DieFalse Posted December 14, 2020

6 minutes ago, Tucubanito07 said:
> If you mean the /ETC/ it does not exist. Do you happen to know the specific directory and I can supply the permission?

/mnt/cache/appdata/NginxProxyManager/letsencrypt/archive/npm-20

Tucubanito07 Posted December 14, 2020

4 minutes ago, fmp4m said:
> /mnt/cache/appdata/NginxProxyManager/letsencrypt/archive/npm-20

This is for one of the certs. Based on this, seems to be permission issues, correct? How would I be able to fix it or what permissions does it need?

```
ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-1/
total 16
-rw-r--r-- 1 nobody users 1838 Dec 14 11:21 cert5.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain5.pem
-rw-r--r-- 1 nobody users 3424 Dec 14 11:21 fullchain5.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey5.pem
```

Edited December 14, 2020 by Tucubanito07

DieFalse Posted December 14, 2020

1 minute ago, Tucubanito07 said:
> This is for one of the certs. Based on this, seems to be permission issues, correct? How would I be able to fix it or what permissions does it need?
>
> ```
> ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-1/
> total 16
> -rw-r--r-- 1 nobody users 1838 Dec 14 11:21 cert5.pem
> -rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain5.pem
> -rw-r--r-- 1 nobody users 3424 Dec 14 11:21 fullchain5.pem
> -rw------- 1 nobody users 1704 Dec 14 11:21 privkey5.pem
> ```

Check certs 6,7,12,13,20 as those are erroring. Are those files there? I suspect not. In which case, you will have to delete those hosts and recreate or manually force those to regenerate.

Tucubanito07 Posted December 14, 2020

3 minutes ago, fmp4m said:
> Check certs 6,7,12,13,20 as those are erroring. Are those files there? I suspect not. In which case, you will have to delete those hosts and recreate or manually force those to regenerate.

Here is what I got. I would re-create those but I can't even get into the GUI. That is what I was going to try first.

```
ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-1/
total 16
-rw-r--r-- 1 nobody users 1838 Dec 14 11:21 cert5.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain5.pem
-rw-r--r-- 1 nobody users 3424 Dec 14 11:21 fullchain5.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey5.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-12/
total 16
-rw-rw-rw- 1 nobody users 1931 Jul 11 20:35 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:35 chain1.pem
-rw-rw-rw- 1 nobody users 3578 Jul 11 20:35 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:35 privkey1.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-13/
total 16
-rw-rw-rw- 1 nobody users 1923 Jul 11 20:47 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:47 chain1.pem
-rw-rw-rw- 1 nobody users 3570 Jul 11 20:47 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:47 privkey1.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-15/
total 16
-rw-r--r-- 1 nobody users 1879 Dec 14 11:21 cert4.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain4.pem
-rw-r--r-- 1 nobody users 3465 Dec 14 11:21 fullchain4.pem
-rw------- 1 nobody users 1708 Dec 14 11:21 privkey4.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-16/
total 16
-rw-r--r-- 1 nobody users 1866 Dec 14 11:21 cert2.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain2.pem
-rw-r--r-- 1 nobody users 3452 Dec 14 11:21 fullchain2.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey2.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-19/
total 16
-rw-r--r-- 1 nobody users 1866 Dec 14 11:21 cert2.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain2.pem
-rw-r--r-- 1 nobody users 3452 Dec 14 11:21 fullchain2.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey2.pem
```

Tucubanito07 Posted December 14, 2020

So I did the ones you said and this is what I got. Seems to have the same files.

```
ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-6/
total 16
-rw-rw-rw- 1 nobody users 1956 Oct 14 18:31 cert3.pem
-rw-rw-rw- 1 nobody users 1647 Oct 14 18:31 chain3.pem
-rw-rw-rw- 1 nobody users 3603 Oct 14 18:31 fullchain3.pem
-rw------- 1 nobody users 1704 Oct 14 18:31 privkey3.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-7/
total 16
-rw-rw-rw- 1 nobody users 1952 Oct 14 18:31 cert3.pem
-rw-rw-rw- 1 nobody users 1647 Oct 14 18:31 chain3.pem
-rw-rw-rw- 1 nobody users 3599 Oct 14 18:31 fullchain3.pem
-rw------- 1 nobody users 1704 Oct 14 18:31 privkey3.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-12/
total 16
-rw-rw-rw- 1 nobody users 1931 Jul 11 20:35 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:35 chain1.pem
-rw-rw-rw- 1 nobody users 3578 Jul 11 20:35 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:35 privkey1.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-13/
total 16
-rw-rw-rw- 1 nobody users 1923 Jul 11 20:47 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:47 chain1.pem
-rw-rw-rw- 1 nobody users 3570 Jul 11 20:47 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:47 privkey1.pem
```

Tucubanito07 Posted December 14, 2020

I resolved the issue by deleting the whole Container and recreating it. Thank you for your help @fmp4m

Edited December 14, 2020 by Tucubanito07

CorneliousJD Posted December 14, 2020

4 hours ago, fmp4m said:
> Have you created/configured "proxy.conf" and placed it where it wants it? An alternative to the proxy.conf file is setting those options in the advanced nginx settings of the advanced location (gear cog). However I am not proficient with how to format them for this location.

This doesn't apply to NPM.

5 hours ago, mattie112 said:
> Perhaps you need to also add some other directories? For example I found this post: https://www.reddit.com/r/PleX/comments/3xz4ph/plex_behind_a_ssl_nginx_reverse_proxy/cy9l9fj/?utm_source=reddit&utm_medium=web2x&context=3

I can add those directories but the /plex part isn't even working, it's just giving me a 401 error in the first place. I can't even get anywhere with it.

https://github.com/jc21/nginx-proxy-manager/issues/40

Seems like an extremely common (and long-term open) request. The way custom locations portrays itself, everything should already work like this but it just doesn't...?

If someone actually has domain.com hosting Organizr and domain.com/plex working please let me know - I'd love to take a look at your exact config. Right now, while I appreciate everyone's help, they seem to just be saying "it's possible" when they may not have it working the way I need it to?

DieFalse Posted December 14, 2020

As I have said, I have mine configured and working. One thing I am thinking you may have an issue with /plex/ goes to a ".plex.direct" url by translation. Do you have DNS Rebinding allowed for "plex.direct"? If not, ONLY IP:32400/plex will work. If so, then domain.com/plex/ will work.

DieFalse Posted December 14, 2020

4 hours ago, Tucubanito07 said:
> So I did the ones you said and this is what I got. Seems to have the same files.

You're welcome. It appears somehow your fullchain.pem became corrupted (likely blanked out). Rebuilding would fix this.

CorneliousJD Posted December 14, 2020

26 minutes ago, fmp4m said:
> As I have said, I have mine configured and working. One thing I am thinking you may have an issue with /plex/ goes to a ".plex.direct" url by translation. Do you have DNS Rebinding allowed for "plex.direct"? If not, ONLY IP:32400/plex will work. If so, then domain.com/plex/ will work.

How would I check/know if I have DNS rebinding allowed for plex.direct? If you mean internally and NAT loopback, then yes that is enabled and working.

For what it's worth, I'm getting the same 401 unauthorized when testing via my phone off of WiFi. I don't understand what would be different about our configs since there's almost zero config in NPM.

Tucubanito07 Posted December 15, 2020

4 hours ago, fmp4m said:
> You're welcome. It appears somehow your fullchain.pem became corrupted (likely blanked out). Rebuilding would fix this.

How would you rebuild it? Just in case it happens again I know what I can do to try to fix it.

DieFalse Posted December 15, 2020

11 hours ago, Tucubanito07 said:
> How would you rebuild it? Just in case it happens again I know what I can do to try to fix it.

Hi Tucubanito07,

The npm-01 that had the corrupt PEM would need its "conf" file deleted from the app data. You can copy the conf to another folder and review it to recreate that proxy host. When you delete that conf, NGINXProxyManager will load all but that host that is corrupted (which sometimes can be more than one). You would then re-add that proxy host.

Example:

npm-01 = jimmy.domain.com

- Delete conf (/etc/letsencrypt/renewal/npm-1.conf)
- Load NPM
- Review hosts for missing one or review the conf file for the missing host info and re-add.

However, if it's multiple, then you will have to delete the others in the log with the same error of

```
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-1/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
```

Alternatively you can go to each PEM (certificate folder) and check the fullchainX.PEM (x being whatever number it is in the dir) for validity.

https://ma.ttias.be/nginx-ssl-certificate-errors-pem_read_bio_x509_aux-pem_read_bio_x509-ssl_ctx_use_privatekey_file/

```
openssl x509 -text -noout -in /etc/letsencrypt/live/npm-1/fullchain.pem
```

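The per-certificate validity check described in the post above, as an added example that is not part of the original thread and is not NPM's own code: it walks every live/npm-N/fullchain.pem and lists the ones nginx would refuse to load. The function names, the OPENSSL_BIN switch and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which npm-N certificates would fail to load.
# Usage: sh check_fullchain.sh <letsencrypt-dir>   (no argument: constructed sample)

# Print one word describing the state of a PEM certificate file.
# OPENSSL_BIN (assumed switch) may be set to '' to skip the openssl parse step.
check_pem() {
    f=$1
    ossl=${OPENSSL_BIN-openssl}
    if [ ! -e "$f" ]; then            # also true for a dangling live/ symlink
        echo missing
    elif [ ! -s "$f" ]; then          # zero bytes: the "blanked out" case
        echo empty
    elif ! grep -q -e '-----BEGIN .*CERTIFICATE-----' "$f"; then
        echo no-start-line            # what nginx reports as "no start line"
    elif [ -n "$ossl" ] && command -v "$ossl" >/dev/null 2>&1 &&
         ! "$ossl" x509 -noout -in "$f" >/dev/null 2>&1; then
        echo unparseable              # header present, first certificate invalid
    else
        echo ok
    fi
}

# Print "<cert-name> <state>" for every live/npm-*/fullchain.pem that is not ok.
scan_live() {
    root=$1
    for dir in "$root"/live/npm-*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        state=$(check_pem "$dir/fullchain.pem")
        [ "$state" = ok ] || echo "$name $state"
    done
}

# Constructed sample tree (not data from the thread): npm-1 is blanked,
# npm-2 holds non-PEM text, npm-3 is a live/ symlink into archive/ with a
# placeholder body that only passes the structural checks.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/live/npm-1" "$t/live/npm-2" "$t/live/npm-3" "$t/archive/npm-3"
    : > "$t/live/npm-1/fullchain.pem"
    echo 'not a certificate' > "$t/live/npm-2/fullchain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$t/archive/npm-3/fullchain1.pem"
    ln -s ../../archive/npm-3/fullchain1.pem "$t/live/npm-3/fullchain.pem"
    echo "$t"
}

if [ -n "${1:-}" ]; then
    scan_live "$1"
else
    sample=$(make_sample)
    # The placeholder body is not a real certificate, so skip the parse step.
    ( OPENSSL_BIN=''; scan_live "$sample" )
    rm -rf "$sample"
fi
```

Pass the letsencrypt directory as the argument; each name it prints is a host whose renewal conf is a candidate for the delete-and-re-add steps in the post.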
DieFalse Posted December 15, 2020

16 hours ago, CorneliousJD said:
> How would I check/know if I have DNS rebinding allowed for plex.direct? If you mean internally and NAT loopback, then yes that is enabled and working.
>
> For what it's worth, I'm getting the same 401 unauthorized when testing via my phone off of WiFi. I don't understand what would be different about our configs since there's almost zero config in NPM.

NAT Loopback and DNS Rebinding are completely different. Plex uses "HASH".plex.direct to create dns entries or proxy to your server. The domain.com/plex service uses this. You can verify this is being done by visiting the /plex location and reviewing the certificate, which you will find is issued to plex.direct.

I feel that something is interrupting the connection to /plex (XML-Plugins-API) interface causing you this issue.

Can you create another /anything and point it to a known working interface? sonarr/radarr/npm

If this works, then the config is working and creating the location properly. It would show that it's something needed in advanced config or your router.

If it's not working, it shows that it's NPM not creating the location correctly.

Notes:

DNS Rebinding

Some routers or modems have a feature known as "DNS rebinding protection", some implementations of which can prevent an app from being able to connect to a Plex Media Server securely on the local network. For most users, this won't be an issue, but some users of higher-end routers (or those provided by some ISPs) may run into problems. Similarly, some DNS providers (including some ISPs) may have this feature.

DNS rebinding protection is meant as a security feature, to protect insecurely-designed devices on the local network against attacks. It provides no benefit for devices that are designed and configured correctly.

CorneliousJD Posted December 15, 2020

52 minutes ago, fmp4m said:
> NAT Loopback and DNS Rebinding are completely different. Plex uses "HASH".plex.direct to create dns entries or proxy to your server. The domain.com/plex service uses this. You can verify this is being done by visiting the /plex location and reviewing the certificate, which you will find is issued to plex.direct.
>
> I feel that something is interrupting the connection to /plex (XML-Plugins-API) interface causing you this issue.
>
> Can you create another /anything and point it to a known working interface? sonarr/radarr/npm
>
> If this works, then the config is working and creating the location properly. It would show that it's something needed in advanced config or your router.
>
> If it's not working, it shows that it's NPM not creating the location correctly.

Thank you so much for continuing to reply and trying to help. I really do appreciate it very much!

So I added a few other /locations for testing and pretty much nothing works like that. I can get some pages to load their title in the browser, but no contents, and I can get some to show their authentication pages but then fail to load once logged in, etc.

ALL of these services work fine on sub.domain.com however with no issues.

So it seems like it's trying to load the proper site, but for whatever reason having them at a /location vs a subdomain is breaking things.

I used to have a /plex location working in a SWAG/LetsEncrypt config, but it was pretty simple, so I'm not sure what I'm missing here.

Here's my old SWAG/LetsEncrypt config

```
# PLEX CONTAINER
location /plex/ {
    proxy_pass http://10.0.0.10:32400/;
    include /config/nginx/SSO.conf;
}
if ($http_referer ~* /plex/) {
    rewrite ^/web/(.*) /plex/web/$1? redirect;
}
```

And SSO.conf was all of this

```
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_bind $server_addr;
proxy_buffers 32 4k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
proxy_hide_header X-Frame-Options;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_no_cache $cookie_session;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```

If I add all that into the custom config for the location then I'm still not getting anywhere unfortunately.

Something really weird with the /plex location happens too where sometimes it will try to load domain.com:4443/plex (where 4443 is the port NPM runs with my internal network) - Nothing should be configured to ever add port 4443 in there so I'm not sure why that's getting added either. So weird.

DieFalse Posted December 15, 2020

2 hours ago, CorneliousJD said:
> Thank you so much for continuing to reply and trying to help. I really do appreciate it very much!
>
> So I added a few other /locations for testing and pretty much nothing works like that. I can get some pages to load their title in the browser, but no contents, and I can get some to show their authentication pages but then fail to load once logged in, etc.
>
> ALL of these services work fine on sub.domain.com however with no issues.
>
> So it seems like it's trying to load the proper site, but for whatever reason having them at a /location vs a subdomain is breaking things.
>
> I used to have a /plex location working in a SWAG/LetsEncrypt config, but it was pretty simple, so I'm not sure what I'm missing here.
>
> Here's my old SWAG/LetsEncrypt config
>
> ```
> # PLEX CONTAINER
> location /plex/ {
>     proxy_pass http://10.0.0.10:32400/;
>     include /config/nginx/SSO.conf;
> }
> if ($http_referer ~* /plex/) {
>     rewrite ^/web/(.*) /plex/web/$1? redirect;
> }
> ```
>
> And SSO.conf was all of this
>
> ```
> client_max_body_size 10m;
> client_body_buffer_size 128k;
> proxy_bind $server_addr;
> proxy_buffers 32 4k;
>
> #Timeout if the real server is dead
> proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
>
> # Advanced Proxy Config
> send_timeout 5m;
> proxy_read_timeout 240;
> proxy_send_timeout 240;
> proxy_connect_timeout 240;
> proxy_hide_header X-Frame-Options;
>
> # Basic Proxy Config
> proxy_set_header Host $host:$server_port;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto https;
> proxy_redirect http:// $scheme://;
> proxy_http_version 1.1;
> proxy_set_header Connection "";
> proxy_no_cache $cookie_session;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";
> ```
>
> If I add all that into the custom config for the location then I'm still not getting anywhere unfortunately.
>
> Something really weird with the /plex location happens too where sometimes it will try to load domain.com:4443/plex (where 4443 is the port NPM runs with my internal network) - Nothing should be configured to ever add port 4443 in there so I'm not sure why that's getting added either. So weird.

Do you have Discord or some other online messenger? Can you PM me your info so I can troubleshoot directly with you. I feel we can solve this rapidly that way.

Voss Posted December 18, 2020

Hi, perhaps I misunderstood something, I'm not that familiar with unraid or NPM. Is there any way to connect to the WebUI through https?

CorneliousJD Posted December 18, 2020

1 hour ago, Voss said:
> Hi, perhaps I misunderstood something, I'm not that familiar with unraid or NPM. Is there any way to connect to the WebUI through https?

The unRAID Web UI? I wouldn't recommend opening that up. There's something that will help with this coming soon anyways.

Voss Posted December 19, 2020

9 hours ago, CorneliousJD said:
> The unRAID Web UI? I wouldn't recommend opening that up. There's something that will help with this coming soon anyways.

I think I have not expressed myself very well. I want to access the Nginx Proxy Manager WebUI through https. Currently I just can access through http://myserverip:7818. If it's possible I want to access it through https://myserverip:7818. For this case it doesn't matter for me if it's verified through a selfmade certificate, as I only access it through the LAN.

Edited December 19, 2020 by Voss (wrong portnumber)

CorneliousJD Posted December 21, 2020

On 12/19/2020 at 2:22 AM, Voss said:
> I think I have not expressed myself very well. I want to access the Nginx Proxy Manager WebUI through https. Currently I just can access through http://myserverip:7818. If it's possible I want to access it through https://myserverip:7818. For this case it doesn't matter for me if it's verified through a selfmade certificate, as I only access it through the LAN.

Just reverse proxy the NPM interface itself at proxymanager or npm.domain.com instead. I do not believe you can access locally via HTTPS.

Voss Posted December 21, 2020

21 hours ago, CorneliousJD said:
> Just reverse proxy the NPM interface itself at proxymanager or npm.domain.com instead. I do not believe you can access locally via HTTPS.

Couldn't see the wood for the trees. Thank you!

Just to add something that helped me, found some useful tips with access list here using an access list.

Edited December 21, 2020 by Voss

njdowdy Posted December 22, 2020

I "resolved" the issue described in my previous post. For those facing similar errors renewing certificates, check your ISP policies. My new ISP has a stricter port policy than my previous one. This ISP blocks port 80, which breaks the Let'sEncrypt certificate renewal process. My solution was to integrate CloudFlare with NPM. That allows for a work around to the ISP blocking port 80. I hope that helps others.

cagemaster Posted December 22, 2020

When I try to add an SSL cert I get this error:

Can you help me?

CorneliousJD Posted December 22, 2020

On 12/15/2020 at 1:13 PM, fmp4m said:
> Do you have Discord or some other online messenger? Can you PM me your info so I can troubleshoot directly with you. I feel we can solve this rapidly that way.

So I did PM you but ended up plugging away at this today and I got it... I updated NPM's GitHub issue #40 about this.

https://github.com/jc21/nginx-proxy-manager/issues/40#issuecomment-749770892

In short, /plex still wouldn't work for me, but adding /web DID work. I think it's because the way the plex container expects /web at the end of everything that it worked like this, but regardless, it allows me to fix my issue!

I now have Organizr setup with Plex OAuth, SSO across Plex, Ombi, Tautulli, and "watch on plex" buttons working, all via NPM.

Hope this comment helps someone else in the future!

CorneliousJD Posted December 23, 2020

On 12/22/2020 at 9:30 AM, cagemaster said:
> When I try to add an SSL cert I get this error:
>
> Can you help me?

I am getting the same error as of today when trying to add certs.

Anyone else also getting this issue?

EDIT: I let the container sit for 15 minutes or so and tried again and it worked... lol

Edited December 23, 2020 by CorneliousJD

IKWeb Posted December 24, 2020

Hello All

Can I ask for confirmation? I assume I would either use NginxProxyManager or SWAG - you wouldn't use both? I assume NginxProxyManager has a copy of SWAG within it?

TIA