Andiroo2 Posted January 23, 2021
I set this docker up today and was pulling my hair out about why I couldn't get my apps set up correctly... the docker was complaining that the challenges were failing. I tried all kinds of things but noticed that while the docker settings showed ports 1880 and 18443 for the internal ports, the docker allocations section showed 8080 and 4443 instead. I changed my port forwards to those ports and BOOM, worked first try. Is this expected? Here are my docker settings, but 1880 and 18443 don't work for me:
Edited January 23, 2021 by Andiroo2
KrisMin Posted January 23, 2021
OK, that was my issue too! Thanks! What an annoying bug, wasted a couple of hours digging in Google and docs. Dunno why I didn't double check if ports were mapped right in docker.
Edited January 23, 2021 by KrisMin
mgutt Posted January 23, 2021
This is not a bug. br0 simply does not use port mapping. Port mapping is for the bridge network.
groggu Posted January 24, 2021
I ran into the ports issue as well yesterday, I only noticed that 8080 and 4443 were the ports being used when I looked at the port mappings in the docker containers list. I looked at the dockerfile with this app, and the ports are hard coded to 8080 and 4443. I wish the developer had left them at 80 and 443 so I could use this for both external mapping via my firewall/router and internally on my LAN. Would it not make more sense to leave the ports as the default ones inside the docker and use -p to map them when you want to use a host instead of a bridge network? I don't want to discount the amount of effort that Djoss has put into this and I may just be running on at the mouth/keyboard. So I'll teach myself how to set up an Unraid docker app today and see if I can figure out why.
Edited January 24, 2021 by groggu
RedSpider Posted January 24, 2021
I see the following error in my log:
[code]
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[1/24/2021] [10:02:29 PM] [Nginx ] › ℹ info Reloading Nginx
[/code]
mattie112 Posted January 25, 2021
13 hours ago, groggu said:
I ran into the ports issue as well yesterday, I only noticed that 8080 and 4443 were the ports being used when I looked at the port mappings in the docker containers list. I looked at the dockerfile with this app, and the ports are hard coded to 8080 and 4443. I wish the developer had left them at 80 and 443 so I could use this for both external mapping via my firewall/router and internally on my LAN. Would it not make more sense to leave the ports as the default ones inside the docker and use -p to map them when you want to use a host instead of a bridge network? I don't want to discount the amount of effort that Djoss has put into this and I may just be running on at the mouth/keyboard. So I'll teach myself how to set up an Unraid docker app today and see if I can figure out why.

Do you also need this due to IPv6? You can change it yourself if you want or you can use my fork:
https://hub.docker.com/repository/docker/mattie112/docker-nginx-proxy-manager
https://github.com/Mattie112/docker-nginx-proxy-manager/tree/default-ports
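The confusion in the posts above comes down to which network driver the container sits on: on Docker's bridge network the `-p 1880:8080` style mappings decide which host port a router forward must target, while on a macvlan network such as Unraid's br0 the container has its own LAN address and the mappings are ignored, so the forward must go to the container IP and the container's own port (8080/4443). The following script is an added example, not part of the thread or of the NPM image: it reads `docker inspect` output plus the driver of each network (as `docker network inspect -f '{{.Driver}}'` would report it) and prints the address:port a port-forward has to point at. The JSON, the driver table, the host address 192.168.1.10 and the container address 192.168.1.50 are constructed sample values; the extra port 8181 is constructed too, left unpublished to show the "not reachable" case.

```python
import json

# Constructed sample of `docker inspect` output for two containers (not taken
# from the thread). The first runs on Docker's default bridge network with -p
# mappings, the second on a macvlan network (Unraid's br0) with its own LAN IP.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/npm-bridge",
        "Config": {"ExposedPorts": {"8080/tcp": {}, "4443/tcp": {}, "8181/tcp": {}}},
        "HostConfig": {
            "NetworkMode": "bridge",
            "PortBindings": {
                "8080/tcp": [{"HostIp": "", "HostPort": "1880"}],
                "4443/tcp": [{"HostIp": "", "HostPort": "18443"}],
            },
        },
        "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}},
    },
    {
        "Name": "/npm-br0",
        "Config": {"ExposedPorts": {"8080/tcp": {}, "4443/tcp": {}, "8181/tcp": {}}},
        "HostConfig": {
            "NetworkMode": "br0",
            # the same -p mappings are present but have no effect on macvlan
            "PortBindings": {
                "8080/tcp": [{"HostIp": "", "HostPort": "1880"}],
                "4443/tcp": [{"HostIp": "", "HostPort": "18443"}],
            },
        },
        "NetworkSettings": {"Networks": {"br0": {"IPAddress": "192.168.1.50"}}},
    },
])

# Constructed: what `docker network inspect -f '{{.Driver}}' <name>` returns.
NETWORK_DRIVERS = {"bridge": "bridge", "br0": "macvlan"}

HOST_LAN_IP = "192.168.1.10"  # assumed LAN address of the Docker host


def forward_targets(inspect_json, network_drivers, host_ip):
    """Return {container: [(address, port, note), ...]}: for every exposed
    container port, the address and port a router forward must target, or
    address None when the port is not reachable from outside the bridge."""
    out = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        mode = c["HostConfig"]["NetworkMode"]
        driver = "host" if mode == "host" else network_drivers.get(mode, "bridge")
        bindings = c["HostConfig"].get("PortBindings") or {}
        exposed = sorted(c["Config"].get("ExposedPorts") or {})
        nets = c["NetworkSettings"]["Networks"]
        container_ip = next(iter(nets.values()), {}).get("IPAddress", "")
        targets = []
        for spec in exposed:
            cport = int(spec.split("/")[0])
            if driver in ("macvlan", "ipvlan"):
                # container owns a LAN address: -p mappings are ignored
                targets.append((container_ip, cport, "forward to the container IP; -p mappings are ignored"))
            elif driver == "host":
                targets.append((host_ip, cport, "host networking: container port is the host port"))
            elif spec in bindings:
                for b in bindings[spec]:
                    targets.append((b.get("HostIp") or host_ip, int(b["HostPort"]), "published via -p"))
            else:
                targets.append((None, cport, "not published; only reachable from inside the bridge"))
        out[name] = targets
    return out


if __name__ == "__main__":
    for name, targets in forward_targets(SAMPLE_INSPECT, NETWORK_DRIVERS, HOST_LAN_IP).items():
        print(name)
        for addr, port, note in targets:
            print(f"  {addr or '-'}:{port}  ({note})")
```

Run against a live host by replacing `SAMPLE_INSPECT` with `docker inspect <container>` and filling `NETWORK_DRIVERS` from `docker network ls`; the bridge entry reproduces the 1880/18443 answer the first posts needed, the br0 entry explains why those ports never worked there.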
jowi Posted January 25, 2021
I have to renew my certificates, but I'm getting internal errors and timeouts? Also deleted the certificate and trying to get a new one, also same errors. What is the trick with nginx for renewal? I'm using letsencrypt certificates btw. Do I need to run the letsencrypt container as well for this to work? Or can I use some other certificate? From where?
mattie112 Posted January 25, 2021
39 minutes ago, jowi said:
I have to renew my certificates, but I'm getting internal errors and timeouts? Also deleted the certificate and trying to get a new one, also same errors. What is the trick with nginx for renewal? I'm using letsencrypt certificates btw. Do I need to run the letsencrypt container as well for this to work? Or can I use some other certificate? From where?

What errors exactly? You can also check:
Vulkan209 Posted January 25, 2021
I can confirm I'm having the same issue as above. I tried the dry-run command, which produced the following logs:
I then tried test cert as well, which gave me this:
In the same log you can see I'm able to ping google, so it can get to the internet.
As an addendum to this, this is what I get when trying to renew:
and this is what I get when trying to create:
Edited January 25, 2021 by Vulkan209
jowi Posted January 25, 2021
Just 'internal error' and 'timeout'. Probably logged somewhere but I don't know where. Not a guru.
certbot: command not found???? Where is certbot?
Edited January 25, 2021 by jowi
mattie112 Posted January 25, 2021
16 minutes ago, jowi said:
Just 'internal error' and 'timeout'. Probably logged somewhere but I don't know where. Not a guru. certbot: command not found???? Where is certbot?

You have to run these commands within your NPM container, please see the posts here: and check a few posts before and after to see if you have the same issue.
jowi Posted January 25, 2021
Ah ok, that works... now I get some more info, firewall issues? DNS records? Don't understand, all worked fine, why is it complaining about this for the certificates now all of a sudden?
[code]
/tmp # certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-2.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.20ten.nl
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain nextcloud.20ten.nl
http-01 challenge for nextcloud.20ten.nl
Cleaning up challenges
Attempting to renew cert (npm-2) from /etc/letsencrypt/renewal/npm-2.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-3.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for documentserver.20ten.nl
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain documentserver.20ten.nl
http-01 challenge for documentserver.20ten.nl
Cleaning up challenges
Attempting to renew cert (npm-3) from /etc/letsencrypt/renewal/npm-3.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-4.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dehef.20ten.nl
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain dehef.20ten.nl
http-01 challenge for dehef.20ten.nl
Cleaning up challenges
Attempting to renew cert (npm-4) from /etc/letsencrypt/renewal/npm-4.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dehef.20ten.nl
   Type:   connection
   Detail: Fetching http://dehef.20ten.nl/.well-known/acme-challenge/4fd7A4LKzcJxFvt4MYbLvSf6OxWUP5Mtd3xn4Su-HHA:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: documentserver.20ten.nl
   Type:   connection
   Detail: Fetching http://documentserver.20ten.nl/.well-known/acme-challenge/hNPkFB8MC8whRSBugq-sa9O73F0phkv1yRIHAzNAxDc:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: nextcloud.20ten.nl
   Type:   connection
   Detail: Fetching http://nextcloud.20ten.nl/.well-known/acme-challenge/uVRln4-qO9gV1eNfm2ys02uvieIT0GPN0SWe1fB-1F8:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
/tmp #
[/code]
mattie112 Posted January 25, 2021
Do you have an ACL configured? I cannot access nextcloud[dot]20ten[dot]nl from here. Or perhaps your external IP changed? Can you access your sites/services through 4G for example? (Here it resolves to 77.248.64.xx and I cannot ping that IP (timeout)) so it seems that indeed letsencrypt cannot access your NPM to verify it is correct.
mgutt Posted January 25, 2021
9 minutes ago, jowi said:
Detail: Fetching http://example.com/.well-known/acme-challenge/4fd7A4LKzcJxFvt4MYbLvSf6OxWUP5Mtd3xn4Su-HHA: Timeout during connect (likely firewall problem)

Disable your wifi on your mobile phone and try to open your domain. As long as this is not possible, the domain and specific deeplink can't be opened by Let's Encrypt to verify the certificate.
jowi Posted January 25, 2021
External IP is correct (77.248.64.xx) but I also can't ping it... DNS A records are also correct and pointing to this IP. Nothing has changed as far as I can see. I will contact my hosting provider to see if there is something wrong there. Wouldn't be the first time. What is ACL?
Edited January 25, 2021 by jowi
mattie112 Posted January 25, 2021
55 minutes ago, jowi said:
External IP is correct (74.248.64.xx) but I also can't ping it... DNS A records are also correct and pointing to this IP. Nothing has changed as far as I can see. I will contact my hosting provider to see if there is something wrong there. Wouldn't be the first time. What is ACL?

ACL = access control list. I thought perhaps you only allow certain IPs to connect. I don't know if this is just a private internet connection but you can do `curl ifconfig.me` to get your external IP through the command line just to confirm.
jowi Posted January 25, 2021
External IP is correct. Also curl ifconfig.me shows the same. According to hosting provider my domains do resolve OK:
https://dnschecker.org/#A/nextcloud.20ten.nl
https://dnschecker.org/#A/dehef.20ten.nl
IP is a cable modem from a local ISP. For the rest everything is working fine here on my side of the modem... pinging to it works fine from my side:
[code]
root@UNRAID:/etc# ping 77.248.64.xx
PING 77.248.64.xx (77.248.64.xx) 56(84) bytes of data.
64 bytes from 77.248.64.xx: icmp_seq=1 ttl=64 time=0.140 ms
64 bytes from 77.248.64.xx: icmp_seq=2 ttl=64 time=0.150 ms
64 bytes from 77.248.64.xx: icmp_seq=3 ttl=64 time=0.122 ms
64 bytes from 77.248.64.xx: icmp_seq=4 ttl=64 time=0.137 ms
64 bytes from 77.248.64.xx: icmp_seq=5 ttl=64 time=0.124 ms
64 bytes from 77.248.64.xx: icmp_seq=6 ttl=64 time=0.166 ms
64 bytes from 77.248.64.xx: icmp_seq=7 ttl=64 time=0.131 ms
^C
--- 77.248.64.xx ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6146ms
rtt min/avg/max/mdev = 0.122/0.138/0.166/0.014 ms
[/code]
Bit lost here on what is going on?
Edited January 25, 2021 by jowi
mattie112 Posted January 25, 2021
27 minutes ago, jowi said:
External IP is correct. Also curl ifconfig.me shows the same. According to hosting provider my domains do resolve OK: https://dnschecker.org/#A/nextcloud.20ten.nl https://dnschecker.org/#A/dehef.20ten.nl But they can't ping the external IP as well. IP is a cable modem from a local ISP. For the rest everything is working fine here on my side of the modem... bit lost here on what is going on?

In case you have not done it before: perhaps reboot your modem? And if you have your own router also reboot that one. Or log in to your router to confirm the port forwarding / firewall settings are still correct. Perhaps Ziggo pushed an update and some settings got reset.
edit: And just to confirm, I cannot ping your IP from home (t-mobiel) or from my VPSes (in NL, DE and USA).
Edited January 25, 2021 by mattie112
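The certbot output above is the http-01 challenge failing at the TCP level: Let's Encrypt has to fetch `http://<domain>/.well-known/acme-challenge/<token>` from the internet, and "Timeout during connect" means nothing answered on port 80 at the address the A record points to. A ping of the WAN address from inside the LAN (ttl=64, 0.1 ms, as in the post above) is answered by the router itself and says nothing about that path. The script below is an added example, not part of the thread, of certbot or of NPM: it parses certbot's IMPORTANT NOTES section into per-domain failures with a defender-side hint per failure type, and it runs the same check certbot's webroot plugin relies on, dropping a random token into the webroot and fetching it back through the public URL (with `urllib` by default, or through any fetcher you pass in, which lets the demo run offline). The notes text, the `example.com` hostnames, the address 203.0.113.7 and the temporary webroot directories are all constructed.

```python
import os
import re
import secrets
import tempfile
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample in the shape of certbot's IMPORTANT NOTES section (not the
# thread's own output; hostnames, tokens and addresses are placeholders).
SAMPLE_NOTES = """IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cloud.example.com
   Type:   connection
   Detail: Fetching http://cloud.example.com/.well-known/acme-challenge/TOKEN1:
   Timeout during connect (likely firewall problem)

 - The following errors were reported by the server:

   Domain: docs.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://docs.example.com/.well-known/acme-challenge/TOKEN2 [203.0.113.7]: 404
"""

# What each http-01 failure type usually means for a proxy behind a home router.
HINTS = {
    "connection": "nothing answered on port 80 from the internet: check the DNS "
                  "A/AAAA record, the router forward to the proxy's HTTP port, "
                  "and any ACL or ISP filtering (a LAN-side ping proves nothing)",
    "unauthorized": "port 80 was reachable but the token was not served: the "
                    "request hit a different vhost or the webroot path is wrong",
    "dns": "the name did not resolve, or resolved to the wrong address",
}

_ENTRY = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+Detail:\s*(?P<detail>.*?)"
    r"(?=\n\s*-\s|\Z)", re.S)


def parse_failures(notes):
    """Return (domain, type, detail, hint) tuples from certbot's notes block."""
    out = []
    for m in _ENTRY.finditer(notes):
        detail = " ".join(m["detail"].split())  # re-join the wrapped Detail line
        hint = HINTS.get(m["type"], "unclassified; read the detail line")
        out.append((m["domain"], m["type"], detail, hint))
    return out


def _http_get(url, timeout=10):
    """Real fetch, used when no other fetcher is supplied."""
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode()


def webroot_self_check(webroot, base_url, fetch=_http_get):
    """Write a random token where certbot's webroot plugin would, fetch it back
    through the public URL and compare. True means the challenge path is both
    reachable and served from this webroot. The token is removed afterwards."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    try:
        body = fetch(f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}")
    except OSError:          # connection refused / timeout / DNS failure
        body = ""
    finally:
        os.remove(path)
    return body.strip() == token


def serving_from(webroot):
    """Fetcher that behaves like a web server with `webroot` as document root
    (used here to run the check offline; a 404 body is returned for misses)."""
    def fetch(url):
        rel = url.split("/", 3)[3]
        try:
            with open(os.path.join(webroot, *rel.split("/"))) as f:
                return f.read()
        except FileNotFoundError:
            return "404 Not Found"
    return fetch


def demo():
    """Offline run of both checks; returns (failures, good_check, bad_check)."""
    failures = parse_failures(SAMPLE_NOTES)
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        good_check = webroot_self_check(good, "http://cloud.example.com", serving_from(good))
        # token written to one directory while the vhost serves another: the
        # shape of the "unauthorized ... 404" failure
        bad_check = webroot_self_check(good, "http://cloud.example.com", serving_from(other))
    return failures, good_check, bad_check


if __name__ == "__main__":
    failures, good_check, bad_check = demo()
    for domain, kind, detail, hint in failures:
        print(f"{domain}: {kind}\n  {detail}\n  -> {hint}")
    print("self-check, matching webroot:", good_check)
    print("self-check, wrong webroot:   ", bad_check)
```

For a live check run `webroot_self_check("/config/letsencrypt-acme-challenge", "http://<your-domain>")` inside the NPM container with no fetcher argument; a True from a host on a different network (mobile data, a VPS) is the precondition for `certbot renew` to succeed, and a False with a timeout reproduces exactly what Let's Encrypt reported here.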
jowi Posted January 25, 2021
The Ziggo modem is in bridge mode, so shouldn't have any port forwarding / firewall etc. I'm using pfSense as router, there is port forwarding configured (1443/180 to https/http 443/80 internally on Unraid for nginx proxy manager). Will reboot the modem anyway.
Edited January 25, 2021 by jowi
mattie112 Posted January 25, 2021
5 minutes ago, jowi said:
The Ziggo modem is in bridge mode, so shouldn't have any port forwarding / firewall etc. I'm using pfSense as router, there is port forwarding configured (1443/180 to https/http 443/80 internally on Unraid for nginx proxy manager). Will reboot the modem anyway.

You can confirm if it is indeed still in bridge mode. And just to confirm, if I ping my parents (also Ziggo) I do get a ping reply (non-bridged modem). If you continue to have issues I think you should start a new topic as this issue is not related to NPM (feel free to tag me there).
jowi Posted January 25, 2021
But to be clear, if you ping nextcloud.20ten.nl, you get a timeout as well?
mattie112 Posted January 25, 2021
7 minutes ago, jowi said:
But to be clear, if you ping nextcloud.20ten.nl, you get a timeout as well?

Confirmed, from within NL, Germany and the USA all timeout.
jowi Posted January 25, 2021
Weird, everything pings fine from here, also, all domains are working fine over 4G on my phone... nextcloud works, I've got a wordpress site that runs etc. All is good as far as I can tell? I don't get it.
Edited January 25, 2021 by jowi
mattie112 Posted January 25, 2021
There really is a connectivity issue on your (provider's) end. From my 4G (Tele2) I cannot ping. So either something is wrong with your router/firewall or your provider has some issues. Also see tools like the one below, but this is simply not a NPM issue: letsencrypt can simply not reach your server.
https://tools.keycdn.com/ping
Oh and perhaps your mobile provider is in the same network (or is the same provider) as your internet connection, perhaps they "simply" have some routing issues.
edit: @jowi it seems to be working now! I do get your nextcloud login page (but I still cannot ping so guessing that is blocked?)
Edited January 25, 2021 by mattie112
jowi Posted January 25, 2021
Yeah I tried some more renewing and recreating certificates, and all of a sudden it worked. Well, for me it always worked, but I now have new certificates... still don't understand why the ping doesn't work, but for me everything is fine... 👍
Edited January 25, 2021 by jowi