Seji64 / SniDust

SmartDNS Proxy to hide your GeoLocation. Based on DnsDist and nginx
GNU General Public License v3.0

Error while generating self-signed cert when starting SniDust #26

Closed jakoberpf closed 1 year ago

jakoberpf commented 1 year ago

This is a very interesting project. I started this up on a vanilla Ubuntu on Hetzner with a quite vanilla config, but am getting this error which I fail to understand.

version: '3.3'
services:
    snidust:
        container_name: snidust
        environment:
            - 'ALLOWED_CLIENTS=0.0.0.0/0'
            - EXTERNAL_IP=49.13.5.52
            - SPOOF_ALL_DOMAINS=false # Set to true (case sensitive!) if you want to spoof ALL domains.
        ports:
            - '443:443'
            - '80:80'
            - '53:5300/udp'
        image: 'ghcr.io/seji64/snidust:main'

Any ideas why I see this issue?

snidust    | Dnsdist webserver password not set - generating one
snidust    | Generated WebServer Password: i_rP56tacZhh
snidust    | Dnsdist webserver api key not set - generating one
snidust    | Generated WebServer API Key: U5M-LyN7zOTXW1Xyqe7Qu-hdR9q5rPZt
snidust    | Generating DNSDist Configs...
snidust    | Starting DNSDist...
snidust    | Starting sniproxy
snidust    | [INFO] Using 49.13.5.52 - Point your DNS settings to this address
snidust    | 2023-06-22T19:28:50Z INF starting sniproxy. version v2.0.3, commit bb94fc501f875a260d402c4a9d887d6b6c77b177
snidust    | dnsdist 1.8.0 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2
snidust    | [SniDust] *** Loading Domain Lists... ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/00-debug.lst***
snidust    | [SniDust] Adding domain myip.is to list
snidust    | [SniDust] Adding domain ifconfig.co to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/01-cdn_akamai.lst***
snidust    | [SniDust] Adding domain akadns.net to list
snidust    | [SniDust] Adding domain akam.net to list
snidust    | [SniDust] Adding domain akamai.com to list
snidust    | [SniDust] Adding domain akamai.net to list
snidust    | [SniDust] Adding domain akamaiedge.net to list
snidust    | [SniDust] Adding domain akamaihd.net to list
snidust    | [SniDust] Adding domain akamaistream.net to list
snidust    | [SniDust] Adding domain akamaitech.net to list
snidust    | [SniDust] Adding domain akamaitechnologies.com to list
snidust    | [SniDust] Adding domain akamaitechnologies.fr to list
snidust    | [SniDust] Adding domain akamaized.net to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/02-amazon.lst***
snidust    | [SniDust] Adding domain amazon.com to list
snidust    | [SniDust] Adding domain amazon.co.uk to list
snidust    | [SniDust] Adding domain amazonvideo.com to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/03-hbo.lst***
snidust    | [SniDust] Adding domain hbonow.com to list
snidust    | [SniDust] Adding domain hbogo.com to list
snidust    | [SniDust] Adding domain hbo.com to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/04-hulu.lst***
snidust    | [SniDust] Adding domain hulu.com to list
snidust    | [SniDust] Adding domain huluim.com to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/05-netflix.lst***
snidust    | [SniDust] Adding domain netflix.com to list
snidust    | [SniDust] Adding domain netflix.de to list
snidust    | [SniDust] Adding domain nflximg.net to list
snidust    | [SniDust] Adding domain nflximg.com to list
snidust    | [SniDust] Adding domain nflxvideo.net to list
snidust    | [SniDust] Adding domain netflix.net to list
snidust    | [SniDust] Adding domain nflximg.net to list
snidust    | [SniDust] Adding domain nflxvideo.net to list
snidust    | [SniDust] Adding domain nflxso.net to list
snidust    | [SniDust] Adding domain nflxext.com to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/06-molotov_tv.lst***
snidust    | [SniDust] Adding domain molotov.tv to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/07-srf_ch.lst***
snidust    | [SniDust] Adding domain srgssr.ch to list
snidust    | [SniDust] Adding domain cdn.rts.ch to list
snidust    | [SniDust] Adding domain srgsnitch.herokuapp.com to list
snidust    | [SniDust] Adding domain srg.live.ott.irdeto.com to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/08-wilmaa.lst***
snidust    | [SniDust] Adding domain wilmaa.com to list
snidust    | [SniDust] Adding domain wilmaa.wemfbox.ch to list
snidust    | [SniDust] Adding domain wilm-ssl.wemfbox.ch to list
snidust    | [SniDust] Adding domain user.wilmaa.tvbackbone.com to list
snidust    | [SniDust] Adding domain multiscreencache.tvbackbone.com to list
snidust    | [SniDust] Adding domain teleboy.ch to list
snidust    | [SniDust] Adding domain wilmaa.customers.cdn.iptv.ch to list
snidust    | [SniDust] Adding domain teleboy.customers.cdn.iptv.ch to list
snidust    | [SniDust] Adding domain cdn.iptv.ch to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/09-zattoo.lst***
snidust    | [SniDust] Adding domain zattoohds-a.akamaihd.net to list
snidust    | [SniDust] Adding domain zathdslive-a.akamaihd.net to list
snidust    | [SniDust] Adding domain zahs.tv to list
snidust    | [SniDust] Adding domain zatsslive-a.akamaihd.net to list
snidust    | [SniDust] Adding domain chromecast-receiver.zattoo.com to list
snidust    | [SniDust] Adding domain box30030.wemfbox.ch to list
snidust    | [SniDust] Adding domain zattoo.wemfbox.ch to list
snidust    | [SniDust] Adding domain zatsslive-a.akamaihd.net to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Domain List: /etc/snidust/domains.d/10-yallo.lst***
snidust    | [SniDust] Adding domain y3o.tv to list
snidust    | [SniDust] *** End of Domain List ***
snidust    | [SniDust] *** Complete! ***
snidust    | Added downstream server 8.8.8.8:853
snidust    | Added downstream server 8.8.4.4:853
snidust    | Added downstream server 1.1.1.1:443
snidust    | Added downstream server 1.0.0.1:443
snidust    | Listening on 0.0.0.0:5300
snidust    | ACL allowing queries from: 0.0.0.0/0
snidust    | Console ACL allowing connections from: 127.0.0.0/8, ::1/128
snidust    | 2023-06-22T19:28:50Z ERR Could not automatically determine public IPv6. you should provide it manually using --publicIPv6
snidust    | Marking downstream cloudflare-dns (1.1.1.1:443) as 'up'
snidust    | Marking downstream cloudflare-dns (1.0.0.1:443) as 'up'
snidust    | Marking downstream dns.google (8.8.8.8:853) as 'up'
snidust    | Marking downstream dns.google (8.8.4.4:853) as 'up'
snidust    | Polled security status of version 1.8.0 at startup, no known issues reported: OK
snidust    | 2023-06-22T19:28:51Z ERR error while generating self-signed cert: failed to write cert fixture to /tmp/
snidust    | <html><head>
snidust    | <meta http-equiv="content-type" content="text/html;charset=utf-8">
snidust    | <title>403 Forbidden</title>
snidust    | </head>
snidust    | <body text=#000000 bgcolor=#ffffff>
snidust    | <h1>Error: Forbidden</h1>
snidust    | <h2>Your client does not have permission to get URL <code>/raw</code> from this server.</h2>
snidust    | <h2></h2>
snidust    | </body></html>
snidust    | .crt: open /tmp/
snidust    | <html><head>
snidust    | <meta http-equiv="content-type" content="text/html;charset=utf-8">
snidust    | <title>403 Forbidden</title>
snidust    | </head>
snidust    | <body text=#000000 bgcolor=#ffffff>
snidust    | <h1>Error: Forbidden</h1>
snidust    | <h2>Your client does not have permission to get URL <code>/raw</code> from this server.</h2>
snidust    | <h2></h2>
snidust    | </body></html>
snidust    | .crt: no such file or directory
jakoberpf commented 1 year ago

