[Support] Djoss - Nginx Proxy Manager


Djoss


Hm that is strange (perhaps restart your container?)

 

But yes, you should be able to do it from the CLI. Again, SSH to your Unraid and do:

docker exec -it NginxProxyManager sh

(If your container has a different name, use that; you can see it on the web UI from Unraid.)

 

In your container do:

certbot renew
or
certbot renew --force-renewal

This will renew everything, or use the --cert-name flag to only do the ones you need.

 

edit:

I would restart my container after doing this.

Edited by mattie112
Link to comment

@Rejserr, the web server is not starting because of the missing certificate file.  If the certbot command suggested by @mattie112 doesn't fix the problem, you should try to edit the file under /mnt/user/appdata/NginxProxyManager/nginx/proxy_host/ that contains the following lines:

  ssl_certificate /etc/letsencrypt/live/npm-9/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-9/privkey.pem;

And comment them:

#  ssl_certificate /etc/letsencrypt/live/npm-9/fullchain.pem;
#  ssl_certificate_key /etc/letsencrypt/live/npm-9/privkey.pem;

 

Link to comment
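
An added example, not part of the original posts or of the Nginx Proxy Manager project: a POSIX shell function that lists the active ssl_certificate and ssl_certificate_key directives in the proxy host files whose target file does not exist, which is the condition described above that stops the web server from starting. The function name, the directory argument and the optional path prefix are assumptions for illustration; the prefix is left empty when the script runs where the /etc/letsencrypt paths are valid.

```shell
#!/bin/sh
# Added example (not NPM's own tooling).
# find_missing_certs CONF_DIR [ROOT_PREFIX]
#   CONF_DIR    directory holding the proxy host *.conf files
#   ROOT_PREFIX optional prefix put in front of each certificate path
#               (assumption: empty inside the container)
find_missing_certs() {
    conf_dir=$1
    root=${2:-}
    for conf in "$conf_dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Print the path argument of every active directive; lines that
        # start with '#' are already commented out and do not match.
        sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;]*\);.*/\2/p' "$conf" |
        while IFS= read -r path; do
            [ -e "$root$path" ] || printf '%s: missing %s\n' "$conf" "$path"
        done
    done
}

# Stand-alone use: sh script.sh CONF_DIR [ROOT_PREFIX]
if [ "$#" -gt 0 ]; then
    find_missing_certs "$@"
fi
```

Each reported file is one where the two directives would need a renewed certificate or the commenting-out described above.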

Hey guys, has your NPM updated to 2.7.1? I'm stuck at 2.6.2. Tried force update, tried remove and reinstall, tried setting :latest as a tag.
Nothing worked.


EDIT* Now I realised this isn't the official Docker image, I'll have to wait until this image is updated to 2.7.1 :)

Edited by skois
Link to comment

Ok, for the past few days I've been trying to get a cert and keep getting the following error:

 

Quote

Internal Error

 

Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-23" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "irc.spectralforceservers.net"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for irc.spectralforceservers.net
Using the webroot path /config/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain irc.spectralforceservers.net
http-01 challenge for irc.spectralforceservers.net
Cleaning up challenges
Some challenges have failed.
    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)

 

If anyone has a resolution or could shed some light on the subject, it would be greatly appreciated.

 

Note: I have tried the renew certbot command previously mentioned.  Thanks in advance for any help.

Link to comment
10 hours ago, mattie112 said:

Can you check the logfile mentioned: /var/log/letsencrypt/letsencrypt.log

(this file exists in your docker container so docker exec -it NginxProxyManager sh and then cat /var/log/letsencrypt/letsencrypt.log)

 

Also:

Is this the only domain that fails or does everything fail?

@mattie112   I haven't tried any other domain as I haven't needed any others.  As for the log file, I can add it here as long as there's no sensitive info in it.

Link to comment
On 11/20/2020 at 11:56 AM, skois said:

Hey guys, has your NPM updated to 2.7.1? I'm stuck at 2.6.2. Tried force update, tried remove and reinstall, tried setting :latest as a tag.
Nothing worked.


EDIT* Now I realised this isn't the official Docker image, I'll have to wait until this image is updated to 2.7.1 :)

Container image has been updated.

Link to comment
On 11/20/2020 at 12:43 PM, skois said:

Also, if anyone could explain when to use Websocket Support and Cache Assets (or what are the benefits/cons of using them). Thanks!

WebSocket support must be enabled only when your proxied application requires it.

When enabling Cache Assets, some assets, like images, will be served by NPM instead of your proxied application.  I guess this can provide some performance improvements when a lot of them need to be loaded.

Link to comment
I have enabled it on all, didn't see any problems or any difference when disabled, so I left it on! But I'll keep an eye if I have any problem

Thanks!!


Link to comment

I have linuxserver's letsencrypt (now SWAG) container working just fine but would like to switch over to this as it makes adding entries so much easier through the UI. I also followed Spaceinvaderone's video of setting up each container that needs to be proxied via a custom proxynet network interface. Is this still necessary? Any other considerations for migrating over? Anything like fail2ban in here?

Edited by nimaim
Link to comment
On 11/23/2020 at 8:48 AM, mattie112 said:

Perhaps you can try `certbot renew --dry-run` just to see if that works? Or perhaps `certbot --test-cert` to verify letsencrypt could be reached.

 

And just to be really sure: can you ping from within the NPM container to the internet?

@mattie112

 

Getting back to this.  I can ping from the container.  When I do the dry run, it says Certbot is already running.

 

I get the following error from the log 

Quote

 

2020-11-30 09:56:46,228:DEBUG:acme.client:Storing nonce: 0003zHntUKE9Oxgxpsq2L1IDEF4VMp9I5SDSoDg3GCK8AHw
2020-11-30 09:56:46,228:WARNING:certbot._internal.auth_handler:Challenge failed for domain irc.spectralforceservers.net
2020-11-30 09:56:46,229:INFO:certbot._internal.auth_handler:http-01 challenge for irc.spectralforceservers.net
2020-11-30 09:56:46,229:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: irc.spectralforceservers.net
Type:   unauthorized
Detail: Invalid response from http://irc.spectralforceservers.net/.well-known/acme-challenge/vxRjJMhh-i5YTWmGUfElTq9CLZQrqNrmZKE1pWMI8OI [172.98.192.36]: "<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://irc.spectralfor"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-11-30 09:56:46,229:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

 

My CNAME and duckdns.org url are linked.  Thanks for your help!

Link to comment

So it seems that letsencrypt cannot access the file it wants. When I go to the website mentioned I get redirected to a site "survey-smiles" (with a huge alert from MalwareBytes) so I can only assume that letsencrypt faces the same issue.

 

If you go to your site do you end up correctly? (Assuming the survey-smiles thing is not yours).

 

And just for fun, here is the output of that domain:

 

xx@xx:~# curl irc.spectralforceservers.net
<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://irc.spectralforceservers.net/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQ<removed>TUsInRzIjoxNjA2NzQ5MjE1MzI2OTIyfQ.iwTewrvuWy6FWsN3bbD0pVnXh36dwDhFwp0Hamm07RY&sid=9db9<removed>cc3238fa');</script></body></html>

So yes, your site does issue a redirect (the same happens with /.well-known/acme-challenge/somerandomstring)

Edited by mattie112
Link to comment
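
An added example (not from the thread): the response quoted in the certbot log is a page whose redirect is performed by JavaScript in the body, so the validator reads HTML where it expects the plain challenge text. The function below classifies a fetched body against the expected text; `classify_challenge_body`, its verdict words and the probe values are illustrative names, and the sample body is the truncated one quoted in the log above.

```shell
#!/bin/sh
# Added example (not certbot's or NPM's own code).
# classify_challenge_body EXPECTED BODY -> prints one verdict word:
#   match | client-side-redirect | html-page | empty | mismatch
classify_challenge_body() {
    expected=$1
    # Strip CR/LF so a trailing newline does not count as a difference.
    body=$(printf '%s' "$2" | tr -d '\r\n')
    if [ "$body" = "$expected" ]; then
        echo match
        return 0
    fi
    case $body in
        *window.location*|*http-equiv*)
            # The redirect only happens in a browser that runs the page.
            echo client-side-redirect ;;
        *'<html'*|*'<HTML'*|*'<!DOCTYPE'*|*'<!doctype'*)
            echo html-page ;;
        '')
            echo empty ;;
        *)
            echo mismatch ;;
    esac
}

# Body as quoted (and truncated) in the certbot log above.
SAMPLE_BODY="<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://irc.spectralfor"

# Stand-alone demo: sh script.sh --demo
# The expected text here is a constructed placeholder, not a real token.
if [ "${1:-}" = "--demo" ]; then
    classify_challenge_body "constructed-token.constructed-thumbprint" "$SAMPLE_BODY"
fi
```

For a live check, the second argument can be the output of the same kind of curl request shown above, fetched for a probe file whose content is passed as the first argument.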
15 minutes ago, mattie112 said:

So it seems that letsencrypt cannot access the file it wants. When I go to the website mentioned I get redirected to a site "survey-smiles" (with a huge alert from MalwareBytes) so I can only assume that letsencrypt faces the same issue.

 

If you go to your site do you end up correctly? (Assuming the survey-smiles thing is not yours).

 

And just for fun, here is the output of that domain:

 


xx@xx:~# curl irc.spectralforceservers.net
<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://irc.spectralforceservers.net/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQ<removed>TUsInRzIjoxNjA2NzQ5MjE1MzI2OTIyfQ.iwTewrvuWy6FWsN3bbD0pVnXh36dwDhFwp0Hamm07RY&sid=9db9<removed>cc3238fa');</script></body></html>

So yes, your site does issue a redirect (the same happens with /.well-known/acme-challenge/somerandomstring)

Yeah that's definitely wrong.  I'll try changing the subdomain and see if that works.

 

Even with a new subdomain it still is going to that smiles survey, which is weird. Should I contact my domain provider at this point?

Edited by Spectral Force
Link to comment
On 11/30/2020 at 4:24 PM, Spectral Force said:

Yeah that's definitely wrong.  I'll try changing the subdomain and see if that works.

 

Even with a new subdomain it still is going to that smiles survey, which is weird. Should I contact my domain provider at this point?

I would suggest doing that, yeah. It seems not to resolve correctly (or at least what you expect).

On 11/30/2020 at 9:55 PM, muwahhid said:

Tell me, how can I get a certificate for one domain, but several ports? 
mydomain.com
ports: 443, 444, 445?

You don't

Your external ip: 1.1.1.1

Your NPM: 192.168.1.1

You forward external:80 and external:443 to NPM

 

Then you can do:

domainA.com -> 1.1.1.1

domainB.com -> 1.1.1.1

domainC.com -> 1.1.1.1

 

NPM can then do:

If I get some connection that wants domainA.com -> go to 192.168.1.2:1234

domainB.com -> 192.168.1.123:80

domainC.com -> 192.168.1.1:9234

 

So NPM is your only "visible" endpoint and that takes care of multiple hosts / subdomains

 


Edited by mattie112
Link to comment
