natiz Posted April 16, 2017

After reading a bit on certbot I think I understand better: the script runs certbot in standalone mode, so it itself listens on 443 to perform the verification. I did some troubleshooting (built the image w/o the starter script, nginx turned off) from the container itself:

    certbot certonly --verbose --non-interactive --renew-by-default --standalone --preferred-challenges tls-sni --rsa-key-size 4096 --email "[email protected]" --agree-tos -d "x.mydomain.com"

Same error, only this time I ran watch on curl https://localhost, and after a few seconds got this:

    Every 2s: curl -v -k https://localhost
    * Rebuilt URL to: https://localhost/
    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 443 (#0)
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS alert, Server hello (2):
    * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    * Curl_http_done: called premature == 1
    * Closing connection 0
    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

After that certbot finished, and from then on it was connection refused (which is fine). Btw, here's my docker run cmd (router routes both 443 and 80 to 443 and 81):

    docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.com" -e "SUBDOMAINS"="x," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
CHBMB Posted April 16, 2017

Try removing the comma and space after x in the subdomain field. And also could try changing to /mnt/cache/appdata/letsencrypt/ from /mnt/user/appdata/letsencrypt/. And double check you got port 443 open in your router/firewall.
natiz Posted April 16, 2017

Well, I feel a bit ashamed. I tried removing/changing as you suggested, and then I started triple-checking that my router is forwarding as it should. As it turns out, I'm using a VERY old firmware version of DD-WRT (DD-WRT v24-sp2 (12/24/13) std). After some reading, there seems to be a known issue around NAT loopback/port forwarding which was fixed in later versions. There's a workaround available but I decided to upgrade to the latest firmware, which seems to resolve the issue. All is working as expected - thanks @CHBMB
CHBMB Posted April 16, 2017

Jolly good!

Sent from my LG-H815 using Tapatalk
GoodOlCap Posted April 18, 2017 (edited)

Good evening, I hope that one of you can help me. I tried Let's Encrypt today using this guide. I didn't have much trouble with emby and nextcloud (also using no-ip instead of duckdns) but mcmyadmin is giving me a headache. I can reach it but all images, js and css files are missing. I searched this forum and google and found different solutions for similar problems but couldn't get it to work.

    location /mcmyadmin2 {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.178.29:8080/;
    }

This is my code at the moment; I tried adding all sorts of commands to no avail. I read something about using a subdomain but I guess that is not possible on a free dyndns? That is how the interface looks opening it via https://<servername>.ddns.net/mcmyadmin2

Help would be much appreciated!

Edit: I think I solved it! I don't know how but I found this to be working:

    location /mcmyadmin2/ {
        rewrite ^/mcmyadmin2(/.*)$ $1 break;
        proxy_pass http://192.168.178.29:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }

Is doing it like this advisable?

Edited April 19, 2017 by GoodOlCap
heytcass Posted April 19, 2017

Hey guys, I've been banging my head against the wall trying to get this going, but I'm having a bear of a time. I checked in the logs and found a couple of errors:

    certbot: error: argument --cert-path: No such file or directory

and

    Detail: Failed to connect to 192.64.119.116:443 for tls-sni-01

I have ports 443 and 80 passed to 81 on my unRAID box, so that shouldn't be an issue. Is there a way to test that those are going through fine? Any thoughts? Thanks in advance.
CHBMB Posted April 19, 2017

Need to post your docker run command.

Sent from my LG-H815 using Tapatalk
Harro Posted April 21, 2017

I would like to set this docker up but have some issues involving conflicting ports. I have a stand-alone DVR recording 18 security cameras. This DVR has ports 80, 8082 and 443 used for outside access. I have a static IP which the DVR forwards to. I think I can change ports on the DVR and then set the router to forward those ports, but the port 80 for web access gets me messed up with how to distinguish between the DVR internal IP and my other computers on the network. Any help on this or direction would be appreciated.
JonathanM Posted April 21, 2017

47 minutes ago, Harro said:
    Any help on this or direction would be appreciated.

Why do you need 80 externally for this docker? I'm not being a smart alec, I'm genuinely asking. I don't forward anything other than 443.
Harro Posted April 21, 2017

5 minutes ago, jonathanm said:
    Why do you need 80 externally for this docker? I'm not being a smart alec, I'm genuinely asking. I don't forward anything other than 443.

I guess that is what I am confused about. If I use duckdns for a domain to my static IP, any connection to that domain name will open the DVR viewer. How to get other internal IPs on the LAN available to the static IP is where I am confused, whether that be on port 80 or whatever.
JonathanM Posted April 21, 2017

Just now, Harro said:
    Any connection to that domain name will open the DVR viewer.

Not if you use https://your.domain.name. It will go straight to the nginx SSL site.
Harro Posted April 21, 2017

4 minutes ago, jonathanm said:
    Not if you use https://your.domain.name. It will go straight to the nginx SSL site.

Even if that DVR is using port 443? Or can sub-domains be set up?
JonathanM Posted April 21, 2017

1 hour ago, Harro said:
    I think I can change ports on the DVR and then set the router to forward those ports

21 minutes ago, Harro said:
    Even if that DVR is using port 443?

Nope, forward your DVR to another port, 444 or something. Your router should allow you to redirect IP.FOR.DVR:443 to external:444 or something like that, and IP.FOR.UNRAID:443 to external:443. You would then go to https://your.domain.name for nginx, and https://your.domain.name:444 for your DVR. I wouldn't forward port 80 at all, unless your DVR requires it for some function. Much better to use SSL for everything if possible. Subdomain redirection may be possible, as well as possibly reverse proxy to your DVR through nginx, but that gets a little more hairy. Simply pointing your browser to different ports will work easily.
Harro Posted April 21, 2017

2 hours ago, jonathanm said:
    Nope, forward your DVR to another port, 444 or something. Your router should allow you to redirect IP.FOR.DVR:443 to external:444 or something like that, and IP.FOR.UNRAID:443 to external:443. You would then go to https://your.domain.name for nginx, and https://your.domain.name:444 for your DVR. I wouldn't forward port 80 at all, unless your DVR requires it for some function. Much better to use SSL for everything if possible. Subdomain redirection may be possible, as well as possibly reverse proxy to your DVR through nginx, but that gets a little more hairy. Simply pointing your browser to different ports will work easily.

Thanks jonathanm. I have it up and running. Took some time with restarting the router and DVR to new ports, but I think it will be worthwhile in the long run.
dukiethecorgi Posted April 22, 2017

I'm trying to configure this to block access by country. I came across instructions on using the GeoIP module on Ubuntu, but not being very conversant with Linux I'm having trouble getting this to work. Running nginx -V shows "--with-http_geoip_module=dynamic", so it's compiled with the right module, but it doesn't seem to have geoip-database and libgeoip1 installed. Any way to get this working, or do these modules need to be part of the letsencrypt container?
aptalca Posted April 22, 2017

dukiethecorgi said:
    I'm trying to configure this to block access by country. I came across instructions on using the GeoIP module on Ubuntu, but not being very conversant with Linux I'm having trouble getting this to work. Running nginx -V shows "--with-http_geoip_module=dynamic", so it's compiled with the right module, but it doesn't seem to have geoip-database and libgeoip1 installed. Any way to get this working, or do these modules need to be part of the letsencrypt container?

Geoip is an nginx module and is included in this image. You may have to enable it in the nginx config or site config; that I'm not sure about, as I haven't used it myself.
dukiethecorgi Posted April 22, 2017

3 hours ago, aptalca said:
    Geoip is an nginx module and is included in this image. You may have to enable it in the nginx config or site config; that I'm not sure about, as I haven't used it myself.

Hey, got it working! The problem was the location of the GeoIP.dat file: it defaulted to /usr/share/GeoIP/GeoIP.dat, so I created /config/geodata, changed the config, and manually downloaded the data.
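Putting the GeoIP pieces from this exchange together, as an added example (not the poster's config and not the image's default): the dynamic module load, the database at the path the poster chose, and a country allow-list enforced in the site config. The module path, the country codes, the backend address and the certificate paths are assumptions; addresses missing from the database (private LAN ranges, for instance) are assumed to yield an empty country code.

```nginx
# --- nginx.conf, top level, before the http block ---
# Assumed module path: where Alpine nginx packages install dynamic modules.
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;

# --- nginx.conf, inside the http block ---
# Legacy GeoIP country database, at the location chosen in the post above.
geoip_country /config/geodata/GeoIP.dat;

# Allow-list by ISO 3166 country code; anything not listed is refused.
# The codes are an assumption: list the countries your users connect from.
# An address absent from the database (assumed to include LAN ranges) gives
# an empty code, so the "" entry keeps the LAN reachable.
map $geoip_country_code $country_allowed {
    default 0;
    ""      1;
    US      1;
    GB      1;
}

# --- site config, inside the server block that serves 443 ---
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder domain

    # Assumed certificate paths for this image's certbot output.
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    # 444 closes the connection without any response, so a refused client
    # learns nothing about what sits behind the proxy.
    if ($country_allowed = 0) {
        return 444;
    }

    location /app/ {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.20:8080/;             # assumed backend
    }
}
```

The legacy GeoIP.dat databases are no longer updated by MaxMind, so a gate built on them drifts over time; treat it as a coarse noise filter, not as the access control for the proxied apps.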
archedraft Posted April 28, 2017

I have this installed so that I can access certain dockers from an outside network. I was thinking it would be nice to use the reverse proxy for internal network access only. Is there an easy way to have the outside and internal network separate from within this single docker, or would it be best to install a separate nginx docker for internal-only items?
CHBMB Posted April 28, 2017 (edited)

43 minutes ago, archedraft said:
    I have this installed so that I can access certain dockers from an outside network. I was thinking it would be nice to use the reverse proxy for internal network access only. Is there an easy way to have the outside and internal network separate from within this single docker, or would it be best to install a separate nginx docker for internal-only items?

Well you can go to https://$UNRAID-IP/$application and it will work (as long as you're using 443:443) but the SSL won't be valid. Otherwise I can't see how you can get a valid cert for your internal network using LE.

Edited April 28, 2017 by CHBMB
archedraft Posted April 28, 2017

Just now, CHBMB said:
    Well you can go to https://$UNRAID-IP/$application and it will work (as long as you're using 443:443) but the SSL won't be valid. Otherwise I can't see how you can get a valid cert for your internal network using LE.

Yeah, the IP/app_name is what I am looking for. It wouldn't necessarily need to have a valid SSL, as most of them are just http currently. I just do not want to be able to access them through my external IP address.
CHBMB Posted April 29, 2017

Then just put the proxy information in the server block for port 80. Job done.

Sent from my LG-H815 using Tapatalk
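One way to do what CHBMB describes, as an added example rather than anything from the image's default site config: a plain-HTTP server block that proxies the internal-only apps and refuses any client whose source address is not on the LAN, so the same paths stay unreachable through the router's forward of external port 80 to the container. The LAN subnet, the backend addresses and the paths are assumptions.

```nginx
# Added example: internal-only reverse proxy in the port 80 server block
# (e.g. in /config/nginx/site-confs/default, path assumed).
# Assumed LAN subnet 192.168.1.0/24 with two backends on it.
server {
    listen 80;
    server_name _;

    # Source-address gate. A request that arrives via the router's port
    # forward carries a public source address and gets a 403 here; clients
    # on the LAN and the container itself pass through.
    allow 192.168.1.0/24;
    allow 127.0.0.1;
    deny  all;

    # Same proxy header include the other configs on this page use.
    location /app1/ {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.20:8080/;   # assumed backend, plain http
    }

    location /app2/ {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.21:8181/;   # assumed backend, plain http
    }

    # Nothing else is published on this listener.
    location / {
        return 404;
    }
}
```

The gate matches on the connecting address, so a router that does NAT loopback by rewriting LAN-originated connections to its own LAN address would let those through; check that case, and make sure the 443 server block does not also proxy the same paths.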
johnsanc Posted April 29, 2017 (edited)

I am getting this error when trying to connect from outside my home network: NET:ERR_CERT_AUTHORITY_INVALID, but it works fine within my network. I am using HSTS. Nothing has changed from a configuration standpoint to cause this. However, we did just have AT&T out here to install U-verse the other day and they were messing with the gateway. Does this behavior sound like an issue with LetsEncrypt or the gateway/router settings?

EDIT: Think I found the issue. I hate AT&T. Apparently if you use wireless set top boxes they require port 443 and you cannot change that. Ridiculous.
https://forums.att.com/t5/AT-T-Internet-Features/Forwarding-port-443-for-WHS-conflict-with-connectToCiscoAP/td-p/3365983

Edited April 29, 2017 by johnsanc
aptalca Posted April 29, 2017

johnsanc said:
    I am getting this error when trying to connect from outside my home network: NET:ERR_CERT_AUTHORITY_INVALID, but it works fine within my network. I am using HSTS. Nothing has changed from a configuration standpoint to cause this. However, we did just have AT&T out here to install U-verse the other day and they were messing with the gateway. Does this behavior sound like an issue with LetsEncrypt or the gateway/router settings?

    EDIT: Think I found the issue. I hate AT&T. Apparently if you use wireless set top boxes they require port 443 and you cannot change that. Ridiculous.
    https://forums.att.com/t5/AT-T-Internet-Features/Forwarding-port-443-for-WHS-conflict-with-connectToCiscoAP/td-p/3365983

Wow, that is pretty ridiculous. Can you bypass it and use your own router? That's what I did with Verizon. I turned my Verizon modem into a simple bridge and my router behind it gets the DHCP lease directly from Verizon.
johnsanc Posted April 29, 2017

I just removed the rule. The boxes still work fine. I think it's just for pushing updates and stuff. If that rule gets pushed back automatically I'll take more drastic measures to resolve the issue.

Sent from my iPhone using Tapatalk
dalben Posted April 30, 2017

I installed this docker last night and got the following errors. It mentions www.dlink.com but I don't run dlink routers. I do have some dlink webcams that are exposed to the intraweb via the dlink myhome software, but there is no port forwarding of 443 required for that. I'm wondering if letsencrypt is hanging onto a previous cert tied to the IP my domain has at the moment.

    [cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    2048 bit DH parameters present
    SUBDOMAINS entered, processing
    Sub-domains processed are: -d www.<mydomain>
    Generating new certificate
    WARNING: The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for www.dlink.com
    tls-sni-01 challenge for <mydomain>
    /usr/lib/python2.7/site-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
      result_code = _lib.RAND_bytes(result_buffer, num_bytes)
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com", <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com"

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: <mydomain>
       Type:   unauthorized
       Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com"

       Domain: <mydomain>
       Type:   unauthorized
       Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com"

       To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    /var/run/s6/etc/cont-init.d/50-config: line 108: cd: /config/keys/letsencrypt: No such file or directory
    [cont-init.d] 50-config: exited 1.
    [cont-finish.d] executing container finish scripts...
    [cont-finish.d] done.
    [s6-finish] syncing disks.
    [s6-finish] sending all processes the TERM signal.
    [s6-finish] sending all processes the KILL signal and exiting.