[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



11 hours ago, Taddeusz said:

 

This is true if you are on a provider that doesn't already have a supported API. If you look at the instructions for the acme.sh script to use the automated DNS validation, you run it with the --dns <apiscript> parameter and select which API you wish to use (this can easily be a template variable). Prior to running the script, each supported provider API script has environment variables that must be set. All of this could easily be scripted. In the case of supported APIs the user would just need to add the required environment variables to their Docker template. That's exactly what I did to get mine validated and working with the regular nginx container.

 

I don't understand why it's so impossible. It's just not as plug and play and requires the user to look at the acme.sh script's documentation to figure out which API to select and which environment variables they need to add to their Docker template. I do understand that from a support perspective it would be more of a burden because it's easier to get wrong. However, for many people whose ISPs block port 80, DNS validation is the only reasonable option.

 

If I had the time I would be willing to do the modification and do a pull request myself but my time is limited.

 

acme.sh is a 3rd party client. Its dev created a bunch of DNS update scripts himself. We don't use that.

We use the official Let's Encrypt client, certbot. With that, you have to supply your own authenticator.sh and cleanup.sh scripts for your DNS provider.

Here's a DNS validation mock-up where it requires you to supply your own script: https://github.com/linuxserver/docker-letsencrypt/tree/dns

We haven't yet decided whether we will publish it or not.

13 hours ago, aptalca said:

We haven't yet decided whether we will publish it or not

 

Publish it, please :) 

 

I think it's fair to include this per https://github.com/linuxserver/docker-letsencrypt/tree/dns

"This option is only for advanced users. We will not answer any questions related to this setting. If you need to ask questions, this is not meant for you."

 

I understand it would be a huge support headache, however, the use of forums for support isn't the best either. How many times have people asked the same question because they didn't read or missed an earlier post? I'm certainly at fault for this too.

 

In any case, I don't think it's wise to withhold features just because they're too hard to support.

19 hours ago, aptalca said:

 

acme.sh is a 3rd party client. Its dev created a bunch of DNS update scripts himself. We don't use that.

We use the official Let's Encrypt client, certbot. With that, you have to supply your own authenticator.sh and cleanup.sh scripts for your DNS provider.

Here's a DNS validation mock-up where it requires you to supply your own script: https://github.com/linuxserver/docker-letsencrypt/tree/dns

We haven't yet decided whether we will publish it or not.

 

+1

 

Right now we must go through the Docker bash to add/edit the scripts, which is quite painful. Also the modification made to the 50-config script will be deleted whenever the container is updated.

I would use this feature for sure if it's added.

On 13/01/2018 at 4:40 AM, ebnerjoh said:

Ok, it is not working with the temporary workaround. 

 

I am getting: 

 


Error output from authenticator.sh:

Traceback (most recent call last):
File "<string>", line 1, in <module>
TypeError: 'NoneType' object has no attribute '__getitem__'
Traceback (most recent call last):
File "<string>", line 1, in <module>
TypeError: 'NoneType' object has no attribute '__getitem__'

 

 

I had this issue too, but I've slightly modified the script and it's now working for me. The issue happens when you try to create the txt file for the top domain.

 

authenticator.sh

#!/bin/bash

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="SOMETHING"
EMAIL="SOMETHING"

echo "Currently creating a txt entry for $CERTBOT_DOMAIN."

# Strip only the top domain to get the zone id
# (the last two labels: nextcloud.example.com -> example.com)
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')

# If $CERTBOT_DOMAIN is already the top domain, expr prints nothing
if [ -z "$DOMAIN" ]; then
	DOMAIN="$CERTBOT_DOMAIN"
fi

# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
     -H     "X-Auth-Email: $EMAIL" \
     -H     "X-Auth-Key: $API_KEY" \
     -H     "Content-Type: application/json" | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")

# No zone id means the lookup failed (wrong credentials, or the domain is not
# hosted in this account). Exit non-zero so certbot reports the failure instead
# of continuing with an empty id.
if [ -z "$ZONE_ID" ]; then
        echo "No Cloudflare zone found for $DOMAIN" >&2
        exit 1
fi

# Create TXT record
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H     "X-Auth-Email: $EMAIL" \
     -H     "X-Auth-Key: $API_KEY" \
     -H     "Content-Type: application/json" \
     --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
             | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")

if [ -z "$RECORD_ID" ]; then
        echo "Failed to create TXT record $CREATE_DOMAIN" >&2
        exit 1
fi

# Save info for cleanup (cleanup.sh reads these two files)
mkdir -p -m 0700 "/tmp/CERTBOT_$CERTBOT_DOMAIN"
echo "$ZONE_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
echo "$RECORD_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"

# Sleep to make sure the change has time to propagate over to DNS
sleep 15

 

Edited by matthope
add code
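The cleanup.sh counterpart that certbot's manual hooks require (the thread only shows authenticator.sh), written here as an added example rather than code from the thread or from linuxserver.io: it reads the ZONE_ID and RECORD_ID files the authenticator saved, refuses anything that is not a plausible Cloudflare id before putting it into an API URL, deletes the TXT record and removes the state directory. The CF_API_KEY/CF_EMAIL variables, STATE_ROOT and the 32-hex-character id format are assumptions.

```bash
#!/bin/bash
# cleanup.sh: certbot --manual-cleanup-hook counterpart to the Cloudflare
# authenticator.sh above. Certbot exports CERTBOT_DOMAIN; the authenticator
# left ZONE_ID and RECORD_ID under $STATE_ROOT/CERTBOT_$CERTBOT_DOMAIN.
# Assumed: credentials come from CF_API_KEY/CF_EMAIL (placeholders below),
# and Cloudflare ids are 32 hex characters (used only as a sanity filter).

API_KEY="${CF_API_KEY:-SOMETHING}"
EMAIL="${CF_EMAIL:-SOMETHING}"
STATE_ROOT="${STATE_ROOT:-/tmp}"

# Reduce a name to its last two labels, as the authenticator does with
# expr match: nextcloud.example.com -> example.com; example.com is unchanged.
# Caveat: this two-label rule is wrong for zones such as example.co.uk.
top_domain() {
  fqdn=$1
  case $fqdn in
    *.*.*) tld=${fqdn##*.}; sld=${fqdn%.*}; sld=${sld##*.}
           printf '%s.%s\n' "$sld" "$tld" ;;
    *)     printf '%s\n' "$fqdn" ;;
  esac
}

# Accept only a 32-character hex id, so a corrupted or tampered state file
# can never smuggle path segments or query strings into the API URL.
valid_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Read one id file written by authenticator.sh and validate it.
read_id() {  # $1 = domain, $2 = ZONE_ID or RECORD_ID
  f="$STATE_ROOT/CERTBOT_$1/$2"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  id=$(tr -d '[:space:]' < "$f")
  valid_id "$id" || { echo "bad id in $f" >&2; return 1; }
  printf '%s\n' "$id"
}

# DELETE the TXT record; prints the API's "success" field as true/false.
# Kept as its own function so a test can replace it; a real run talks to
# api.cloudflare.com.
cf_delete_record() {  # $1 = zone id, $2 = record id
  curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$1/dns_records/$2" \
       -H "X-Auth-Email: $EMAIL" -H "X-Auth-Key: $API_KEY" \
       -H "Content-Type: application/json" \
    | python -c "import sys,json;print(str(json.load(sys.stdin).get('success')).lower())"
}

# Full cleanup for one domain: delete the record, then remove the state
# directory so a later run cannot reuse stale ids. Returns 0 on success.
cleanup_domain() {
  d=$1
  zone=$(read_id "$d" ZONE_ID) || return 1
  rec=$(read_id "$d" RECORD_ID) || return 1
  echo "Deleting _acme-challenge.$d (zone $(top_domain "$d"))"
  ok=$(cf_delete_record "$zone" "$rec")
  rm -rf "$STATE_ROOT/CERTBOT_$d"
  [ "$ok" = true ]
}

# Certbot sets CERTBOT_DOMAIN when it invokes the hook; nothing runs otherwise.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  cleanup_domain "$CERTBOT_DOMAIN"
fi
```

Point certbot at both scripts with --manual-auth-hook and --manual-cleanup-hook; a non-zero exit from either hook makes certbot report the failure rather than silently leaving a challenge record behind.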

Hi All, 

I have been able to bash into the container and manually obtain certs with certbot, adding the DNS entries manually, as my domain provider doesn't have an API.

With the certs that are generated, I copied them into the letsencrypt folder, where the config files point. However, that doesn't seem to be enough, and I must still be missing a step. Restarting the container deletes the certs as expected.

Can anyone shed any light on what I might be missing?


So I hate to add to the chaos...but I use this docker daily for my business in conjunction with NextCloud....

 

Basically I read about the problem and issued the fix (HTTPSVAR True & Router 80 to 81 & Router 443 to 444)

 

Upon the Unraid update and reboot I can't even start my container. I've attached images. (I know the email and domain are missing; I took them out.)

 

The log simply reads: "Error grabbing logs: EOF"

 

I've tried uninstalling and reinstalling the container.

 

Thanks for all you guys do to keep us running. I hope I included enough info.

[three attached screenshots]

Edited by daniel329
16 hours ago, matthope said:

 

+1

 

Right now we must go through the Docker bash to add/edit the scripts, which is quite painful. Also the modification made to the 50-config script will be deleted whenever the container is updated.

I would use this feature for sure if it's added.

 

Would you be willing to test that branch? It is currently untested. I can provide instructions, let me know


Firstly, thanks CHBMB and aptalca for helping me get Let's Encrypt working. It is now working great with sonar. I have followed this guide

https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

However, I am unable to get Nextcloud to work with Let's Encrypt. When I put these settings in and try nextcloud.mywebsite.com I get

502 Bad Gateway

EDIT. Oh fricking yes.... boom....... WORKING

I posted configs here, had another cuppa (I've had several) and read through the config file and saw I didn't change my Unraid IP in the Nextcloud file under location/proxy_pass...

That guide above works.... Is it simple? Yes......... Will it work if you don't put the correct paths? NO.......

Edited by Greygoose
4 hours ago, daniel329 said:

I'm not sure how unRaid would be using port 81 or 444. I did, however, notice that my port 443 goes to port 444 for NextCloud - but it was that way before so I'm not sure why it would stop working now? :(

 

When I said Unraid it also included other Dockers. Your problem is that you use port 444 for both Nextcloud and letsencrypt. You need to change one of them, and do not use port 445 as it's used for behind-the-scenes stuff.


Hey Guys,

I upgraded to 6.4.0, and now my letsencrypt is broken as well, which results in my Nextcloud installation being unreachable. This was a working setup on 443 before the update. Then after the update, letsencrypt wouldn't start with an execution error. I then tried the following:

1) I changed the port of the Unraid GUI to 447. All the Dockers came up and I could reach Nextcloud but not the Unraid GUI, so I SSH'ed in and changed it back.

2) Changed the network to give letsencrypt its own IP, and updated the NAT to that IP in pfSense. The Docker would come up, but with the same errors shown below.

3) That's when I changed it back to the same IP as the server with port 447 (updated pfSense too). And I still get the same error in the log...

I looked through the last 5-6 pages, and tried some of the stuff noted, and I just can't get it to work again. I would like to get it up and running again and use the SSL certs for the Unraid web GUI too. Please advise?!!

Where I am currently:

Changed letsencrypt to port 447 (HTTPS), and left it at port 81 (HTTP, my ISP blocks port 80). I use pfSense for routing, and updated the NAT from 443 to 447. And I still can't get this to install my certs and work. Please see my configs and logs, to see if you can help.

[screenshot]

[screenshot: Automatic Firewall Rules created from NAT]

[screenshot: Unraid Docker tab]

[screenshot: Docker GUI Config]

Letsencrypt Log:

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d nextcloud.XXXXXXX.XXXXXXXX.com
E-mail address entered: XXXXXXXXX@gmail.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Letsencrypt Config:

server {  
    listen 443 ssl;
    server_name nextcloud.XXXXX.XXXXXXXX.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.2.71:444/;
        proxy_max_temp_file_size 16000m;
        include /config/nginx/proxy.conf;
    }
}
 

 

Nextcloud Config:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXX',
  'trusted_domains' => 
  array (
    0 => '192.168.2.71:444',
    1 => 'nextcloud.XXXXXXXXX.XXXXXXXXX.com',
  ),
  'overwrite.cli.url' => 'https://nextcloud.XXXXXXXX.XXXXXXX.com',
  'overwritehost' => 'nextcloud.XXXXX.XXXXXXXXXX.com',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '12.0.4.3',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.2.71:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXXXXXXX',
  'dbpassword' => 'XXXXXXXXXXX',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpsecure' => 'ssl',
  'mail_from_address' => 'XXXXXXXX',
  'mail_domain' => 'gmail.com',
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'XXXXXXXX@gmail.com',
  'mail_smtppassword' => 'XXXXXXX',
  'loglevel' => 0,
  'updater.release.channel' => 'stable',
  'maintenance' => false,
  'theme' => '',
);

 

Thanks in advance!

Edited by 400killer

This helped me too.  I changed my server port away from 80 a while ago so I just had to change the setting to true.  So happy to have it working again.  Many thanks!

 

 

On 1/17/2018 at 5:09 PM, spamalot@aon.at said:

Exact same problem here too, after updating the letsencrypt container.

The solution is posted a couple of posts below.

tl;dr = letsencrypt changed something (auth method over port 443 disabled)

1. You have to make sure now that TCP port 80 is forwarded on your router (internet gateway) to your Unraid server (be aware that Unraid uses TCP 80 by default for its web interface, so map TCP port 80 externally to something else internally, like TCP 81).

2. Edit/update the container settings > edit letsencrypt in the Unraid Docker tab and set the HTTP port to 81 or whatever you used for your port mapping on your router.

3. Also change the variable HTTPVAL from false to true; it's found in "show more settings":

HTTPVAL: true
Flag to switch validation method to HTTP (over port 80) if set to 'true'

 

7 hours ago, 400killer said:

Hey Guys,

I upgraded to 6.4.0, and now my letsencrypt is broke as well.Which results in my nextcloud installation being unreachable. This was a working setup on 443 before the update. Then after the update, letsencrypt wouldn't start with an execution error. I then tried the following:

Read the last few pages again because you set the HTTPVAL to false

1 hour ago, aptalca said:

 

Read the last few pages again because you set the HTTPVAL to false

 

Yes, I have it set that way, as my ISP blocks port 80, so I can't get the cert verified that way. That's why it was false, and it was set that way before the update. I changed it to true, and you can see from the log below it was not able to verify the cert. Additionally I looked at the Dynamic DNS server in pfSense, and it shows my DNS does have the correct IP.

 

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d nextcloud.XXXXXX.XXXXXXXX.com
E-mail address entered: XXXXXXXXXXX@gmail.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for XXXXXX.XXXXXXXX.com
http-01 challenge for nextcloud.XXXXXXX.XXXXXXXXX.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure.XXXXXXXX.XXXXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXXXXX.XXXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs: Timeout, nextcloud.XXXXXXXXXXX.XXXXXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nextcloud.XXXXXXX.XXXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: XXXXX.XXXXXXX.com
Type: connection
Detail: Fetching
http://XXXXXXX.XXXXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs:
Timeout

Domain: nextcloud.XXXXXXXX.XXXXXXXX.com
Type: connection
Detail: Fetching
http://nextcloud.XXXXXXXX.XXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
Failed authorization procedure. XXXXXX.XXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXXXXX.XXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs: Timeout, nextcloud.XXXXXX.XXXXXXXX.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nextcloud.XXXXXX.XXXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: XXXXXX.XXXXXXXX.com
Type: connection
Detail: Fetching
http://XXXXXX.XXXXXXXX.com/.well-known/acme-challenge/hIsYRpVfEauZNG_Kjmb93l56jOekjFA6yvhFAgfOlcs:
Timeout

Domain: nextcloud.XXXXX.XXXXXXXX.com
Type: connection
Detail: Fetching
http://nextcloud.XXXXXXXX.XXXXXXXXXXX.com/.well-known/acme-challenge/bfNzXaIHEnIYLcrFMtlg7Ab0U6GeHILYE8cfwdauEC4:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

On 2018-01-19 at 9:15 AM, aptalca said:

 

Would you be willing to test that branch? It is currently untested. I can provide instructions, let me know

I would be willing to test it as the current container doesn’t work for me. I can’t find an answer to the question of does my ISP block port 80. 


So I finally got around to updating this container. I've been following this thread and expected the container to throw errors and not start until I added the HTTPVAL variable. But it didn't; it started fine with no errors. But maybe this is because my cert is not yet due for renewal? It says so in the log anyway. Or am I missing something here?

 

-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d subdomain.domain.com
E-mail address entered: my@email.com
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Sun Jan 21 04:48:45 CET 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/subdomain.domain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/subdomain.domain.com/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 
