[BUG] 1.6.11 clean not docker installation failure

[wgh-control]

What happened?

Clean setup fails in process of installation, installation script downloaded from github on June 20, 2026

How to reproduce?

I have Ubuntu 24.04 LTS server running on VM. Its just installed and updated, nothing installed yet, i just got 1.6.11 installation bash script with quick start manual, using this command:
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.11/install-bunkerweb.sh

I'm starting installation, not as a docker, but as application, since i have to use external PGSQL cluster and external REDIS cluster. I answer almost everywhere default answers except questions about redis and pgsql, so i answered YES on questions about CrowdSec and CrowdSec App installation. And it face me to an error.

Configuration file(s) (yaml or .env)

n/a

Relevant log output

[INFO] Installing BunkerWeb 1.6.11

[STEP] Installing NGINX on Debian/Ubuntu
[CMD] apt update
Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
**EDITED - PRIVATE Ubuntu repo proxy redacted** 
Get:5 https://esm.ubuntu.com/apps/ubuntu noble-apps-security InRelease [8,371 B]
Get:6 https://esm.ubuntu.com/apps/ubuntu noble-apps-updates InRelease [8,220 B]
Get:7 https://esm.ubuntu.com/infra/ubuntu noble-infra-security InRelease [8,235 B]
Get:8 https://esm.ubuntu.com/infra/ubuntu noble-infra-updates InRelease [8,213 B]
Fetched 33.0 kB in 1s (28.1 kB/s)    
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
[CMD] apt install -y curl gnupg2 ca-certificates lsb-release
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (8.5.0-2ubuntu10.9).
curl set to manually installed.
ca-certificates is already the newest version (20260601~24.04.1).
ca-certificates set to manually installed.
lsb-release is already the newest version (12.0-2).
lsb-release set to manually installed.
The following packages were automatically installed and are no longer required:
  libfwupd2 libgusb2
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  gnupg2
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,752 B of archives.
After this operation, 32.8 kB of additional disk space will be used.
Get:1 http://ru.archive.ubuntu.com/ubuntu noble-updates/universe amd64 gnupg2 all 2.4.4-2ubuntu17.4 [4,752 B]
Fetched 4,752 B in 0s (25.1 kB/s)  
Selecting previously unselected package gnupg2.
(Reading database ... 89260 files and directories currently installed.)
Preparing to unpack .../gnupg2_2.4.4-2ubuntu17.4_all.deb ...
Unpacking gnupg2 (2.4.4-2ubuntu17.4) ...
Setting up gnupg2 (2.4.4-2ubuntu17.4) ...
Processing triggers for man-db (2.12.0-4build2) ...
Scanning processes...                                                                                                                                                                                                                                                                                                                           
Scanning linux images...                                                                                                                                                                                                                                                                                                                        

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
[CMD] apt install -y ubuntu-keyring
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ubuntu-keyring is already the newest version (2023.11.28.1).
ubuntu-keyring set to manually installed.
The following packages were automatically installed and are no longer required:
  libfwupd2 libgusb2
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[CMD] apt update
Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
**EDITED - PRIVATE Ubuntu repo proxy redacted**                                          
Get:4 http://nginx.org/packages/ubuntu noble InRelease [3,278 B]    
Hit:5 https://esm.ubuntu.com/apps/ubuntu noble-apps-security InRelease 
**EDITED - PRIVATE Ubuntu repo proxy redacted**          
Hit:7 https://esm.ubuntu.com/apps/ubuntu noble-apps-updates InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu noble-infra-security InRelease
Hit:9 https://esm.ubuntu.com/infra/ubuntu noble-infra-updates InRelease
Get:10 http://nginx.org/packages/ubuntu noble/nginx amd64 Packages [39.8 kB]
Fetched 43.1 kB in 1s (44.2 kB/s)   
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
[CMD] apt install -y nginx=1.30.2-1~noble
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfwupd2 libgusb2
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  nginx
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,203 kB of archives.
After this operation, 3,867 kB of additional disk space will be used.
Get:1 http://nginx.org/packages/ubuntu noble/nginx amd64 nginx amd64 1.30.2-1~noble [1,203 kB]
Fetched 1,203 kB in 1s (971 kB/s)
Selecting previously unselected package nginx.
(Reading database ... 89266 files and directories currently installed.)
Preparing to unpack .../nginx_1.30.2-1~noble_amd64.deb ...
----------------------------------------------------------------------

Thanks for using nginx!

