[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 minutes ago, EdgarWallace said:

Same here... everything was running fine until today's container update:

 

Apply the fix that Jasgud/aptalca suggested above.

 

13 hours ago, aptalca said:

Just add a new environment variable in the GUI where the key is HTTPVAL and the value is true, similar to how there is already a variable for PUID and 99.

 


I am having the same problem as well. 

I have the exact same problem with the HTTPVAL variable as well.

However, I do not see how the HTTPVAL variable should make a difference, since it seems optional.

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d ***** -d ******
E-mail address entered: ******
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I applied the fix...still not working: 

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
No subdomains defined
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxxxxx.xxxxxx.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xxxxxxxx.xxxxxx.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxxxxxxx.xxxxxx.org/.well-known/acme-challenge/igQwFM5uEZH-G1E1iS-R0v-GlcC3-xv-g9F1n-9r51g: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: xxxxxxxx.xxxxxx.org
Type: connection
Detail: Fetching
http://xxxxxxxx.xxxxxx.org/.well-known/acme-challenge/igQwFM5uEZH-G1E1iS-R0v-GlcC3-xv-g9F1n-9r51g:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Edited by EdgarWallace
2 hours ago, Zero said:

If you're getting the line below then the code wasn't applied correctly. Try putting it in quotes like "HTTPVAL" and "true". I did apply mine through extra parameters and it worked just fine, didn't even think about adding custom variables.

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

 

2 hours ago, EdgarWallace said:

I applied the fix...still not working: 



You're having some kind of access error to the http session from external servers.  You need to forward on your router publicip(publicdomain):80 - unraid:85 so they can test that you own http as well as https.  

2 hours ago, MrChunky said:

Now you have the same error as me :) Welcome to the club.

Applying this "fix" forces us to port forward http (tcp 80) through our router to access the nginx service so it can be evaluated by letsencrypt. Make sure you have http and https available externally.


Letsencrypt fails to start after the recent update. Not sure what has changed.

 

[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d bacnet.bacnet.duckdns.org -d btchriss.bacnet.duckdns.org
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.


Just installed letsencrypt after 1 week to try again.

 

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.website.com -d nextcloud.website.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

2 minutes ago, Greygoose said:

Just installed letsencrypt after 1 week to try again.

 

 

Looks like we are having the same issue. 

1 hour ago, jasgud said:

Applying this "fix" forces us to port forward http (tcp 80) through our router to access the nginx service so it can be evaluated by letsencrypt. Make sure you have http and https available externally.

 

That did the trick: port forwarding http (tcp 80 -->> 85) as well as https (tcp 443 -->> 443) is required.

 

Thanks a lot.

Edited by EdgarWallace
8 minutes ago, EdgarWallace said:

 

That did the trick: port forwarding http (tcp 80 -->> 85) as well as https (tcp 443 -->> 443) is required.

 

Thanks a lot.

 

Same here, solved by forwarding port 80 to 81 on my router (check the http port in Letsencrypt docker configuration).
The 401 unauthorized I was getting previously was probably coming from unRAID web UI -_-

Thanks!


Hey guys, I've got a problem that I've somewhat narrowed down to being either reverse-proxy related and/or caused by my PC, but I got stuck, so now I'm hoping some of you may know what's wrong. I'm sure that there's some really simple solution that I'm just not seeing, but here goes:


I have a basic Unraid server running letsencrypt, duckdns and a few others, with Nextcloud and Ombi set up on reverse proxy. Everything has been working flawlessly so far, for almost a year, then suddenly a few days ago, I could no longer connect to Nextcloud or Ombi. I'm able to ping the server by IP and name "myserver.duckdns.org", but I get timeouts when trying to access Nextcloud both via the desktop app and the web interface by URL myserver.duckdns.org/nextcloud. At first I started looking through settings on the server and router, but then I got a friend of mine to test on his end, and he had no issues accessing either of them. I also found out that I had no issues on my phone connected to the home WiFi. So my PC is basically the only device unable to connect? I hadn't made any changes on my PC or the server, so this is really confusing.

 

Also, on top of that, I just had the same problem occur as many of you got after the update, but after applying the fix, Ombi became completely inaccessible, this time also for everyone else.

 

Anyone know what could be wrong? Let me know if you need any logs or screenshots.

5 hours ago, MrChunky said:

 

I have what seems like the same problem, so I applied the suggested fix. FYI the required variable is set to false by default in the docker config already. There is no need to add a new variable, just change the existing one.

 

But, I am getting connection refused on port 80. Should I change something in the nginx config as well?

 


Domain: www.xxx.com
Type: connection
Detail: Fetching
http://www.xxx.com/.well-known/acme-challenge/xxx:
Connection refused

Here is my current nginx config... port 80 listening seems to be enabled as per instructions.


server {
	listen 80;
	server_name www.xxx.com;
	return 301 https://$host$request_uri;
}

server {

	listen 443 ssl default_server;
	
	root /config/www;
	index index.html index.htm index.php;

	server_name www.xxx.com;

Edit: I have figured out that the problem started after the last update of letsencrypt docker. Still don't know how to fix it.

I'm thinking comment out your 301 to https and allow the validator to hit http.



 

Like others, I'm also getting the challenge error as well as the "no such file or directory" problem.

 

Firstly, it's complaining about /config/keys/letsencrypt.

This is a symlink that goes to /etc/letsencrypt/live/domain.com

I can't verify if this is correctly linked inside the container because the container immediately stops once started, no time to docker exec in and see what's wrong.

Has anyone come to a conclusion on what's going on with this file error?

 

I haven't tried the HTTPVAL fix yet as I'm dealing with the directory problem first. I also would prefer to not have to forward port 80.

Edited by Quiks
2 minutes ago, Quiks said:


 

Like others, I'm also getting the challenge error as well as the "no such file or directory" problem.

 

Firstly, it's complaining about /config/keys/letsencrypt.

This is a symlink that goes to /etc/letsencrypt/live/domain.com

I can't verify if this is correctly linked inside the container because the container immediately stops once started, no time to docker exec in and see what's wrong.

Has anyone come to a conclusion on what's going on with this file error?

 

I haven't tried the HTTPVAL fix yet as I'm dealing with the directory problem first. I also would prefer to not have to forward port 80.

This looks like exactly what happened to me. HTTPVAL fixes it all.

6 minutes ago, jasgud said:

This looks like exactly what happened to me. HTTPVAL fixes it all.

Just tried HTTPVAL = true, forwarded port 80 to my exposed http port 90 > 80 and it did the trick.

 

Hopefully they fix this so I can close back up port 80.

 

Edit: For anyone else that needs to know where to edit this, it's under advanced settings.

 


Edited by Quiks

I just got banned for a week for excessive registration attempts trying to resolve this. From my understanding you get 5 an hour. My ISP blocks port 80 so the HTTPVAL=true solution doesn't work for me.

 

EDIT: Rebooted my router and pulled another IP from my ISP to get around the rate limit.

Edited by BrandonG777
4 minutes ago, kreene1987 said:

Phew this one is throwing me for a loop. I port forwarded my IP 80 --> 81 and now I can VPN in and get to all of my internal links and everything is working great, but the Unraid GUI connection is refused. Any reason the 2 would be related?

 

Same thing happening to me: letsencrypt seems to be working but my nextcloud is not working at all anymore and I'm not sure why. Both http and https are open and forwarded to letsencrypt.

 

I'm getting a 502 bad gateway error now whereas before it was working flawlessly

Edited by ffhelllskjdje
4 minutes ago, ffhelllskjdje said:

 

Same thing happening to me: letsencrypt seems to be working but my nextcloud is not working at all anymore and I'm not sure why. Both http and https are open and forwarded to letsencrypt.

Are you accessing it the same way? What do you see instead of your nextcloud page?

 

My only issue was getting my certificate pushed. After that, everything worked per normal.

 

You should be able to go to your public ipaddress:port instead of the domain and have it work as well (albeit without the pretty "secure" icon), assuming you have this allowed in your conf.

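The container output pasted throughout this thread repeats a handful of distinct failure signatures, and the replies map each one to a cause (HTTPVAL not in effect, port 80 not forwarded to the container's http port, connection refused on the mapped port, and the /config/keys/letsencrypt error that follows any failed issuance). The script below is an added example, not code from this thread or from linuxserver.io: a small Python triage that scans a saved container log for those signatures and reports which fix the thread arrived at. The rule codes are hypothetical names chosen here, and the sample logs are constructed from the output quoted above.

```python
import re
from typing import List, Tuple

# Failure signatures seen in the container logs pasted in this thread, in priority
# order: the first match is treated as the root cause, later matches are usually
# follow-on symptoms of it. Codes are hypothetical; advice paraphrases the replies.
RULES: List[Tuple[str, str, str]] = [
    (r"does not support any combination of challenges that will satisfy the CA",
     "NO_HTTP01",
     "Validation is not using http-01: set the container variable HTTPVAL=true "
     "(advanced settings in the Unraid template) and restart the container."),
    (r"acme-challenge/\S+:\s*Timeout",
     "PORT80_TIMEOUT",
     "Let's Encrypt could not reach port 80: forward router port 80 to the "
     "container's http port (80 -> 85 or 80 -> 81 in the thread) and check the "
     "ISP does not block port 80."),
    (r"acme-challenge/\S+:\s*Connection refused",
     "PORT80_REFUSED",
     "Port 80 reached the host but nothing answered on the mapped port: check the "
     "container's http port mapping and that the port-80 server block is not "
     "redirecting the validator away before it can fetch the challenge."),
    (r"urn:acme:error:rateLimited",
     "RATE_LIMITED",
     "ACME rate limit hit (standard ACME error type, not shown in this thread): "
     "stop restarting the container until the limit window passes."),
    (r"argument --cert-path: No such file or directory",
     "NO_PREVIOUS_CERT",
     "Revoking the previous certificate failed because none exists yet; "
     "harmless on its own."),
    (r"cd: /config/keys/letsencrypt: No such file or directory",
     "KEYS_SYMLINK_MISSING",
     "/config/keys/letsencrypt points at /etc/letsencrypt/live/<domain>, which "
     "only exists once a certificate is issued; fix the cause listed above first."),
]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (code, advice) for every signature present, in priority order."""
    # re.search with \s* lets a pattern span the line break certbot inserts
    # between the challenge URL and the "Timeout"/"Connection refused" detail.
    return [(code, advice) for pattern, code, advice in RULES
            if re.search(pattern, log_text)]


def primary_cause(log_text: str) -> str:
    """The highest-priority signature found, or UNKNOWN when nothing matched."""
    findings = triage(log_text)
    return findings[0][0] if findings else "UNKNOWN"


# Constructed sample logs, trimmed from the output quoted in the thread.
SAMPLE_NO_HTTPVAL = """\
certbot: error: argument --cert-path: No such file or directory
Plugins selected: Authenticator standalone, Installer None
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
"""

SAMPLE_TIMEOUT = """\
certbot: error: argument --cert-path: No such file or directory
http-01 challenge for xxxxxxxx.xxxxxx.org
Detail: Fetching
http://xxxxxxxx.xxxxxx.org/.well-known/acme-challenge/igQwFM5uEZH-G1E1iS-R0v-GlcC3-xv-g9F1n-9r51g:
Timeout
/var/run/s6/etc/cont-init.d/50-config: line 134: cd: /config/keys/letsencrypt: No such file or directory
"""

SAMPLE_REFUSED = """\
Detail: Fetching
http://www.xxx.com/.well-known/acme-challenge/xxx:
Connection refused
"""

if __name__ == "__main__":
    import sys
    # Pass a saved container log as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TIMEOUT
    for code, advice in triage(text) or [("UNKNOWN", "no known signature found")]:
        print(f"{code}: {advice}")
```

Run it against the output of `docker logs letsencrypt` saved to a file; the first line printed is the cause to fix, and the later lines are the symptoms that should disappear with it.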
