The Complete UnRAID reverse proxy, Duck DNS (dynamic dns) and letsencrypt guide



On 1/26/2018 at 2:02 AM, unRaide said:

Hi @Fma965!

 

I’m looking to take a stab at setting this up based on your guide and I’m wondering if anything’s changed with the latest 6.4 release?

  1. Do we still need to install the LE docker?
  2. Should we use the Unraid UI to provision the SSL certificate?

Still trying to figure this all out :)

Any luck?  I am not able to get this working with 6.4 so far and I wonder if the new SSL capabilities and native nginx is fighting with it.

Link to post

Popular Posts

Hi, i recently asked on the unRAID reddit what people wanted guides for, this was the top answer. i want to add further info about the nginx config but for now this should get most people up and runni

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd <username>

add: auth_basic_user_file /config/nginx/.htpasswd; to the default file under each service I wanted to protect.

no you need to access it from your external IP or from your DNS not from the 192.168.1.104 address   so you need to forward port 80 on your router to 85 and then try it from your duck dns ad


Hi @Fma965,

 

Thank you very much for writing this guide.   

 

I have reached step 6 on the Nginx configuration page, and was curious what was meant by:

"You also need to set the settings for these services, the webdir, webroot or base directory need to be set to the relevant paths."

 

Best,

Rob

Link to post
15 hours ago, cablecutter said:

Hi @Fma965,

 

Thank you very much for writing this guide.   

 

I have reached step 6 on the Nginx configuration page, and was curious what was meant by:

"You also need to set the settings for these services, the webdir, webroot or base directory need to be set to the relevant paths."

 

Best,

Rob

 

You just need to make sure you have the "URL Base" set correctly, sometimes called a webroot or base URL in the settings for the application, e.g. in Sonarr it is URL Base.


Link to post
On 02/03/2018 at 8:48 PM, Timbiotic said:

Any luck?  I am not able to get this working with 6.4 so far and I wonder if the new SSL capabilities and native nginx is fighting with it.

I have tested this on 6.4 fine. Make sure you aren't using ports 80 or 443 and instead use something like ports 444 and 81, and then in your router forward external port 80/443 to 81/444 on your device IP.

Link to post
16 hours ago, Yak said:

Thanks for updating your guide, but I'm facing an issue with the port numbers. You suggest using port 444 but that is used by Nextcloud. Will any other port number do? 

It can be any port, so for example 5363 to 443 is fine, but you then need to pass port 443 on your router to 5363 as well.

Edited by Fma965
Link to post
  • 3 weeks later...

Well I've been round the houses with this one and it's doing my head in. DuckDNS is set up and I've verified the IP address is correct, ports are all forwarded correctly on the router but when I try to start letsencrypt I get the following:

 

Failed authorization procedure. mydomain.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.duckdns.org/.well-known/acme-challenge/E3ZN95mMHuiQsHBzilKsymto0f6ybp756Ov40EKvXkY: "<html>

 

I've searched the web for days and I'm getting nowhere

 

Any ideas?

Link to post
12 hours ago, Yak said:

Well I've been round the houses with this one and it's doing my head in. DuckDNS is set up and I've verified the IP address is correct, ports are all forwarded correctly on the router but when I try to start letsencrypt I get the following:

 

Failed authorization procedure. mydomain.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.duckdns.org/.well-known/acme-challenge/E3ZN95mMHuiQsHBzilKsymto0f6ybp756Ov40EKvXkY: "<html>

 

I've searched the web for days and I'm getting nowhere

 

Any ideas?

You either have your domain not working correctly on DuckDNS, or your router ports are not forwarded correctly, or your docker ports are not correct. To clarify, you need to forward ports 80 and 443 to the ports of your letsencrypt docker.

Link to post
  • 2 weeks later...
On 9/14/2017 at 5:08 PM, isvein said:

Has anyone tried this with the Minio docker and made it work?

I get it to work from a browser, but when I try to connect a backup client to the proxy address I get " cause="Signature does not match" source="[auth-handler.go:122:checkRequestAuthType()]" "

 

Edit: I found the answer here: https://docs.minio.io/docs/setup-nginx-proxy-with-minio

 

so I added this:

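server {
    listen 443 ssl default_server;
    server_name domain.name.;

    location / {
        # include /config/nginx/proxy.conf;
        # Pass the client's original Host header through unchanged: the
        # request signature covers Host, so a rewritten value fails the check.
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.0.2:50001;
    }
}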

 

 

I have not made it work with an /location

 

 ISvein,

Would you be willing to post a screenshot of your LetsEncrypt settings that makes it work with Minio?

Thanks,

Ari

Link to post
On 16/04/2018 at 10:05 AM, Fma965 said:

You either have your domain not working correctly on DuckDNS, or your router ports are not forwarded correctly, or your docker ports are not correct. To clarify, you need to forward ports 80 and 443 to the ports of your letsencrypt docker.

 

Yeah, had my port forwarding arse about face. All working now, thank you

Link to post
  • 2 months later...

Hi,

I've got all this setup and working great with my own domain - thanks Fma965!!  

 

One question I can't seem to find an answer to is simply: Is there a way to force https for all sites?  So, right now if I go to my site http://www.mydomain.com/sonarr - it works just fine.  Likewise, if I go to https://www.mydomain.com/sonarr - it also works.  I want the http to redirect to https for all of my /WhateverAppsAreInstalled - can someone point me in the right direction?  I tried changing my default conf file from:

location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.1.21:8989/sonarr;

}

 

to

 

location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass https://10.0.1.21:9898/sonarr;

}

 

 

But that didn't work! Any ideas?

 

Thanks everyone!!!!

Link to post
21 minutes ago, mbezzo said:

Hi,

I've got all this setup and working great with my own domain - thanks Fma965!!  

 

One question I can't seem to find an answer to is simply: Is there a way to force https for all sites?  So, right now if I go to my site http://www.mydomain.com/sonarr - it works just fine.  Likewise, if I go to https://www.mydomain.com/sonarr - it also works.  I want the http to redirect to https for all of my /WhateverAppsAreInstalled - can someone point me in the right direction?  I tried changing my default conf file from:

location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.1.21:8989/sonarr;

}

 

to

 

location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass https://10.0.1.21:9898/sonarr;

}

 

 

But that didn't work! Any ideas?

 

Thanks everyone!!!!

 

https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/default#L4

Link to post
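Added example, not part of the original posts and not a copy of the linked file: a port-80 server block that redirects every request to HTTPS, next to the existing /sonarr location. The backend address is the one from the question above; the HSTS line and the comments are assumptions of this example.

```nginx
# Plain-HTTP listener: it never proxies to an app, it only redirects.
server {
    listen 80 default_server;
    server_name _;
    # $host carries no port number, so the redirect targets standard 443.
    # The router must therefore forward external 443 to the container's
    # HTTPS port, whatever host port the container is mapped to.
    return 301 https://$host$request_uri;
}

# HTTPS listener: keep the certificate directives you already have here.
server {
    listen 443 ssl default_server;
    server_name _;

    # Optional: tell browsers to use HTTPS only from now on. Browsers cache
    # this, so add it only once HTTPS is confirmed working.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /sonarr {
        include /config/nginx/proxy.conf;
        # The scheme in proxy_pass only controls the hop from nginx to the
        # backend. Changing it to https does not redirect browsers, and it
        # fails if the backend does not speak TLS on that port.
        proxy_pass http://10.0.1.21:8989/sonarr;
    }
}
```

With the redirect block in place, no location ever answers over plain HTTP, so any basic-auth credentials on these paths are only sent over TLS.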
  • 2 weeks later...

Hi.  I can't get this to work.  Logs on letsencrypt says:

 

 

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d jxxxx1.duckdns.org
E-mail address entered: jang430@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jxxxxx1.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxxx1.duckdns.org/.well-known/acme-challenge/PwoD5ycQWe5M5Azj-oXI-x0v60wOQmwllxm-fXr4Iio: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: jxxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://jxxxxx1.duckdns.org/.well-known/acme-challenge/PwoD5ycQWe5M5Azj-oXI-x0v60wOQmwllxm-fXr4Iio:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 


 

Hope some of you can shed some light.

Link to post
12 minutes ago, jang430 said:

Hi.  I can't get this to work.  Logs on letsencrypt says:

 

 

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d jxxxx1.duckdns.org
E-mail address entered: jang430@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jxxxxx1.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxxx1.duckdns.org/.well-known/acme-challenge/PwoD5ycQWe5M5Azj-oXI-x0v60wOQmwllxm-fXr4Iio: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: jxxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://jxxxxx1.duckdns.org/.well-known/acme-challenge/PwoD5ycQWe5M5Azj-oXI-x0v60wOQmwllxm-fXr4Iio:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 


 

Hope some of you can shed some light.

 

Firstly thanks for adding so much info

 

You have your port forwards backward. It should be 443 to 444 and 80 to 81, not the other way around.

Link to post
11 minutes ago, jang430 said:

Hi.  Sorry for adding so much info.  BTW, inverted the order, still the same error.

Don't be sorry, it's good.

 

Then your dynamic DNS may not be up to date with your IP, or your Unraid isn't 192.168.1.104.

Link to post
7 minutes ago, jang430 said:

Anything I can do with it?  Any other confirmation I can do?  I'd really like to get this working.  Did I do everything right so far from posts above?  Maybe I made some slight mistake :D

Contact your ISP, everything else looks fine. Send me an updated screenshot of your router port forwarding just to be sure.

Link to post
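Added example, not from any poster in this thread: a small triage script for the two http-01 failures quoted above (`unauthorized` with an HTML body, and `connection` with a timeout). The function name `triage`, the hint texts and the sample log lines are constructed for this example; the hints are this example's reading of the advice given in the thread, not certbot output.

```python
import re

# Constructed sample lines modelled on the two failures quoted in this thread
# (hostname and tokens are placeholders).
SAMPLE_LOG = """\
Failed authorization procedure. example.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.duckdns.org/.well-known/acme-challenge/TOKEN1: "<html>
Failed authorization procedure. example.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://example.duckdns.org/.well-known/acme-challenge/TOKEN2: Timeout during connect (likely firewall problem)
"""

FAILURE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<kind>\w+) :: (?P<summary>.*?) :: (?P<detail>.*)"
)

# Assumption: these hints paraphrase the thread's troubleshooting advice.
HINTS = {
    "connection": "Nothing answered on external port 80: check that the DNS record "
                  "matches your public IP, that the router forwards 80 to the "
                  "container's host port, and that the ISP allows inbound 80.",
    "unauthorized": "Something answered on port 80 but did not serve the challenge "
                    "token: the forward probably lands on another web server, or "
                    "the 80 and 443 forwards are swapped.",
}

def triage(log_text):
    """Return one finding per ACME authorization failure found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        kind = m.group("kind")
        findings.append({
            "domain": m.group("domain"),
            "challenge": m.group("challenge"),
            "kind": kind,
            # True when the validator reached some HTTP server and got a reply.
            "got_http_reply": "Invalid response from" in m.group("detail"),
            "hint": HINTS.get(kind, "Unrecognised ACME error type; read the detail text."),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['domain']} [{f['challenge']}] {f['kind']}: {f['hint']}")
```

A reply from the wrong web server on port 80 also means that server is reachable from the internet, so it is worth checking which device the forward actually exposes.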
