[Request/Done] Let's Encrypt Container


rix

Just a quick question though: if I connect from my local machine to the letsencrypt container using ports 81:80 and 443:443, should I see the nginx default web page, or nothing at all? At the moment Chrome, Edge and Firefox all say connection refused.

 

Many thanks

On 08/05/2017 at 5:42 PM, jfrancais said:

So I have my image passing my web traffic appropriately to my servers. Now I'm trying to get fail2ban implemented to protect them, but I'm a bit confused about how to do so.

 

For example, one of my web servers sits behind the letsencrypt proxy on https and is secured with HTTP auth. I'd like fail2ban to block too many bad attempts to this server, but I'm unsure how. I set nginx-http-auth in the jail file but I get errors when enabling it. And even with it on, I don't see the login failures showing up in the error logs anyway, since the auth is done on the backend server. Does the auth have to be done on the proxy? Any suggestions on how to accomplish this? I'd also like to set up fail2ban to block auth failures for my Nextcloud server.

 

Thanks in advance,

Jared

 

Any chance you can share how you configured your nginx config with the stream module? I am looking to do something similar (VPN traffic -> OpenVPN, and everything else to the appropriate containers).


Okay, I got mine working the way I wanted and thought I would share it here in case anyone else wants to do the same.

 

Background: I want to host an OpenVPN server and a bunch of websites, all over normal TCP/443, because of restrictions in various places I travel to for work where the usual VPN ports are blocked. I had previously set it up like this:

 

Incoming traffic -> OpenVPN -> nginx -> backend web sites

 

as OpenVPN can be configured to pass on requests which are not VPN traffic. This is pretty slow though, and I would get really bad performance on my web sites.

Using the stream module in nginx and SNI, we can instead configure nginx to do the inspection and determine where traffic should end up:

 

Incoming traffic -> nginx -> backend web sites
                          -> OpenVPN

Anything not specified in the stream map section is assumed to be VPN and passed on to the OpenVPN server (listening on port 4443 in my case).

 

Seems to work pretty well, and my sites are now really quick and my VPN works just fine. (Sample nginx config attached.)

All based on a blog post here: http://blog.le-vert.net/?p=224

 

 

Attachment: nginx.conf


Hi guys,

 

If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config?
For Krusader I have the following:

location /krusader {
    include /config/nginx/proxy.conf;
    rewrite ^/krusader$ /krusader/ redirect;
    proxy_pass http://XXX.XXX.XX.XXX:8084/;
}

and all I get is a page with a rolling gear

 

For DokuWiki I have:

location /dokuwiki/ {
    index doku.php;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Proxy "";
    include /config/nginx/proxy.conf;
    proxy_pass http://XXX.XXX.XX.XXX:8087/;
}

I see the landing page (doku.php), but there is no CSS and none of the links work :(

 

Please help!

5 hours ago, izarkhin said:

If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config? [...]


Using the subfolder method with no base URL often causes issues like the missing CSS you mentioned.

I recommend setting a base URL for the apps you are reverse proxying; if that isn't possible, use a subdomain.


 

After the last 2 updates I have not been able to get my container to run. Nothing else has changed to my knowledge besides the update. I am getting the following from my log:

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d xxxxxxxxx.com
E-mail address entered: xxxxxxxxx.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

1 hour ago, greg2895 said:

After the last 2 updates I have not been able to get my container to run. [...]


Check the linuxserver letsencrypt thread

On 26/07/2017 at 6:05 AM, Jessie said:

Has anyone shared letsencrypt on the same network as a small business server?

The issue is that both systems need port 443.

I'm thinking you might be able to config letsencrypt to redirect to the sbs server but not sure how to do it.

 

 


Yes, I have done this. I have a bunch of subdomains all coming in over https and getting routed to different dockers or VMs. In addition I have an OpenVPN server serving over 443, as many places block the standard VPN ports.

 

So the question is how do you handle both incoming VPN traffic as well as a bunch of sub-domains? Some of the incoming traffic is for a Windows server setup and federation with ADFS so might be similar to SBS?

 

There are two ways this can be achieved. The first is to have OpenVPN in front of nginx and use its ability to pass on non-VPN traffic. I had this setup for a few months but the performance was erratic and unstable. It worked, but I would sometimes get timeouts on various websites I was hosting.

 

The second way is to do the routing in nginx using an nginx module called stream, and that is what I have settled on. It works rather well, although it sounds like your situation might be a little easier and the other thread more helpful :)

 

Attached my config.

 

 

Attachment: nginx_sample.conf

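planetwilson's two posts above (the stream/SNI write-up and the reply to Jessie) describe the layout, but the actual configs are forum attachments that are not on this page. The block below is an added example written for this page, not either attachment and not the linuxserver image's shipped config. It shows the minimal shape of that split: a `stream` server owns TCP/443, reads the server name out of the TLS ClientHello with `ssl_preread` without terminating TLS, sends the listed hostnames to a loopback `http` listener that does the TLS termination, and lets everything else (OpenVPN's TCP handshake is not a TLS ClientHello, so it has no SNI) fall through to the VPN. Assumptions: nginx built with the stream and stream_ssl_preread modules, OpenVPN on TCP 4443 as in the post, and placeholder hostnames, backend address and certificate paths.

```nginx
# Added example: route TCP/443 by SNI between web vhosts and OpenVPN.
# Assumes nginx built with --with-stream --with-stream_ssl_preread_module.
# Hostnames, backend address and cert paths are placeholders.

worker_processes auto;
events { worker_connections 1024; }

# stream{} is a top-level block, a sibling of http{}, never nested inside it.
stream {
    # ssl_preread peeks at the ClientHello without decrypting anything, so the
    # private key stays with the http{} server below.
    # OpenVPN-over-TCP does not start with a ClientHello, so for VPN clients
    # $ssl_preread_server_name is empty and the map falls through to default.
    map $ssl_preread_server_name $sni_upstream {
        www.example.com    web;
        cloud.example.com  web;
        default            openvpn;   # anything not listed is treated as VPN
    }

    upstream web     { server 127.0.0.1:8443; }   # our own http{} listener
    upstream openvpn { server 127.0.0.1:4443; }   # OpenVPN TCP listener (post: 4443)

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $sni_upstream;
        proxy_connect_timeout 5s;
        proxy_timeout 1h;                          # long-lived VPN sessions
    }
}

http {
    # Only the stream server may bind :443; the TLS-terminating vhosts live on a
    # loopback port. The stream proxy is opaque, so these vhosts see 127.0.0.1 as
    # the client address (see the note below).
    server {
        listen 127.0.0.1:8443 ssl;
        server_name www.example.com cloud.example.com;

        ssl_certificate     /path/to/fullchain.pem;   # placeholder paths
        ssl_certificate_key /path/to/privkey.pem;

        location / {
            proxy_pass http://192.0.2.10:8080;        # placeholder backend
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two caveats worth knowing before copying this. First, `default openvpn` means a client presenting any unlisted SNI is handed to the OpenVPN listener, which will just fail its handshake; that is the behaviour the post describes, but it also means there is no nginx-side log of those attempts. Second, because the stream server forwards bytes untouched, the `http{}` vhosts log 127.0.0.1 as `$remote_addr`. You cannot fix that with PROXY protocol here, since the same stream server also feeds OpenVPN, which does not understand a PROXY header; keep that in mind if you later feed nginx logs to fail2ban, as the earlier post in this thread wanted to, or you will ban localhost.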
1 minute ago, tcarlsson90 said:

Hello! I'm having some trouble getting letsencrypt to work. I got as far as the Welcome page, but in the log I'm getting the following error: e":"No such container: 5896c2bd3ac6"}

Anyone have an idea why this is? 

 

Thanks

 

Close that browser window and open a new one.  That error means there's no such container anymore, probably because of an update.


 In case anyone is having cert renewal issues, such as this post below:

 

I didn't find a resolution on the unraid forums, so here is the link and resolution from the linuxserver.io forums:

 

https://www.linuxserver.io/2018/01/11/psa-changes-to-our-lets-encrypt-container/

 

Quote

Following a very recent announcement by the Let's Encrypt team regarding a vulnerability that has surfaced relating to the use of the TLS-SNI-01 challenge when validating certificates, we have had to make an emergency change to our image. In short, they have disabled that method of verification until they can properly mitigate the issue.

 

This means that our Let's Encrypt container will not work as we only make use of the TLS-SNI method of certificate validation. With this in mind, we have made the decision to (hopefully) lessen the impact of this issue to our users by making a change to our image which allows certificate validation via HTTP (port 80).

 

We're just awaiting final peer review before we push these changes through our pipeline, so in the meantime we stress that our users try their best not to restart their Let's Encrypt container until we have pushed this change up.

We will update you once the new image is available, and what you need to do to enable HTTP validation.

 

Update: The changes to our image have now been merged. In order to get certificate validation working, you'll need to add the following environment variable to your docker create/run command:

 

-e HTTPVAL=true

 

In the unraid GUI, select 'Edit' in the Lets Encrypt container, and expand 'Advanced Settings' change HTTPVAL variable from 'false' to 'true'

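The PSA quoted above moves the container from TLS-SNI-01 to HTTP validation, which in ACME terms is the HTTP-01 challenge: the CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain port 80 and expects the body to be <token>.<base64url(SHA-256 thumbprint of the account key)>. The Python script below is an added example written for this page; it is not part of the linuxserver image, certbot, or any poster's attachment. It computes that key authorization (RFC 8555 section 8.1, RFC 7638 for the thumbprint), writes it into a webroot, serves it, and fetches it back the way the CA would. `local_self_check()` runs the whole loop offline on a loopback port; `check_token()` can be pointed at a real hostname once you have put the file where your port-80 server serves it. The account JWK is a constructed placeholder, not a real key.

```python
"""HTTP-01 readiness check (added example, not linuxserver/certbot code).

Shows what the CA fetches once validation is done over port 80:
GET http://<domain>/.well-known/acme-challenge/<token> must return
<token>.<base64url(SHA-256(canonical JWK of the account key))>.
"""
import base64
import functools
import hashlib
import json
import os
import secrets
import tempfile
import threading
import urllib.request
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed placeholder account key: only the REQUIRED public members of an
# EC JWK (RFC 7638 section 3.2), which is exactly what the thumbprint covers.
DEMO_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, keys sorted, no whitespace.
    The caller must pass only the required public members."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects back."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, key_auth: str) -> str:
    """Drop the response file where a webroot-style responder would put it."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_auth)
    return path


def fetch_challenge(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Fetch the token the way the CA does: plain HTTP, redirects followed."""
    req = urllib.request.Request(f"{base_url}{CHALLENGE_PREFIX}{token}",
                                 headers={"User-Agent": "http01-selfcheck"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()


def check_token(base_url: str, token: str, key_auth: str) -> bool:
    """True iff the responder at base_url returns exactly the key authorization.
    Point base_url at http://your.domain to test the real port-80 path."""
    try:
        return fetch_challenge(base_url, token) == key_auth
    except (OSError, ValueError):   # HTTPError/URLError are OSError subclasses
        return False


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *_):      # keep the offline demo silent
        pass


def serve_webroot(webroot: str, host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Minimal loopback web server standing in for the container's port 80."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def local_self_check() -> bool:
    """End to end, offline: token -> file in temp webroot -> HTTP -> compare.
    Also confirms an unknown token is NOT accepted."""
    token = b64url(secrets.token_bytes(32))
    key_auth = key_authorization(token, DEMO_JWK)
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, key_auth)
        server = serve_webroot(webroot)
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            good = check_token(base, token, key_auth)
            bad = check_token(base, "no-such-token", key_auth)
        finally:
            server.shutdown()
            server.server_close()
    return good and not bad


if __name__ == "__main__":
    print("loopback HTTP-01 self-check:", "PASS" if local_self_check() else "FAIL")
```

If the loopback run passes but `check_token("http://your.domain", ...)` fails after you have placed the same file under your real webroot, the problem is in front of the container (DNS not pointing at you, port 80 not forwarded to the container's mapped port, or a redirect to https that the responder does not answer), which is the class of failure the "Cert does not exist" message earlier in this thread points at.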
5 minutes ago, vortexrap said:

In case anyone is having cert renewal issues, such as this post below: [...]


Mate, there's a whole support thread dedicated to our Letsencrypt container in these forums, and countless posts about this issue.  No need to bump needless threads about it.

I can't connect with the desktop client to my Nextcloud :/. I can connect via the URL in the browser, but not with my Nextcloud client using the same URL. I get an error "...nextcloud/owncloud/status.php not found". I followed this example:

https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

Can you help me out?
We don't support that tutorial, you'd have to ask the author of it for support.

There is a completely different tutorial on the linuxserver website that I can vouch for as I wrote it.


On 10/18/2017 at 2:50 AM, izarkhin said:

If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config? [...]


So for Krusader - I got it to work (fixed the rolling gear) by copying the settings from the Nginx section in https://guacamole.apache.org/doc/gug/proxying-guacamole.html

(Note the docker runs guacamole.)

location /guacamole/ {
    proxy_pass http://HOSTNAME:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
}

 

On 3/6/2018 at 2:01 AM, dazzathewiz said:

So for Krusader - I got it to work (fixed the rolling gear) [...]


Wow, it worked! Thank you SO MUCH!
