[Support] Djoss - Nginx Proxy Manager


Couldn't see a mention of it in the thread yet, is there any support for DNS authentication for letsencrypt certs?


I needed to carry out an AppData restore last night, but since then, I'm seeing the following in the nginx logs;

[nginx] starting...
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/npm-22/fullchain.pem") failed (SSL: error:********:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

Any ideas what's caused this and how to resolve it, as I can't access remotely at the moment?

 

Thanks.

Edited by WannabeMKII

On 5/30/2019 at 11:40 AM, EmilionDK said:

But is it possible to change the SSL protocols and cipher suite yourself?

And use a 4096-bit Let's Encrypt key?

These settings are currently not configurable...

On 5/30/2019 at 2:16 PM, alturismo said:

Maybe a question about a default www folder, for example to put something there for web downloads ...

Thanks in advance for a tip.

Under settings, you can configure the behaviour of the default site.

On 5/30/2019 at 3:21 PM, eds said:

Any idea where I should start looking? I have an Asus RT-AC68W router running Merlin. What configurations should I have (note the same domain name is being used as dnns in the router)?

dnns? Do you mean dynamic DNS? Do you have anything special in your DNS settings?

On 6/1/2019 at 11:59 AM, colsw said:

Couldn't see a mention of it in the thread yet, is there any support for DNS authentication for letsencrypt certs?

There is currently no support for DNS authentication.

Just now, Djoss said:

dnns? Do you mean dynamic DNS? Do you have anything special in your DNS settings?

Yes.  Yes. No.  

 

But believe it or not, this problem appears to be resolved (for now). I made no changes to my router, but I did change around my NIC, and by mistake I may have fixed this problem.

 

So far so good.  Will update if I have new issues (right now I am about to post to the forum for your cloudberry docker :) )

On 5/30/2019 at 2:51 PM, BlueLight said:

All my subdomains stopped working suddenly. I went through the whole container and could not find any settings that were off. Also, I checked my Cloudflare account; CDN is off and it is only running on DNS.

I get this error when it starts, and it continually shows that error the rest of the time container is running.


nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/npm-12/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/etc/letsencrypt/live/npm-12/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)

Any ideas on how to get this file? I don't even have a letsencrypt folder in my /etc/ dir.

/etc/letsencrypt in the container is mapped to /mnt/user/appdata/NginxProxyManager/letsencrypt/ in unRAID.  Do you see certs there?

15 hours ago, WannabeMKII said:

I needed to carry out an AppData restore last night, but since then, I'm seeing the following in the nginx logs;


[nginx] starting...
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/npm-22/fullchain.pem") failed (SSL: error:********:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

Any ideas what's caused this and how to resolve it, as I can't access remotely at the moment?

 

Thanks.

Looks like the file is not a valid certificate chain.  You can verify the file content at /mnt/user/appdata/NginxProxyManager/letsencrypt/live/npm-22/fullchain.pem

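As an added example (not code from the container, its author, or anyone in this thread), here is a small checker that reads a fullchain.pem the way nginx's OpenSSL loader does, so the two errors quoted in this thread can be told apart: "BIO_new_file ... No such file or directory" means the file is simply absent from the mapped letsencrypt folder, while "PEM routines ... no start line" means the file exists but contains no -----BEGIN CERTIFICATE----- block (typically an empty or half-restored file). The sample bytes, paths and helper names are constructed for the example; it uses only the Python standard library and checks framing only, not signatures, chain order or expiry.

```python
import base64
import binascii
import os
import re

# One PEM certificate block; DOTALL so the base64 body may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _der_sequence_total_length(der: bytes) -> int:
    """Length the outer DER SEQUENCE claims to have (header included)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate body does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_fullchain_text(text: str) -> dict:
    """Parse PEM text; return {'certs': count, 'der_lengths': [bytes per cert]}.

    Raises ValueError with a message that mirrors the OpenSSL diagnostic
    nginx prints for the same condition.
    """
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        # Same condition as "no start line: Expecting: TRUSTED CERTIFICATE".
        raise ValueError("no start line: no -----BEGIN CERTIFICATE----- block found")
    lengths = []
    for i, body in enumerate(bodies, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {i}: invalid base64 ({exc})") from exc
        claimed = _der_sequence_total_length(der)
        if claimed != len(der):           # truncated or padded file
            raise ValueError(
                f"certificate {i}: DER claims {claimed} bytes, block holds {len(der)}"
            )
        lengths.append(len(der))
    return {"certs": len(bodies), "der_lengths": lengths}


def diagnose_text(text: str) -> str:
    """'ok' or the diagnostic string; handy for scripting."""
    try:
        inspect_fullchain_text(text)
    except ValueError as exc:
        return str(exc)
    return "ok"


def diagnose_file(path: str) -> str:
    """Open the file as nginx would; a missing file gives the BIO_new_file message."""
    if not os.path.isfile(path):
        return f"BIO_new_file({path!r}) failed: No such file or directory"
    with open(path, encoding="ascii", errors="replace") as fh:
        return diagnose_text(fh.read())


# Constructed sample: a minimal DER SEQUENCE (not a real certificate) in PEM
# armour, enough to exercise the parser offline.
SAMPLE_DER = bytes.fromhex("3003020101")          # SEQUENCE { INTEGER 1 }
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
TRUNCATED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(SAMPLE_DER[:4]).decode()
                 + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(inspect_fullchain_text(SAMPLE_PEM * 2))       # leaf + intermediate
    print(diagnose_text("restore left this file empty\n"))
    print(diagnose_text(TRUNCATED_PEM))
    print(diagnose_file("/etc/letsencrypt/live/npm-12/fullchain.pem"))
```

On unRAID you would point diagnose_file at /mnt/user/appdata/NginxProxyManager/letsencrypt/live/npm-22/fullchain.pem (the host path from the reply above). A healthy Let's Encrypt fullchain.pem yields two or more certificate blocks; zero blocks is the "no start line" case. For dates and subject, `openssl x509 -in fullchain.pem -noout -subject -dates` prints them for the first certificate in the file.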
4 hours ago, Djoss said:

Under settings, you can configure the behaviour of the default site.

OK, so first it has to be an unknown host, if I read correctly; makes sense.

 

Tried it and always ended up like this when adding /config/www

 

[Screenshot: Setting]

[Screenshot: Browser when using http://ip/blabla, while blabla is located at /config/www]

 

Thanks in advance for a tip.

7 hours ago, Djoss said:

Looks like the file is not a valid certificate chain.  You can verify the file content at /mnt/user/appdata/NginxProxyManager/letsencrypt/live/npm-22/fullchain.pem

Sorry, beginner question, but how do I verify it?

 

Ignore this - I started again from scratch and all is now working fine.

Edited by WannabeMKII
Issue resolved

6 hours ago, Djoss said:

/etc/letsencrypt in the container is mapped to /mnt/user/appdata/NginxProxyManager/letsencrypt/ in unRAID.  Do you see certs there?

I saw some folders and files; in them were some .pem files. Did not investigate further.

 

 

I ended up solving my issue by completely uninstalling and reinstalling. I thought I had tried it without any luck, but I just tried again, and I can add certs now; the container is working again. Before figuring this out, I checked dynamic DNS, Cloudflare DNS CNAMEs, and my router settings, denying it was the container throwing the error. I'm glad it was as simple as uninstalling and reinstalling.

 

Here's what I did:

-Delete container

-Delete appdata (I needed to do it through krusader)

-Delete from "previous apps" in apps tab.

-Reinstall

 

The first time around, I did everything except clear it from Previous Apps.

 

I was thinking about copying files over from old appdata folder, but this container is so easy to use, I'm just going to keep it clean and reinput all the certs and proxies again. 

 

Hope this helps someone!

 

4 hours ago, alturismo said:

OK, so first it has to be an unknown host, if I read correctly; makes sense.

 

Tried it and always ended up like this when adding /config/www

 

[Screenshot: Setting]

[Screenshot: Browser when using http://ip/blabla, while blabla is located at /config/www]

 

Thanks in advance for a tip.

The "Custom Page" option allows you to directly put the HTML content of the page to display.  You cannot point to a folder.


OK, thanks for the info; that means a simple download folder is not possible.

Sent from my SM-G950F using Tapatalk


Hi All - sorry if this has been asked, I did search and did not see an answer... 

How can I reduce logging or enforce log rotation? After only a few weeks NginxProxyManager is generating and keeping a LOT of log files, especially in "appdata\NginxProxyManager\log\letsencrypt\".

Thanks,

 

BR

On 6/10/2019 at 12:52 PM, bertrandr said:

Hi All - sorry if this has been asked, I did search and did not see an answer... 

How can I reduce logging or enforce log rotation? After only a few weeks NginxProxyManager is generating and keeping a LOT of log files, especially in "appdata\NginxProxyManager\log\letsencrypt\".

Thanks,

 

BR

There is no log rotation done currently.  I agree it would be nice to do it.  Could you create an issue for this at https://github.com/jlesage/docker-nginx-proxy-manager/issues ?

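Since the container does not rotate its logs (as the reply above says), here is an added example of doing it from the unRAID host, run from a cron job; it is not a feature of the container or code from its author. It walks the mapped log directory (the path is taken from earlier replies in this thread), copies each *.log into a numbered .gz archive, keeps the newest `keep` archives and truncates the live file in place, the way logrotate's `copytruncate` and `compress` options behave. Copy-then-truncate is used because nginx keeps the old file descriptor open after a rename, so a plain rename would leave it writing to the archive; the trade-off is that lines written between the copy and the truncate are lost. The demo tree and log lines are constructed for the example.

```python
import gzip
import os
import shutil
import tempfile
from typing import List

# Host-side path of the container's /config/log, as given earlier in this thread.
LOG_DIR = "/mnt/user/appdata/NginxProxyManager/log"


def rotate_file(path: str, keep: int = 7) -> List[str]:
    """Copy-truncate one log into path.1.gz, shifting older archives up.

    Returns the archive names now present, newest first. Empty files are
    left alone so an idle proxy host does not accumulate empty archives.
    """
    def archives() -> List[str]:
        return [f"{path}.{n}.gz" for n in range(1, keep + 1)
                if os.path.exists(f"{path}.{n}.gz")]

    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return archives()
    for n in range(keep, 0, -1):                 # .keep.gz is dropped, .n.gz -> .n+1.gz
        src = f"{path}.{n}.gz"
        if not os.path.exists(src):
            continue
        if n == keep:
            os.remove(src)
        else:
            os.replace(src, f"{path}.{n + 1}.gz")
    with open(path, "rb") as fin, gzip.open(f"{path}.1.gz", "wb") as fout:
        shutil.copyfileobj(fin, fout)
    with open(path, "r+b") as fh:                # copytruncate: nginx keeps its fd
        fh.truncate(0)
    return archives()


def rotate_dir(root: str, keep: int = 7) -> int:
    """Rotate every non-empty *.log under root (nginx/ and letsencrypt/ alike)."""
    rotated = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".log"):
                continue                          # skip archives and other files
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > 0:
                rotate_file(full, keep)
                rotated += 1
    return rotated


def demo_rotation(keep: int = 2, rounds: int = 3) -> dict:
    """Constructed run in a temp dir: append a line, rotate, repeat."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "nginx", "proxy-host-1_access.log")
        os.makedirs(os.path.dirname(path))
        for i in range(1, rounds + 1):
            with open(path, "a") as fh:
                fh.write(f"line {i}\n")
            rotate_dir(root, keep)
        files = sorted(os.path.relpath(os.path.join(d, f), root)
                       for d, _, fs in os.walk(root) for f in fs)
        with gzip.open(f"{path}.1.gz", "rt") as fh:
            newest = fh.read()
        return {"files": files, "newest_archive": newest,
                "live_size": os.path.getsize(path)}


if __name__ == "__main__":
    print(demo_rotation())
    # rotate_dir(LOG_DIR, keep=7)   # the real run, e.g. once a day from cron
```

With keep=2 and three rounds, the demo ends with the live log (empty), .1.gz holding "line 3" and .2.gz holding "line 2"; "line 1" has aged out. Lower `keep` or run it more often if the letsencrypt directory is the main offender.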

I've been digging into this trying to get SSL to work for some of my soon-to-be externally accessible sites.

 

I have a mixture of things I want exposed and how to expose them. Some things I want to only expose over my ZeroTier network. Examples are Node-RED and NZBGet, since all the devices I access those things from (basically my laptop) can have the ZeroTier client installed and it works seamlessly. I really don't need SSL on these, but why not?

 

Other containers I want exposed over regular internet (non-ZeroTier network) since I need them accessible from other internet devices (e.g. my MQTT broker which needs to be accessible from internet attached devices not on my LAN).

 

My ZeroTier addresses are in 10.241.0.0/16.  When creating proxy hosts in Nginx Proxy Server, is this just a matter of adding those addresses as aliases? (e.g. 10.241.1.1 and 192.168.1.5 both for same proxy host?) Or am I just totally confused?

 

Would appreciate help in understanding the above.

Edited by tmchow


I've tried to get this going by mucking around. I have the container set up to port 2080 for HTTP and 20443 for HTTPS. I've forwarded ports 80 and 443 on my router to those ports.

 

When I try to create an SSL cert through the Nginx reverse proxy dashboard, I get an "Internal error" dialog after a few seconds. In the error.log there isn't a 1:1 corresponding line for when this error occurs other than:

 

2019/06/29 18:37:01 [notice] 1037#1037: signal process started

 

If I hit "OK" on that error modal and refresh the page, there is a line for the SSL cert. If I then try to use that cert, it fails because it can't find the cert on the disk (presumably due to the "internal error").

 

How do I debug this and get this working?

Edited by tmchow


Anybody managed to get Airsonic working behind nginxproxymanager? The web site comes up, and will play music, but some features don't work (settings tab, downloading to a mobile device). Seems like it's related to a "location" setting, but I haven't found the winner.

On 6/26/2019 at 8:36 PM, Adam64 said:

Love this docker so far!   Having read this article:  https://www.techrepublic.com/article/docker-containers-are-filled-with-vulnerabilities-heres-how-the-top-1000-fared/ I'm wondering about docker security. Any thoughts on that for this docker (as it's internet facing).

Thanks!

By running the same tool as the article:

 

trivy --clear-cache jlesage/nginx-proxy-manager:latest
2019-07-02T07:20:28.768-0400	INFO	Removing image caches...
2019-07-02T07:20:28.826-0400	INFO	Updating vulnerability database...
2019-07-02T07:20:35.328-0400	INFO	Detecting Alpine vulnerabilities...

jlesage/nginx-proxy-manager:latest (alpine 3.8.4)
=================================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| mariadb | CVE-2019-2628    | MEDIUM   | 10.2.24-r0        | 10.2.24.r0    | mysql: InnoDB unspecified      |
|         |                  |          |                   |               | vulnerability (CPU Apr 2019)   |
+         +------------------+          +                   +               +--------------------------------+
|         | CVE-2019-2627    |          |                   |               | mysql: Server: Security:       |
|         |                  |          |                   |               | Privileges unspecified         |
|         |                  |          |                   |               | vulnerability (CPU Apr 2019)   |
+         +------------------+----------+                   +               +--------------------------------+
|         | CVE-2019-2614    | LOW      |                   |               | mysql: Server: Replication     |
|         |                  |          |                   |               | unspecified vulnerability (CPU |
|         |                  |          |                   |               | Apr 2019)                      |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

 

On 6/29/2019 at 9:40 PM, tmchow said:

I've tried to get this going by mucking around. I have the container set up to port 2080 for HTTP and 20443 for HTTPS. I've forwarded ports 80 and 443 on my router to those ports.

 

When I try to create an SSL cert through the Nginx reverse proxy dashboard, I get an "Internal error" dialog after a few seconds. In the error.log there isn't a 1:1 corresponding line for when this error occurs other than:

 

2019/06/29 18:37:01 [notice] 1037#1037: signal process started

 

If I hit "OK" on that error modal and refresh the page, there is a line for the SSL cert. If I then try to use that cert, it fails because it can't find the cert on the disk (presumably due to the "internal error").

 

How do I debug this and get this working?

Double check that accessing port 80 from the Internet reaches the container.  You can use https://www.yougetsignal.com/tools/open-ports/.

Then make sure that your DNS name is properly mapped to the Internet IP of your router.

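The two checks in the reply above (the name resolves to the router's public IP, and port 80 from the Internet reaches the container) are what Let's Encrypt's HTTP-01 validation needs before the "Internal error" can go away. Here is an added pre-flight script for them, not code from Nginx Proxy Manager or from anyone in the thread. It resolves the domain, compares the result with the public IP you expect, then sends a plain HTTP GET to port 80 with the domain as Host header; any HTTP status back (a 404 included) proves a web server answered, which is all the probe needs, since NPM serves the real challenge response itself during issuance. The resolver and HTTP call are injectable so the decision logic runs offline against constructed fakes; the domain and addresses are placeholders.

```python
import socket
from typing import Callable, List

# Arbitrary probe path under the ACME prefix; only reachability matters here.
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"


def resolve_ipv4(name: str) -> List[str]:
    """All IPv4 addresses the name currently resolves to."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def http_status_line(ip: str, host: str, path: str, timeout: float = 5.0) -> str:
    """Plain HTTP/1.1 GET to ip:80 with a Host header; returns the status line."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection((ip, 80), timeout=timeout) as sock:
        sock.sendall(request)
        return sock.recv(512).decode(errors="replace").split("\r\n", 1)[0]


def preflight(domain: str, public_ip: str,
              resolve: Callable[[str], List[str]] = resolve_ipv4,
              http_get: Callable[[str, str, str], str] = http_status_line) -> List[str]:
    """Return findings; an empty list means the HTTP-01 path looks clear."""
    findings: List[str] = []
    try:
        addrs = resolve(domain)
    except OSError as exc:
        return [f"DNS: {domain} does not resolve ({exc})"]
    if public_ip not in addrs:
        findings.append(f"DNS: {domain} resolves to {addrs}, expected {public_ip}")
        return findings                      # probing the wrong host proves nothing
    try:
        status = http_get(public_ip, domain, PROBE_PATH)
    except OSError as exc:
        findings.append(f"PORT 80: nothing answered at {public_ip} ({exc}); "
                        "check the router forward to the container's HTTP port")
        return findings
    if not status.startswith("HTTP/"):
        findings.append(f"PORT 80: reply is not HTTP: {status!r}")
    return findings


# Constructed fakes so the logic can run without a network.
def fake_resolve_ok(name: str) -> List[str]:
    return ["203.0.113.10"]


def fake_resolve_stale(name: str) -> List[str]:
    return ["198.51.100.7"]           # old dynamic-DNS record, for instance


def fake_http_404(ip: str, host: str, path: str) -> str:
    return "HTTP/1.1 404 Not Found"   # a server answered: good enough


def fake_http_refused(ip: str, host: str, path: str) -> str:
    raise ConnectionRefusedError("connection refused")


if __name__ == "__main__":
    for resolve, http_get in ((fake_resolve_ok, fake_http_404),
                              (fake_resolve_stale, fake_http_404),
                              (fake_resolve_ok, fake_http_refused)):
        print(preflight("npm.example.test", "203.0.113.10", resolve, http_get))
```

For the setup described in the question (container on 2080/20443, router forwarding 80 and 443 to them), run it from a machine outside the LAN, or with the real public IP from the router's status page, because many consumer routers do not hairpin their own WAN address. The Let's Encrypt request must also hit port 80 specifically; a forward of 443 alone does not satisfy HTTP-01.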
9 hours ago, bdillahu said:

Anybody managed to get Airsonic working behind nginxproxymanager? The web site comes up, and will play music, but some features don't work (settings tab, downloading to a mobile device). Seems like it's related to a "location" setting, but I haven't found the winner.

You can have a look at the corresponding log file under /mnt/user/appdata/NginxProxyManager/log/nginx/ to have a better understanding of what's happening when you access these locations.

1 hour ago, Djoss said:

By running the same tool as the article:

 


trivy --clear-cache jlesage/nginx-proxy-manager:latest
2019-07-02T07:20:28.768-0400	INFO	Removing image caches...
2019-07-02T07:20:28.826-0400	INFO	Updating vulnerability database...
2019-07-02T07:20:35.328-0400	INFO	Detecting Alpine vulnerabilities...

jlesage/nginx-proxy-manager:latest (alpine 3.8.4)
=================================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| mariadb | CVE-2019-2628    | MEDIUM   | 10.2.24-r0        | 10.2.24.r0    | mysql: InnoDB unspecified      |
|         |                  |          |                   |               | vulnerability (CPU Apr 2019)   |
+         +------------------+          +                   +               +--------------------------------+
|         | CVE-2019-2627    |          |                   |               | mysql: Server: Security:       |
|         |                  |          |                   |               | Privileges unspecified         |
|         |                  |          |                   |               | vulnerability (CPU Apr 2019)   |
+         +------------------+----------+                   +               +--------------------------------+
|         | CVE-2019-2614    | LOW      |                   |               | mysql: Server: Replication     |
|         |                  |          |                   |               | unspecified vulnerability (CPU |
|         |                  |          |                   |               | Apr 2019)                      |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

 

 

Thanks!
