Question about SSH Keys in Letsencrypt Docker

Hi all. I’m not certain this is acceptable here, but I’m hoping somebody can point me in the right direction.

I’m running an Unraid server with several dockers, including Homeassistant and Nextcloud, as well as LetsEncrypt as a reverse proxy. It is all running fine.

I’ve recently become interested in utilizing fail2ban, and more specifically I’d like to implement a solution like the one described here: https://community.home-assistant.io/t/ip-blocking-at-pfsense-instead-of-in-hass/115063 Long story short, I’d like fail2ban to tell my pfSense firewall to do the IP blocking.

Since the LetsEncrypt container is already running fail2ban, I’m hoping I can utilize that.

Now, the solution in the document I linked requires generating SSH keys on the fail2ban instance, and then trusting those keys on pfSense. This will allow fail2ban to SSH into pfSense and run a script to ban/unban an IP.

That brings me to my question. How can I generate SSH keys on the LetsEncrypt docker that are persistent when re-deploying the image?

If that is not possible, do you have any other suggestions for a secure way to execute a script on the pfSense box from the LetsEncrypt docker?

Thanks for taking the time to read this and for any feedback you can provide!

The keys are easy. Create a folder under /config and store them there (you can create keys on any machine, they will be a key pair, the public one will go into pfsense, private one to letsencrypt). That folder is persistent. But you also have to install openssh-client inside the image. To make that persistent, you can use the container customization we provide: https://blog.linuxserver.io/2019/09/14/customizing-our-containers/

In short, create the folder /config/custom-cont-init.d and drop a script into it with the following contents:

#!/bin/bash

echo "**** installing ssh client ****"
apk add --no-cache openssh-client

That way, the container will install it on start if it’s not already installed.

Then you can use ssh in scripts.

Oh, excellent! Thank you so much for the clear instructions! I’ll try this out tonight and report back if I have any additional questions or problems.

First, let me apologize because I am not very familiar with linux, and I think that may be hindering me here.

I created the custom-cont-init.d folder, and added a text file named “script” with the contents that you provided. I attempted to force Unraid to re-deploy the docker image by adding a space to one of the parameters and then deleting it. That gave me this output:

Stopping container: letsencrypt

Successfully stopped container 'letsencrypt'

Removing container: letsencrypt

Successfully removed container 'letsencrypt'

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='bridge' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'EMAIL'='tomk@tomk.xyz' -e 'URL'='tomk.xyz' -e 'SUBDOMAINS'='cloud,home,dashboard' -e 'ONLY_SUBDOMAINS'='true' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'PUID'='99' -e 'PGID'='100' -p '55080:80/tcp' -p '55443:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' -v '/mnt/user/appdata/home-assistant/':'/hass':'rw' 'linuxserver/letsencrypt'

abd96f2d5b2ecd787cbf2745d003923c15b1bd6be6a52227108a82492f362e3d

The command finished successfully!

Then I opened a console window for that container and typed ‘ssh’, but was met with this error:

sh: ssh: not found

I take that to mean that OpenSSH was not properly installed. Is there a way to force Unraid to redeploy the container using the custom script?

Please post the container log so we can see if openssh was installed.

https://pastebin.com/5epqapUZ

It looks like you created that file in windows format, which uses carriage returns (\r) and messed up the script.

Either use linux to create the file, or use a text editor like notepad++ in windows and change the format to linux/unix.
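A combined example, added here and not part of the thread or of linuxserver.io's own container scripts: a custom-cont-init.d script that installs openssh-client on start and keeps the key pair under /config as described in the first answer, plus two helpers for the CRLF problem diagnosed just above. It assumes the key path /config/ssh-keys and that the container init executes the script as /config/custom-cont-init.d/<name>, so the install and keygen steps are gated on "$0".

```shell
#!/bin/bash
# Added example (not from the thread or linuxserver.io): install the ssh
# client, keep the key pair under /config, and spot CRLF-damaged scripts.
# Assumed: s6 runs this as /config/custom-cont-init.d/<name>, so "$0" matches.
KEY_DIR="${KEY_DIR:-/config/ssh-keys}"
KEY_FILE="$KEY_DIR/fail2ban_pfsense"

# Return 0 if the file contains a carriage return, i.e. was saved as CRLF.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Rewrite a file in place with LF endings only (what /bin/bash expects).
strip_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print every regular file in a directory that still has CRLF endings.
find_crlf_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] && has_crlf "$f" && echo "$f"
    done
    return 0
}

# Install the ssh client only when it is missing (the image is Alpine/apk).
install_ssh_client() {
    if command -v ssh >/dev/null 2>&1; then
        echo "**** ssh client already installed ****"
    else
        echo "**** installing ssh client ****"
        apk add --no-cache openssh-client
    fi
}

# Generate an ed25519 key pair once; the .pub file is what pfSense trusts.
ensure_keypair() {
    if [ ! -f "$KEY_FILE" ]; then
        mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
        ssh-keygen -t ed25519 -N '' -C "fail2ban@letsencrypt" -f "$KEY_FILE"
        chmod 600 "$KEY_FILE"
    fi
    echo "**** public key to authorize on pfSense: $KEY_FILE.pub ****"
}

# Only do the real work when run by the container init, not when sourced.
case "$0" in
    /config/custom-cont-init.d/*) install_ssh_client && ensure_keypair ;;
esac
```

From the Unraid console, `find_crlf_scripts /mnt/user/appdata/letsencrypt/custom-cont-init.d` lists any script that would fail with "bad interpreter" because of Windows line endings, and `strip_crlf` repairs it.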

Got it… that makes perfect sense. Thank you!