# Watchtower Notification Fix Guide ## ๐Ÿšจ **CRITICAL ERROR - CRASH LOOP** **If Watchtower is crash looping with "unknown service 'http'" error:** ```bash # EMERGENCY FIX - Run this immediately: sudo /home/homelab/organized/repos/homelab/scripts/emergency-fix-watchtower-crash.sh ``` **Root Cause**: Using `http://` instead of `ntfy://` in WATCHTOWER_NOTIFICATION_URL causes Shoutrrr to fail with "unknown service 'http'" error. ## ๐Ÿšจ **Issue Identified** ``` error="failed to send ntfy notification: error sending payload: Post \"https://192.168.0.210:8081/updates\": http: server gave HTTP response to HTTPS client" ``` ## ๐Ÿ” **Root Cause** - Watchtower is using `ntfy://192.168.0.210:8081/updates` - The `ntfy://` protocol defaults to HTTPS - Your ntfy server is running on HTTP (port 8081) - This causes the HTTPS/HTTP protocol mismatch ## โœ… **Solution** ### **Option 1: Fix via Portainer (Recommended)** 1. Open Portainer web interface 2. Go to **Stacks** โ†’ Find the **watchtower-stack** 3. Click **Editor** 4. Find the line: `WATCHTOWER_NOTIFICATION_URL=ntfy://192.168.0.210:8081/updates` 5. Change it to: `WATCHTOWER_NOTIFICATION_URL=ntfy://localhost:8081/updates?insecure=yes` 6. Click **Update the stack** ### **Option 2: Fix via Docker Command** ```bash # Stop the current container sudo docker stop watchtower sudo docker rm watchtower # Recreate with correct notification URL sudo docker run -d \ --name watchtower \ --restart unless-stopped \ -p 8091:8080 \ -v /var/run/docker.sock:/var/run/docker.sock \ -e WATCHTOWER_CLEANUP=true \ -e WATCHTOWER_SCHEDULE="0 0 4 * * *" \ -e WATCHTOWER_INCLUDE_STOPPED=false \ -e TZ=America/Los_Angeles \ -e WATCHTOWER_HTTP_API_UPDATE=true \ -e WATCHTOWER_HTTP_API_TOKEN="REDACTED_HTTP_TOKEN" \ -e WATCHTOWER_NOTIFICATIONS=shoutrrr \ -e WATCHTOWER_NOTIFICATION_URL="ntfy://localhost:8081/updates?insecure=yes" \ containrrr/watchtower:latest ``` ## ๐Ÿงช **Test the Fix** ### **Test ntfy Endpoints** ```bash # Run comprehensive ntfy test ./scripts/test-ntfy-notifications.sh # Or test manually: curl -d "Test message" http://localhost:8081/updates curl -d "Test message" http://192.168.0.210:8081/updates curl -d "Test message" https://ntfy.vish.gg/REDACTED_NTFY_TOPIC ``` ### **Test Watchtower Notifications** ```bash # Trigger a manual update curl -H "Authorization: Bearer watchtower-update-token" \ -X POST http://localhost:8091/v1/update # Check logs for success (should see no HTTPS errors) sudo docker logs watchtower --since 30s ``` ## ๐ŸŽฏ **Notification Options** You have **3 working ntfy endpoints**: | Endpoint | URL | Protocol | Use Case | |----------|-----|----------|----------| | **Local (localhost)** | `http://localhost:8081/updates` | HTTP | Most reliable, no network deps | | **Local (IP)** | `http://192.168.0.210:8081/updates` | HTTP | Local network access | | **External** | `https://ntfy.vish.gg/REDACTED_NTFY_TOPIC` | HTTPS | Remote notifications | ### **Recommended Configurations** **Option 1: Local Only (Most Reliable)** ```yaml - WATCHTOWER_NOTIFICATION_URL=ntfy://localhost:8081/updates?insecure=yes ``` **Option 2: External Only (Remote Access)** ```yaml - WATCHTOWER_NOTIFICATION_URL=ntfy://ntfy.vish.gg/REDACTED_NTFY_TOPIC ``` **Option 3: Both (Redundancy)** ```yaml - WATCHTOWER_NOTIFICATION_URL=ntfy://localhost:8081/updates?insecure=yes,ntfy://ntfy.vish.gg/REDACTED_NTFY_TOPIC ``` ## โœ… **Expected Result** - No more "HTTP response to HTTPS client" errors - Successful notifications to ntfy server - Updates will be posted to: http://192.168.0.210:8081/updates ## ๐Ÿ“‹ **Repository Files Updated** - โœ… `common/watchtower-full.yaml` - Fixed notification URL - โœ… `scripts/fix-watchtower-notifications.sh` - Safe fix script - โœ… `docs/WATCHTOWER_SECURITY_ANALYSIS.md` - Security analysis ## ๐Ÿ”— **Related Files** - [Watchtower Security Analysis](WATCHTOWER_SECURITY_ANALYSIS.md) - [Container Diagnosis Report](CONTAINER_DIAGNOSIS_REPORT.md)