fail2ban and email notifications using gmail.

 

Copy sendmail-whois.conf to sendmail-whois.local 

copy sendmail-common.conf to sendmail-common.local

Make changes to both .local files outlined below.

Edit jail.local with changes outlined below.

 

 

sendmail-common.local (if you don't care about fail2ban start notifications, I think you can skip this)


actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auSOMEONE@gmail.com -apPASSWORD <dest>

Only need to change the last line.  Replace the UPPERCASE with your username and password.  Leave all else.

 

 

 

sendmail-whois.local


actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auSOMEONE@gmail.com -apPASSWORD <dest>

Same thing... Only need to change the last line of the actionban.  Insert your username and password where the UPPERCASE is.

 

 

 

 

 

jail.local


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip = 10.1.1.0/24
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=SOMEONE@gmail.com]
		iptables-multiport[name=letsencrypt, port="http,https", protocol=tcp]

ignoreip is my local home subnet.

mta - set it to sendmail

action - If you want fail2ban to notify AND add a block to iptables, you need both actions.  I couldn't get it to block and send an email without adding both actions.  

 

These settings finally worked for me.

Thanks, will try this!


@noties

 

I've added what you've posted and it works, but it doesn't seem to actually ban the IP. It logs that the IP is banned but I can still access the site (using LTE on mobile). If I remove the mta/action/iptables-multiport lines it bans like normal.

 

Did you test that access is blocked?

1 minute ago, GilbN said:

@noties

 

I've added what you've posted and it works, but it doesn't seem to actually ban the IP. It logs that the IP is banned but I can still access the site (using LTE on mobile). If I remove the mta/action/iptables-multiport lines it bans like normal.

 

Did you test that access is blocked?

 

Yes, I tested.  I couldn't get a ban to work without adding the iptables-multiport.  

 

Are you restarting the docker every time you make a change to jail.local?  I found strange behavior unless I restarted the docker.  I can test again and report.

 

1 minute ago, noties said:

 

Yes, I tested.  I couldn't get a ban to work without adding the iptables-multiport.  

 

Are you restarting the docker every time you make a change to jail.local?  I found strange behavior unless I restarted the docker.  I can test again and report.

 

 

Yeah, restarting after every edit

2 hours ago, GilbN said:

 

Yeah, restarting after every edit

I just re-tested and confirmed.  If I don't have iptables-multiport as well as sendmail, I won't get a ban.  These configs definitely work for my setup.  I am only running .htpasswd on one of my NGINX locations if that changes anything.

 

I did notice that the ban can potentially take a second or two to take effect, meaning I was able to get a username/password prompt once or twice more beyond my 5 fail threshold. I figured this is because I was entering wrong users pretty quickly.

 

My default file is below if it helps.  I only have security on my /cops/ URL.

upstream backend {
    server 10.1.1.99:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name SOMESERVER.duckdns.org;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

#   location = / {
#       return 301 /sonarr;
#   }

    location /ombi/ {
        proxy_pass http://10.1.1.99:3579;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout  90;
        proxy_redirect http://10.1.1.99:3579 https://$host;
    }
    if ($http_referer ~* /ombi/) {
        rewrite ^/dist/([0-9\d*]).js /ombi/dist/$1.js last;
    }
    # the only location protected by basic auth (the nginx-http-auth jail watches this)
    location /cops {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.1.1.99:8008/;
    }
}

 


I'm working my way through some of the support threads on the emby boards and one of them recommends some tweaks to the nginx.conf. I'd like to get some input from the folks here, as I trust them more than the people on the emby forum. (Nothing against emby users, but I've been there for about 15 minutes and I've been hanging out here for years.)

 

This is recommended

server_tokens off;   

because "This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses."

 

He's added these items as "further security tweaks", but doesn't indicate what they do:

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';

        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

 

Are these legitimate things to consider adding to my config file or are they more security theater (particularly the server_tokens off; setting)?

1 hour ago, FreeMan said:

I'm working my way through some of the support threads on the emby boards and one of them recommends some tweaks to the nginx.conf. I'd like to get some input from the folks here, as I trust them more than the people on the emby forum. (Nothing against emby users, but I've been there for about 15 minutes and I've been hanging out here for years.)

 

This is recommended

server_tokens off;   

because "This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses."

 

He's added these items as "further security tweaks", but doesn't indicate what they do:

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';

        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

 

Are these legitimate things to consider adding to my config file or are they more security theater (particularly the server_tokens off; setting)?

 

Never heard of the server tokens one, but most of the rest are legit and fairly common security related settings. If you Google them you'll see tons of mentions. We didn't set those in the default config because some sites won't work with them. 

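An added offline example (written for this page, not from the thread or the emby guide) that audits a captured response against the headers in FreeMan's list, the Server header that server_tokens off trims, and the X-Powered-By header that proxy_hide_header removes. Both responses are constructed; the 404 one shows what a client sees when add_header is used without always, because nginx then only attaches those headers to 2xx and 3xx responses. The minimum HSTS max-age check is my own threshold.

```python
import re

# Minimum HSTS max-age accepted by this checker: the value used in the post
# (30 days). This threshold is an assumption of the example, not a standard.
MIN_HSTS_MAX_AGE = 2592000


def parse_response(raw):
    """Split a raw HTTP response (status line plus headers) into (status, headers).

    Header names are lower-cased; a repeated header is joined with ', ' as
    RFC 7230 permits for list-valued fields.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or None."""
    m = re.search(r"max-age=(\d+)", value or "")
    return int(m.group(1)) if m else None


def audit(status, headers):
    """Return a list of findings for one response; an empty list means clean."""
    findings = []
    server = headers.get("server", "")
    # With server_tokens off nginx sends just 'nginx'; a version suffix means
    # the setting is missing (or a different server answered).
    if re.search(r"nginx/\d", server):
        findings.append(f"Server header leaks version: {server!r}")
    if "x-powered-by" in headers:
        findings.append("X-Powered-By reaches the client (proxy_hide_header missing)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    age = hsts_max_age(headers.get("strict-transport-security"))
    if age is None:
        findings.append("Strict-Transport-Security missing")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    # Either the CSP frame-ancestors directive or X-Frame-Options restricts
    # framing (clickjacking); the post's config sets both.
    if ("frame-ancestors" not in headers.get("content-security-policy", "")
            and "x-frame-options" not in headers):
        findings.append("no framing restriction (CSP frame-ancestors / X-Frame-Options)")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing")
    # X-Xss-Protection is deliberately not scored: current browsers ignore it.
    if status >= 400 and findings:
        findings.append("error response: check that add_header uses 'always'")
    return findings


def audit_raw(raw):
    """Convenience wrapper: parse then audit a raw response."""
    return audit(*parse_response(raw))


# Constructed responses (not captured from any real server).
HARDENED_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=2592000; includeSubdomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Security-Policy: frame-ancestors mydomain.com emby.mydomain.com;\r\n"
    "\r\n<html>ok</html>"
)
# A 404 produced by the upstream and relayed by an nginx whose add_header
# lines lack 'always' and which still has server_tokens on.
UNPROTECTED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.12.2\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>not found</html>"
)
# Same headers as the hardened response but an HSTS lifetime too short to matter.
WEAK_HSTS_200 = HARDENED_200.replace("max-age=2592000", "max-age=300")

if __name__ == "__main__":
    for name, raw in [("hardened", HARDENED_200), ("404", UNPROTECTED_404),
                      ("weak hsts", WEAK_HSTS_200)]:
        print(name, audit_raw(raw) or ["clean"])
```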
3 hours ago, jasgud said:

Any suggestion as to how we can deal with the TLS-SNI-01 security flaw detailed below.  They seem to have disabled their renew and request system on it.  

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

 

They re-enabled it for some providers. It is unclear what the long term action will be. But we already have a PR on github to add the option of http validation through port 80

Edited by aptalca

I upgraded to 6.4 and it screwed up my reverse proxy setup after adding the new cert to unraid itself. I saw earlier in this thread the suggestion to give the letsencrypt docker its own IP and to forward 443 to the new IP.

 

This fixed it not loading, but I still couldn't access some of my dockers (emby, ubooquity, etc) via my duckdns reverse proxy. I then found that giving each docker its own IP address and updating the "nginx\site-confs\default" file with the new addresses fixed the issue. Is this the "correct" way of doing things or is there a better way? 

4 hours ago, lespaul said:

I upgraded to 6.4 and it screwed up my reverse proxy setup after adding the new cert to unraid itself. I saw earlier in this thread the suggestion to give the letsencrypt docker its own IP and to forward 443 to the new IP.

 

This fixed it not loading, but I still couldn't access some of my dockers (emby, ubooquity, etc) via my duckdns reverse proxy. I then found that giving each docker its own IP address and updating the "nginx\site-confs\default" file with the new addresses fixed the issue. Is this the "correct" way of doing things or is there a better way? 

 

I had to do the exact same thing. I've been looking into this for the past few days and apparently this is the only way of doing things "properly" on 6.4. 

 

Also, if you want your dockers to communicate with each other at a certain point, don't forget that you have to select the same network when assigning the IPs


I am having issues getting the container to start. I had this working yesterday but I needed to remove and readd the container as I was no longer getting updates for it. Port forward is working. I know I ran into this issue when I first set this up but I am at a loss. Can someone take a look?

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.mydomain.com -d nzbget.mydomain.com -d radarr.mydomain.com -d hydra.mydomain.com -d lazy.mydomain.com -d books.mydomain.com -d hass.mydomain.com
E-mail address entered: myname@gmail.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

13 hours ago, aptalca said:

 

They re-enabled it for some providers. It is unclear what the long term action will be. But we already have a PR on github to add the option of http validation through port 80

Thanks for that.
For anyone struggling with this, under extra parameters enter the below parameter

 

-e "HTTPVAL"="true"

 

4 hours ago, Caboose20 said:

I am having issues getting the container to start. I had this working yesterday but I needed to remove and readd the container as I was no longer getting updates for it. Port forward is working. I know I ran into this issue when I first set this up but I am at a loss. Can someone take a look?

 


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.mydomain.com -d nzbget.mydomain.com -d radarr.mydomain.com -d hydra.mydomain.com -d lazy.mydomain.com -d books.mydomain.com -d hass.mydomain.com
E-mail address entered: myname@gmail.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Your issue is the same one I was having. It's because letsencrypt disabled a service. Under your container, hit advanced options and add the below code into your extra parameters. Restart/start the service. Note that this means http (tcp 80) will need to be forwarded as well as https (tcp 443) for validation.

-e "HTTPVAL"="true"

 

Edited by jasgud

Extra parameter makes things a little more complicated because it is hidden in advanced view and such.

Just add a new environment variable in the GUI where the key is HTTPVAL and the value is true, similar to how there is already a variable for PUID and 99.

17 hours ago, jasgud said:

Your issue is the same one I was having. It's because letsencrypt disabled a service. Under your container, hit advanced options and add the below code into your extra parameters. Restart/start the service. Note that this means http (tcp 80) will need to be forwarded as well as https (tcp 443) for validation.


-e "HTTPVAL"="true"

 

 

I have what seems like the same problem, so I applied the suggested fix. FYI the required variable is set to false by default in the docker config already. There is no need to add a new variable, just change the existing one.

 

But, I am getting connection refused on port 80. Should I change something in the nginx config as well?

 

Domain: www.xxx.com
Type: connection
Detail: Fetching
http://www.xxx.com/.well-known/acme-challenge/xxx:
Connection refused

Here is my current nginx config... port 80 listening seems to be enabled as per instructions.

server {
	listen 80;
	server_name www.xxx.com;
	return 301 https://$host$request_uri;
}

server {

	listen 443 ssl default_server;
	
	root /config/www;
	index index.html index.htm index.php;

	server_name www.xxx.com;

	# remainder of this server block was not included in the post
}
Edit: I have figured out that the problem started after the last update of letsencrypt docker. Still don't know how to fix it.

Edited by MrChunky

Hi!

 

I have the same exact problem as MrChunky. Letsencrypt docker stopped working very recently.

I have already:

  • set the HTTPVAL variable to true
  • uncommented the port 80 server section in my default nginx file
  • opened the port 80 on my router
  • restarted Letsencrypt docker

And I get a 401 unauthorized in the docker log file:

 


Failed authorization procedure. foobar.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://foobar.duckdns.org/.well-known/acme-challenge/xxx [xx.xxx.xx.xxx]: 401

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: foobar.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://foobar.duckdns.org/.well-known/acme-challenge/UzrREGhzZemotfGsM076gy9aQdCi--8H_2OcGBMM-T4
[xx.xxx.xx.xxx]: 401

 

Anyone else got this? Could it be linked to the tls-sni challenge problem?

 

FYI, this docker has been working fine for the last 2 months (thanks by the way!)

 

Londinium

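The two certbot failures quoted in the posts above (MrChunky's "connection refused" and Londinium's "401") point at different root causes, and the "IMPORTANT NOTES" block certbot prints carries enough to tell them apart. Below is an added triage helper written for this thread; it is not code from the linuxserver.io image or from certbot. It parses the Domain / Type / Detail records of that block and maps each failed domain to the next thing to check when the container validates with the standalone authenticator. The `SAMPLE_LOG` text is constructed from the two posts with a placeholder domain, token and address.

```python
"""Triage certbot HTTP-01 failures from the letsencrypt/SWAG container log.

Added example for this thread, not code from the linuxserver.io image or
from certbot. It parses the Domain / Type / Detail records in certbot's
"IMPORTANT NOTES" summary (the shape quoted in the posts above) and says
where to look next. SAMPLE_LOG is constructed from those posts with
placeholder domains, token and address.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the two failures quoted in this thread (placeholders only).
SAMPLE_LOG = """\
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.com
   Type:   connection
   Detail: Fetching
   http://www.example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER:
   Connection refused

   Domain: foobar.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://foobar.duckdns.org/.well-known/acme-challenge/TOKEN_PLACEHOLDER
   [203.0.113.10]: 401
"""


@dataclass
class AcmeFailure:
    domain: str
    kind: str                    # certbot's "Type:" value (connection, unauthorized, ...)
    detail: str                  # "Detail:" text with wrapped lines joined
    http_status: Optional[int]   # trailing HTTP status in Detail, if the CA got one


def parse_certbot_notes(log: str) -> List[AcmeFailure]:
    """Collect every Domain/Type/Detail record from certbot's error summary."""
    failures: List[AcmeFailure] = []
    domain: Optional[str] = None
    kind = ""
    detail: List[str] = []

    def flush() -> None:
        if domain is not None:
            text = " ".join(detail)
            status = re.search(r"\b(\d{3})\s*$", text)   # e.g. "[ip]: 401"
            failures.append(AcmeFailure(domain, kind, text,
                                        int(status.group(1)) if status else None))

    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            flush()                                   # close the previous record
            domain, kind, detail = line.split(":", 1)[1].strip(), "", []
        elif domain is None:
            continue                                  # preamble before any record
        elif line.startswith("Type:"):
            kind = line.split(":", 1)[1].strip()
        elif line.startswith("Detail:"):
            detail = [line.split(":", 1)[1].strip()]
        elif line and detail:
            detail.append(line)                       # wrapped continuation of Detail
        elif not line:
            flush()                                   # blank line ends the record
            domain, kind, detail = None, "", []
    flush()
    return failures


def diagnose(f: AcmeFailure) -> str:
    """Translate one failure into the check to make for standalone HTTP-01."""
    if f.kind == "connection":
        return (f"{f.domain}: nothing answered on tcp/80; check the router forward of "
                "port 80 to the container host and that the container publishes port 80")
    if f.kind == "unauthorized" and f.http_status is not None:
        return (f"{f.domain}: tcp/80 is reachable but another service answered with "
                f"HTTP {f.http_status}; with the standalone authenticator certbot must be "
                "the only listener on port 80 during validation")
    return f"{f.domain}: {f.kind} ({f.detail}); see /var/log/letsencrypt/letsencrypt.log"


def triage(log: str) -> List[str]:
    """One diagnosis line per failed domain in the log excerpt."""
    return [diagnose(f) for f in parse_certbot_notes(log)]


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Paste the "IMPORTANT NOTES" block from the container log in place of `SAMPLE_LOG` and run the script. A `connection` failure means the CA never reached anything on port 80 for that name, so the problem is upstream of the container (router forward, published port); an `unauthorized` failure with a status code means port 80 is reachable but whatever answered was not certbot's standalone listener, so look for another web server or proxy bound to that port.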

Same here... everything was running fine until today's container update:

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
No subdomains defined
E-mail address entered: email@gmx.net
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

 

Edited by EdgarWallace
