[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

Oh my word it's 2AM and I'm SO close to getting this working. My other services like sonarr and such are working fine through my duckdns.org domain but NextCloud is throwing a bad gateway error through the domain and when I load the WebUI from UnRaid it just takes me back to the home page of the unraid screen. I have no idea what I'm doing wrong at this point and I would just pay someone to remote in and fix it for me if anyone is interested. Logs are clean.

Screen Shot 2018-01-21 at 2.08.05 AM.png

Screen Shot 2018-01-21 at 2.08.59 AM.png

Edited by daniel329
Link to comment
8 hours ago, strike said:

So I finally got around to updating this container. I've been following this thread and expected the container to throw errors and not start until I added the HTTPVAL variable. But it didn't, it started fine with no errors. But maybe this is because my cert is not yet due for renewal? It says so in the log anyway. Or am I missing something here?

 


-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d subdomain.domain.com
E-mail address entered: my@email.com
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Sun Jan 21 04:48:45 CET 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/subdomain.domain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/subdomain.domain.com/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

 

You're good until your cert is about to expire, or until you make changes to the subdomains, whichever comes first

Link to comment
5 hours ago, daniel329 said:

Oh my word it's 2AM and I'm SO close to getting this working. My other services like sonarr and such are working fine through my duckdns.org domain but NextCloud is throwing a bad gateway error through the domain and when I load the WebUI from UnRaid it just takes me back to the home page of the unraid screen. I have no idea what I'm doing wrong at this point and I would just pay someone to remote in and fix it for me if anyone is interested. Logs are clean.

Screen Shot 2018-01-21 at 2.08.05 AM.png

Screen Shot 2018-01-21 at 2.08.59 AM.png

 

It seems you changed the container port of nextcloud to 444, that should be 443

 

Can you access it directly? I bet not

Link to comment
11 minutes ago, Arndroid said:

If I'd request Composer to be added to this Docker, would that be out of line? :P

 

Since, if I would install it myself onto this Docker via Bash, it would be gone if I install a update of this Docker, right?

 

Yes, but you could get around this by mapping a script into the container.

An example of this would be here...

Edited by CHBMB
Link to comment

There doesn't seem to be an event for "after updating Docker X", only cron jobs or Array events, but I can run it manually.

 

But that might possibly kinda work, yea.

Let the script bash into the docker, and execute a install composer command again.

 

My familiarity with Composer is quite minimal still. I am not sure if it needs to retain some data (which would be lost) in order to keep working with some composer projects. ((Like globally) installed dependencies etc.) 

Link to comment
1 minute ago, Arndroid said:

There doesn't seem to be an event for "after updating Docker X", only cron jobs or Array events, but I can run it manually.

 

But that might possibly kinda work, yea.

Let the script bash into the docker, and execute a install composer command again.

 

My familiarity with Composer is quite minimal still. I am not sure if it needs to retain some data (which would be lost) in order to keep working with some composer projects. ((Like globally) installed dependencies etc.) 

 

Just make sure the script you use has all the dependencies you require.  Key after that will be making sure any user config data is kep in /config somewhere.  You can map files as well as directories, so it should be possible, but, like you I have no experience with composer.

 

Also I edited my first post with a different method that I originally suggested.

Edited by CHBMB
Link to comment
1 hour ago, CHBMB said:

 

Yes, but you could get around this by mapping a script into the container.

An example of this would be here...

Thanks!

 

So I should put something like:

-v /tmp/user.scripts/dockerScripts/Add Composer To Docker/script:/etc/cont-init.d/40-composer

Under "Post Arguments:" in the Letsencrypt Docker Template, right?

 

And than in the Bash script file to which I point it, just do something like:

#!/bin/sh
cd /tmp
php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
composer --version #echo composer version to log to verify installation

 

Link to comment
38 minutes ago, Arndroid said:

Thanks!

 

So I should put something like:


-v /tmp/user.scripts/dockerScripts/Add Composer To Docker/script:/etc/cont-init.d/40-composer

Under "Post Arguments:" in the Letsencrypt Docker Template, right?

 

And than in the Bash script file to which I point it, just do something like:


#!/bin/sh
cd /tmp
php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
composer --version #echo composer version to log to verify installation

 

 

God only knows what you actually need in the script, but -v means it can be mounted in the volume bit of your template, like this.....

 

0h4yP6R.png

 

Just make sure you've chmod +x and it has the right perms.

Edited by CHBMB
  • Like 1
Link to comment

Ok,  for the life of me,  following as many different guides as I could so far,  I still can not get this to work.

