[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

15 minutes ago, CHBMB said:

 

There are two issues at play.  Firstly LetsEncrypt have changed the method used to issue certs.  The second issue is Unraid itself on v6.4.0 has implemented a system using LetsEncrypt.

 

It sounds like you've sorted the first issue, in that your certs have been issued.  Whether the second issue is contributing to your ongoing problem I couldn't say, but it may be worth delving into.

 

Yeah, I read about unraid 6.4 using port 443, but I changed that to another port right away to avoid conflicts. I still don't get how my own PC is the only client unable to connect when I had no issues prior to this, though.. I don't think upgrading to 6.4 had any impact on me not being able to connect, as it was happening before that.. Haven't made any changes to my router either, so I don't think NAT is the issue either.. I just tested again, as I was using local ip:port before, but hadn't tried public ip:port, and seems I can't connect using public ip:port either, but using the same method works for other devices. All attempts from my PC except local ip:port results in timeout errors.. I can ping both the url and public ip as well, so it seems like it just doesn't redirect from my IP or my PC is blocked somehow? if that even makes sense..

publicip:port will only work if you have forwarded the relevant port.

 

To be honest I'm confused, what I think the situation is, is this.

 

From a WAN connection everything is working as expected.

When on your LAN you can't connect via domainname.com/service

 

If that's the case, and it was happening before, still sounds like NAT reflection / hairpin NAT issues to me.

Can I make a request? I would like to be able to toggle the LE automation using a docker environment variable so that we can start the container without the renewal logic, just start NGINX with existing credentials.

 

I know in the long run that's probably a bad fix, but for now it would be helpful to get people back running without having to set up another container and migrating configs.

17 minutes ago, jonathanm said:

Can I make a request? I would like to be able to toggle the LE automation using a docker environment variable so that we can start the container without the renewal logic, just start NGINX with existing credentials.

 

I know in the long run that's probably a bad fix, but for now it would be helpful to get people back running without having to set up another container and migrating configs.

 

That was originally what was planned, unfortunately, due to the fact template changes are now propagated from our github repo by some CA skullduggery, once we introduced the option of HTTPVAL it came down and affected everyone, if it hadn't been for that, the issue would have been just simmering once in a while for everyone over the next 3 months......

 

I'll point @aptalca this way, see what he thinks.

29 minutes ago, jonathanm said:

Can I make a request? I would like to be able to toggle the LE automation using a docker environment variable so that we can start the container without the renewal logic, just start NGINX with existing credentials.

 

I know in the long run that's probably a bad fix, but for now it would be helpful to get people back running without having to set up another container and migrating configs.

 

If you're not using unraid 6.4.0, there won't be revalidation until your certs expire. But as chbmb mentioned, new unraid pushes template updates, including newly added variables, which I wasn't aware of. That caused revalidation. 

 

Or, you can switch the image to nginx instead of letsencrypt and it will start without the letsencrypt bits. 

Can anyone help me understand why I can access mydomain.duckdns.org/ombi on LTE using my cell phone, but when I try to access that using my laptop connected to my network, I get a privacy error on chrome or a 404 error (from my edgerouter) when I use firefox?

1 minute ago, PaDadof2 said:

Can anyone help me understand why I can access mydomain.duckdns.org/ombi on LTE using my cell phone, but when I try to access that using my laptop connected to my network, I get a privacy error on chrome or a 404 error (from my edgerouter) when I use firefox?

Most likely an issue with your router not accepting loopback connections.

 

I initially had this issue with my PFsense setup and had to enable 1:1 NAT Reflection to get this to work.

 

Might want to take a look here: https://help.ubnt.com/hc/en-us/articles/204952134-EdgeRouter-NAT-Hairpin-Nat-Inside-to-Inside-Loopback-Reflection-

3 hours ago, riffles21 said:

 

I have exactly the same issue. It was running fine last week and now all of a sudden it stopped working.

 

Maybe it has something to do with this: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

 

Edit: solved the problem, thanks @CHBMB. Set HTTPVAL to 'true' and forwarded external port 80 to internal 81.

 

image.thumb.png.9d4cf5c49e54d089280165782a8fae5e.png

 

@riffles21 where is this HTTPVAL? I can't find it?

 

Edit: ignore me. Found it.

Edited by mrangryoven

Just now, mrangryoven said:

 

@riffles21 where is this HTTPVAL? I can't find it?

 

Look right at the bottom edge of the image you quoted...

 

Just now, FreeMan said:

 

Look right at the bottom edge of the image you quoted...

 

Thank you, I did find it. Did not have advanced view on.

2 minutes ago, IndianaJoe1216 said:

Most likely an issue with your router not accepting loopback connections.

 

I initially had this issue with my PFsense setup and had to enable 1:1 NAT Reflection to get this to work.

 

Might want to take a look here: https://help.ubnt.com/hc/en-us/articles/204952134-EdgeRouter-NAT-Hairpin-Nat-Inside-to-Inside-Loopback-Reflection-

I have an Edgerouter X, and when I click the Hairpin Nat, I get an error, Failed to apply the configuration ("lan-interface" is required when hairpin NAT .  I have nothing checked under lan interface, but have Wan interface set to eth0.  I tried to add eth0 to Lan interface, but get another error.  I'm an idiot and I'm not sure what I'm doing with my router

I see the last update made it through for most of us... I've read about the last 5 pages and I seem to be the first with this issue "port already in use".

I get "Execution Error" which means I cannot even start the docker. I've updated to unraid 6.4.0, does it have something to do with it?

 

See below in box and/or screenshot. I've tried to change the 443 port to like 445 but same error then... 

 

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "EMAIL"="*****@******.***" -e "URL"="********" -e "SUBDOMAINS"="www,*******," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
078c988ab78bd5a856f7a2781cadaaca44e54611c5f91b03c896236175364696
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (8c666828f2c390c48772f4d9a78444293262b1bd6cf74c3aaf9edc400a71f669): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use.

The command failed.

 

 

alreadyinuse.PNG

Edited by truetype

1 minute ago, truetype said:

I see the last update made it through for most of us... I've read about the last 5 pages and I seem to be the first with this issue "port already in use".

I get "Execution Error" which means I cannot even start the docker. I've updated to unraid 6.4.0, does it have something to do with it?

 

See below in box and/or screenshot. I've tried to change the 443 port to like 445 but same error then... I

 


Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "EMAIL"="*****@******.***" -e "URL"="********" -e "SUBDOMAINS"="www,*******," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
078c988ab78bd5a856f7a2781cadaaca44e54611c5f91b03c896236175364696
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (8c666828f2c390c48772f4d9a78444293262b1bd6cf74c3aaf9edc400a71f669): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use.

The command failed.

 

 

alreadyinuse.PNG

 

Don't use 445 as it's used for something else. Don't ask me what, as I don't remember. 

Change it to 4443 and check that it's not in use. Remember to also change the port forward in your router.

Edited by saarg

1 minute ago, saarg said:

 

Don't use 445 as it's used for something else. Don't ask me what, as I don't remember.

 

Dope..... Thanks, tried with 442 and now running at least! :)

3 minutes ago, truetype said:

-p 443:443/tcp

 

Try mapping the port to 444 or some other number. 6.4 runs the WebGUI on 443 now so you're trying to compete with the OS's main method of communicating with you. Don't forget to update your router's port-forwarding, too.
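
An added example, not part of any post in this thread: a pre-start check that pulls the published host ports out of a `docker run` command like the one quoted above and reports which of them already have a listener, which is the condition behind "bind: address already in use". The sample command is a shortened, constructed copy of the one posted, and the function names are illustrative.

```python
import shlex
import socket

# Constructed sample: the thread's command reduced to the parts that matter here.
SAMPLE_CMD = ('docker run -d --name="letsencrypt" -e "HTTPVAL"="true" '
              '-p 81:80/tcp -p 443:443/tcp linuxserver/letsencrypt')


def published_host_ports(docker_run_cmd):
    """Return host ports from -p/--publish [IP:]HOST:CONTAINER[/proto] arguments."""
    args = shlex.split(docker_run_cmd)
    ports = []
    for i, arg in enumerate(args):
        if arg in ("-p", "--publish") and i + 1 < len(args):
            spec = args[i + 1]
        elif arg.startswith("--publish="):
            spec = arg.split("=", 1)[1]
        else:
            continue
        mapping = spec.split("/", 1)[0].split(":")
        # Skip forms without a fixed host port (container-only, ranges, "ip::port").
        if len(mapping) >= 2 and mapping[-2].isdigit():
            ports.append(int(mapping[-2]))
    return ports


def is_listening(port, host="127.0.0.1"):
    """True if something already accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        return s.connect_ex((host, port)) == 0


def conflicts(docker_run_cmd):
    """Host ports in the command that are already taken on this machine."""
    return [p for p in published_host_ports(docker_run_cmd) if is_listening(p)]


if __name__ == "__main__":
    taken = conflicts(SAMPLE_CMD)
    print("ports already in use:", taken if taken else "none")
```

Run it on the Unraid host itself; a connect test needs no root, unlike trying to bind port 443 directly.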

I'm really struggling with this as well guys.  Been doing all the required reading and browsing through everyone's comments without luck.  I've done the following:

 

  • Upgraded to 6.4.0 (was previously on 6.3.5 and it wasn't working then either)
  • Due to 6.4.0 upgrade, I changed the default SSL port for UNRAID to 444
  • Ensured HTTPVAL is set to true.
  • Removed and re-added http container port
  • Changed container http container port to 8083
  • Ensured port forwarding is working for port 8083 via telnet

 

What am I missing guys?  This shouldn't be this difficult...

UNRAID - B.png

UNRAID - C.png

UNRAID - D.png

UNRAID - E.png

UNRAID - A.png

@irandumi - it's hard to tell from your port-forward screen shot, but it looks like you're not forwarding 443 to your unRAID server, but you are forwarding 8083(?) to 80. Try adding the 443 forward to 192.168.0.122 (?).

 

(adjust the numbers as necessary - I'm squinting at a small, blurry screen shot and my eyes aren't quite as good as they used to be)

@irandumi

 

You don't control duckdns.org, so try using subdomain.duckdns.org in DOMAIN NAME, remove SUBDOMAIN from SUBDOMAINS and set ONLY SUBDOMAINS to false if @FreeMan's suggestion doesn't work.

Edited by CHBMB

8 minutes ago, irandumi said:
  • Changed container http container port to 8083
  • Ensured port forwarding is working for port 8083 via telnet

Your router is set to forward EXTERNAL 8083 to INTERNAL 80. Swap that, so when LE talks to port 80 on your WAN, your router sends it to 8083 on unraid, which sends it back to the LE docker on 80.

 

You've got internal and external switched in your router.

3 minutes ago, CHBMB said:

@irandumi

 

You don't control duckdns.org, so try using subdomain.duckdns.org in DOMAIN NAME, remove SUBDOMAIN from SUBDOMAINS and set ONLY SUBDOMAINS to false if @FreeMan's suggestion doesn't work.

 

Dang! missed that one.

 

Just now, jonathanm said:

Your router is set to forward EXTERNAL 8083 to INTERNAL 80. Swap that, so when LE talks to port 80 on your WAN, your router sends it to 8083 on unraid, which sends it back to the LE docker on 80.

 

You've got internal and external switched in your router.

 

and that one....

 

maybe I should go back to sleep. Sorry @irandumi...

Just now, FreeMan said:

 

Dang! missed that one.

 

 

and that one....

 

maybe I should go back to sleep. Sorry @irandumi...

 

Don't worry I misread what you said and thought you'd actually said what @jonathanm suggested.

4 hours ago, upthetoon said:

Sorry to add to the list of people with probably obvious issues but I'm having trouble getting this working too.

 

I've been using it through the RC's and have unraid set to port 444 to avoid the clash.  It was working fine before the CA change.

 

I've followed the instructions above (thank you) and set the HTTPVAL flag to true.

 

I'm using port 81 for the docker and have port 80 fwd to 81 in my router.

 

I'm getting this error which I can't see is happening for anyone else...

 


Failed authorization procedure. <redacted>.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://<redacted>.unraid.net:444/.well-known/acme-challenge/QaX0x01RBkOvVSiPIP5VlKlhGyQDYNZXTuanOrzQ-n0: Invalid port in redirect target. Only ports 80 and 443 are supported, not 444

 


Startup command;

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/London" -e HOST_OS="unRAID" -e "EMAIL"="<redacted>" -e "URL"="duckdns.org" -e "SUBDOMAINS"="<redacted>" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

 

This got lost in all the replies I think. 

 

Invalid port in redirect target. Only ports 80 and 443 are supported, not 444

 error anyone?
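
An added example, not part of any post in this thread: a check that walks a redirect chain the way the quoted error describes and reports every hop whose target port is not 80 or 443. The host names and `TOKEN` in the sample are constructed placeholders, and the function names are illustrative.

```python
import http.client
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = {80, 443}   # per the quoted error: "Only ports 80 and 443 are supported"
DEFAULT_PORT = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample mirroring the failure above; host names are placeholders.
SAMPLE_START = "http://myhost.duckdns.org/.well-known/acme-challenge/TOKEN"
SAMPLE_HOPS = ["https://placeholder.unraid.net:444/.well-known/acme-challenge/TOKEN"]


def effective_port(url):
    """Port a client would connect to, or None for a non-HTTP(S) scheme."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return None
    return parts.port or DEFAULT_PORT[parts.scheme]


def audit_chain(start_url, locations):
    """Return one message per redirect hop whose target port is not 80 or 443."""
    problems, current = [], start_url
    for loc in locations:
        target = urljoin(current, loc)          # Location may be relative
        port = effective_port(target)
        if port not in ALLOWED_PORTS:
            problems.append(f"{current} -> {target}: port {port} is not 80 or 443")
        current = target
    return problems


def fetch_locations(url, max_hops=10):
    """Collect Location headers one hop at a time, without auto-following."""
    locations = []
    for _ in range(max_hops):
        parts, port = urlsplit(url), effective_port(url)
        if port is None:
            break
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.hostname, port, timeout=10)
        try:
            conn.request("GET", parts.path or "/")
            resp = conn.getresponse()
            status, loc = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECTS or not loc:
            break
        locations.append(loc)
        url = urljoin(url, loc)
    return locations
```

For a live check, pass `fetch_locations(url)` to `audit_chain(url, ...)` from a machine outside the LAN, so the request crosses the router's port forward the same way the validator's does.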

11 minutes ago, FreeMan said:

@irandumi - it's hard to tell from your port-forward screen shot, but it looks like you're not forwarding 443 to your unRAID server, but you are forwarding 8083(?) to 80. Try adding the 443 forward to 192.168.0.122 (?).

 

(adjust the numbers as necessary - I'm squinting at a small, blurry screen shot and my eyes aren't quite as good as they used to be)

 

443 is forwarded.  If there is no input for Int (Internal port), then it uses the same port (443).  Regardless, I added 443 just to be safe.  No luck.

 

10 minutes ago, CHBMB said:

@irandumi

 

You don't control duckdns.org, so try using subdomain.duckdns.org in DOMAIN NAME, remove SUBDOMAIN from SUBDOMAINS and set ONLY SUBDOMAINS to false if @FreeMan's suggestion doesn't work.

 

As you suggested, I modified the DOMAIN NAME to include my subdomain,  I removed the SUBDOMAIN(S) variable, changed 'ONLY SUBDOMAINS' to 'false' and restarted the docker.  Same results.

 

7 minutes ago, jonathanm said:

Your router is set to forward EXTERNAL 8083 to INTERNAL 80. Swap that, so when LE talks to port 80 on your WAN, your router sends it to 8083 on unraid, which sends it back to the LE docker on 80.

 

You've got internal and external switched in your router.

 

I just did what you suggested and still no luck...

12 minutes ago, upthetoon said:

error anyone?

Follow irandumi's lead, and post screenshots showing  the docker, GUI and router configurations. What he posted allowed us to quickly and easily parse through and figure out what could be the issue.

Edited by jonathanm
