linuxserver.io

[Support] Linuxserver.io - Letsencrypt (Nginx)

2184 posts in this topic Last Reply

Recommended Posts

###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://10.20.1.39:8383/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}
/mnt/cache/appdata/letsencrypt/nginx/site-confs#  this is where i modified it and it stopped that error for me.

 

kamhighway

  • Advanced Member
  •  
  • kamhighway
  • Members
  • 2
  • 277 posts

Solved File Upload Size Limitation 

 

I had been fiddling with the LSIO's letsencrypt container to make it work as a reverse proxy for LSIO's Nextcloud.  The reverse proxy works, but file uploads are limited to 10MB.  The solution is to edit the file proxy.conf which for me resides in /mnt/cache/appdata/letsencrypt_lsio/nginx. The first line in that file is:

 

client_max_body_size 10m;

 

Change to:

 

 

 

I hope this helps

  • Like 1

Share this post


Link to post
4 hours ago, aptalca said:

 

Then it's your site config. Without seeing that, we have no idea

 

I found the problem.

I was working outside today and realized, that everything works fine from outside my LAN.

Turns out, my router ignores the port mapping I've created to map 80 from outside to 84 for let'sencrypt (as 80 is the Unraid GUI).

 

Probably going to change the gui port to 8080 so everything works fine even inside my LAN

Edited by Altair
Typo

Share this post


Link to post

Hi,

 

I was using Letsencrypt for about 4 months then had to reset my router and remap my ports and with some extra fiddling around (updated to beta version) I broke it all.

 

Currently having to set it all back up again however i cannot get the docker to start and not sure why.

I am running latest 6.4.0 beta release rc11i and i did read some letsencrypt SSL renewal stuff but here is my container log.

It keeps saying something else is using port 443 but nothing else is and i can change the port to anything it still says 443 is being used.

please help?

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXX
E-mail address entered: XXX
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for XXX
Cleaning up challenges
Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

[s6-finish] sending all processes the KILL signal and exiting.

Here is all my current port mappings,

 

binhex-plex

binhex-sonarr8989 9897

binhex-radarr7878

plexrequests3001

netdata

jackett9117

dolphin8080

openvpn-as943 9444 1194

binhex-teamspeak

headphones8282

binhex-rtorrentvpn3000 5000 9080 9443 8118

filezilla7809 7909

binhex-airsonic4040

letsencrypt 81 443

nextcloud 444

mariadb3306

plexpy8181

deluge

 

Sorry they look rough, as you can see i cannot see what is using "443"

 

On a separate note though my nextcloud when i open the gui it loads my UNraid gui however i do not have the option to map a port apart from the 444 that it already has not sure why it is using UNraid Gui port.

 

Ports are mapped correctly on the router and i use no-ip (ddns.net) also checked ports are open 

 

Any help will be appreciated. 

Share this post


Link to post
2 hours ago, JPDom1 said:

 

Sorry they look rough, as you can see i cannot see what is using "443"

 

Unraid uses 80 & 443 on 6.4.0

 

set lets encrypt to something like 445

 

then on your router forward port 445 -->(to) 443

Edited by MowMdown

Share this post


Link to post
1 hour ago, MowMdown said:

 

Unraid uses 80 & 443 on 6.4.0

 

set lets encrypt to something like 445

 

then on your router forward port 445 -->(to) 443

But doesn't let's encrypt require 443. Every other way ive seen installed it requires that 443 be the port. Going be interesting when 6.4 comes around.

 

 

Share this post


Link to post
15 minutes ago, ijuarez said:

But doesn't let's encrypt require 443. Every other way ive seen installed it requires that 443 be the port. Going be interesting when 6.4 comes around.

 

 

 

The port has to be 443 inside the container and on the router (wan side) so in between those two, it can go through a different port (on unraid host)

 

ie. 443 on the router forwarded to 444 on unraid, and the letsencrypt docker container maps 444to 443

Share this post


Link to post

@MowMdown - if i left it at 6.3.0 i would have been OK then?

Thank you for the info @aptalca & @ijuarez i will go and test it all again tonight after work as i got a error last night on letsencrypt for to many cert renewal attempts. 

On a side note i had to change the network type from host to Br0 to stop the 443 error(got 2 nic's).

will reply once sorted with what i have done.

Share this post


Link to post
7 hours ago, aptalca said:

 

The port has to be 443 inside the container and on the router (wan side) so in between those two, it can go through a different port (on unraid host)

 

ie. 443 on the router forwarded to 444 on unraid, and the letsencrypt docker container maps 444to 443

 

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

 

  • Upvote 1

Share this post


Link to post
1 minute ago, bonienl said:

 

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

 

 

Correct me if i am wrong here @bonienl. Are you saying i can assign a different IP to Letsencrypt and not worry about the port problems? for example my UNraid runs on 192.168.1.2 and i can assign 192.168.1.3 for letsencrypt? is this in the "edit" template of the docker then?