Digging and found: https://github.com/mosajjal/sniproxy/blob/160a31ec80e4bc302ada7c7fa0cb8876c87f638f/main.go#L344

Sniproxy tries to generate some certs but fails.

Seji64 commented 1 year ago

As the log indicates there are missing permissions writing to /tmp. Are you using rootless Docker or Podman?

jakoberpf commented 1 year ago

Not intentionally. I am setting up docker in my cloud init script like so...

#cloud-config
users:
  - name: automation
    groups: users, admin
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ${public_ssh_key}
package_update: true
package_upgrade: true
packages:
  - fail2ban
  - ufw
runcmd:
  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
  - systemctl enable fail2ban
  - systemctl start fail2ban
  - ufw allow OpenSSH
  - ufw allow http
  - ufw allow https
  - ufw allow 53
  - ufw enable
  - sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -ie '/^X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -ie '/^#MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
  - sed -ie '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -ie '/^#AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
  - sed -i '$a AllowUsers automation' /etc/ssh/sshd_config
  - systemctl restart ssh
  - apt update && apt install apt-transport-https ca-certificates curl software-properties-common -y
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  - apt update && apt install docker-ce docker-compose -y
  - usermod -aG docker automation

And then start up docker-compose via the automation user and sudo docker-compose up -d. I didn't think that I would run rootless then?

Seji64 commented 1 year ago

Hm, looks like a normal Docker installation. Sorry, no idea why you get this permission error. Spawn a shell inside the container, then you can test a bit. As a workaround you can probably map /tmp to a local volume.

jakoberpf commented 1 year ago

After a couple of tries, tearing down the machine and recreating it started working. But I actually have no idea why it suddenly did. Thanks for the help.

Closing this...