RequestError: unable to verify the first certificate

[niklasgrewe]

Hi, i have reinstalled exoframe with traefik on my Debian 10 server. So I deleted the exoframe-server and exoframe-traefik container and also deleted the .exoframe directory except for the server.config.yml file. Afterwards I could access my website (which I already deployed) as usual via my domain.

My problem now is that I can't log in via the CLI. I get the following error:

Error logging in! Error getting login request phrase. Make sure your endpoint is correct! RequestError: unable to verify the first certificate

When I enter my exoframe endpoint url in the browser, I see the standard exoframe website with the logo via HTTP. When I access the site via HTTPS, I get a 404 NOT FOUND ERROR When I then check the certificate in the browser, I notice that Traefik uses the standard certificate.

How can I fix this?

[yamalight]

Please refer to Installation and usage with Letsencrypt part of server docs and see if that helps.

[niklasgrewe]

@yamalight thanks for the reference. I have actually used the wrong configuration 🙈But now I have a different error message when I try to login with exoframe login

Error logging in! Check your username and password and try again. HTTPError: Response code 405 (Method Not Allowed)

Note: I am using the 6.1.0 Version

I already had the same error during my first installation. Unfortunately I don't remember how I fixed it. I have used this config to create exoframe-server docker container:

docker run -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /path/to/exoframe-folder:/root/.exoframe \
  -v /home/user/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
  -e EXO_PRIVATE_KEY=your_private_key \
  --label traefik.enable=true \
  --label "traefik.http.routers.exoframe-server.rule=Host(\`exoframe.your-host.com\`)" \
  --label "traefik.http.routers.exoframe-server-web.rule=Host(\`exoframe.your-host.com\`)" \
  --label traefik.http.routers.exoframe-server.tls.certresolver=exoframeChallenge \
  --label traefik.http.middlewares.exoframe-server-redirect.redirectscheme.scheme=https \
  --label traefik.http.routers.exoframe-server-web.entrypoints=web \
  --label traefik.http.routers.exoframe-server-web.middlewares=exoframe-server-redirect@docker \
  --label traefik.http.routers.exoframe-server.entrypoints=websecure \
  --label entryPoints.web.address=:80 \
  --label entryPoints.websecure.address=:443 \
  --restart always \
  --name exoframe-server \
  exoframe/server

and then I tested the config with this line:

-v $HOME/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \

i'm pretty sure i fixed the bug somehow by changing this line, but it didn't work that way

my server.config.yml looks like this

# whether to enable letsencrypt, default "false"
letsencrypt: true

# email used for letsencrypt
letsencryptEmail: niklas@grewe.io

# whether to apply gzip compression, default "true"
compress: true

# base top-level domain to use for deployments without domains specified, default "false"
# used as postfix, e.g. if you specify ".example.com" (dot is auto-prepended if not present)
# all your deployments will be autodeployed as "deployment-id.example.com"
baseDomain: false

# CORS support; can be "true" ("*" header) or object with "origin" property, default "false"
cors: false

# Traefik image to be used; set to "false" to disable traefik management, default "traefik:latest"
traefikImage: 'traefik:latest'

# Traefik container name, default "exoframe-traefik"
traefikName: 'exoframe-traefik'

# Additional Traefik start args, default []
traefikArgs: []

# Network used by traefik to connect services to, default "exoframe"
exoframeNetwork: 'exoframe'

# server image update channel; can be "stable" or "nightly", default "stable"
updateChannel: 'stable'

# path to folder with authorized_keys, default "~/.ssh"
publicKeysPath: '/home/user/.ssh'

# whether Exoframe server would be running in swarm mode, default "false"
swarm: false

# plugins config
# plugins:
  # list of plugins that has to be installed and loaded by exoframe-server on startup
  # install: ['exoframe-plugin-swarm']
  # specific plugin config (see plugins docs to know what property they use)
  # swarm:
    # enabled: true

[niklasgrewe]

and when i do

docker exec -t exoframe-server /bin/sh -c 'cat /root/.ssh/authorized_keys'

i get the ssh keys as output ✅I have not changed anything else on the server or on the client

[yamalight]

@niklasgrewe does your ssh key uses supported format?