Share this post


Link to post

First you need to change the network type to br0 (or eth0), the new type is automatically detected and added when the docker service is started.

 

Once a custom network is selected, the option appears to set a fixed IP address for this specific container.

 

  • Like 1
  • Upvote 1

Share this post


Link to post
4 hours ago, bonienl said:

 

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

 

 

That's nice, just wondering what prompted unraid to make the gui on 443?

Share this post


Link to post
2 minutes ago, ijuarez said:

 

That's nice, just wondering what prompted unraid to make the gui on 443?

 

To use HTTPS for security and Let’s Encrypt has also been baked if for added authentication (or something to that effect)

Edited by MowMdown
  • Like 1
  • Upvote 1

Share this post


Link to post
3 hours ago, bonienl said:

First you need to change the network type to br0 (or eth0), the new type is automatically detected and added when the docker service is started.

 

Once a custom network is selected, the option appears to set a fixed IP address for this specific container.

 

This explains why the container started when i switched from "host" to "br0" thank you.

 

 

Share this post


Link to post
8 hours ago, MowMdown said:

 

To use HTTPS for security and Let’s Encrypt has also been baked if for added authentication (or something to that effect)

 

Are you sure letsencrypt is added to unraid gui? Or is it just a self cert? 

Share this post


Link to post
23 hours ago, aptalca said:

 

Are you sure letsencrypt is added to unraid gui? Or is it just a self cert? 

 

The cert for https. 

Share this post


Link to post

I got it all back up and running now. Thank you to everyone who advised me where to go the 6.4.0 update surely messed up my LE docker.

 

This is where i am now with my settings for anyone else who has issues

 

Settings - Identification - SSL Certificate settings

 

Use SSL - Auto

HTTP - 8080

HTTPS - 400

 

now access uunRAID GUI with serverrname:8080

 

in the settings when you expand the SSL section it reads this line below so i put my cert in but not sure if it makes a difference.

 

"A Lets Encrypt or other user-generated SSL certificate, must be stored in the file /boot/config/ssl/csrts/certificate_bundle.pem. nginx will prefer ths certificate if present."

 

I run 2 NIC's so my LE docker runs as Host with port 80 & 443 with those ports also forwarded on my router.

 

I did try and run the container with br0 setting for network type however it only assigns the IP when the container runs and it did not stay running for long enough to get the cert and with my stup** vodafone router i have to map ports to an IP or device so it basically just did not work for me. Should work if you have a decent router unlike me.

 

Finally i switched from NO-IP to DUCKDNS and i had to manually update my IP as DUCKDNS did not so to do that just use this URL.

https://www.duckdns.org/update/domainname/token

  

 

Share this post


Link to post
On 2017-11-07 at 10:30 PM, GilbN said:

I'm having some trouble with this. 

 

My jail.local in /config looks like this


# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = false


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=<emailg@gmail.com>]

[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log

And in config/action.d I copied the sendmail-whois.conf to sendmail-whois.local 


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[INCLUDES]

before = sendmail-common.conf

[Definition]

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<username> -ap<password> <dest>

[Init]

# Default name of the chain
#
name = default

But I get this in fail2ban.log 


2017-11-07 22:16:42,999 fail2ban.jail           [310]: INFO    Jail 'nginx-http-auth' started
2017-11-07 22:16:43,001 fail2ban.jail           [310]: INFO    Jail 'nginx-botsearch' started
2017-11-07 22:16:43,002 fail2ban.jail           [310]: INFO    Jail 'nginx-badbots' started
2017-11-07 22:16:43,009 fail2ban.utils          [310]: ERROR   printf %b "Subject: [Fail2Ban] letsencrypt: started on `uname -n`
Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <fail2ban>
To: <email@gmail.com>\n
Hi,\n
The jail letsencrypt has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban <email@gmail.com> -- stderr:
2017-11-07 22:16:43,009 fail2ban.utils          [310]: ERROR    -- stderr: '/bin/sh: syntax error: unexpected end of file'
2017-11-07 22:16:43,009 fail2ban.utils          [310]: ERROR   printf %b "Subject: [Fail2Ban] letsencrypt: started on `uname -n`
Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <fail2ban>
To: <email@gmail.com>\n
Hi,\n
The jail letsencrypt has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban <email@gmail.com> -- returned 2
2017-11-07 22:16:43,010 fail2ban.actions        [310]: ERROR   Failed to start jail 'nginx-http-auth' action 'sendmail-whois': Error starting action Jail('nginx-http-auth')/sendmail-whois

It's like it skips the .local file and uses the sendmail-whois.conf file???

I event completely removed the container and deleted the image and /config folder, but this still happens. 

 

When I bash into the container and do this: 


sendmail -t -v  -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auMYEMAILADDRESS -apMYPASSWORD <mail.txt

it works just fine. 

 

Anyone know whats wrong?

