https access to Tautulli web interface?


319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
I am having trouble getting https (SSL) (with Let's Encrypt certs) access to the Tautulli web interface to work under Docker.
Here's what I have done; where did I go wrong?

Installed Tautulli, web access is at port 8181, and using http it works just fine using http://my_own_non_Synology_related_domain.com:8181

Exported the Let's Encrypt certificate files (since I can't find where the NAS stores them, dammit) cert.pem, chain.pem, privkey.pem, and copied them to a directory, /volume1/lecerts

In Tautulli settings, Web Interface, I unchecked "create a self-signed certificate."

I set the https domain to my_own_non_Synology_related_domain.com, set the https IPs to the static WAN and static LAN addresses of the NAS, put /volume1/lecerts/cert.pem in "Location of HTTPS Certificate," put /volume1/lecerts/chain.pem in "The location of the SSL certificate chain," and put /volume1/lecerts/privkey.pem in "The location of the SSL key."

When I then try to connect using a browser to https://my_own_non_Synology_related_domain.com, I get an error. And the Tautulli log says:

"Tautulli WebStart :: Disabled HTTPS because of missing certificate and key. "

Any idea what I'm missing here?
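
The log line in the post above reports a missing certificate and key at the configured paths. As an added example (not from the thread and not Tautulli's own code), this shell check reports whether cert.pem, chain.pem and privkey.pem are present, readable and of the expected PEM type, and flags a private key that group or others can read. The function names and the sample directory are assumptions; run it in the same environment as Tautulli (for a Docker install, inside the container) so it sees the paths Tautulli sees.

```shell
#!/bin/sh
# Added example: preflight for the three PEM paths entered in Tautulli's
# settings. Function names and the sample directory are hypothetical.

# Print one status word for PATH, expected to hold KIND (cert|key).
check_pem() {
    path=$1; kind=$2
    [ -e "$path" ] || { echo missing; return 0; }
    [ -r "$path" ] || { echo unreadable; return 0; }
    case $kind in
        cert) label='^-----BEGIN CERTIFICATE-----' ;;
        key)  label='^-----BEGIN .*PRIVATE KEY-----' ;;
    esac
    grep -q -e "$label" "$path" || { echo wrong-type; return 0; }
    if [ "$kind" = key ]; then
        # Characters 5-10 of the mode string are the group/other bits.
        [ "$(ls -lnL "$path" | cut -c5-10)" = "------" ] || { echo loose-perms; return 0; }
    fi
    echo ok
}

# Report on cert.pem, chain.pem and privkey.pem in DIR; non-zero if any fails.
check_tls_dir() {
    dir=$1; rc=0
    for entry in cert.pem:cert chain.pem:cert privkey.pem:key; do
        status=$(check_pem "$dir/${entry%%:*}" "${entry##*:}")
        echo "${entry%%:*}: $status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample directory: PEM stubs, not real certificates or keys.
SAMPLE=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' '-----END CERTIFICATE-----' > "$SAMPLE/cert.pem"
cp "$SAMPLE/cert.pem" "$SAMPLE/chain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed)' '-----END PRIVATE KEY-----' > "$SAMPLE/privkey.pem"
chmod 644 "$SAMPLE/privkey.pem"   # exported key left readable by everyone
check_tls_dir "$SAMPLE" || echo "fix the items above, then re-run on the real directory"
```

Against the directory from the post, the call would be `check_tls_dir /volume1/lecerts`; a `missing` result there means the path does not exist from that environment's point of view.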
 

Rusty

Moderator
NAS Support
2,282
684
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
@akahan guessing you are running Tautulli in Docker? If so, why not run it using the built-in reverse proxy if you already have a custom domain?
 
Yes. Excellent idea. Of course, I screwed up a couple times adding tautulli.mydomain.com to the cert, and reached the maximum attempts permitted by Let's Encrypt(!), so now I have to wait a while...
 

Rusty

Are you running LE in Docker as well? I switched to a wildcard cert from LE just so I can have a single cert for all my subdomain needs.
 
No, running LE from the Synology native interface. Maybe running from within docker will be next month's project...
 

Rusty

Aha, yes, that's a bit limiting then. Main reason why I switched to Docker LE. Not using it as a reverse proxy, just for creating and renewing. Using that wildcard on multiple NAS as well, so there is no need to reissue each NAS cert. After that I just import it to all of them and case closed.

If you are looking into multiple custom subdomain apps being accessed from the web, a wildcard might be a way to go.

I have a one-liner ready if you need a hand, as well as a few other steps that need to be done in order to protect your domain with Cloudflare and use it as an alternative method of LE validation, so you don't have to open port 80/443 for renewal as well.
 
Ha! Worked! Thanks, Rusty!
 
I have one NAS that functions as a web server, open to the internet, so its ports 80 and 443 are open anyway. That's the one that obtains and renews the LE certs, and then I just export them from that one to the others.
 
If you run a swarm cluster, you can deploy Traefik as a global service on all nodes; it acts as a reverse proxy and uses etcd3 as a backend to share the certificate among the instances. The beauty is that it leverages Docker events to automatically create/remove proxy rules, based on container or swarm deploy labels you add to the target service. Traefik will take care to create and extend the LE certificates for each subdomain or a wildcard domain.
 
traefik sounds intriguing, but I have a strict policy of not running programs that are smarter than I am.
 