[niklasgrewe]

@yamalight definitely yes

I'll also try the Installation with this line

-v /home/user/.ssh/:$HOME/.ssh/

but the server.config.yml is otherwise already correct, right?

[yamalight]

@niklasgrewe So, error 405 means exoframe-server cannot read authorized_keys file, let's try to figure out why. the right part definitely should be /root/.ssh/authorized_keys. I'm not sure docker understands $HOME correctly - never tried it to be honest 🤔 Are permissions set correctly?

[niklasgrewe]

@yamalight Okay, this is really weird. Here's what I've done:

Generated a new SSH key on my macOS client

ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -m 'PEM'

Transfer the SSH key to my server

ssh-copy-id username@server-ip

tested SSH login via Terminal like this

ssh username@server-ip

Connection successful - without requesting a password. Does the SSH key work ✅

Reinstalled exoframe-server and exoframe-traefik without remove .exoframe directory

docker run -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /home/myusername/.exoframe:/root/.exoframe \
  -v /home/myusername/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
  -e EXO_PRIVATE_KEY=myprivatekey \
  --label traefik.enable=true \
  --label "traefik.http.routers.exoframe-server.rule=Host(\`my.domain.com\`)" \
  --label "traefik.http.routers.exoframe-server-web.rule=Host(\`my.domain.com\`)" \
  --label traefik.http.routers.exoframe-server.tls.certresolver=exoframeChallenge \
  --label traefik.http.middlewares.exoframe-server-redirect.redirectscheme.scheme=https \
  --label traefik.http.routers.exoframe-server-web.entrypoints=web \
  --label traefik.http.routers.exoframe-server-web.middlewares=exoframe-server-redirect@docker \
  --label traefik.http.routers.exoframe-server.entrypoints=websecure \
  --label entryPoints.web.address=:80 \
  --label entryPoints.websecure.address=:443 \
  --restart always \
  --name exoframe-server \
  exoframe/server

check if ssh keys passed to exoframe-container

docker exec -t exoframe-server /bin/sh -c 'cat /root/.ssh/authorized_keys'

Output:

ssh-rsa.... (and longer longer longer)

so that worked, too. ✅

check if server.config.yml is correct

# path to folder with authorized_keys, default "~/.ssh"
publicKeysPath: '/home/myusername/.ssh/'

Try to login

exoframe login

Output:

Login in to https://my.domain.com
? Username: myusername
? Private key: id_rsa
? Private key passpharse (leave blank if not set): [input is hidden]
Error logging in! Check your username and password and try again. HTTPError: Response code 405 (Method Not Allowed)

Oh, man, what is wrong with this thing?

[yamalight]

I think I found the issue that I haven't noticed yesterday. You've changed the config to:

# path to folder with authorized_keys, default "~/.ssh"
publicKeysPath: '/home/myusername/.ssh/'

which means exoframe-server will look for authorized_keys under /home/myusername/.ssh/ inside container, not under /root/.ssh/ where you mount it. Either change the mount, or remove that property - that should fix it

[niklasgrewe]

@yamalight i changed the server.config.yaml to

# path to folder with authorized_keys, default "~/.ssh"
# publicKeysPath: ''

If I try to log in again afterwards, I still get the error. Or do I have to reinstall the containers again?

[yamalight]

You have to re-create the server container again, yep

[niklasgrewe]

ok do I have to create the .exoframe directory again, or will it be overwritten?

[yamalight]

just re-creating the container will do :)

[niklasgrewe]

@yamalight yeah it works now. Successfully logged in! ✅ thanks for your help and sorry that I didn't figure it out myself 🙈

[yamalight]

@niklasgrewe cool, glad it was that easy to figure out :)