Please find the official documentation for nginx here:
* https://nginx.org/en/docs/

Please subscribe to nginx-announce mailing list to get
the most important news about nginx:
* https://nginx.org/en/support.html

Commercial subscriptions for nginx are available on:
* https://nginx.com/products/

----------------------------------------------------------------------
Unpacking nginx (1.30.2-1~noble) ...
Setting up nginx (1.30.2-1~noble) ...
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
Processing triggers for man-db (2.12.0-4build2) ...
Scanning processes...                                                                                                                                                                                                                                                                                                                           
Scanning linux images...                                                                                                                                                                                                                                                                                                                        

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
[CMD] apt-mark hold nginx
nginx set on hold.
[INFO] NGINX 1.30.2-1~noble installed successfully

========================================
CrowdSec Security Engine Installation
========================================

[STEP] Installing CrowdSec security engine
--- Step 1: Add CrowdSec repository and install engine ---
[STEP] Adding CrowdSec repository and installing engine
[CMD] sh /tmp/bw-crowdsec-install.NPzHj8
Detected operating system as ubuntu/24.
Detected apt version as 2.8.3
Checking for gpg...
Detected gpg...
Checking for curl...
Detected curl...
Scanning processes...                                                                                                                                                                                                                                                                                                                           
Scanning linux images...                                                                                                                                                                                                                                                                                                                        

Importing packagecloud gpg key... 

Packagecloud gpg key imported to /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg

Installing /etc/apt/sources.list.d/crowdsec_crowdsec.list...


[CMD] apt install -y crowdsec
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfwupd2 libgusb2
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  crowdsec
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 36.1 MB of archives.
After this operation, 120 MB of additional disk space will be used.
Get:1 https://esm.ubuntu.com/apps/ubuntu noble-apps-security/main amd64 crowdsec amd64 1.4.6-6ubuntu0.24.04.2+esm2 [36.1 MB]
Fetched 36.1 MB in 3s (11.9 MB/s)    
Selecting previously unselected package crowdsec.
(Reading database ... 89304 files and directories currently installed.)
Preparing to unpack .../crowdsec_1.4.6-6ubuntu0.24.04.2+esm2_amd64.deb ...
Unpacking crowdsec (1.4.6-6ubuntu0.24.04.2+esm2) ...
Setting up crowdsec (1.4.6-6ubuntu0.24.04.2+esm2) ...
I: Registering to LAPI (/etc/crowdsec/local_api_credentials.yaml)
I: Registering to CAPI (/etc/crowdsec/online_api_credentials.yaml)
I: Setting up offline hub (see README.Debian)
I: Enabling upstream-recommended items, first installation (via symlinks from /etc/crowdsec)
I: Enabling WAL for SQLite [fstype=ext4] (see README.Debian)
Created symlink /etc/systemd/system/multi-user.target.wants/crowdsec.service → /usr/lib/systemd/system/crowdsec.service.
W: Restarting manually to force a CAPI pull (upstream #2120)
Scanning processes...                                                                                                                                                                                                                                                                                                                           
Scanning linux images...                                                                                                                                                                                                                                                                                                                        

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
[INFO] CrowdSec engine installed
--- Step 2: Configure log acquisition for BunkerWeb ---
[STEP] Configuring CrowdSec to parse BunkerWeb logs
[INFO] Wrote BunkerWeb acquisition config to: /etc/crowdsec/acquis.d/bunkerweb.yaml
--- Step 3: Update hub and install core collections/parsers ---
[STEP] Updating hub and installing detection collections/parsers
INFO[20-06-2026 09:58:19] Wrote new 577828 bytes index to /var/lib/crowdsec/hub/.index.json 
INFO[20-06-2026 09:58:20] update for collection crowdsecurity/linux available (currently:?, latest:0.2) 
FATA[20-06-2026 09:58:20] unable to find collections 'bunkerity/bunkerweb'

BunkerWeb version

1.6.11

What integration are you using?

Linux

Linux distribution (if applicable)

Ubuntu server 24.04 LTS

Removed private data

• I have removed all private data from the configuration file and the logs

Code of Conduct

• I agree to follow this project's Code of Conduct

[TheophileDiot]

Hi @wgh-control,
Thank you for opening this issue. Did you already have CrowdSec installed beforehand ? (I'm asking this because the parser is fairly recent).

[wgh-control]

@TheophileDiot
Hi,
no i just installed clean Ubuntu 24.04 server with no any additional packages, just clean ubuntu, apt-get update just after installation and Ubuntu pro has been enabled. Nothing more.

[TheophileDiot]

Hi @wgh-control,

Thanks for the detailed logs, they make the cause pretty easy to pin down.

