Chia-Network / chia-docker

ssl3_get_record error while accessing Dockerized Node via RPC #83

Closed ohld closed 3 years ago

ohld commented 3 years ago

The problem

I want to run the node in the docker container and access its RPC interface from another docker container.

When I call RPC endpoints from inside the node's container, everything works perfectly. If I try to do the same from outside (e.g. from the machine where Docker is deployed), I receive error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

Steps to reproduce

Run node

docker run --name rpc_test \
-v /root/.chia:/root/.chia \
-v /root/.local/share/python_keyring:/root/.local/share/python_keyring \
-d ghcr.io/chia-network/chia:latest \
-p 8555:8555 -p 8444:8444

Open logs to make sure everything started fine.

~ docker logs rpc_test
Chia directory /root/.chia/mainnet
WARNING: using a farmer address which we don't have the private keys for. We searched the first 500 addresses. Consider overriding xch1ncdfpth786dz0vkqyv5yg7ect7q70wq3l0j9zxrv8muuhnajzk4ssxuxav with xch1ycd28vszm8xvxyd99hf485sj870zyvyx8yftyy9r8jd0uyxl2nzql3jqp2
WARNING: using a pool address which we don't have the private keys for. We searched the first 500 addresses. Consider overriding xch1ncdfpth786dz0vkqyv5yg7ect7q70wq3l0j9zxrv8muuhnajzk4ssxuxav with xch1ycd28vszm8xvxyd99hf485sj870zyvyx8yftyy9r8jd0uyxl2nzql3jqp2
/root/.chia/mainnet already exists, no migration action taken
to use your own keys pass them as a text file -v /path/to/keyfile:/path/in/container and -e keys="/path/in/container"
Generating private key
Added private key with public key fingerprint 471723910 and mnemonic
enter coach solve supreme crucial option stay wealth helmet illness between present course direct aunt sun sail equip blush false drift chronic bright minute
WARNING: using a farmer address which we don't have the private keys for. We searched the first 500 addresses. Consider overriding xch1ncdfpth786dz0vkqyv5yg7ect7q70wq3l0j9zxrv8muuhnajzk4ssxuxav with xch1ycd28vszm8xvxyd99hf485sj870zyvyx8yftyy9r8jd0uyxl2nzql3jqp2
WARNING: using a pool address which we don't have the private keys for. We searched the first 500 addresses. Consider overriding xch1ncdfpth786dz0vkqyv5yg7ect7q70wq3l0j9zxrv8muuhnajzk4ssxuxav with xch1ycd28vszm8xvxyd99hf485sj870zyvyx8yftyy9r8jd0uyxl2nzql3jqp2
Plots directory '/plots' appears to be empty, try mounting a plot directory with the docker -v command
Added plot directory "/plots".
Daemon not started yet
Starting daemon
chia_harvester: started
chia_farmer: started
chia_full_node: started
chia_wallet: started

Get blockchain status to make sure everything is fine (again)

~ docker exec -it rpc_test venv/bin/chia show -s

Current Blockchain Status: Full Node Synced

Peak: Hash: c83896873a02d356e18f02551fdcc4eb54d2071719ff5f1b7b8e7883574e2adf
      Time: Wed Jun 02 2021 13:19:23 UTC                  Height:     373395

Estimated network space: 15.978 EiB
Current difficulty: 1168
Current VDF sub_slot_iters: 117964800
Total iterations since the start of the blockchain: 1214915313295

  Height: |   Hash:
   373395 | c83896873a02d356e18f02551fdcc4eb54d2071719ff5f1b7b8e7883574e2adf
   373394 | 7417f715ea6cc2d9fe38cffd99bb30855f37611774ef886d0a5fb522789ec5df
   .......

Enter the container to check if local RPC requests work. curl request found here.

docker exec -it rpc_test bash

curl --insecure --cert /root/.chia/mainnet/config/ssl/full_node/private_full_node.crt \
--key /root/.chia/mainnet/config/ssl/full_node/private_full_node.key \
-d '{}' -H "Content-Type: application/json" -X POST https://localhost:8555/get_blockchain_state

# prints valid JSON with node state. Starting with: {"blockchain_state": {"difficulty": 1168, ....

Doing the same from the machine where Docker was deployed (from outside of the node's container):

curl --insecure --cert /root/.chia/mainnet/config/ssl/full_node/private_full_node.crt \
--key /root/.chia/mainnet/config/ssl/full_node/private_full_node.key \
-d '{}' -H "Content-Type: application/json" -X POST https://0.0.0.0:8555/get_blockchain_state

Receiving error:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

The Docker container didn't write anything to stdout:

docker logs rpc_test
# nothing new here 

Chia Debug logs are empty as well - nothing was added after the curl:

~ docker exec -it rpc_test cat ~/.chia/mainnet/log/debug.log -t
# nothing new here also

More info about my setup

I have run and synced the node without docker on that machine before. So in the attached volumes I have the data of the synced node and its keys. I tried to remove all synced node data (rm -rf /root/.chia/mainnet) but it didn't help.

ohld commented 3 years ago

This is the full output of curl -v with increased verbosity:

*   Trying 0.0.0.0:8555...
* TCP_NODELAY set
* Connected to 0.0.0.0 (127.0.0.1) port 8555 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

epaypool-admin commented 3 years ago

Try to put in entrypoint.sh

sed -i 's/localhost/127.0.0.1/g' ~/.chia/mainnet/config/config.yaml
# allow for port forward using cloudflare of full node
sed -i 's/self_hostname: 127.0.0.1/self_hostname: 0.0.0.0/g' ~/.chia/mainnet/config/config.yaml

ohld commented 3 years ago

@epaypool-admin no, same result. 😔

ohld commented 3 years ago

Just found out that the cause of this problem was a running nginx that listened on ports 8555 and 8444. I disabled it and everything worked fine: I can successfully query the dockerized node from outside of the container.

But I really want to route traffic using nginx (I'm using a Heroku-style open-source PaaS called Dokku, and nginx is built in there). Well, at least I've identified where the problem is.
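
Added example, not part of the original thread: OpenSSL reports "wrong version number" when the first five bytes it reads do not parse as a TLS record header, which is what a plaintext HTTP reply to the ClientHello looks like. The sketch assumes the nginx listener described above answered in plain HTTP; all function names and sample byte strings are constructed for illustration.

```python
import socket
import ssl
import struct

# Record-layer content types (RFC 8446, section 5.1).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed samples: a plaintext HTTP error reply and a TLS fatal alert record.
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"


def record_header(data: bytes) -> dict:
    """Read the first 5 bytes the way a TLS record parser does."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Classify what a peer sent in response to a TLS ClientHello."""
    if not data:
        return "no-data"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # a non-TLS listener is bound to this port
    if len(data) < 5:
        return "too-short"
    hdr = record_header(data)
    major, minor = hdr["version"]
    if hdr["type"] in TLS_TYPES and major == 3 and minor <= 4 and hdr["length"] <= 2**14 + 2048:
        return "tls"
    return "unknown"


def client_hello_bytes(server_name: str = "localhost") -> bytes:
    """Let the ssl module build a real ClientHello without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a ServerHello
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and classify the first bytes of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes())
        try:
            return classify_first_bytes(sock.recv(64))
        except socket.timeout:
            return "no-data"
```

Running `probe("127.0.0.1", 8555)` on the Docker host shows which kind of listener actually owns the port; `ss -ltnp` names the owning process.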

luis360 commented 3 years ago

> Just found out that the cause of this problem was a running nginx that listened on ports 8555 and 8444. I disabled it and everything worked fine: I can successfully query the dockerized node from outside of the container.
>
> But I really want to route traffic using nginx (I'm using a Heroku-style open-source PaaS called Dokku, and nginx is built in there). Well, at least I've identified where the problem is.

I am also considering using an nginx proxy. How is nginx configured?