[Support] Djoss - Nginx Proxy Manager



I set this docker up today and was pulling my hair out about why I couldn't get my apps set up correctly...the docker was complaining that the challenges were failing.  I tried all kinds of things but noticed that while the docker settings showed ports 1880 and 18443 for the internal ports, the docker allocations section showed 8080 and 4443 instead.  I changed my port forwards to those ports and BOOM, worked first try.  

 

Is this expected?  Here are my docker settings, but 1880 and 18443 don't work for me:

[Screenshots: Nginx Settings.PNG, Nginx Settings 2.PNG]

Edited by Andiroo2

I ran into the ports issue as well yesterday, I only noticed that 8080 and 4443 were the ports being used when I looked at the port mappings in the docker containers list.

I looked at the dockerfile with this app, and the ports are hard coded to 8080 and 4443.  I wish the developer had left them at 80 and 443 so I could use this for both external mapping via my firewall/router and internally on my LAN.

 

Would it not make more sense to leave the ports as the default ones inside the docker and use -p to map them when you want to use a host instead of a bridge network?

 

I don't want to discount the amount of effort that Djoss has put into this and I may just be running on at the mouth/keyboard. So I'll teach myself how to set up an Unraid docker app today and see if I can figure out why.

Edited by groggu
13 hours ago, groggu said:

I ran into the ports issue as well yesterday, I only noticed that 8080 and 4443 were the ports being used when I looked at the port mappings in the docker containers list.

I looked at the dockerfile with this app, and the ports are hard coded to 8080 and 4443.  I wish the developer had left them at 80 and 443 so I could use this for both external mapping via my firewall/router and internally on my LAN.

 

Would it not make more sense to leave the ports as the default ones inside the docker and use -p to map them when you want to use a host instead of a bridge network?

 

I don't want to discount the amount of effort that Djoss has put into this and I may just be running on at the mouth/keyboard. So I'll teach myself how to set up an Unraid docker app today and see if I can figure out why.

 

Do you also need this due to IPv6? You can change it yourself if you want or you can use my fork:

https://hub.docker.com/repository/docker/mattie112/docker-nginx-proxy-manager

https://github.com/Mattie112/docker-nginx-proxy-manager/tree/default-ports


I have to renew my certificates, but I'm getting internal errors and timeouts?

Also deleted the certificate and trying to get a new one, also same errors.

What is the trick with nginx for renewal? I'm using letsencrypt certificates btw. Do I need to run the letsencrypt container as well for this to work? Or can I use some other certificate? From where?

39 minutes ago, jowi said:

I have to renew my certificates, but I'm getting internal errors and timeouts?

Also deleted the certificate and trying to get a new one, also same errors.

What is the trick with nginx for renewal? I'm using letsencrypt certificates btw. Do I need to run the letsencrypt container as well for this to work? Or can I use some other certificate? From where?

 

What errors exactly?

 

You can also check: 

 


I can confirm I'm having the same issue as above. I tried the dry-run command, which produced the following logs:

 

[Screenshot: log output of the dry-run command]

I then tried test cert as well, which gave me this:

[Screenshot: log output of the test cert command]

In the same log you can see I'm able to ping google, so it can get to the internet.

As an addendum to this, this is what I get when trying to renew:

[Screenshot: renewal error]

and this is what I get when trying to create:

[Screenshot: creation error]

Edited by Vulkan209
16 minutes ago, jowi said:

Just 'internal error' and 'timeout'. Probably logged somewhere but I don't know where. Not a guru :(

 

certbot: command not found????

where is certbot?

You have to run these commands within your NPM container, please see the posts here:

 

 

and check a few posts before and after to see if you have the same issue


Ah ok, that works... now I get some more info, firewall issues? DNS records? Don't understand, all worked fine, why is it complaining about this for the certificates now all of a sudden?

 

[code]

/tmp # certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-2.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.20ten.nl
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain nextcloud.20ten.nl
http-01 challenge for nextcloud.20ten.nl
Cleaning up challenges
Attempting to renew cert (npm-2) from /etc/letsencrypt/renewal/npm-2.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-3.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for documentserver.20ten.nl
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain documentserver.20ten.nl
http-01 challenge for documentserver.20ten.nl
Cleaning up challenges
Attempting to renew cert (npm-3) from /etc/letsencrypt/renewal/npm-3.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-4.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dehef.20ten.nl
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain dehef.20ten.nl
http-01 challenge for dehef.20ten.nl
Cleaning up challenges
Attempting to renew cert (npm-4) from /etc/letsencrypt/renewal/npm-4.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dehef.20ten.nl
   Type:   connection
   Detail: Fetching
  http://dehef.20ten.nl/.well-known/acme-challenge/4fd7A4LKzcJxFvt4MYbLvSf6OxWUP5Mtd3xn4Su-HHA:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: documentserver.20ten.nl
   Type:   connection
   Detail: Fetching
  http://documentserver.20ten.nl/.well-known/acme-challenge/hNPkFB8MC8whRSBugq-sa9O73F0phkv1yRIHAzNAxDc:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: nextcloud.20ten.nl
   Type:   connection
   Detail: Fetching
  http://nextcloud.20ten.nl/.well-known/acme-challenge/uVRln4-qO9gV1eNfm2ys02uvieIT0GPN0SWe1fB-1F8:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
/tmp # 

[/code]

 


Do you have an ACL configured? I cannot access nextcloud[dot]20ten[dot]nl from here. Or perhaps your external IP changed? Can you access your sites/services through 4G for example?

 

(Here it resolves to 77.248.64.xx and I cannot ping that IP (timeout)) so it seems that indeed letsencrypt cannot access your NPM to verify it is correct.


External IP is correct (77.248.64.xx) but I also can't ping it... DNS A records are also correct and pointing to this IP. Nothing has changed as far as I can see. I will contact my hosting provider to see if there is something wrong there. Wouldn't be the first time.

 

What is ACL?

Edited by jowi
55 minutes ago, jowi said:

External IP is correct (74.248.64.xx) but I also can't ping it... DNS A records are also correct and pointing to this IP. Nothing has changed as far as I can see. I will contact my hosting provider to see if there is something wrong there. Wouldn't be the first time.

 

What is ACL?

 

ACL = access control list. I thought perhaps you only allow certain IPs to connect.

 

I don't know if this is just a private internet connection but you can do `curl ifconfig.me` to get your external IP through the commandline just to confirm.

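As an added example (not code from this thread, from Nginx Proxy Manager or from certbot), the Python script below does the three checks the posts above circle around: it parses the error blocks from a `certbot renew --dry-run` run like the one pasted earlier and maps each ACME error type onto the first thing to check, compares a domain's public A/AAAA records with the external IP obtained the `curl ifconfig.me` way, and stages a throwaway token in the webroot to confirm it is fetchable over plain HTTP on port 80, which is exactly what the Let's Encrypt validator does for an http-01 challenge. The sample certbot output, the `example.test` domains and the `domains`/`webroot` values are constructed or assumed; `/config/letsencrypt-acme-challenge` is the webroot path shown in the pasted log.

```python
"""Pre-flight checks for Let's Encrypt http-01 challenges behind a reverse proxy.
Added example, not code from the thread, NPM or certbot. The sample certbot output,
the example.test domains and the domains/webroot values in main() are constructed."""
import re
import secrets
import socket
import urllib.request
from pathlib import Path

# Constructed sample in the shape of certbot's "IMPORTANT NOTES" block after a failed
# `certbot renew --dry-run` (domains and tokens are made up).
SAMPLE_CERTBOT_OUTPUT = """\
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dehef.example.test
   Type:   connection
   Detail: Fetching
  http://dehef.example.test/.well-known/acme-challenge/TOKEN-A:
   Timeout during connect (likely firewall problem)

 - The following errors were reported by the server:

   Domain: nextcloud.example.test
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for nextcloud.example.test
"""

# Where to look first for each ACME error type (connection/dns/unauthorized are error
# types the validator reports; the advice text is this example's own).
FIRST_THING_TO_CHECK = {
    "connection": "inbound TCP/80 to the proxy: port forward, host firewall, ISP, modem bridge mode",
    "dns": "the public A/AAAA record and the IP it points at",
    "unauthorized": "that the proxy serves the token from the webroot (wrong path or wrong vhost)",
}

_BLOCK_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*"
    r"(?P<detail>.*?)(?=\n\s*\n|\Z)",
    re.S,
)

def parse_challenge_failures(output):
    """Return {domain: (error_type, one-line detail)} for every failure certbot reported."""
    failures = {}
    for m in _BLOCK_RE.finditer(output):
        detail = " ".join(m.group("detail").split())  # fold the wrapped lines into one
        failures[m.group("domain")] = (m.group("type"), detail)
    return failures

def advice(error_type):
    return FIRST_THING_TO_CHECK.get(error_type, "the full log in /var/log/letsencrypt")

def challenge_url(domain, token):
    """The URL the validator fetches for http-01: always plain HTTP on port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def stage_token(webroot):
    """Write a throwaway token under the webroot, as certbot's webroot plugin would."""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    return token, path

def fetch(url, timeout=10.0):
    """GET like the validator would; returns (status, body) or (None, error text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except OSError as exc:  # URLError, HTTPError and timeouts all derive from OSError
        return None, str(exc)

def public_ip():
    """The `curl ifconfig.me` check from the thread, done in Python."""
    status, body = fetch("https://ifconfig.me/ip")
    if status != 200:
        raise RuntimeError(f"could not determine public IP: {body}")
    return body.strip()

def resolved_addresses(domain):
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)})

def main():
    # 1. Offline: summarise a failed dry run (the constructed sample stands in for real output).
    for domain, (etype, detail) in parse_challenge_failures(SAMPLE_CERTBOT_OUTPUT).items():
        print(f"{domain}: {etype} -> check {advice(etype)}\n    {detail}")
    # 2. Live (needs network; hypothetical values): DNS vs public IP, then the token fetch.
    domains = ["nextcloud.example.test"]
    webroot = "/config/letsencrypt-acme-challenge"  # webroot path shown in the pasted certbot log
    ip = public_ip()
    for domain in domains:
        addrs = resolved_addresses(domain)
        print(domain, "->", addrs, "| public IP", ip, "| MATCH" if ip in addrs else "| MISMATCH")
        token, path = stage_token(webroot)
        status, body = fetch(challenge_url(domain, token))
        ok = status == 200 and body.strip() == token
        print("  token fetchable over port 80:", "yes" if ok else f"no ({status}: {body[:80]})")
        path.unlink()

if __name__ == "__main__":
    main()
```

Run the live part from outside your own network (a VPS or a phone on 4G, as suggested above): from inside, a router without NAT reflection can make the token fetch fail, or succeed, for reasons that have nothing to do with what the Let's Encrypt validator sees. A `connection` error with a correct public IP points at the path between the internet and port 80 of the proxy (router forward, firewall, ISP), not at NPM itself.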

External ip is correct. Also curl ifconfig.me shows the same. According to hosting provider my domains do resolve OK:

https://dnschecker.org/#A/nextcloud.20ten.nl

https://dnschecker.org/#A/dehef.20ten.nl

 

IP is a cable modem from a local ISP.

For the rest everything is working fine here on my side of the modem...

 

Pinging it works fine from my side:

[code]
root@UNRAID:/etc# ping 77.248.64.xx
PING 77.248.64.xx (77.248.64.xx) 56(84) bytes of data.
64 bytes from 77.248.64.xx: icmp_seq=1 ttl=64 time=0.140 ms
64 bytes from 77.248.64.xx: icmp_seq=2 ttl=64 time=0.150 ms
64 bytes from 77.248.64.xx: icmp_seq=3 ttl=64 time=0.122 ms
64 bytes from 77.248.64.xx: icmp_seq=4 ttl=64 time=0.137 ms
64 bytes from 77.248.64.xx: icmp_seq=5 ttl=64 time=0.124 ms
64 bytes from 77.248.64.xx: icmp_seq=6 ttl=64 time=0.166 ms
64 bytes from 77.248.64.xx: icmp_seq=7 ttl=64 time=0.131 ms
^C
--- 77.248.64.xx ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6146ms
rtt min/avg/max/mdev = 0.122/0.138/0.166/0.014 ms
[/code]

Bit lost here on what is going on?

Edited by jowi
27 minutes ago, jowi said:

External ip is correct. Also curl ifconfig.me shows the same. According to hosting provider my domains do resolve OK:

https://dnschecker.org/#A/nextcloud.20ten.nl

https://dnschecker.org/#A/dehef.20ten.nl

 

But they can't ping the external IP as well. IP is a cable modem from a local ISP.

For the rest everything is working fine here on my side of the modem... bit lost here on what is going on?

 

In case you have not done it before: perhaps reboot your modem? And if you have your own router also reboot that one. Or log in into your router to confirm the portforwarding / firewall settings are still correct. Perhaps Ziggo pushed an update and some settings got reset.

 

edit:

And just to confirm, I cannot ping your IP from home (t-mobiel) or from my VPSses (in NL, DE and USA)

Edited by mattie112

The Ziggo modem is in bridge mode, so it shouldn't have any port forwarding / firewall etc.

I'm using pfsense as router, there is port fwding configured (1443/180 to https/http 443/80 internally on unraid for nginx proxymngr)

Will reboot the modem anyway.

Edited by jowi
5 minutes ago, jowi said:

The Ziggo modem is in bridge mode, so it shouldn't have any port forwarding / firewall etc.

I'm using pfsense as router, there is port fwding configured (1443/180 to https/http 443/80 internally on unraid for nginx proxymngr)

Will reboot the modem anyway.

 

You can confirm if it is indeed still in bridge mode. And just to confirm: if I ping my parents (also Ziggo) I do get a ping reply (non-bridged modem).

 

If you continue to have issues I think you should start a new topic as this issue is not related to NPM (feel free to tag me there).


There really is a connectivity issue on your (provider's) end. From my 4G (tele2) I cannot ping. So either something is wrong with your router/firewall or your provider has some issues. Also see tools like the one below, but this is simply not an NPM issue: letsencrypt simply cannot reach your server.

 

https://tools.keycdn.com/ping

 

[Screenshot: keycdn ping tool results]

 

Oh and perhaps your mobile provider is in the same network (or is the same provider) as your internet connection perhaps they "simply" have some routing issues.

 

edit:

@jowi it seems to be working now! I do get your nextcloud login page (but I still cannot ping so guessing that is blocked?)

Edited by mattie112

Yeah, I tried some more renewing and recreating certificates, and all of a sudden it worked. Well, for me it always worked, but I now have new certificates... still don't understand why the ping doesn't work, but for me everything is fine... 👍

Edited by jowi