 

I own a domain name and have my.domain.com set to forward to my IP.    I have setup LE and keep getting this error:

 

Failed authorization procedure. my.xxxxxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.xxxxxx.com/.well-known/acme-challenge/1Eq0-WkG_ENPwv59yFCqtUfWQ2CqYo8F0-Bm4hXTheY: "<?xml version="1.0" encoding="iso-8859-1"?>
 
What causes this error?
Link to comment
4 minutes ago, fmp4m said:

Ok,  for the life of me,  following as many different guides as I could so far,  I still can not get this to work.

 

I own a domain name and have my.domain.com set to forward to my IP.    I have setup LE and keep getting this error:

 

Failed authorization procedure. my.xxxxxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.xxxxxx.com/.well-known/acme-challenge/1Eq0-WkG_ENPwv59yFCqtUfWQ2CqYo8F0-Bm4hXTheY: "<?xml version="1.0" encoding="iso-8859-1"?>
 
What causes this error?

 

 

Link to comment

Run Command:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/Chicago" -e HOST_OS="unRAID" -e "EMAIL"="letsencrypt@fmp4m.com" -e "URL"=xxxxxx.com" -e "SUBDOMAINS"="my," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 7443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

Firewall fwding:

 

lan-interface eth1
 rule 1 {
     description encrypt
     forward-to {
         address 192.168.1.175
         port 81
     }
     original-port 80
     protocol tcp_udp
 }
 rule 2 {
     description encrypt2
     forward-to {
         address 192.168.1.175
         port 7443
     }
     original-port 443
     protocol tcp_udp
 }

 

 

Error:

 

Failed authorization procedure. my.xxxxxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.xxxxxx.com/.well-known/acme-challenge/1Eq0-WkG_ENPwv59yFCqtUfWQ2CqYo8F0-Bm4hXTheY: "<?xml version="1.0" encoding="iso-8859-1"?>

Link to comment
7 minutes ago, fmp4m said:

Run Command:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/Chicago" -e HOST_OS="unRAID" -e "EMAIL"="letsencrypt@fmp4m.com" -e "URL"=xxxxxx.com" -e "SUBDOMAINS"="my," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 7443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

Firewall fwding:

 

lan-interface eth1
 rule 1 {
     description encrypt
     forward-to {
         address 192.168.1.175
         port 81
     }
     original-port 80
     protocol tcp_udp
 }
 rule 2 {
     description encrypt2
     forward-to {
         address 192.168.1.175
         port 7443
     }
     original-port 443
     protocol tcp_udp
 }

 

 

Error:

 

Failed authorization procedure. my.xxxxxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.xxxxxx.com/.well-known/acme-challenge/1Eq0-WkG_ENPwv59yFCqtUfWQ2CqYo8F0-Bm4hXTheY: "<?xml version="1.0" encoding="iso-8859-1"?>

 

You sure you got the correct WAN ip address allocated to your domain or dynamic DNS.

 

Link to comment

Yes,   I have forwarded from my subdomain.domain.com to my WAN ip.    I use this same setup different.domain.com with no issues.   If I went to http://sub.domain.com:anyport it will still resolve and is pingable.  Tracert shows it going to my machine.

 

 

Full Log (took a min to clean):

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d my.xxxxxxx.com
E-mail address entered: letsencrypt@xxxxxxx.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.xxxxxxx.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.xxxxxxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.xxxxxxx.com/.well-known/acme-challenge/dgTrPK7WHHxA87urYp9N1s12CdEYXcPhbZgOOsWEOag: "<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www."
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: my.xxxxxxx.com
Type: unauthorized
Detail: Invalid response from
http://my.xxxxxxx.com/.well-known/acme-challenge/dgTrPK7WHHxA87urYp9N1s12CdEYXcPhbZgOOsWEOag:
"<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www."

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Helpful or Useless info:

 

Going to http://127.0.0.1:81/ does not open any page... nor https://127.0.0.1:7443/

Edited by fmp4m
Link to comment
6 hours ago, fmp4m said:

Yes,   I have forwarded from my subdomain.domain.com to my WAN ip.    I use this same setup different.domain.com with no issues.   If I went to http://sub.domain.com:anyport it will still resolve and is pingable.  Tracert shows it going to my machine.

 

 

Full Log (took a min to clean):

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d my.xxxxxxx.com
E-mail address entered: letsencrypt@xxxxxxx.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.xxxxxxx.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.xxxxxxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.xxxxxxx.com/.well-known/acme-challenge/dgTrPK7WHHxA87urYp9N1s12CdEYXcPhbZgOOsWEOag: "<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www."
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: my.xxxxxxx.com
Type: unauthorized
Detail: Invalid response from
http://my.xxxxxxx.com/.well-known/acme-challenge/dgTrPK7WHHxA87urYp9N1s12CdEYXcPhbZgOOsWEOag:
"<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www."

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Helpful or Useless info:

 

Going to http://127.0.0.1:81/ does not open any page... nor https://127.0.0.1:7443/

 

Invalid response could mean letsencrypt is reaching a different web server through port 80. Is your router interface available on port 80 from the wan? 

