September 11, 20205 yr Hello Everybody. I have an unraid server with mutliple fixed IPs (e.g. with the ending .15 for unraid, .16 for nextcloud 1, .17 for nextcloud 2, .18 for windows VM etc.) and now I wanted to set up lets encrypt container for https connection. However, I am not able to configure it the right way and I can't find any tutorials which match my case. I have followed many instructions, created a domain with several subdomains pointing to the unraid server IP, however I struggle with IP forwarding since there is no router to do it - I just have a fixed IP. To the procedure: When I configure letsencrypt with Ports 80 and 443 and the custom network called "proxynet", the container fails to start with the error: 'URL'='alptekin.de' -e 'SUBDOMAINS'='www,cloud' -e 'ONLY_SUBDOMAINS'='true' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'PUID'='99' -e 'PGID'='100' -p '80:80/tcp' -p '443:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' 'linuxserver/letsencrypt' b5048c49965b8301d7ad84b3f674583c5b911f615d553d787334c847a248908a /usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (28ea8b125fda09108bb915b42aa644542626a2da05e89d0d664eaf63fad0ef28): Error starting userland proxy: listen tcp 0.0.0.0:80: bind: address already in use. The command failed. When I set up with different Ports for http and https, e.g. 180 and 1443, the container starts correctly 'URL'='alptekin.de' -e 'SUBDOMAINS'='www,cloud' -e 'ONLY_SUBDOMAINS'='true' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' 'linuxserver/letsencrypt' ce11a06bffa81d45dc3e56683f1bddbd7912263e640d9ec5ea2bc9921a4a3215 The command finished successfully! but there are several errors in the container log: Performing the following challenges: http-01 challenge for cloud.alptekin.de http-01 challenge for www.alptekin.de Waiting for verification... Challenge failed for domain cloud.alptekin.de Challenge failed for domain www.alptekin.de http-01 challenge for cloud.alptekin.de http-01 challenge for www.alptekin.de Cleaning up challenges Some challenges have failed. IMPORTANT NOTES: - The following errors were reported by the server: Domain: cloud.alptekin.de Type: unauthorized Detail: Invalid response from http://cloud.alptekin.de/login [xxx.xxx.xxx.19]: "<!DOCTYPE html>\n<html class=\"ng-csp\" data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\" >\n\t<head\n data-requesttoken=\"sdOZ" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. - The following errors were reported by the server: Domain: www.alptekin.de Type: connection Detail: Fetching http://www.alptekin.de/.well-known/acme-challenge/SCwRkrdGFW8SRRVNevsrbjvTkldoatzXFdEOeQMWx_A: Timeout during connect (likely firewall problem) To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
September 12, 20205 yr 4 hours ago, arnoldnym said: I struggle with IP forwarding since there is no router to do it - I just have a fixed IP. Are you saying that you have a public IP with no firewall assigned to Unraid? Don't do that. Unraid itself is not hardened for internet exposure. You must have another firewall in place. You certainly can expose individual container's specific ports and IP's, just not Unraid's native ports.
September 12, 20205 yr Author 18 hours ago, jonathanm said: Are you saying that you have a public IP with no firewall assigned to Unraid? Don't do that. Unraid itself is not hardened for internet exposure. You must have another firewall in place. You certainly can expose individual container's specific ports and IP's, just not Unraid's native ports. yes, I have several fixed, public IPs, for Unraid and for each container (3 in total) I am running. There is a firewall behind unraid, but I have not much influence on that (I can ask for opening certain ports) but there is no option on port forwarding - that's the reason why I was not able to follow any of those letsencrypt instructions. so back to the original question/problem: what do I have to do, so that I have encrypted connection to all my containers and to unraid itself? Thanks
September 15, 20205 yr So: you have multiple fixed public IPs that your Unraid uses? Do you actually have those configured on Unraid? Depending on what exactly your config is I would suggest to remove them from Unraid and assigning them to a container.
September 15, 20205 yr On 9/12/2020 at 1:29 PM, arnoldnym said: There is a firewall behind unraid yikes!! You want that firewall in front of unraid or you are opening yourself up to some serious issues
September 15, 20205 yr Community Expert On 9/12/2020 at 4:29 PM, arnoldnym said: There is a firewall behind unraid, but I have not much influence on that (I can ask for opening certain ports) but there is no option on port forwarding - that's the reason why I was not able to follow any of those letsencrypt instructions. I am guessing your use of the word "behind" is exactly opposite your meaning, but just in case. 4 hours ago, arnoldnym said: any help/suggestions will be appreciated Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
September 15, 20205 yr Author 2 hours ago, trurl said: I am guessing your use of the word "behind" is exactly opposite your meaning, but just in case. Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread. yes, my mistake. there is a firewall before the server. The current server has only one LAN Port. The containers and VMs have all separated fixed, public IPs such as xxx.xxx.xxx.16, xxx.xxx.xxx.17, xxx.xxx.xxx.18 ... again: by default, all ports are closed and you need to have VPN connection, to access to the unraid server through internet by using its public IP xxx.xxx.xxx.15 The server has only one LAN Port. for other public IPs, such as xxx.16 or xxx.17, I have opened the Ports 80 and 443 so that you can access to the docker containers (e.g. nextcloud) through internet without having any VPN connection. this works so far, however I don't know how to set up secured connection with letsencrypt (currently only http is working, no https). td-srv-diagnostics-20200915-2126.zip Edited September 15, 20205 yr by arnoldnym additional information
Archived
This topic is now archived and is closed to further replies.