Take any which is free. You have to change on both sides: Router and the container (host port!).
Accessing my OMV nas server outside the house
-
-
OK. This is why I took 8888.
But still no luck.
-
The network looks ok now. Can you provide the logs of the container?
Try connecting to https://<my_duckdns_name>/ and see what you get.
Do the same with http://<my_duckdns_name>/. You should see something.
-
In both cases I get error connection refused. Because the port 80 is closed. But when I go to my router and change both those fields to 80 (now one is 8888 like you said), then the port opens and I can access my OMV via http and get an error on https.
-
I guess this thing will not work out for me. I will just try some other thing, maybe Wireguard or swag.
-
Maybe I'm missing something here, but if you're using duckdns, and you're using the Linuxserver containers of sonarr, etc... Just use linuxserver/swag and reverse proxy them through it, and don't use nginx-proxy-manager.
This is literally a 5sec set up for almost any service once you have duckdns routing through swag properly.
-
But even swag needs the ports to be right. In the whole thread we have not looked into nginx-proxy but tried to get ports right.
Nabukodonosor, if you switch to swag, you have to change the scheme how you use your DNS names. You need a subdomain for each service.
-
Correct.
As for the subdomains... you do but it doesn't really change anything on the part of the end user.. If you set swag to wildcard on subdomains (which is generally recommended).. then you copy your service.subdomain.conf file from the examples in the swag config.... Then all you have to do is put your container on the swag network (usually swag_default)... Then restart swag and wait for it to pull a cert, then restart the container.
You'd then navigate to service.your-subdomain.duckdns.org
The swag folder has dozens of service.subdomain.conf.sample files.. (including for the 3 services the OP is talking about).. so all you need to do is copy them and drop the sample extension... you don't even need to adjust them under most cases
But you're right, if you don't forward 2 ports to swag correctly... you'll never get a cert and none of it will work.
-
OP is using your-subdomain.duckdns.org to access his service and has tried multiple your-subdomains.
-
Well that can be problematic in my experience. Not impossible, just problematic depending on the container. Much easier to do it the way I said.. If that bothers you, purchase a cheap domain (you can get them pretty cheap) and route everything through it.
-
Yes, life can be so easy if you do it right:
- set up a dyndns account somewhere
- make sure it gets the new IP address if it changes (for me every 24 hours)
- get a decent DNS provider
- create a wildcard CNAME entry pointing to the dyndns entry
- install a battle-tested reverse proxy with automatic creation / renewal of SSL certs (swag, traefik, ...)
- make sure you can connect to the admin / status UI of the proxy (does swag have such a thing?)
- make your router forward ports 80 and 443 to the proxy
- set up your containers
- connect your proxy to the containers
Don't touch it for the next years
-
#6 Swag has a park page that lets you verify it is working correctly... all of my services are mapped at service.my-domain.xyz
If I go to my-domain.xyz, I get the swag park page and it is secured w/ SSL. This lets you know swag is working properly.
-
I've tried to install swag docker, but got these errors in the log. I think everything comes from the fact that I can't open port 443.
```
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ () | | ___ _ __ | | / __| | | / \ | | \__ \ | | | () | |_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 998
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
.................................................................................+++++
.......................................................................+++++
writing new private key to '/config/keys/cert.key'
-----
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=998
PGID=100
TZ=Europe/Belgrade
URL=duckdns.org
SUBDOMAINS=marjan-nas,marjan-arr
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=marjan@gmail.com
STAGING=false
grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 8.8.8.8
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Created .donoteditthisfile.conf
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d marjan-nas.duckdns.org -d marjan-arr.duckdns.org
E-mail address entered: marjanbazalac@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for marjan-nas.duckdns.org and marjan-arr.duckdns.org
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: marjan-arr.duckdns.org
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for marjan-arr.duckdns.org - check that a DNS record exists for this domain
Domain: marjan-nas.duckdns.org
Type: unauthorized
Detail: Invalid response from http://marjan-nas.duckdns.org/.well-known/acme-challenge/R7tp2IDWUBhXhqRjTU2xs2sIyqfhdXM7ap6IlZrI_MY [93.86.227.217]: "<!DOCTYPE html>\n<html>\n\t<head>\n\t\t<title>openmediavault - HTTP 404 error</title>\n\t\t<meta charset=\"UTF-8\">\n\t\t<meta http-equiv=\"X-U"
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
```
-
Go step by step:
Can you access https://marjan-nas.duckdns.org or https://marjan-arr.duckdns.org, even if you do not have secure connections and get a browser warning?
You are trying to get certificates for non-existing domain names.
NXDOMAIN looking up A for marjan-arr.duckdns.org
swag works with subdomains, so you would have my-name.duckdns.org as main domain name and nas.my-name.duckdns.org as dns name of your service.
Did you follow the howto for setting up duckdns and swag?
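The two failure types in the certbot output above have different causes: a name that does not resolve, and port 80 being answered by the OMV web interface instead of the challenge responder. As an added example (not from the thread or the swag project), this Python code classifies such records; the sample log, hostnames, IP and token are constructed placeholders, and the cause labels are this example's own.

```python
import re

# Constructed sample modelled on the certbot failure output in the thread
# (hostnames, IP and challenge token are placeholders, not values from the page).
SAMPLE_LOG = r"""Certbot failed to authenticate some domains (authenticator: standalone).
The Certificate Authority reported these problems:
  Domain: arr-example.duckdns.org
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for arr-example.duckdns.org - check that a DNS record exists for this domain
  Domain: nas-example.duckdns.org
  Type:   unauthorized
  Detail: Invalid response from http://nas-example.duckdns.org/.well-known/acme-challenge/TOKEN-PLACEHOLDER [203.0.113.10]: "<!DOCTYPE html>\n<html>\n\t<head>\n\t\t<title>openmediavault - HTTP 404 error</title>"
Hint: The Certificate Authority failed to download the challenge files.
"""

# One Domain/Type/Detail record; also matches logs flattened onto a single line.
RECORD = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+Detail:\s*(?P<detail>.*?)"
    r"(?=\s+Domain:|\s+Hint:|\Z)",
    re.DOTALL,
)
TITLE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def diagnose(log_text):
    """Return a list of (domain, cause, evidence) for each failed ACME challenge."""
    findings = []
    for m in RECORD.finditer(log_text):
        domain, kind, detail = m["domain"], m["type"].lower(), m["detail"]
        title = TITLE.search(detail)
        if kind == "dns" and "NXDOMAIN" in detail:
            cause, evidence = "no-dns-record", "name does not resolve"
        elif kind == "unauthorized" and title:
            # Another web server answered on port 80 instead of the ACME responder.
            cause, evidence = "port-80-reaches-other-service", title.group(1).strip()
        elif kind == "connection":
            # The CA could not open a connection to port 80 at all.
            cause, evidence = "port-80-unreachable", detail.strip()[:80]
        else:
            cause, evidence = "other", detail.strip()[:80]
        findings.append((domain, cause, evidence))
    return findings


if __name__ == "__main__":
    for domain, cause, evidence in diagnose(SAMPLE_LOG):
        print(f"{domain}: {cause} ({evidence})")
```

The page title found in the challenge response names the service that actually received the request, which shows where the router's port 80 forward is pointing.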
-
I can't.
Quote: You are trying to get certificates for non-existing domain names. NXDOMAIN looking up A for marjan-arr.duckdns.org
Yeah, I deleted that one in the meantime, ignore that.
Quote: Did you follow the howto for setting up duckdns and swag?
No, I followed a YouTube tutorial. I will check this one. But the port 443 problem still remains.
-
I think things are moving now! I did the wildcard thing, and set it like this:
```
docker run -d \
  --name=swag \
  --cap-add=NET_ADMIN \
  -e PUID=998 \
  -e PGID=100 \
  -e TZ=Europe/Belgrade \
  -e URL=marjan-nas.duckdns.org \
  -e VALIDATION=duckdns \
  -e SUBDOMAINS=wildcard `#optional` \
  -e CERTPROVIDER= `#optional` \
  -e DNSPLUGIN=cloudflare `#optional` \
  -e PROPAGATION= `#optional` \
  -e DUCKDNSTOKEN=token \
  -e EMAIL=marjan@gmail.com \
  -e ONLY_SUBDOMAINS=true `#optional` \
  -e EXTRA_DOMAINS= `#optional` \
  -e STAGING=false `#optional` \
  -p 450:443 \
  -p 82:80 `#optional` \
  -v /MainPool/Documents/Containers/swag:/config \
  --restart unless-stopped \
  linuxserver/swag
```
And this is the log:
```
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ () | | ___ _ __ | | / __| | | / \ | | \__ \ | | | () | |_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 998
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=998
PGID=100
TZ=Europe/Belgrade
URL=marjan-nas.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=marjan@gmail.com
STAGING=false
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of marjan-nas.duckdns.org will be requested
E-mail address entered: marjanbazalac@gmail.com
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.marjan-nas.duckdns.org
Hook '--manual-auth-hook' for marjan-nas.duckdns.org ran with output:
OKsleeping 60
Hook '--manual-auth-hook' for marjan-nas.duckdns.org ran with error output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2 0 2 0 0 2 0 --:--:-- --:--:-- --:--:-- 2
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/marjan-nas.duckdns.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/marjan-nas.duckdns.org/privkey.pem
This certificate expires on 2022-03-22.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing...
[cont-init.d] 70-templates: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
```
No errors in the log.
-
If you change a container port away from what is standard as defined in the image documentation, expect problems. There is never a need to do this. Did you?
Also, you should provide the full names of any images you are using because there can be many variations available.
-
If it works, redo the setup and get a new duckdns token, or I will take over your domain.
-
I actually didn't use that marjan-nas subdomain, I edited that log, just to be on the safe side.
Oh, I forgot to edit out the token.
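Hand-editing a `docker run` command or container log before posting it is easy to get wrong, as the exchange above shows. As an added example (not from the thread or the swag project), this Python filter replaces token-like environment values, e-mail addresses, ACME challenge paths, IPv4 addresses and duckdns hostnames with stable placeholders; the patterns and the sample text are assumptions constructed for illustration.

```python
import re

# Heuristic patterns (assumptions of this example, not an exhaustive list).
ENV_SECRET = re.compile(r"\b(\w*(?:TOKEN|PASSWORD|SECRET|APIKEY)\w*=)(\S+)", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ACME_PATH = re.compile(r"(/\.well-known/acme-challenge/)[\w-]+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DUCK_HOST = re.compile(r"\b([a-z0-9-]+)(\.duckdns\.org)\b", re.I)

# Constructed sample: command and log lines shaped like those in the thread.
SAMPLE = """\
docker run -d --name=swag -e URL=nas-example.duckdns.org -e VALIDATION=duckdns \\
  -e DUCKDNSTOKEN=00000000-aaaa-bbbb-cccc-000000000000 -e EMAIL=user@example.com linuxserver/swag
Requesting a certificate for *.nas-example.duckdns.org
Invalid response from http://arr-example.duckdns.org/.well-known/acme-challenge/AbC123_x-Y [203.0.113.10]
"""


def redact(text):
    """Replace secrets and identifying values with stable placeholders."""
    hosts = {}

    def host_sub(m):
        # The same real name always maps to the same placeholder,
        # so the redacted log can still be followed by helpers.
        label = hosts.setdefault(m.group(1).lower(), f"host{len(hosts) + 1}")
        return label + m.group(2)

    text = ENV_SECRET.sub(r"\1<REDACTED>", text)
    text = ACME_PATH.sub(r"\1<REDACTED>", text)
    text = EMAIL.sub("<EMAIL>", text)
    text = IPV4.sub("<IP>", text)
    return DUCK_HOST.sub(host_sub, text)


if __name__ == "__main__":
    print(redact(SAMPLE))
```

A token that has already been posted still has to be regenerated, as the reply above says; redaction only helps before the text is published.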
-
I don't understand one thing. If I use 'wildcard' like your link suggested for subdomains, where do I add my subdomains for radarr, sonarr and stuff like that?