[Main Repo] [Support] Linuxserver.io - Letsencrypt (Nginx)
#81
I seem to be running into a problem with my attempt to set this up. I have a static IP, which I set up on Cloudflare for DNS, and I'm running Docker on a Synology DS1513+. I did manage, on another network, to get Let's Encrypt all set up on an unRAID server, so I didn't think it would be a big deal to set it up on a Synology, but I may have been wrong. Full disclosure: I'm relatively new to both Docker and Linux.

What I'm trying to accomplish is to have the nginx proxy point to a different server on my network. When I try to connect to either my top level or a subdomain from either inside the network or a remote system, I get a 521 error.

I'm connected to the Synology through SSH and due to being new to Docker, I'm not sure how to get my config files available to paste into here, so I guess that's where I need to start.
Reply
#82
Hey all.. I've been running this image for a while now without issue. But, I decided to try changing to a wildcard cert today. I pulled the most recent image, updated my docker compose and dns config and updated the container.

It appears to work, but then throws an error saying to check the validation error above - but there are no validation errors.

build_version: Linuxserver.io version:- 139 Build-date:- April-27-2018-22:06:54-UTC

Any ideas?

le log (I've attached the full le log here as well).
Code:
le             | 2018-04-29T16:54:15.228690086Z Performing the following challenges:
le             | 2018-04-29T16:54:15.238047339Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238085071Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238090178Z Unsafe permissions on credentials configuration file: /config/dns-conf/digitalocean.ini
le             | 2018-04-29T16:54:16.523142000Z Waiting 10 seconds for DNS changes to propagate
le             | 2018-04-29T16:54:26.534836161Z Waiting for verification...
le             | 2018-04-29T16:54:30.185131883Z Cleaning up challenges
le             | 2018-04-29T16:54:46.170727929Z IMPORTANT NOTES:
le             | 2018-04-29T16:54:46.250348556Z  - Congratulations! Your certificate and chain have been saved at:
le             | 2018-04-29T16:54:46.250445899Z    /etc/letsencrypt/live/mydomain/fullchain.pem
le             | 2018-04-29T16:54:46.253021957Z    Your key file has been saved at:
le             | 2018-04-29T16:54:46.253059746Z    /etc/letsencrypt/live/mydomain/privkey.pem
le             | 2018-04-29T16:54:46.253064950Z    Your cert will expire on 2018-07-28. To obtain a new or tweaked
le             | 2018-04-29T16:54:46.253069538Z    version of this certificate in the future, simply run certbot
le             | 2018-04-29T16:54:46.253073599Z    again. To non-interactively renew *all* of your certificates, run
le             | 2018-04-29T16:54:46.253077573Z    "certbot renew"
le             | 2018-04-29T16:54:46.253088918Z  - If you like Certbot, please consider supporting our work by:
le             | 2018-04-29T16:54:46.253097379Z
le             | 2018-04-29T16:54:46.253101610Z    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
le             | 2018-04-29T16:54:46.253106190Z    Donating to EFF:                    https://eff.org/donate-le
le             | 2018-04-29T16:54:46.253110181Z
le             | 2018-04-29T16:54:46.261602398Z ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/digitalocean.ini file.


The docker compose file:
Code:
 letsencrypt:
   image: linuxserver/letsencrypt
   container_name: le
   ports:
     - 443:443
     - 80:80
   volumes:
     - /opt/appdata/letsencrypt:/config
     - /opt/appdata/organizr/www:/fail2ban:ro
   restart: always
   depends_on:
     - tautulli
     - nzbget
     - sonarr
     - radarr
     - delugevpn
   environment:
     - PUID=1002
     - PGID=1002
     - EMAIL=my@email
     - URL=myserver
     - SUBDOMAINS=wildcard
     - ONLY_SUBDOMAINS=true
     - VALIDATION=dns
     - DNSPLUGIN=digitalocean
     - DHLEVEL=4096
     - TZ=America/New_York


Attached Files
.txt   lelog.txt (Size: 24.76 KB / Downloads: 0)
Reply
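An added example, not part of the post above or of the linuxserver image: the log in that post contains certbot's `Unsafe permissions on credentials configuration file` warning, and this script extracts the flagged path from such a log, maps it to the host side of the `/config` bind mount shown in the compose file, and restricts loose `.ini` files to their owner. The function names are hypothetical, and treating group bits (not only world bits) as unsafe is a stricter choice made for this example.

```shell
#!/bin/sh
# Added example. Assumption: the container's /config is a bind mount of a host
# directory, as in the compose file above (/opt/appdata/letsencrypt:/config).

# Log line as quoted in the post (container-side path).
sample_log() {
    cat <<'EOF'
le             | 2018-04-29T16:54:15.238090178Z Unsafe permissions on credentials configuration file: /config/dns-conf/digitalocean.ini
le             | 2018-04-29T16:54:16.523142000Z Waiting 10 seconds for DNS changes to propagate
EOF
}

# Read log text on stdin; print each flagged credentials path once.
flagged_paths() {
    sed -n 's/.*Unsafe permissions on credentials configuration file: *//p' | sort -u
}

# Translate a container path under /config to the host side of the bind mount.
# $1 = container path, $2 = host directory mounted at /config
to_host_path() {
    case "$1" in
        /config/*) printf '%s/%s\n' "${2%/}" "${1#/config/}" ;;
        *) return 1 ;;   # not inside the mounted volume
    esac
}

# List *.ini files under $1 that grant any group or other permission bit.
# The octal tests are spelled out so this works with any POSIX find.
loose_ini_files() {
    find "$1" -type f -name '*.ini' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# chmod 600 every loose credentials file under $1; print how many were changed.
tighten_ini_files() {
    loose_ini_files "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf '%s\n' "$f"
    done | wc -l | tr -d ' '
}

# Demo: show where the flagged file lives on the Docker host.
for p in $(sample_log | flagged_paths); do
    to_host_path "$p" /opt/appdata/letsencrypt
done
```

On the Docker host, `loose_ini_files /opt/appdata/letsencrypt/dns-conf` lists the API-token files that other local accounts can read, and `tighten_ini_files` on the same directory fixes them.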
#83
Hello,
I'm a newbie at this, so please help. I tried installing the Calibre-web docker container from technosoft2000/calibre-web and it works. I can access it at ip-address:8083. Then I want to set up a reverse proxy using linuxserver/letsencrypt so I can access it at the IP address without the port. But I do not know where to put the sentence below. I saw this sentence at linuxserver/calibre-web.

Code:
location /calibre-web {
        proxy_pass http://<your-ip>:8083;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        # tells the app which subfolder it is served under
        proxy_set_header X-Script-Name /calibre-web;
}
Reply
#84
I'm missing something somewhere. I've been trying to get linuxserver/letsencrypt to work for 3 weeks now. Here's my environment. I have mydomain.net being hosted at host4geek.com, I've set up a Let's Encrypt Cert for my domain using their cpanel. I'm trying to set up the let's encrypt docker container at my house on my ESXi server in an Ubuntu VM.

I have port 80 and 443 port forwarded to the Ubuntu server IP.
The container is set up for 80:80 and 443:443.
In DNS I have an A record pointing to the hosted mydomain.net
I want to set up proxy.mydomain.net 
URL=mydomain.net
ONLY_SUBDOMAINS=True
SUBDOMAINS=proxy
I get the error message:
Fail:
Domain: fredbrodeur.net                                                      
   Type:   unauthorized                                                         
   Detail: Invalid response from                                                
   http://mydomain.net/.well-known/acme-cha...ERICSTRING:

How do I fix this? And I use DynDNS for my DNS. Do I need to create an A record there for the subdomain or a redirect on my hosted server?
The containers you guys have created are absolutely awesome and this Noob is learning a lot. Thank you for all of your hard work.

Fred
Thank you for your help

Fred
Reply
#85
(25-05-2018, 04:11 AM)FredBro Wrote: I'm missing something somewhere. I've been trying to get linuxserver/letsencrypt to work for 3 weeks now. Here's my environment. I have mydomain.net being hosted at host4geek.com, I've set up a Let's Encrypt Cert for my domain using their cpanel. I'm trying to set up the let's encrypt docker container at my house on my ESXi server in an Ubuntu VM.

I have port 80 and 443 port forwarded to the Ubuntu server IP.
The container is set up for 80:80 and 443:443.
In DNS I have an A record pointing to the hosted mydomain.net
I want to set up proxy.mydomain.net 
URL=mydomain.net
ONLY_SUBDOMAINS=True
SUBDOMAINS=proxy
I get the error message:
Fail:
Domain: fredbrodeur.net                                                      
   Type:   unauthorized                                                         
   Detail: Invalid response from                                                
   http://mydomain.net/.well-known/acme-cha...ERICSTRING:

How do I fix this? And I use DynDNS for my DNS. Do I need to create an A record there for the subdomain or a redirect on my hosted server?
The containers you guys have created are absolutely awesome and this Noob is learning a lot. Thank you for all of your hard work.

Fred

Never mind! I got it to finally work!! Woooohooooo!!!  Big Grin Big Grin Big Grin
Thank you for your help

Fred
Reply
#86
And for my next issue. I have Sonarr working and removed .sample from the proxy config file. Now I've also got nzbget created and discovered there is no proxy .sample file for it.
So I stole the sabnzbd.subfolder.conf.sample file and tweaked it for nzbget. Hope I did it right. Can someone check my work please?

location /nzbget {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_nzbget nzbget;
    proxy_pass http://$upstream_nzbget:6789;
}

Thank you for giving me the opportunity for an education in this stuff. I've been learning a LOT.

Fred
Thank you for your help

Fred
Reply
#87
Code:
## Version 2018/04/20 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    server_name cloud.mydomain.com;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name cloud.mydomain.com;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

    ##  QNAP Web UI
    #####################
    location /ui {
    #    proxy_set_header X-Real-IP         $remote_addr;
    #    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    #    proxy_set_header X-Forwarded-Proto https;
    #    proxy_set_header X-Forwarded-Host  $http_host;
    #    proxy_set_header Host              $http_host;
        include /config/nginx/proxy.conf;
        proxy_pass                         http://192.168.1.11:444;
    #    proxy_redirect                     http:// https://;
    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;    
#    }
#}

# enable subdomain method reverse proxy confs
#include /config/nginx/proxy-confs/*.subdomain.conf;
Hi everyone!
I am new to these forums, having just started working with Docker/containers, and rather new to Linux as well. I wouldn't call myself technically challenged, but I am definitely still learning and realize there's a long way to go. I recently bought a QNAP NAS and for the last week or so have been setting it up. Just thought I should give a bit of background before I started with the problem.

So I am trying to set up an NGINX reverse proxy container. I have gotten to the point (which isn't very far, I am afraid) where I am able to see the default welcome page. The Letsencrypt cert and the port 80 to port 443 redirect seem to be working (green lock and all) regardless of whether I enter an http or https based URI.

The next thing I am trying to achieve is the ability to access QNAP's Web UI. Currently, I access the Web UI remotely through an open port (444) in my router - cloud.mydomain.com:444 or locally through the NAS IP. What I am looking to do is to access QNAP Web UI through something like cloud.mydomain.com/admin.

Following are the things I have done. Due to my lack of understanding, I will try and go into as much detail as possible - apologies in advance if some of it is useless/redundant:
1. Created the container via the command line using the instructions from here.
2. Forwarded port 80 and port 443 on my router
3. Disabled the QNAP's built-in server (Apache??)
4. Changed the default SSL port on NAS to 444. Currently have that forwarded in my router as well so that I can access the Web UI remotely. Will close this port once I am able to fix the problem.
5. I already have a domain set up in Google Domains which points to my site hosted on AWS. I created a subdomain and set up dynamic DNS through the Google Domains DNS page. I am using the docker container (dragoncube/google-domains-ddns).
6. Tried copy pasting various 'headers' in the .conf file.
7. Hoping and praying in vain

Anyway.. can someone point out where I am going wrong? On paper, it shouldn't be too difficult to achieve what I am trying to do but I am failing miserably here.. help highly appreciated..

My .conf file is attached.. the only things I changed in the default file were to uncomment the port 80/HTTPS redirect section and to add a "location" mimicking the included example in the file.
Reply
#88
Hey all,

I'm new here, but I'm at the point where I really need to stop bashing my head against the wall and seek help for this. I'm doing my best to set up an automated media server from my home pc. I've gotten it to the point where it works pretty much perfectly... internally. I have containers for Transmission-vpn, Sonarr, Radarr, Jackett, Ombi, etc.

However, I really want to be able to access some of these containers externally as well (ombi) or view the status of my downloads in an Android app like nzb360 (which supports sonarr, radarr, transmission).

I was really excited when I came across the linuxserver/letsencrypt Docker image (as I am on a Win10 pc and am unable to use alternatives like Traefik because I can't chmod permissions for the acme.json key file -- but that's another topic), and the setup/config for it seemed pretty straightforward.

In terms of the domain itself, I purchased a domain name from Google Domains and transferred it to Cloudflare DNS. There I set up some A records (www.*, *.domain.net) and CNAME records for the subdomains for each container I want to make available externally.

I have also forwarded both ports 80 and 443 on my dd-wrt router.

I'm using docker-compose to make it a lot easier to test changes and bring up/down the containers as I go. Here is the compose entry for letsencrypt (minus sensitive info [email, domain name, etc]):

Code:
 letsencrypt:
   image: linuxserver/letsencrypt
   container_name: le
   ports:
     - "80:80"
     - "443:443"
   volumes:
     - ${CONFIG}/letsencrypt:/config
   restart: always
   depends_on:
     - transmission-vpn
     - sonarr
     - radarr
     - ombi
     - jackett
   environment:
     - PUID=${PUID}
     - PGID=${PGID}
     - EMAIL=email@gmail.com
     - URL=domain.net
     - SUBDOMAINS=tv,movies,downloads,requests,ombi,transmission,radarr,sonarr,jackett
     - ONLY_SUBDOMAINS=false
     - VALIDATION=dns
     - DNSPLUGIN=cloudflare
     - DHLEVEL=4096
     - TZ=America/Los_Angeles

My \letsencrypt\nginx\site-confs\default file looks like this:


Code:
# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name domain.net;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

And I've renamed the subdomain files I want to use under \proxy-confs\

To my eye, all of that looks like it *should* be working and allowing me to access sonarr from "sonarr.domain.net" -- but instead I get "ERR_CONNECTION_TIMED_OUT" page.

I can ping sonarr.domain.net -- and it returns a reply, along with my valid WAN IP. But I can't reach it in a browser window, and I have no idea what the cause of the issue is.

I'm not sure if it's related to the letsencrypt proxy set up, but cert creation does work successfully and it starts the server. Is there something I missed?

If anyone can help me figure this out, I would be eternally grateful. I've spent the past week or two staying up late trying to get all of this set up correctly, and I feel like I'm so close. 

Thanks in advance!

-Adam
Reply
#89
(18-06-2018, 10:39 PM)ablaine Wrote: Hey all,

I'm new here, but I'm at the point where I really need to stop bashing my head against the wall and seek help for this. I'm doing my best to set up an automated media server from my home pc. I've gotten it to the point where it works pretty much perfectly... internally. I have containers for Transmission-vpn, Sonarr, Radarr, Jackett, Ombi, etc.

However, I really want to be able to access some of these containers externally as well (ombi) or view the status of my downloads in an android app like nzb360 (which supports sonarr, radar, transmission).

I was really excited when I came across the linuxserver/letsencrypt Docker image (as I am on a Win10 pc and am unable to use alternatives like Traefik because I can't chmod permissions for the acme.json key file -- but that's another topic), and the setup/config for it seemed pretty straightforward.

In terms of the domain itself, I purchased a domain name from google domains and transferred it to Cloudflare DNS. There I set up some A records (www.*, *.domain.net) and CNAME records for the subdomains for each container I want to make available externally.

I have also forwarded both ports 80 and 443 on my dd-wrt router.

I'm using docker-compose to make it a lot easier to test changes and bring up/down the containers as I go. Here is the compose entry for letsencrypt (minus sensitive info [email, domain name, etc]):

Code:
 letsencrypt:
   image: linuxserver/letsencrypt
   container_name: le
   ports:
     - "80:80"
     - "443:443"
   volumes:
     - ${CONFIG}/letsencrypt:/config
   restart: always
   depends_on:
     - transmission-vpn
     - sonarr
     - radarr
     - ombi
     - jackett
   environment:
     - PUID=${PUID}
     - PGID=${PGID}
     - EMAIL=email@gmail.com
     - URL=domain.net
     - SUBDOMAINS=tv,movies,downloads,requests,ombi,transmission,radarr,sonarr,jackett
     - ONLY_SUBDOMAINS=false
     - VALIDATION=dns
     - DNSPLUGIN=cloudflare
     - DHLEVEL=4096
     - TZ=America/Los_Angeles

My \letsencrypt\nginx\site-confs\default file looks like this:


Code:
# main server block
server {
listen 443 ssl default_server;

root /config/www;
index index.html index.htm index.php;

server_name domain.net;

# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;

# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;

client_max_body_size 0;

location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
}

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php7-cgi alone:
fastcgi_pass 127.0.0.1:9000;
# With php7-fpm:
#fastcgi_pass unix:/var/run/php7-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}


# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp;
# }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name cp.*;
#
# include /config/nginx/ssl.conf;
#
# client_max_body_size 0;
#
# location / {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050;
# }
#}


# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

And I've renamed the subdomain files I want to use under \proxy-confs\

To my eye, all of that looks like it *should* be working and allowing me to access sonarr from "sonarr.domain.net" -- but instead I get "ERR_CONNECTION_TIMED_OUT" page.

I can ping sonarr.domain.net -- and it returns a reply, along with my valid WAN IP. But I can't reach it in a browser window, and I have no idea what the cause of the issue is.

I'm not sure if its related to the letsencrypt proxy set up, but cert creation does work successfully and it starts the server. Is there something I missed? 

If anyone can help me figure this out, I would be eternally grateful. I've spent the past week or two staying up late trying to get all of this set up correctly, and I feel like I'm so close. 

Thanks in advance!

-Adam
I would suggest to scroll back your config and see if you can get the basic container running first with the sample pages supplied. Then once this is running, you can start to add your reverse proxies in.

I will say, none of our images are tested on Windows, so there is very limited support we can actually provide and YMMV with them.


Reply