I have the same in my logfile! any solution on this?

Edited by peter_sm

Share this post


Link to post

Hi,

 

I'm having some problem with renewal of my certificate and I haven't got the hang of all the part of a "certificate" and it's proces needed.

 

When I SSH into my unRaid server the tool "certbot" doesn't exist and when I run "certtool" I got stuck on:

root@Muff:/# certtool -u --load-ca-privkey="/mnt/user/appdata/letsencrypt/keys/cert.key" --load-ca-certificate="/mnt/user/appdata/letsencrypt/keys/cert.crt"
Generating a signed certificate...
missing --load-certificate
root@Muff:/# 

I don't know where I can find "--load-certificate".

 

And this is the log from the container:

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d secret.duckdns.org
E-mail address entered: secret@gmail.com
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Nov 23 16:23:28 CET 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/secret.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111

Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for secret.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/secret.duckdns.org.conf produced an unexpected error: Failed authorization procedure. cizco.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.

Running post-hook command: s6-svc -u /var/run/s6/services/nginx ; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/secret.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: secret.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

DuckDNS.org has the correct WAN IP and it gets it's update from my router (ubnt UniFi Security Gateway 3P).

 

Thank you!

Share this post


Link to post
On 11/16/2017 at 5:43 AM, bonienl said:

 

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

 

This feature alone makes 6.4 so worth the wait. As soon as its released I am upgrading my second license just for the heck of it so I have two pro versions for my live and my test machines. 

Share this post


Link to post
13 hours ago, Muff said:

Hi,

 

I'm having some problem with renewal of my certificate and I haven't got the hang of all the part of a "certificate" and it's proces needed.

 

When I SSH into my unRaid server the tool "certbot" doesn't exist and when I run "certtool" I got stuck on:


root@Muff:/# certtool -u --load-ca-privkey="/mnt/user/appdata/letsencrypt/keys/cert.key" --load-ca-certificate="/mnt/user/appdata/letsencrypt/keys/cert.crt"
Generating a signed certificate...
missing --load-certificate
root@Muff:/# 

I don't know where I can find "--load-certificate".

 

And this is the log from the container:


-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d secret.duckdns.org
E-mail address entered: secret@gmail.com
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Nov 23 16:23:28 CET 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/secret.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111

Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for secret.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/secret.duckdns.org.conf produced an unexpected error: Failed authorization procedure. cizco.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.

Running post-hook command: s6-svc -u /var/run/s6/services/nginx ; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/secret.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: secret.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

DuckDNS.org has the correct WAN IP and it gets it's update from my router (ubnt UniFi Security Gateway 3P).

 

Thank you!

 

Looks like you didn't forward the port on your router

Share this post


Link to post

Thanks for developing this docker.

 

I am on Unraid 6.4.0_rc14. Not fully clear to me from reading this thread whether this is making things easier with letsecrypt or more difficult.

 

I have not succeeded yet to set up the docker. Few issues:

 

* Setting the https port in docker settings to 443 does not work (related to 6.4?). Also tried 445, which also doesn't work (though not taken by Unraid). I tried 444, which happens to work. Would love to understand though why 443 and 445 are not working

 

* I cannot access the UI. Log shows me two error message:

certbot: error: argument --cert-path: No such file or directory

 

Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

[s6-finish] sending all processes the KILL signal and exiting.

 

 

I have not forwarded any ports in my router yet, so this may be related? Also, I am not sure whether I can even forward ports in my router as my IPS may restrict this?

Share this post


Link to post
7 minutes ago, steve1977 said:

Thanks for developing this docker.

 

I am on Unraid 6.4.0_rc14. Not fully clear to me from reading this thread whether this is making things easier with letsecrypt or more difficult.

 

I have not succeeded yet to set up the docker. Few issues:

 

* Setting the https port in docker settings to 443 does not work (related to 6.4?). Also tried 445, which also doesn't work (though not taken by Unraid). I tried 444, which happens to work. Would love to understand though why 443 and 445 are not working

 

* I cannot access the UI. Log shows me two error message:

certbot: error: argument --cert-path: No such file or directory

 

Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

[s6-finish] sending all processes the KILL signal and exiting.

 

 

I have not forwarded any ports in my router yet, so this may be related? Also, I am not sure whether I can even forward ports in my router as my IPS may restrict this?

 

 

you have multiple issues to resolve here

in no particular order

 

resolve the webui and container port clash

ensure your dynamic dns address is updated otherwise the domain name won't resolve to your ip

sort out port forwarding as without this nothing will function

Share this post


Link to post

Thanks, that's quite of an issue...

 

Any pointers on the first two issues?

 

And maybe also any thoughts whether there is a tool around that allows me to check whether port forwarding is even possible with my ISP (and if so what ports).

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


Copyright © 2005-2018 Lime Technology, Inc.
unRAID® is a registered trademark of Lime Technology, Inc.