This isn't actually the bunkerity/bunkerweb collection being missing from the Hub. The collection is there and up to date. The real problem is which CrowdSec engine ended up getting installed on your VM. This line is the giveaway:

Get:1 https://esm.ubuntu.com/apps/ubuntu noble-apps-security/main amd64 crowdsec amd64 1.4.6-6ubuntu0.24.04.2+esm2 [36.1 MB]

apt grabbed the Ubuntu ESM/Pro build of CrowdSec (1.4.6, which dates back to 2022) instead of the current upstream release from CrowdSec's own repository that our installer adds. That old engine ships an outdated Hub index that has never heard of the bunkerity/bunkerweb collection, so the next step fails with:

FATA unable to find collections 'bunkerity/bunkerweb'

In other words, the installer did its part. It added the CrowdSec repo and wrote the acquisition file correctly, but your environment's apt priorities pulled the engine from ESM. My guess is that the private Ubuntu repo proxy you redacted, or Ubuntu Pro being enabled, is shadowing or out-ranking the upstream crowdsec package.

To confirm, could you run these on the affected VM and paste the output?

• cscli version
• apt-cache policy crowdsec
• grep -r crowdsec /etc/apt/sources.list /etc/apt/sources.list.d/
• anything under /etc/apt/preferences.d/ (any custom pinning)

To unblock you in the meantime:

1. Remove the ESM engine: sudo apt remove --purge crowdsec
2. Make sure the upstream CrowdSec repo wins over ESM. Easiest options are to temporarily disable the Ubuntu Pro/ESM apt sources during install, or add a pin in /etc/apt/preferences.d/ that ranks esm.ubuntu.com below the CrowdSec repo.
3. Reinstall from the CrowdSec repo, then run:

   sudo cscli hub update
   sudo cscli collections install bunkerity/bunkerweb
   

A current engine (1.6.x or newer) installs the collection without any trouble. Once I see your apt-cache policy output we can decide whether the installer should explicitly pin the CrowdSec repo so it holds up in ESM/proxy setups like yours.

Thanks again for taking the time to report this.

[TheophileDiot]

Hi @wgh-control,

Good news, I managed to reproduce this on my end, so you don't need to dig up any more output. Your logs were really helpful for tracking it down.

It turned out to be an APT priority thing, pretty much what I suspected. When Ubuntu Pro/ESM is enabled, the file /etc/apt/preferences.d/ubuntu-esm-apps pins esm.ubuntu.com at priority 510. That beats the upstream CrowdSec repo our installer adds, which sits at the default 500. So APT happily installs the ESM build of CrowdSec (1.4.6, from back in 2022) instead of the current one. That old engine ships a hub index that has never heard of the bunkerity/bunkerweb collection, and that's where the unable to find collections 'bunkerity/bunkerweb' error comes from. The installer added the repo and the acquisition file correctly. Your environment's ESM pinning just outranked it.

I'll be fixing this in the next version of the install script. The installer will drop in an APT preference that tells your system to ignore the ESM build of CrowdSec, so the upstream engine always wins no matter what Ubuntu Pro is doing. While I'm at it, I'm also making that collection step fail with a clear message instead of the cryptic fatal, and making sure a CrowdSec problem doesn't take the whole BunkerWeb install down with it, since it's an optional piece.

If you'd rather not wait for the release, here's how to unblock yourself right now:

# 1. Remove the ESM-provided engine
sudo apt remove --purge crowdsec

# 2. Tell APT to never use the ESM crowdsec, so the upstream repo wins
sudo tee /etc/apt/preferences.d/99-crowdsec.pref >/dev/null <<'EOF'
Package: crowdsec*
Pin: origin "esm.ubuntu.com"
Pin-Priority: -1
EOF

# 3. Reinstall (now from the upstream CrowdSec repo) and re-sync the hub
sudo apt update && sudo apt install crowdsec
sudo cscli hub update
sudo cscli collections install bunkerity/bunkerweb

If you ever want to double-check which repo APT is picking, apt-cache policy crowdsec will show you the candidate version and where it's coming from.

I'll give you a shout on this issue once the patched installer is out. Thanks again for taking the time to report it, it's appreciated.

[wgh-control]

@TheophileDiot well i take clean VM without ESM (Ubuntu PRO) and yes, now i'm passing this step, however getting this error now:

[INFO] Resuming interrupted installation (completed through: host_config).
[INFO] Installing BunkerWeb 1.6.11

[INFO] Skipping nginx phase (already completed in the interrupted run).
[INFO] Skipping crowdsec phase (already completed in the interrupted run).
[INFO] Skipping redis phase (already completed in the interrupted run).
[INFO] Skipping database phase (already completed in the interrupted run).
[INFO] Skipping host_config phase (already completed in the interrupted run).
[STEP] Installing BunkerWeb on Debian/Ubuntu
[CMD] curl --proto =https --tlsv1.2 --fail --silent --show-error --connect-timeout 10 --max-time 60 -L https://repo.bunkerweb.io/install/script.deb.sh -o /tmp/bunkerweb-repo.sh
[ERROR] Command failed: curl --proto =https --tlsv1.2 --fail --silent --show-error --connect-timeout 10 --max-time 60 -L https://repo.bunkerweb.io/install/script.deb.sh -o /tmp/bunkerweb-repo.sh