gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

certificate expiration notice for domain #2646

Open Hannahleer opened 10 months ago

Hannahleer commented 10 months ago

Hello, I recently switched my network to netmaker. I chose to use my own domain name during the installation process using the nm-quick.sh script. However, yesterday I received an email notification, "Let's Encrypt certificate expiration notice for domain", telling me that the domain name xxx.netmaker.example.com is about to expire.

I want to know: if the certificate expires, does it affect the current network channel? And how do I renew these certificates if necessary?

Thanks!!

abhishek9686 commented 10 months ago

@Hannahleer, for a while now, to overcome rate limiting issues, netmaker used to manage certs via caddy. Was this server created before the v0.21.1 release? I would think it was, since it was a recent release. Can you remove these cert references in your Caddyfile, tls /root/certs/fullchain.pem /root/certs/privkey.pem, and restart the caddy container?

Hannahleer commented 10 months ago

It's the v0.20.6 release.

abhishek9686 commented 10 months ago

alright, as I mentioned, remove the tls /root/certs/fullchain.pem /root/certs/privkey.pem from the Caddyfile and restart caddy

Hannahleer commented 9 months ago

I have removed the tls from the Caddyfile and restarted caddy, but I can't open the netmaker web UI now.

abhishek9686 commented 9 months ago

can you paste logs from caddy?

Hannahleer commented 9 months ago

caddy.log.txt

It has been restarted for a while, so there are a lot of logs, sorry

@abhishek9686

abhishek9686 commented 9 months ago

run the following commands:

docker stop caddy && docker rm caddy
docker volume rm root_caddy_data && docker volume rm root_caddy_conf
docker-compose up -d

Hannahleer commented 9 months ago

@abhishek9686 there still seems to be some problem, thanks

caddylog.txt

Caddyfile:

# Dashboard
https://dashboard.{$NM_DOMAIN} {
        # Apply basic security headers
        header {
                # Enable cross origin access to *.{$NM_DOMAIN}
                Access-Control-Allow-Origin *.{$NM_DOMAIN}
                # Enable HTTP Strict Transport Security (HSTS)
                Strict-Transport-Security "max-age=31536000;"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
                X-Frame-Options "SAMEORIGIN"
                # Prevent search engines from indexing
                X-Robots-Tag "none"
                # Remove the server name
                -Server
        }

        reverse_proxy http://netmaker-ui
}

# API
https://api.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy http://netmaker:8081
}

# TURN
https://turn.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy host.docker.internal:3479
}

# TURN API
https://turnapi.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy http://host.docker.internal:8089
}

# MQ
wss://broker.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy ws://mq:8883 # For EMQX websockets use `reverse_proxy ws://mq:8083`
}

Hannahleer commented 9 months ago

I just noticed, should I have removed all tls /root/certs/fullchain.pem /root/certs/privkey.pem from the Caddyfile?

I only removed the first one, sorry

Hannahleer commented 9 months ago

and should https be changed to http?

abhishek9686 commented 9 months ago

yes you need to remove all and restart the container

Hannahleer commented 9 months ago

caddylog.txt

I removed all tls and restarted, but it doesn't work. The logs seem to show a firewall problem, but it's the local public IP and all traffic is allowed.

@abhishek9686

Hannahleer commented 9 months ago

@abhishek9686 I have disabled the HSTS config; it still doesn't work.

header {
        # Enable cross origin access to *.{$NM_DOMAIN}
        Access-Control-Allow-Origin *.{$NM_DOMAIN}
        # Enable HTTP Strict Transport Security (HSTS)
        #Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
        X-Frame-Options "SAMEORIGIN"
        # Prevent search engines from indexing
        X-Robots-Tag "none"
        # Remove the server name
        -Server
}

caddylog.txt

matanper commented 9 months ago

@abhishek9686 I also have this problem, I tried your suggestion and I'm getting:

Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: loading certificates: open /root/certs/fullchain.pem: no such file or directory

Seems like netmaker is missing a way to reissue expired certificates.

matanper commented 9 months ago

The problem for me was a bug in the nm-certs.sh script, although I don't see it in the repository anymore, so maybe it was replaced by something else. Anyway, the bug was using unneeded quotes around $CERTBOT_PARAMS:

./zerossl-bot.sh "$CERTBOT_PARAMS"

changed to:

./zerossl-bot.sh $CERTBOT_PARAMS

Not sure how it worked before, but now everything is back to normal.
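The quoting difference matanper describes, shown as an added illustration rather than code from nm-certs.sh or zerossl-bot.sh: fake_certbot and the parameter string are constructed stand-ins, and the third form shows the POSIX way to forward a pre-built option list without the globbing side effect of an unquoted expansion.

```shell
#!/bin/sh
# Added example (not from netmaker): how "$CERTBOT_PARAMS" vs $CERTBOT_PARAMS
# changes what a wrapper script actually hands to certbot.
set -eu

# Constructed stand-in for zerossl-bot.sh / certbot: reports the number of
# arguments it received.  A real certbot would reject the quoted form because
# the whole string arrives as one unrecognised option.
fake_certbot() { printf '%s\n' "$#"; }

# Constructed parameter string of the shape nm-certs.sh built.
CERTBOT_PARAMS='--agree-tos --non-interactive -d api.nm.example -d broker.nm.example'

# Quoted: the shell passes the entire string as a single argument.
args_when_quoted()   { fake_certbot "$CERTBOT_PARAMS"; }   # 1

# Unquoted (the fix from the thread): field splitting yields six arguments,
# but unquoted expansion also performs pathname globbing on each word.
args_when_unquoted() { fake_certbot $CERTBOT_PARAMS; }     # 6

# Safer equivalent: split once with globbing off, then forward "$@" intact.
args_via_set() {
    set -f                       # disable globbing while we split
    set -- $CERTBOT_PARAMS       # positional parameters are local to the function
    set +f
    fake_certbot "$@"
}

# Run directly: show the three counts.
printf 'quoted=%s unquoted=%s via_set=%s\n' \
    "$(args_when_quoted)" "$(args_when_unquoted)" "$(args_via_set)"
```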

abhishek9686 commented 9 months ago

did you remove the references from the caddy file?

wendellli99 commented 8 months ago

I'm hitting this issue too. Besides deleting all the lines of tls /root/certs/fullchain.pem /root/certs/privkey.pem from Caddyfile, do we also need to remove the two .pem files themselves?

melm commented 8 months ago

I hit this issue too. It's from when they deprecated that nm-cert script, I think: https://github.com/gravitl/netmaker/pull/2611

This thread was mostly red herrings from that change.

The fix for me was to replace my Caddyfile and my docker-compose with the ones from the latest release, then:

docker-compose down
docker-compose pull
docker-compose up -d

And it was working again.

https://github.com/gravitl/netmaker/blob/master/compose/docker-compose.yml https://github.com/gravitl/netmaker/blob/master/docker/Caddyfile