 

Try going to your ip at port 80 from the outside and see what you get

Link to comment
46 minutes ago, aptalca said:

 

Invalid response could mean letsencrypt is reaching a different web server through port 80. Is your router interface available on port 80 from the wan? 

 

Try going to your ip at port 80 from the outside and see what you get

 This is exactly the same error I am currently getting. I have made the swap to verify over port 80 but the issue is that my ISP blocks inbound 80 traffic for some reason. Is there another way to verify this so I can get external access back up and running?

Link to comment
On 19/01/2018 at 9:15 AM, aptalca said:

 

Would you be willing to test that branch? It is currently untested. I can provide instructions, let me know

 

Yup, just tell me how. 

 

However, If you want me to try the dns branch on github, I almost certain it won't work, since you cannot use the parameters --non-interactive and --manual together with certbot. I suggest you to use thoses three parameters instead of --non-interactive : --agree-tos --manual-public-ip-logging-ok --no-eff-email. Also the parameter --preferred-challenges=http should be --preferred-challenges=dns instead.

 

Github: 50-config

[line 147] certbot certonly --non-interactive --renew-by-default --manual --preferred-challenges=http --manual-auth-hook /config/authenticator.sh --manual-cleanup-hook /config/cleanup.sh --rsa-key-size 4096 $EMAILPARAM --agree-tos $URLS

 

Link to comment
1 hour ago, IndianaJoe1216 said:

 This is exactly the same error I am currently getting. I have made the swap to verify over port 80 but the issue is that my ISP blocks inbound 80 traffic for some reason. Is there another way to verify this so I can get external access back up and running?

 

If your provider block the port 80, the only other way at the moment is the dns challenge, I suggest you to read the forum from this post. However, it require you to use a dns provider with an API, such as cloudflare, and 2 scripts specific to your dns provider.

 

 

 

 

 

Link to comment

I'm still getting timeouts when it's trying to validate. It's so close, and I've absolutely verified that port 80 externally shows the ACME challenge server from my phone's LTE connection. Of course, that only runs for a few moments, but I definitely see it. No idea why it might be timing out though.


domain is mydomain.duckdns.org, subdomains are a few domains I want (plex, etc). results are:

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: davos.mysubdomain.duckdns.org
Type: connection
Detail: Fetching
http://davos.mysubdomain.duckdns.org/.well-known/acme-challenge/6yEcc_agXaATurFQkpnroYJ92ttRYm8CFH917c3SFOA:
Timeout

Domain: mysubdomain.duckdns.org
Type: connection
Detail: Fetching
http://mysubdomain.duckdns.org/.well-known/acme-challenge/yrV6mb_tNYzND85MFhRIlyos_rQDJHJgDjoddQxAlL8:
Timeout

Domain: sonarr.mysubdomain.duckdns.org
Type: connection
Detail: Fetching
http://sonarr.mysubdomain.duckdns.org/.well-known/acme-challenge/uOwuhYS-vgDTDTBK-77wfo3SzaDxZe-i1tOgd0wW_P4:
Timeout

Domain: radarr.mysubdomain.duckdns.org
Type: connection
Detail: Fetching
http://radarr.mysubdomain.duckdns.org/.well-known/acme-challenge/GNBwPGr0Olj5UYcxJjsCI9xZj1gVTPeDRloYiq70elg:
Timeout

Domain: plex.mysubdomain.duckdns.org
Type: connection
Detail: Fetching
http://plex.mysubdomain.duckdns.org/.well-known/acme-challenge/zl35PWM5PciqgMhMJHbAzPityt2nifmpe-q2nGnv7WE:
Timeout


Verified that port 80 is not blocked by forwarding 80:80 on my router temporarily, and yep, there was my unraid config. What's going on here? Like I said, I've confirmed the server itself is accessible on port 80 from an external connection, so the only thing I can think of is the paths are borked -- how would I go about validating that things are where they're supposed to be?

Edited by drumstyx
Link to comment
6 hours ago, fmp4m said:

upnp was forcing a separate port 80 config

@fmp4m when you talk about upnp forcing a seperate config, how did you check / determine that? 

 

I've been using this LE container for months fine until the tls method was disabled.

 

I've been pulling the little hair I have left out trying to work out why HTTP val is failing for me.

 

I've tracked it down to, within the docker container for LE - when I look at the debug log, I see it throwing an error that it can't bind to the port that I have said to use for HTTP.

My next steps were to try and track down why the bind (for the LE webserver that is spun up for validation when --standalone is being used) is failing - I wonder if you are on to something.

 

(I've attached a screenshot of the error - I've had to fly out of town this morning so can't get to more log detail at this time, sorry.)

 

Based on having had this working previously (and "admin'ing" and unraid set up at a friends house where it is working fine there - I *haven't* upgraded their LE container just yet.....) I am very confident that I have my configs set up correctly. I must be doing something wrong/differently.

