hakwerk / labca

A private Certificate Authority for internal (lab) use, based on the open source ACME (Automated Certificate Management Environment) implementation from Let's Encrypt (tm).
https://lab-ca.net

Cannot finalize the installation process #88

Closed. ifindthanh closed this 9 months ago

ifindthanh commented 1 year ago

Hello everyone,

I'm starting with labca from scratch. I'm following the instructions on the README.md home page, with this command:

curl -sSL https://raw.githubusercontent.com/hakwerk/labca/master/install | bash

Everything seems to be fine; all 6 docker containers started up properly. I was able to access the home page at http://localhost. But the problem is, I cannot access the following resources:

Is there any way to troubleshoot this issue?

hakwerk commented 1 year ago

When the certificate is generated, a DNS lookup is done. So you cannot use localhost but must use a FQDN (Fully Qualified Domain Name) that the LabCA instance can lookup in DNS.

Please have a look at the output of cd /home/labca/boulder && docker compose logs -f; there should be some error messages related to that.

ifindthanh commented 1 year ago

Hi @hakwerk,

Thanks, it turned out that my port 443 was already in use by another service. I shut it down and restarted the docker containers, and now I was able to continue the installation process.

So sorry for this.

Thanks!

ifindthanh commented 1 year ago

Hi @hakwerk ,

I continued with the admin/setup web page and getting this error at the final step

labca-control-1  | Verifying desktop-t75l5jk.localdomain...
labca-control-1  | Traceback (most recent call last):
labca-control-1  |   File "/opt/labca/acme_tiny.py", line 145, in get_crt
labca-control-1  |     assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
labca-control-1  |   File "/opt/labca/acme_tiny.py", line 46, in _do_request
labca-control-1  |     raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
labca-control-1  | ValueError: Error:
labca-control-1  | Url: http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY
labca-control-1  | Data: None
labca-control-1  | Response Code: None
labca-control-1  | Response: <urlopen error [Errno 111] Connection refused>
labca-control-1  |
labca-control-1  | During handling of the above exception, another exception occurred:
labca-control-1  |
labca-control-1  | Traceback (most recent call last):
labca-control-1  |   File "/opt/labca/acme_tiny.py", line 199, in <module>
labca-control-1  |     main(sys.argv[1:])
labca-control-1  |   File "/opt/labca/acme_tiny.py", line 195, in main
labca-control-1  |     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
labca-control-1  |   File "/opt/labca/acme_tiny.py", line 147, in get_crt
labca-control-1  |     raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
labca-control-1  | ValueError: Wrote file to /var/www/html/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY, but couldn't download http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY: Error:
labca-control-1  | Url: http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY
labca-control-1  | Data: None
labca-control-1  | Response Code: None
labca-control-1  | Response: <urlopen error [Errno 111] Connection refused>
labca-gui-1      | 2023/09/10 08:08:53 ERROR: Message from server: 'ERROR! On line 68 in commander script
labca-gui-1      | '
labca-gui-1      | 2023/09/10 08:08:53 errorHandler: err=ERROR! On line 68 in commander script
labca-gui-1      |
labca-gui-1      | main._hostCommand({0x13cf8b0, 0xc0001fe380}, 0xc0000bd818?, {0xe91722, 0xc}, {0x0, 0x0, 0xc0000bd7d0?})
labca-gui-1      |      /go/src/labca/main.go:2096 +0x652
labca-gui-1      | main.finalHandler({0x13cf8b0?, 0xc0001fe380}, 0xc0008cea00)
labca-gui-1      |      /go/src/labca/main.go:2642 +0x61e
labca-gui-1      | net/http.HandlerFunc.ServeHTTP(0xd75260?, {0x13cf8b0?, 0xc0001fe380?}, 0xc0001fe380?)
labca-gui-1      |      /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1      | main.authorized.func1({0x13cf8b0, 0xc0001fe380}, 0xc0008cea00)
labca-gui-1      |      /go/src/labca/main.go:3118 +0x26d
labca-gui-1      | net/http.HandlerFunc.ServeHTTP(0xc0008ce900?, {0x13cf8b0?, 0xc0001fe380?}, 0x5b041b6611?)
labca-gui-1      |      /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1      | github.com/gorilla/mux.(*Router).ServeHTTP(0xc000000600, {0x13cf8b0, 0xc0001fe380}, 0xc0008ce800)
labca-gui-1      |      /root/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1cf
labca-gui-1      | net/http.serverHandler.ServeHTTP({0xc0005538f0?}, {0x13cf8b0, 0xc0001fe380}, 0xc0008ce800)
labca-gui-1      |      /usr/local/go/src/net/http/server.go:2936 +0x316
labca-gui-1      | net/http.(*conn).serve(0xc00036a6c0, {0x13d04e8, 0xc0008e4270})
labca-gui-1      |      /usr/local/go/src/net/http/server.go:1995 +0x612
labca-gui-1      | created by net/http.(*Server).Serve
labca-gui-1      |      /usr/local/go/src/net/http/server.go:3089 +0x5ed
labca-gui-1      | 2023/09/10 08:08:53 http: superfluous response.WriteHeader call from main.finalHandler (main.go:2645)
labca-gui-1      | 2023/09/10 08:08:53 GET /final
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/final HTTP/1.1" 200 32 "https://desktop-t75l5jk.localdomain/admin/setup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-gui-1      | 2023/09/10 08:08:53 GET /error
labca-gui-1      | 2023/09/10 08:08:53 errorHandler: err=<nil>
labca-gui-1      | main.showErrorHandler({0x13cf8b0?, 0xc0001fe620?}, 0xc000423950?)
labca-gui-1      |      /go/src/labca/main.go:2671 +0x2d
labca-gui-1      | net/http.HandlerFunc.ServeHTTP(0xd75260?, {0x13cf8b0?, 0xc0001fe620?}, 0xc0001fe620?)
labca-gui-1      |      /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1      | main.authorized.func1({0x13cf8b0, 0xc0001fe620}, 0xc0008cf400)
labca-gui-1      |      /go/src/labca/main.go:3118 +0x26d
labca-gui-1      | net/http.HandlerFunc.ServeHTTP(0xc0008cf300?, {0x13cf8b0?, 0xc0001fe620?}, 0x5e83c7f241?)
labca-gui-1      |      /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1      | github.com/gorilla/mux.(*Router).ServeHTTP(0xc000000600, {0x13cf8b0, 0xc0001fe620}, 0xc0008cf200)
labca-gui-1      |      /root/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1cf
labca-gui-1      | net/http.serverHandler.ServeHTTP({0xc000808000?}, {0x13cf8b0, 0xc0001fe620}, 0xc0008cf200)
labca-gui-1      |      /usr/local/go/src/net/http/server.go:2936 +0x316
labca-gui-1      | net/http.(*conn).serve(0xc00036afc0, {0x13d04e8, 0xc0008e4270})
labca-gui-1      |      /usr/local/go/src/net/http/server.go:1995 +0x612
labca-gui-1      | created by net/http.(*Server).Serve
labca-gui-1      |      /usr/local/go/src/net/http/server.go:3089 +0x5ed
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/error HTTP/1.1" 500 34712 "https://desktop-t75l5jk.localdomain/admin/setup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/bootstrap.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/metisMenu.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/sb-admin-2.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/font-awesome.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/labca.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/jquery.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/bootstrap.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/metisMenu.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/sb-admin-2.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1    | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/labca.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"

It says "Connection refused" when trying to access http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY. But there is no problem when I use the curl command to check that.

ifindthanh commented 1 year ago

@hakwerk : can you take a look at my issue, thanks in advance!

hakwerk commented 1 year ago

I'm afraid I can't tell from these logs what the problem is. I've never encountered this issue before. It looks like it is not reaching the nginx container, otherwise there should have been some logs in the labca-nginx-1 container log for the .well-known URL (maybe you could double check with docker compose logs nginx | grep .well-known). Are you sure there is nothing else running on port 80?

Also, did you try the curl command from the VM, or from inside the container? You may try to see what happens if you try it from inside the container:

docker compose exec control curl http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY

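What acme_tiny is doing at line 145 of the trace above is a self-check: before it asks Boulder to validate, the control container writes the key authorization into the challenge directory and fetches http://<fqdn>/.well-known/acme-challenge/<token> itself, so the FQDN has to resolve and reach nginx from inside that container, not just from the host where curl was run. The following is an added example, not LabCA's or acme_tiny's own code, that re-creates this check against a throwaway local web server so both the passing case and the "Connection refused" case can be observed; the account JWK is a constructed placeholder (not a real key) and the token is the one from the log above.

```python
"""Re-create acme_tiny's http-01 self-check, including the refused-connection case
(added example; not LabCA's or acme_tiny's own code)."""
import base64
import functools
import hashlib
import http.server
import json
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from typing import Tuple

# Constructed account key (public JWK members only) and the token from the log above.
# The modulus is a placeholder string, not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN = "qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY"

# Ignore HTTP(S)_PROXY so the check really talks to the host named in the URL.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members, sorted, no whitespace."""
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(acme_dir: str, token: str, keyauth: str) -> str:
    path = os.path.join(acme_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


def self_check(wellknown_url: str, expected: str, timeout: float = 2.0) -> Tuple[bool, str]:
    """Fetch the challenge URL ourselves before asking the CA to validate it.
    A refused connection or an unexpected body is what acme_tiny turns into
    'Wrote file to ..., but couldn't download ...'."""
    try:
        with _OPENER.open(wellknown_url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connection failed: {getattr(exc, 'reason', exc)}"
    if body != expected:
        return False, f"unexpected body {body!r}"
    return True, "ok"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass


def serve_dir(directory: str) -> http.server.ThreadingHTTPServer:
    """Serve `directory` on an ephemeral localhost port, standing in for nginx serving /var/www/html."""
    handler = functools.partial(_QuietHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Run the self-check once against a live server, then again after it is stopped."""
    keyauth = key_authorization(TOKEN, ACCOUNT_JWK)
    root = tempfile.mkdtemp()
    try:
        acme_dir = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(acme_dir)
        write_challenge(acme_dir, TOKEN, keyauth)
        srv = serve_dir(root)
        url = f"http://127.0.0.1:{srv.server_address[1]}/.well-known/acme-challenge/{TOKEN}"
        served_ok, served_detail = self_check(url, keyauth)
        srv.shutdown()
        srv.server_close()
        # Nothing listens any more: this is the "[Errno 111] Connection refused" case.
        refused_ok, refused_detail = self_check(url, keyauth)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"keyauth": keyauth, "served_ok": served_ok, "served_detail": served_detail,
            "refused_ok": refused_ok, "refused_detail": refused_detail}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trace also shows that acme_tiny accepts a disable_check argument that skips this local fetch, but skipping it only moves the failure to Boulder's validation of the same URL, so fixing name resolution inside the containers is the real remedy.
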
ifindthanh commented 1 year ago

Thanks @hakwerk for the feedback. Then the problem is in the docker container: it has no DNS for desktop-t75l5jk.localdomain because I'm setting this up on my local machine. Let me find a way to deal with that.

ifindthanh commented 11 months ago

Hi @hakwerk ,

I solved the above issue by adding the hostname to the /etc/hosts file. But now I'm getting another issue:

Already registered! Account ID: http://boulder:4001/acme/acct/1
Creating new order...
Order created!
Verifying desktop-t75l5jk.localdomain...
Traceback (most recent call last):
  File "/opt/labca/acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "/opt/labca/acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "/opt/labca/acme_tiny.py", line 153, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for desktop-t75l5jk.localdomain: {'identifier': {'type': 'dns', 'value': 'desktop-t75l5jk.localdomain'}, 'status': 'invalid', 'expires': '2023-10-09T03:56:39Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: networking error looking up A for desktop-t75l5jk.localdomain; DNS problem: networking error looking up AAAA for desktop-t75l5jk.localdomain', 'status': 400}, 'url': 'http://boulder:4001/acme/chall-v3/2/dioWXw', 'token': 'K1j9GHNCMpo76g_u3QAmREjLdZGAcyTJIHYQEA98U_E', 'validated': '2023-10-02T03:56:39Z'}]}

Is it mandatory to have a DNS server for the installation? I put the hostname in the hosts file of all docker containers, but it doesn't help to fix the issue.

Thanks!

hakwerk commented 11 months ago

Yes, a DNS server is indeed required for the ACME protocol to issue certificates.

On https://< your LabCA fqdn >/admin/manage#config (or in config file /home/labca/admin/data/config.json) you can configure the IP address of your internal DNS server to use.
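The second failure is on the CA side: Boulder's validation authority reports "networking error looking up A/AAAA" because it sends its own queries to the DNS resolver it is configured with, so /etc/hosts entries inside the containers are never consulted, which is why a reachable DNS server is required. A quick way to confirm that the resolver you are about to put into the LabCA config actually answers for the name is to query it directly, the same way the VA does. The following is an added example, not LabCA's or Boulder's code: a minimal standard-library DNS client that sends one UDP query to a chosen resolver and parses the A/AAAA answers. The sample replies (an A record of 10.77.77.1 for desktop-t75l5jk.localdomain, and an NXDOMAIN) are constructed for the offline check and are not real lookups.

```python
"""Ask a specific DNS resolver for A/AAAA records, the way a CA's validation
authority does (added example; not LabCA's or Boulder's code)."""
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int, txid: Optional[int] = None) -> bytes:
    """Build a standard recursive query (RD=1) for `name` in class IN."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_answers(msg: bytes, expected_txid: Optional[int] = None) -> Dict[str, object]:
    """Extract A and AAAA records from a response; rcode 3 means NXDOMAIN."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (not a reply to our query)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    result: Dict[str, object] = {"rcode": flags & 0x000F, "A": [], "AAAA": []}
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            result["A"].append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            result["AAAA"].append(socket.inet_ntop(socket.AF_INET6, rdata))
    return result


def resolve(name: str, resolver: str, qtype: int = QTYPE_A, port: int = 53, timeout: float = 2.0) -> Dict[str, object]:
    """Send one UDP query straight to `resolver`; /etc/hosts is never consulted."""
    query = build_query(name, qtype)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, port))
        data, _ = s.recvfrom(4096)
    return parse_answers(data, txid)


def sample_response(txid: int, name: str = "desktop-t75l5jk.localdomain") -> bytes:
    """Constructed reply with one A record, 10.77.77.1 (made up for the offline check)."""
    question = build_query(name, QTYPE_A, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes([10, 77, 77, 1])
    return header + question + answer


def sample_nxdomain(txid: int, name: str = "desktop-t75l5jk.localdomain") -> bytes:
    """Constructed NXDOMAIN reply (rcode 3, no answer records)."""
    question = build_query(name, QTYPE_A, txid)[12:]
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question


if __name__ == "__main__":
    import sys
    fqdn, server = sys.argv[1], sys.argv[2]  # e.g. desktop-t75l5jk.localdomain 10.0.0.53
    for qt in (QTYPE_A, QTYPE_AAAA):
        print(qt, resolve(fqdn, server, qt))
```

Run it from the host as python dnscheck.py desktop-t75l5jk.localdomain <resolver-ip>; an empty A list or rcode 3 means Boulder will fail the same way regardless of what /etc/hosts contains. The A record also has to point at an address from which the Boulder containers can reach nginx, so 127.0.0.1 is not a usable answer.
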

GuyGuy-59 commented 10 months ago

Hi, I'm having trouble finalizing the installation. I run the docker-compose.yml directly, following the readme (giving the fqdn). Here's the error: ERROR: Message from server: 'ERROR! On line 89 in commander script'. However, I have no problem running the installation script. I do exactly the same thing! If you have a solution...

hakwerk commented 10 months ago

Line 89 only tells me that it could not reload nginx. Is there anything in the commander.log?

docker compose exec control cat /opt/logs/commander.log

GuyGuy-59 commented 10 months ago

Yes: 'service "nginx" is not running'. I just commented out the name: labca line because I got an error: (root) Additional property name is not allowed. Nothing more.

hakwerk commented 10 months ago

I cannot reproduce this. Have you tried restarting the nginx container?

docker compose restart nginx

I got an error: (root) Additional property name is not allowed

That may be a v1.x docker-compose vs the v2.x docker compose thingy?