mrangryoven Posted January 14, 2018

My Letsencrypt docker isn't working after the new OS update. I have removed it and re-added it and got it to start up but it won't generate the certificate. All my settings are the same as previous; however, I've had to set port 80 to 81 and 443 to 444, as Unraid now uses Nginx, so I assume these have been taken already as it wasn't mapping them natively. Any help is appreciated, I need this docker working ASAP! Thanks,

bonienl Posted January 14, 2018

Instead of port translations you can change the network type of the letsencrypt container to br0 and assign a different IP address to the container. This allows the container to keep using the original ports 80 and 443.

Codeh Posted January 14, 2018

Make sure you redo your port forwarding after changing the mapping.

mrangryoven Posted January 14, 2018

7 minutes ago, Codeh said:
> Make sure you redo your port forwarding after changing the mapping.

Have done that already. Still not working sadly.

Codeh Posted January 14, 2018

Just now, mrangryoven said:
> Have done that already. Still not working sadly.

What does the docker log say?

mrangryoven Posted January 14, 2018

14 minutes ago, Codeh said:
> What does the docker log say?

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

This is the error that I'm getting, it says cert does not exist? It hasn't tried to create it yet.

CHBMB Posted January 14, 2018

11 minutes ago, mrangryoven said:
> Obtaining a new certificate
> Performing the following challenges:
> Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
> Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
> ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
>
> This is the error that I'm getting, it says cert does not exist? It hasn't tried to create it yet.

There's a support thread for the LetsEncrypt container and lots of information in the last couple of days as to why it's not working. See the last post I made in the last 5 minutes.

realies Posted January 24, 2018

On 1/14/2018 at 4:54 PM, CHBMB said:
> There's a support thread for the LetsEncrypt container and lots of information in the last couple of days as to why it's not working. See the last post I made in the last 5 minutes.

Leaving a link would have saved us time @CHBMB.

CHBMB Posted January 24, 2018

> Leaving a link would have saved us time @CHBMB.

If people read a support thread it would save me even more, seriously look back through the letsencrypt thread and count how many times over the last couple of weeks I've posted the same link.

It's not always practical for me to post the link as I may be on mobile or shock/horror have something else going on.

Would it have been better to post nothing at all and just leave you all to figure it out / not figure it out for yourselves? Because that would be easier for me to be honest.

realies Posted January 24, 2018

Having to post the same thing over and over again sounds inefficient. It gets easily lost in the support thread. Maybe information like this should be included in the first post of the support thread.

CHBMB Posted January 24, 2018 (edited January 24, 2018)

1 hour ago, realies said:
> Having to post the same thing over and over again sounds inefficient. It gets easily lost in the support thread. Maybe information like this should be included in the first post of the support thread.

Yeah, funny thing is, we update all our documentation on github, there's a link to it on that opening post of the support thread. Guess what, people don't read it. Just like how people don't post in the support thread in the first place. You want to do better? Step up.... Whole reason I kept posting the same link over and over is because a lot of people can't be arsed to read the last couple of pages to check if their issue has been covered.

vortexrap Posted January 29, 2018

Here is the resolution since Google brought me first to this page instead of any let's encrypt support pages and the official support thread did not link to any support thread or post any resolutions:

https://www.linuxserver.io/2018/01/11/psa-changes-to-our-lets-encrypt-container/

> Following a very recent announcement by the Let's Encrypt team regarding a vulnerability that has surfaced relating to the use of the TLS-SNI-01 challenge when validating certificates, we have had to make an emergency change to our image. In short, they have disabled that method of verification until they can properly mitigate the issue. This means that our Let's Encrypt container will not work as we only make use of the TLS-SNI method of certificate validation.
>
> With this in mind, we have made the decision to (hopefully) lessen the impact of this issue to our users by making a change to our image which allows certificate validation via HTTP (port 80). We're just awaiting final peer review before we push these changes through our pipeline, so in the mean time, we stress that our users try their best not to restart their Let's Encrypt container until we have pushed this change up. We will update you once the new image is available, and what you need to do to enable HTTP validation.
>
> Update: The changes to our image have now been merged. In order to get certificate validation working, you'll need to add the following environment variable to your docker create/run command:
>
> -e HTTPVAL=true

In the unraid GUI, select 'Edit' in the Lets Encrypt container, and expand 'Advanced Settings' change HTTPVAL variable from 'false' to 'true'

CHBMB Posted January 29, 2018

2 minutes ago, vortexrap said:
> In the unraid GUI, select 'Edit' in the Lets Encrypt container, and expand 'Advanced Settings' change HTTPVAL variable from 'false' to 'true'

It's not always that simple, but in essence yes. And there is plenty of discussion about all this in the actual support thread, the situation is complicated by concurrent use of ports for the Unraid gui, some people have port 80 blocked by their ISP and in general a poor understanding of port forwarding and docker port allocation.

LordShad0w Posted June 1, 2018

Just to update and add, I had a similar issue after the 6.5.1 update. All I had to do was re-map the port bindings so that there was no conflict. (In this case the contested port was 443 which is also used by nginx, even though it was not an issue before.) Rebuilt the image and now all is well.

TL:DR Check your port mappings and bindings before complaining about stuff not working. Also, support threads FTW.

jang430 Posted July 14, 2018 (edited July 14, 2018)

@vortexrap, @LordShad0w, I'm seeing the following:

But still getting

Failed authorization procedure. jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: jxxxx1.duckdns.org
Type: connection
Detail: Fetching http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

JonathanM Posted July 14, 2018

4 hours ago, jang430 said:
> @vortexrap, @LordShad0w, I'm seeing the following:
>
> But still getting
>
> Failed authorization procedure. jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused
> IMPORTANT NOTES:
> - The following errors were reported by the server:
> Domain: jxxxx1.duckdns.org
> Type: connection
> Detail: Fetching http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused
> ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

You don't own or control duckdns.org, only jXXXX1.duckdns.org. Read the descriptions of the docker fields carefully.

jang430 Posted July 14, 2018

@jonathanm, ok. Changed settings to the following:

Same error persists. I tried to go to www.jxxxx1.duckdns.org, still the same error.

Cleaning up challenges
Failed authorization procedure. www.jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.jxxxx1.duckdns.org/.well-known/acme-challenge/ib2mhAZlmQIeMYjkM3Bg6gX0uIhwzoGfoFVcbRzpri8: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.jxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://www.jxxxx1.duckdns.org/.well-known/acme-challenge/ib2mhAZlmQIeMYjkM3Bg6gX0uIhwzoGfoFVcbRzpri8:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

jang430 Posted July 15, 2018

Hi! Any more suggestions on how to fix this? Thanks!

saarg Posted July 15, 2018

How is your port forwarding?

jang430 Posted July 15, 2018

@saarg, port forwarding is ok. Tested already.

saarg Posted July 15, 2018 (edited July 15, 2018)

It can't connect on port 80, so it seems that the issue is port forwarding. How did you test it? Or the dns is not pointing to the correct IP.

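Added example, not part of any post in this thread and not code from the linuxserver.io image: a small Python triage of the two failures quoted above, the "does not support any combination of challenges" message and the http-01 "Connection refused" error. The log is constructed (host.example.org and TOKEN are placeholders) and `triage` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Constructed log, modelled on the two failures quoted in this thread
# (host.example.org and TOKEN are placeholders, not values from the page).
SAMPLE_LOG = """\
Obtaining a new certificate
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Failed authorization procedure. host.example.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://host.example.org/.well-known/acme-challenge/TOKEN: Connection refused
ERROR: Cert does not exist! Please see the validation error above.
"""

NO_CHALLENGE = "does not support any combination of challenges"
ACME_FAILURE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: .*"
    r"Fetching (?P<url>\S+): (?P<reason>.+)$"
)

def triage(log_text):
    """Return one finding per distinct validation failure in the log."""
    findings = []
    for line in log_text.splitlines():
        if NO_CHALLENGE in line:
            # Fix taken from the PSA quoted in this thread.
            item = {"kind": "no-usable-challenge",
                    "check": "TLS-SNI validation is disabled at the CA; "
                             "set HTTPVAL=true to validate over HTTP"}
        elif (m := ACME_FAILURE.search(line)):
            url = urlsplit(m["url"])
            port = url.port or (443 if url.scheme == "https" else 80)
            item = {"kind": m["error"], "domain": m["domain"],
                    "challenge": m["challenge"], "port": port,
                    "reason": m["reason"],
                    "check": f"DNS for {m['domain']} and the forward of "
                             f"external port {port} to the container"}
        else:
            continue
        if item not in findings:  # the client repeats some lines
            findings.append(item)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The port comes from the URL the CA tried to fetch, so for http-01 it is the external port 80, whatever host port the container is mapped to.
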
jang430 Posted July 15, 2018

I turned off the LE docker container, and started an nginx docker container, mapping exactly on the same ports as LE. Without changing any port forwarding in the router (already pre-adjusted), I can see that it's forwarded to the nginx page.

saarg Posted July 15, 2018

Looks correct if your IP is correct. Can you try to remove the two http and https port mappings that are empty in the bottom of your template? That might be the issue.

jang430 Posted July 15, 2018

Didn't notice it popped up again. I did try deleting it earlier, and still not working.

jang430 Posted July 16, 2018

Finally got it working. All I did was delete the whole docker container, then recreated it with exactly the same values. I reached the following page:

Welcome to our server
The website is currently being setup under this address.
For help and support, please contact: [email protected]

I get to access the page above by typing https://jxxxx1.duckdns.org. By typing http://jxxxx1.duckdns.org, I don't reach that page. Why is this the case?