There is absolutely nothing listening on *any* port within the container itself (as you can also see from the screen shot below) - well you could if I hadn't snipped it in my rush to get out the door - but trust me, there was NOTHING returned from the command below.

 

 

 

5a65e81696339_ScreenShot2018-01-22at08_10_43.thumb.png.70f4ac9ce4cc2d0e0f6bde408c1fb62d.png

Link to comment
22 minutes ago, Ding Dong Del said:

@fmp4m when you talk about upnp forcing a seperate config, how did you check / determine that? 

 

I've been using this LE container for months fine until the tls method was disabled.

 

I've been pulling the little hair I have left out trying to work out why HTTP val is failing for me.

 

I've tracked it down to, within the docker container for LE - when I look at the debug log, I see it throwing an error that it can't bind to the port that I have said to use for HTTP.

My next steps were to try and track down why the bind (for the LE webserver that is spun up for validation when --standalone is being used) is failing - I wonder if you are on to something.

 

(I've attached a screenshot of the error - I've had to fly out of town this morning so can't get to more log detail at this time, sorry.)

 

Based on having had this working previously (and "admin'ing" and unraid set up at a friends house where it is working fine there - I *haven't* upgraded their LE container just yet.....) I am very confident that I have my configs set up correctly. I must be doing something wrong/differently.

There is absolutely nothing listening on *any* port within the container itself (as you can also see from the screen shot below) - well you could if I hadn't snipped it in my rush to get out the door - but trust me, there was NOTHING returned from the command below.

 

 

 

5a65e81696339_ScreenShot2018-01-22at08_10_43.thumb.png.70f4ac9ce4cc2d0e0f6bde408c1fb62d.png

 

Check if there's anything listening on the host

Link to comment
10 hours ago, matthope said:

 

Yup, just tell me how. 

 

However, If you want me to try the dns branch on github, I almost certain it won't work, since you cannot use the parameters --non-interactive and --manual together with certbot. I suggest you to use thoses three parameters instead of --non-interactive : --agree-tos --manual-public-ip-logging-ok --no-eff-email. Also the parameter --preferred-challenges=http should be --preferred-challenges=dns instead.

 

Github: 50-config


[line 147] certbot certonly --non-interactive --renew-by-default --manual --preferred-challenges=http --manual-auth-hook /config/authenticator.sh --manual-cleanup-hook /config/cleanup.sh --rsa-key-size 4096 $EMAILPARAM --agree-tos $URLS

 

 

Thanks for the heads up. Http/dns was a typo. 

 

With regards to the options, the certbot options make no sense because automation is always an afterthought for them. And their documentation is sub par. 

 

I added the noeffemail one (must be new, first I'm seeing it) as well as the ip logging one. But nowhere does it say you can't use non interactive with manual. Oh well. I removed it anyway. 

 

In order to test, you can clone the github repo, enter the folder, and do "git checkout dns" and then build a docker image locally with "docker build -t lednstest ." (don't forget the period at the end) it will build a local image with the name "lednstest" 

 

Then you can create a new container with the same options, but instead of using "linuxserver/letsencrypt" at the end, use "lednstest" (or in the unraid gui, change the image repo in advanced settings) Make sure you set the variable DNSVAL to true, and have your authenticator.sh and cleanup.sh scripts in the config folder. Let me know if that's clear

Edited by aptalca
Link to comment

Hey,

today I tried to switch my letsencrypt container from Bridge network mode to the new mode in unraid 6.4.0 where I can chose a dedicated IP for the container.

So far so good.

I've chosen a new ip 192.168.1.20 and changed the mapping of the ports 80 and 443 on my router to that new IP.

From then on I wasn't able to reach my domains from WAN anymore. 

trying to access them from LAN is giving me that error:

Quote

2018/01/22 18:18:14 [error] 351#351: *112 connect() failed (113: Host is unreachable) while connecting to upstream, client: 192.168.1.1, server: beast.joschamiddendorf.de, request: "GET / HTTP/2.0", upstream: "http://192.168.1.5:80/", host: "subdomain.domain.de"
2018/01/22 18:18:14 [error] 351#351: *112 connect() failed (113: Host is unreachable) while connecting to upstream, client: 192.168.1.1, server: subdomain.domain.de, request: "GET /plugins/ipmi/include/ipmi_temp.php?unit=C&dot=. HTTP/2.0", upstream: "http://192.168.1.5:80/plugins/ipmi/include/ipmi_temp.php?unit=C&dot=.", host: "subdomain.domain.de", referrer: "https://subdomain.domain.de/Main"

Furthermore I'm not able to ping any ip dresses on my local network from inside of the container. 

I already disabled every firewall rule on my Router.

 

Does anyone has an idea?

 

 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.