Unraid Docker Swag certbot failed to authenticate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
zeno.hopto.org

I ran this command:
Just checked the swag log after installing

It produced this output:

User UID: 99
User GID: 100
───────────────────────────────────────
Linuxserver.io version: 3.0.0-ls334
Build-date: 2024-11-05T20:25:10+00:00
───────────────────────────────────────

using keys found in /config/keys
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=hopto.org
SUBDOMAINS=zeno
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=czenob@gmail.com
STAGING=false

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Sub-domains processed are: zeno.hopto.org
E-mail address entered: czenob@gmail.com
http validation is selected
Generating new certificate
Account registered.
Requesting a certificate for zeno.hopto.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: zeno.hopto.org
Type: connection
Detail: 34.199.8.144: Fetching http://zeno.hopto.org/.well-known/acme-challenge/KMc74eRdM3XEtcftrc9MR_TAaULMXhSvV1aik3iSzHE: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
no-ip

I can login to a root shell on my machine (yes or no, or I don't know):
yes (I think)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am trying to follow this tutorial to the best of my ability. I'm stuck at the end of step 3, as I get that error in the log.

My router setting says "success!" in the Dynamic DNS section after putting in my NoIP information.
I think I have my TP Link router set up correctly to route external 443 to internal 8443 and external 80 to internal 8180.

I am a complete novice with all of this so I probably sound pretty dumb here, but I appreciate the help if you can.

I'm not familiar with swag but I'm assuming it's this, which appears to be an nginx web server acting as a reverse proxy to other apps etc:

https://hub.docker.com/r/linuxserver/swag

Does your ISP definitely support hosting on TCP port 80? That would be required to do HTTP domain validation. You should start by proving that your server can be reached on TCP port 80 using http, e.g.:

curl -I http://zeno.hopto.org

[from an external network such as mobile data, so you are testing incoming traffic to your router's public IP]

If HTTP domain validation is problematic you may be able to try DNS validation if your DNS provider has a supported DNS API plugin in swag. Your above configuration mentions DNSPLUGIN=cloudflare but you're apparently not using that.

Swag is using certbot, so it's using certbot plugins for dns: GitHub - linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.

4 Likes

I believe it does.

$ curl -Ii http://zeno.hopto.org/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Thu, 07 Nov 2024 03:29:56 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

And Let's Debug gets an "OK" here https://letsdebug.net/zeno.hopto.org/2275022

3 Likes

It does for me now as well, it didn't before.

2 Likes

Good find, but it did not get through earlier. The nginx server replying now will interfere if they keep trying --standalone, though.

3 Likes
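As an added example (not from the thread, and not SWAG or Certbot code), this script reproduces the reachability check suggested above and separates the two failure modes discussed: nothing reachable on port 80 versus a different web server answering the challenge path. The function names, the `serve`/`probe` modes and the `.selfcheck` body are assumptions made for the illustration.

```python
import http.server
import sys
import threading
import urllib.error
import urllib.request

PREFIX = "/.well-known/acme-challenge/"   # path the CA fetches in HTTP-01

def expected_body(token):
    # Constructed marker for this check, not a real ACME key authorization.
    return token + ".selfcheck"

def start_listener(port, token, bind=""):
    """Serve one token file, as certbot's standalone server does for the real challenge."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != PREFIX + token:
                return self.send_error(404)
            data = expected_body(token).encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        def log_message(self, *args):        # keep the console quiet
            pass
    srv = http.server.ThreadingHTTPServer((bind, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(base_url, token, timeout=5):
    """Fetch the token the way the CA would and classify the outcome."""
    url = base_url.rstrip("/") + PREFIX + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode(errors="replace").strip()
            server = resp.headers.get("Server", "?")
    except urllib.error.HTTPError as e:      # something answered, but not with our file
        return f"wrong-responder: HTTP {e.code}, Server={e.headers.get('Server', '?')}"
    except OSError as e:                     # refused, timed out, DNS failure
        return f"connection: {e}"
    if body == expected_body(token):
        return "ok"
    return f"wrong-responder: unexpected body, Server={server}"

if __name__ == "__main__":
    # serve <host-port> <token>   on the server, on the port the router forwards 80 to
    # probe <base-url> <token>    from an outside network such as mobile data
    mode, target, token = sys.argv[1:4]
    if mode == "serve":
        start_listener(int(target), token)
        threading.Event().wait()             # block until Ctrl-C
    else:
        print(probe(target, token))
```

Run `serve` on the host port the router forwards external port 80 to (8180 in the original post) while the SWAG container is stopped, then run `probe http://zeno.hopto.org <token>` from an outside network. A `wrong-responder` result with an nginx `Server` header corresponds to the situation in the reply above, where another web server is answering instead of the temporary listener.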

I'm almost certain that the "A" in SWAG stands for Apache.
So... seeing nginx is unexpected [to me].

1 Like

Step 5 of the instructions they linked say "nginx"

Also this describes nginx: SWAG - LinuxServer.io

2 Likes
