colsw Posted June 1, 2019
Couldn't see a mention of it in the thread yet, is there any support for DNS authentication for letsencrypt certs?
WannabeMKII Posted June 2, 2019
I needed to carry out an AppData restore last night, but since then I'm seeing the following in the nginx logs:
[nginx] starting...
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/npm-22/fullchain.pem") failed (SSL: error:********:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
Any ideas what's caused this and how to resolve it, as I can't access remotely at the moment? Thanks.
WannabeMKII Posted June 2, 2019
I can't even delete and create new keys?
Djoss (author) Posted June 3, 2019
On 5/30/2019 at 11:40 AM, EmilionDK said: But is it possible to change the SSL protocols and cipher suite yourself? And use a letsencrypt 4096-bit key?
These settings are currently not configurable...
Djoss (author) Posted June 3, 2019
On 5/30/2019 at 2:16 PM, alturismo said: May I ask a question about a default www folder, e.g. to put something there for web downloads... For a tip, thanks ahead.
Under settings, you can configure the behaviour of the default site.
Djoss (author) Posted June 3, 2019
On 5/30/2019 at 3:21 PM, eds said: Any idea where I should start looking? I have an Asus RT-AC68W router running Merlin. What configuration should I have (note the same domain name is being used as dnns in the router)?
dnns? Do you mean dynamic DNS? Do you have anything special in your DNS settings?
Djoss (author) Posted June 3, 2019
On 6/1/2019 at 11:59 AM, colsw said: Couldn't see a mention of it in the thread yet, is there any support for DNS authentication for letsencrypt certs?
There is currently no support for DNS authentication.
eds Posted June 3, 2019
Just now, Djoss said: dnns? Do you mean dynamic DNS? Do you have anything special in your DNS settings?
Yes. Yes. No. But believe it or not, this problem appears to be resolved (for now). I made no changes to my router, but I did change around my NIC and by mistake I may have fixed this problem. So far so good. Will update if I have new issues (right now I am about to post to the forum for your CloudBerry docker).
Djoss (author) Posted June 3, 2019
On 5/30/2019 at 2:51 PM, BlueLight said: All my subdomains stopped working suddenly. I went through the whole container and could not find any settings that were off. Also checked my Cloudflare account: CDN is off and it is only running on DNS. I get this error when it starts, and it continually shows that error for the rest of the time the container is running:
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/npm-12/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/etc/letsencrypt/live/npm-12/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)
Any ideas on how to get this file? I don't even have a letsencrypt folder in my /etc/ dir.
/etc/letsencrypt in the container is mapped to /mnt/user/appdata/NginxProxyManager/letsencrypt/ in unRAID. Do you see certs there?
Djoss (author) Posted June 3, 2019
15 hours ago, WannabeMKII said: I needed to carry out an AppData restore last night, but since then I'm seeing the following in the nginx logs: [...] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/npm-22/fullchain.pem") failed (SSL: error:********:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE) [...]
Looks like the file is not a valid certificate chain. You can verify the file content at /mnt/user/appdata/NginxProxyManager/letsencrypt/live/npm-22/fullchain.pem
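The "no start line" error above means OpenSSL found no PEM "-----BEGIN ...-----" marker where it expected a certificate, which is typical of an empty, truncated or otherwise overwritten fullchain.pem after a restore. The script below is an added example for checking that file from the unRAID host; it is not part of the thread or of the nginx-proxy-manager container. It uses only the Python standard library, checks PEM framing and the outer DER structure of each block (enough to tell "no PEM at all", "not base64", "truncated" and "key only, no certificate" apart), and does not verify signatures or the chain order. The sample inputs are constructed stand-ins: a 5-byte DER SEQUENCE takes the place of a real certificate body.

```python
"""Explain why nginx rejects a fullchain.pem with
"PEM routines ... no start line: Expecting: TRUSTED CERTIFICATE".

Added example (standard library only); not code from the container."""
import base64
import binascii
import re
import sys
from typing import Dict, Optional

# One PEM block: BEGIN/END labels must match (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def der_declared_length(der: bytes) -> Optional[int]:
    """Total length a DER SEQUENCE (tag 0x30) claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                 # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: n following bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_fullchain(text: str) -> Dict[str, object]:
    """Report how many well-formed CERTIFICATE blocks a PEM file holds."""
    report: Dict[str, object] = {"certificates": 0, "other_blocks": [], "problems": []}
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        report["problems"].append(
            "no PEM block found; this is what nginx reports as 'no start line'")
    for label, body in blocks:
        if label != "CERTIFICATE":
            report["other_blocks"].append(label)
            continue
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except binascii.Error as exc:
            report["problems"].append(f"certificate block is not valid base64: {exc}")
            continue
        declared = der_declared_length(der)
        if declared is None:
            report["problems"].append("certificate block does not decode to a DER SEQUENCE")
        elif declared != len(der):
            report["problems"].append(
                f"certificate block is truncated: DER claims {declared} bytes, got {len(der)}")
        else:
            report["certificates"] += 1
    if blocks and report["certificates"] == 0 and not report["problems"]:
        report["problems"].append(
            "file contains no CERTIFICATE block (found: %s)" % ", ".join(report["other_blocks"]))
    report["ok"] = report["certificates"] >= 1 and not report["problems"]
    return report


# Constructed samples (not real certificates): a tiny DER SEQUENCE stands in
# for the ~1.5 KB body of a real certificate.
_TINY_SEQUENCE = base64.b64encode(bytes.fromhex("3003020101")).decode()
GOOD_SAMPLE = f"-----BEGIN CERTIFICATE-----\n{_TINY_SEQUENCE}\n-----END CERTIFICATE-----\n"
TRUNCATED_SAMPLE = ("-----BEGIN CERTIFICATE-----\n"
                    + base64.b64encode(bytes.fromhex("30050201")).decode()
                    + "\n-----END CERTIFICATE-----\n")
HTML_SAMPLE = "<html><body>502 Bad Gateway</body></html>\n"
KEY_ONLY_SAMPLE = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Usage: python3 check_fullchain.py /mnt/user/appdata/NginxProxyManager/letsencrypt/live/npm-22/fullchain.pem
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else GOOD_SAMPLE
    result = inspect_fullchain(text)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A healthy Let's Encrypt fullchain.pem reports two or more certificates (leaf plus intermediates) and no problems; anything else explains the nginx emerg line directly, and regenerating the certificate from the NPM UI (or restoring a known-good copy of the letsencrypt folder) is the fix.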
alturismo Posted June 3, 2019
4 hours ago, Djoss said: Under settings, you can configure the behaviour of the default site.
OK, so first it has to be an unknown host, if I read correctly; makes sense. I tried, and always ended up like this when adding /config/www in the setting, with the browser showing this when using http://ip/blabla (while blabla is located at /config/www). For a tip, thanks ahead.
WannabeMKII Posted June 3, 2019
7 hours ago, Djoss said: Looks like the file is not a valid certificate chain. You can verify the file content at /mnt/user/appdata/NginxProxyManager/letsencrypt/live/npm-22/fullchain.pem
Sorry, beginner question, but how do I verify it?
Ignore this - I started again from scratch and all is now working fine.
Edit: Issue resolved.
BlueLight Posted June 3, 2019
6 hours ago, Djoss said: /etc/letsencrypt in the container is mapped to /mnt/user/appdata/NginxProxyManager/letsencrypt/ in unRAID. Do you see certs there?
I saw some folders and files, and in them were some .pem files. Did not investigate further. I ended up solving my issue by completely uninstalling and reinstalling. I thought I had tried it without any luck, but I just tried again, and I can add certs now; the container is working again. Before figuring this out, I checked dynamic DNS, Cloudflare DNS CNAMEs, and my router settings, denying it was the container throwing the error. I'm glad it was as simple as uninstalling and reinstalling. Here's what I did:
- Delete container
- Delete appdata (I needed to do it through Krusader)
- Delete from "previous apps" in the Apps tab
- Reinstall
The first time around, I did everything except clear it from Previous Apps. I was thinking about copying files over from the old appdata folder, but this container is so easy to use, I'm just going to keep it clean and re-input all the certs and proxies again. Hope this helps someone!
Djoss (author) Posted June 3, 2019
4 hours ago, alturismo said: OK, so first it has to be an unknown host, if I read correctly; makes sense. I tried, and always ended up like this when adding /config/www [...]
The "Custom Page" option allows you to directly put the HTML content of the page to display. You cannot point to a folder.
alturismo Posted June 3, 2019
OK, thanks for the info; that means a simple download folder is not possible.
bertrandr Posted June 10, 2019
Hi All - sorry if this has been asked, I did search and did not see an answer... How can I reduce logging or enforce log rotation? After only a few weeks NginxProxyManager is generating and keeping a LOT of log files, especially in "appdata\NginxProxyManager\log\letsencrypt\". Thanks, BR
Djoss (author) Posted June 12, 2019
On 6/10/2019 at 12:52 PM, bertrandr said: How can I reduce logging or enforce log rotation? After only a few weeks NginxProxyManager is generating and keeping a LOT of log files, especially in "appdata\NginxProxyManager\log\letsencrypt\". [...]
There is no log rotation done currently. I agree it would be nice to do it. Could you create an issue for this at https://github.com/jlesage/docker-nginx-proxy-manager/issues ?
Adam64 Posted June 27, 2019
Love this docker so far! Having read this article: https://www.techrepublic.com/article/docker-containers-are-filled-with-vulnerabilities-heres-how-the-top-1000-fared/ I'm wondering about docker security. Any thoughts on that for this docker (as it's internet facing)? Thanks!
tmchow Posted June 30, 2019
I've been digging into this trying to get SSL to work for some of my soon-to-be externally accessible sites. I have a mixture of things I want exposed and how to expose them.
Some things I want to only expose over my ZeroTier network. Examples are Node-RED and NZBGet, since all the devices I access those things from (basically my laptop) can have the ZeroTier client installed and it works seamlessly. I really don't need SSL on these, but why not?
Other containers I want exposed over the regular internet (non-ZeroTier network) since I need them accessible from other internet devices (e.g. my MQTT broker, which needs to be accessible from internet-attached devices not on my LAN).
My ZeroTier addresses are in 10.241.0.0/16. When creating proxy hosts in Nginx Proxy Server, is this just a matter of adding those addresses as aliases? (e.g. 10.241.1.1 and 192.168.1.5 both for the same proxy host?) Or am I just totally confused? Would appreciate help in understanding the above.
tmchow Posted June 30, 2019
I've tried to get this going by mucking around. I have the container set up with port 2080 for HTTP and 20443 for HTTPS. I've forwarded ports 80 and 443 on my router to those ports. When I try to create an SSL cert through the Nginx reverse proxy dashboard, I get an "Internal error" dialog after a few seconds. In error.log there isn't a 1:1 corresponding line for when this error occurs, other than:
2019/06/29 18:37:01 [notice] 1037#1037: signal process started
If I hit "OK" on that error modal and refresh the page, there is a line for the SSL cert. If I then try to use that cert, it fails because it can't find the cert on the disk (presumably due to the "internal error"). How do I debug this and get this working?
bdillahu Posted July 2, 2019
Anybody managed to get Airsonic working behind nginxproxymanager? The web site comes up and will play music, but some features don't work (settings tab, downloading to a mobile device). Seems like it's related to a "location" setting, but I haven't found the winner.
Djoss (author) Posted July 2, 2019
On 6/26/2019 at 8:36 PM, Adam64 said: Love this docker so far! Having read this article: https://www.techrepublic.com/article/docker-containers-are-filled-with-vulnerabilities-heres-how-the-top-1000-fared/ I'm wondering about docker security. Any thoughts on that for this docker (as it's internet facing)? Thanks!
By running the same tool as the article:
trivy --clear-cache jlesage/nginx-proxy-manager:latest
2019-07-02T07:20:28.768-0400 INFO Removing image caches...
2019-07-02T07:20:28.826-0400 INFO Updating vulnerability database...
2019-07-02T07:20:35.328-0400 INFO Detecting Alpine vulnerabilities...

jlesage/nginx-proxy-manager:latest (alpine 3.8.4)
=================================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| mariadb | CVE-2019-2628    | MEDIUM   | 10.2.24-r0        | 10.2.24.r0    | mysql: InnoDB unspecified      |
|         |                  |          |                   |               | vulnerability (CPU Apr 2019)   |
+         +------------------+          +                   +               +--------------------------------+
|         | CVE-2019-2627    |          |                   |               | mysql: Server: Security:       |
|         |                  |          |                   |               | Privileges unspecified         |
|         |                  |          |                   |               | vulnerability (CPU Apr 2019)   |
+         +------------------+----------+                   +               +--------------------------------+
|         | CVE-2019-2614    | LOW      |                   |               | mysql: Server: Replication     |
|         |                  |          |                   |               | unspecified vulnerability (CPU |
|         |                  |          |                   |               | Apr 2019)                      |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
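Reading a trivy table by eye works once; for an internet-facing image you want the same check to run on every pull and fail loudly when something HIGH or CRITICAL with an available fix shows up. The script below is an added example, not part of the thread or of the nginx-proxy-manager project. It assumes the JSON that current trivy writes with `trivy image --format json IMAGE` (a top-level "Results" list whose entries carry a "Vulnerabilities" list, with the key absent when a target is clean). SAMPLE_REPORT is constructed from the three mariadb findings in the table above, with the version strings copied as shown there.

```python
"""Turn a trivy JSON report into a pass/fail gate.

Added example; not tooling from the nginx-proxy-manager project."""
import json
from collections import Counter
from typing import Dict, Iterator, List, Tuple

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed from the table in the thread (same IDs, package and versions).
SAMPLE_REPORT: Dict[str, object] = {
    "SchemaVersion": 2,
    "Results": [{
        "Target": "jlesage/nginx-proxy-manager:latest (alpine 3.8.4)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-2628", "PkgName": "mariadb",
             "InstalledVersion": "10.2.24-r0", "FixedVersion": "10.2.24.r0",
             "Severity": "MEDIUM",
             "Title": "mysql: InnoDB unspecified vulnerability (CPU Apr 2019)"},
            {"VulnerabilityID": "CVE-2019-2627", "PkgName": "mariadb",
             "InstalledVersion": "10.2.24-r0", "FixedVersion": "10.2.24.r0",
             "Severity": "MEDIUM",
             "Title": "mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2019)"},
            {"VulnerabilityID": "CVE-2019-2614", "PkgName": "mariadb",
             "InstalledVersion": "10.2.24-r0", "FixedVersion": "10.2.24.r0",
             "Severity": "LOW",
             "Title": "mysql: Server: Replication unspecified vulnerability (CPU Apr 2019)"},
        ],
    }],
}
SAMPLE_REPORT_JSON = json.dumps(SAMPLE_REPORT)


def load_report(text: str) -> dict:
    return json.loads(text)


def findings(report: dict) -> Iterator[dict]:
    """Flatten every vulnerability across all scanned targets."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # key absent when clean
            yield {
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName"),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
            }


def summarize(report: dict) -> Counter:
    """Counts per severity, like trivy's 'Total:' line."""
    return Counter(f["severity"] for f in findings(report))


def gate(report: dict, fail_on: str = "HIGH",
         require_fix: bool = True) -> Tuple[bool, List[str]]:
    """Return (passed, blocking_lines).

    Findings at or above fail_on block the image.  With require_fix=True a
    finding that has no fixed version yet is reported nowhere here, since
    rebuilding cannot remove it; track those separately rather than
    failing every build on them.
    """
    threshold = SEVERITIES.index(fail_on.upper())
    blocking: List[str] = []
    for f in findings(report):
        rank = SEVERITIES.index(f["severity"]) if f["severity"] in SEVERITIES else 0
        if rank < threshold:
            continue
        if require_fix and f["fixed"] is None:
            continue
        blocking.append(f"{f['id']} {f['severity']} {f['pkg']} "
                        f"{f['installed']} -> {f['fixed'] or 'no fix'}")
    return (not blocking, blocking)


if __name__ == "__main__":
    import sys
    # Usage: trivy image --format json jlesage/nginx-proxy-manager:latest | python3 trivy_gate.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT_JSON
    report = load_report(text)
    print("by severity:", dict(summarize(report)))
    passed, lines = gate(report, fail_on="MEDIUM")
    print("\n".join(lines) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

On the sample the default gate (HIGH and above) passes, while gating at MEDIUM fails on the two mariadb findings, which is the policy question the original poster is really asking: the scan result only becomes a security decision once you pick the threshold and decide what to do about findings that have no fix yet.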
Djoss (author) Posted July 2, 2019
On 6/29/2019 at 9:40 PM, tmchow said: I have the container set up with port 2080 for HTTP and 20443 for HTTPS. I've forwarded ports 80 and 443 on my router to those ports. When I try to create an SSL cert through the Nginx reverse proxy dashboard, I get an "Internal error" dialog after a few seconds. [...] How do I debug this and get this working?
Double check that accessing port 80 from the Internet reaches the container. You can use https://www.yougetsignal.com/tools/open-ports/. Then make sure that your DNS name is properly mapped to the Internet IP of your router.
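Those two checks are exactly what an HTTP-01 validation needs: the name must resolve to the router's public address, and a plain HTTP request on port 80 for a path under /.well-known/acme-challenge/ must reach the nginx inside the container (through the 80 -> 2080 forward). The script below is an added example that runs both checks from any machine outside the LAN; it is not tooling from the nginx-proxy-manager project, uses only the Python standard library, and the probe path and verdict strings are its own. A 404 for the probe path is the healthy answer, since no challenge token is staged; a refused or timed-out connection is the port-forward problem, and a mismatch between the resolved addresses and the expected public IP is the DNS problem.

```python
"""Pre-flight for Let's Encrypt HTTP-01: DNS target plus port-80 reachability.

Added example (standard library only); not part of nginx-proxy-manager."""
import http.client
import socket
from typing import Dict, Optional, Set

# Any unknown path under the ACME prefix will do: we only need proof that an
# HTTP server answered, not that a token is present.
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"


def resolve_all(hostname: str) -> Set[str]:
    """Every address (A and AAAA) the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def probe_http01(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, object]:
    """Make the kind of request an ACME validator makes on port 80.

    A refused or timed-out connection means the forward to the container's
    HTTP port is not working; any HTTP status, 404 included, means the
    request reached a web server.
    """
    result: Dict[str, object] = {"reachable": False, "status": None,
                                 "server": None, "error": None}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        result.update(reachable=True, status=resp.status,
                      server=resp.getheader("Server"))
    except (OSError, http.client.HTTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()
    return result


def preflight(hostname: str, expected_public_ip: Optional[str] = None,
              port: int = 80) -> Dict[str, object]:
    """Combine the DNS check and the reachability probe into one verdict."""
    try:
        resolved = resolve_all(hostname)
    except socket.gaierror as exc:
        return {"resolved": set(), "ip_matches": False, "probe": None,
                "verdict": f"name does not resolve: {exc}"}
    ip_matches = None if expected_public_ip is None else expected_public_ip in resolved
    probe = probe_http01(hostname, port)
    if ip_matches is False:
        verdict = "DNS does not point at the expected public IP (got %s)" % sorted(resolved)
    elif not probe["reachable"]:
        verdict = ("port %d is not reaching a web server (%s): check the router forward"
                   % (port, probe["error"]))
    else:
        verdict = "HTTP reaches a server (status %s, Server: %s)" % (
            probe["status"], probe["server"])
    return {"resolved": resolved, "ip_matches": ip_matches,
            "probe": probe, "verdict": verdict}


if __name__ == "__main__":
    import sys
    # Usage: python3 preflight.py proxy.example.com 203.0.113.9   (hypothetical name and IP)
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    print(preflight(name, expected))
```

Run it from a host outside your own network (a phone hotspot or a VPS), because a router that does not hairpin NAT will make the probe fail from inside the LAN even when the forward is correct for the outside world.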
Djoss (author) Posted July 2, 2019
9 hours ago, bdillahu said: Anybody managed to get Airsonic working behind nginxproxymanager? The web site comes up and will play music, but some features don't work (settings tab, downloading to a mobile device). [...]
You can have a look at the corresponding log file under /mnt/user/appdata/NginxProxyManager/log/nginx/ to have a better understanding of what's happening when you access these locations.
Adam64 Posted July 2, 2019
1 hour ago, Djoss said: By running the same tool as the article: trivy --clear-cache jlesage/nginx-proxy-manager:latest [...]
Thanks!