Closed ifindthanh closed 9 months ago
When the certificate is generated, a DNS lookup is done. So you cannot use localhost but must use a FQDN (Fully Qualified Domain Name) that the LabCA instance can lookup in DNS.
Please have a look at the cd /home/labca/boulder && docker compose logs -f output; there should be some error messages related to that.
Hi @hakwerk,
Thanks, it turned out that my 443 port was already used by another service. I shut it down and restarted the docker container, and now I was able to continue the installation process.
So sorry for this.
Thanks!
Hi @hakwerk ,
I continued with the admin/setup web page and am getting this error at the final step:
labca-control-1 | Verifying desktop-t75l5jk.localdomain...
labca-control-1 | Traceback (most recent call last):
labca-control-1 | File "/opt/labca/acme_tiny.py", line 145, in get_crt
labca-control-1 | assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
labca-control-1 | File "/opt/labca/acme_tiny.py", line 46, in _do_request
labca-control-1 | raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
labca-control-1 | ValueError: Error:
labca-control-1 | Url: http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY
labca-control-1 | Data: None
labca-control-1 | Response Code: None
labca-control-1 | Response: <urlopen error [Errno 111] Connection refused>
labca-control-1 |
labca-control-1 | During handling of the above exception, another exception occurred:
labca-control-1 |
labca-control-1 | Traceback (most recent call last):
labca-control-1 | File "/opt/labca/acme_tiny.py", line 199, in <module>
labca-control-1 | main(sys.argv[1:])
labca-control-1 | File "/opt/labca/acme_tiny.py", line 195, in main
labca-control-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
labca-control-1 | File "/opt/labca/acme_tiny.py", line 147, in get_crt
labca-control-1 | raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
labca-control-1 | ValueError: Wrote file to /var/www/html/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY, but couldn't download http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY: Error:
labca-control-1 | Url: http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY
labca-control-1 | Data: None
labca-control-1 | Response Code: None
labca-control-1 | Response: <urlopen error [Errno 111] Connection refused>
labca-gui-1 | 2023/09/10 08:08:53 ERROR: Message from server: 'ERROR! On line 68 in commander script
labca-gui-1 | '
labca-gui-1 | 2023/09/10 08:08:53 errorHandler: err=ERROR! On line 68 in commander script
labca-gui-1 |
labca-gui-1 | main._hostCommand({0x13cf8b0, 0xc0001fe380}, 0xc0000bd818?, {0xe91722, 0xc}, {0x0, 0x0, 0xc0000bd7d0?})
labca-gui-1 | /go/src/labca/main.go:2096 +0x652
labca-gui-1 | main.finalHandler({0x13cf8b0?, 0xc0001fe380}, 0xc0008cea00)
labca-gui-1 | /go/src/labca/main.go:2642 +0x61e
labca-gui-1 | net/http.HandlerFunc.ServeHTTP(0xd75260?, {0x13cf8b0?, 0xc0001fe380?}, 0xc0001fe380?)
labca-gui-1 | /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1 | main.authorized.func1({0x13cf8b0, 0xc0001fe380}, 0xc0008cea00)
labca-gui-1 | /go/src/labca/main.go:3118 +0x26d
labca-gui-1 | net/http.HandlerFunc.ServeHTTP(0xc0008ce900?, {0x13cf8b0?, 0xc0001fe380?}, 0x5b041b6611?)
labca-gui-1 | /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1 | github.com/gorilla/mux.(*Router).ServeHTTP(0xc000000600, {0x13cf8b0, 0xc0001fe380}, 0xc0008ce800)
labca-gui-1 | /root/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1cf
labca-gui-1 | net/http.serverHandler.ServeHTTP({0xc0005538f0?}, {0x13cf8b0, 0xc0001fe380}, 0xc0008ce800)
labca-gui-1 | /usr/local/go/src/net/http/server.go:2936 +0x316
labca-gui-1 | net/http.(*conn).serve(0xc00036a6c0, {0x13d04e8, 0xc0008e4270})
labca-gui-1 | /usr/local/go/src/net/http/server.go:1995 +0x612
labca-gui-1 | created by net/http.(*Server).Serve
labca-gui-1 | /usr/local/go/src/net/http/server.go:3089 +0x5ed
labca-gui-1 | 2023/09/10 08:08:53 http: superfluous response.WriteHeader call from main.finalHandler (main.go:2645)
labca-gui-1 | 2023/09/10 08:08:53 GET /final
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/final HTTP/1.1" 200 32 "https://desktop-t75l5jk.localdomain/admin/setup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-gui-1 | 2023/09/10 08:08:53 GET /error
labca-gui-1 | 2023/09/10 08:08:53 errorHandler: err=<nil>
labca-gui-1 | main.showErrorHandler({0x13cf8b0?, 0xc0001fe620?}, 0xc000423950?)
labca-gui-1 | /go/src/labca/main.go:2671 +0x2d
labca-gui-1 | net/http.HandlerFunc.ServeHTTP(0xd75260?, {0x13cf8b0?, 0xc0001fe620?}, 0xc0001fe620?)
labca-gui-1 | /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1 | main.authorized.func1({0x13cf8b0, 0xc0001fe620}, 0xc0008cf400)
labca-gui-1 | /go/src/labca/main.go:3118 +0x26d
labca-gui-1 | net/http.HandlerFunc.ServeHTTP(0xc0008cf300?, {0x13cf8b0?, 0xc0001fe620?}, 0x5e83c7f241?)
labca-gui-1 | /usr/local/go/src/net/http/server.go:2122 +0x2f
labca-gui-1 | github.com/gorilla/mux.(*Router).ServeHTTP(0xc000000600, {0x13cf8b0, 0xc0001fe620}, 0xc0008cf200)
labca-gui-1 | /root/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1cf
labca-gui-1 | net/http.serverHandler.ServeHTTP({0xc000808000?}, {0x13cf8b0, 0xc0001fe620}, 0xc0008cf200)
labca-gui-1 | /usr/local/go/src/net/http/server.go:2936 +0x316
labca-gui-1 | net/http.(*conn).serve(0xc00036afc0, {0x13d04e8, 0xc0008e4270})
labca-gui-1 | /usr/local/go/src/net/http/server.go:1995 +0x612
labca-gui-1 | created by net/http.(*Server).Serve
labca-gui-1 | /usr/local/go/src/net/http/server.go:3089 +0x5ed
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/error HTTP/1.1" 500 34712 "https://desktop-t75l5jk.localdomain/admin/setup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/bootstrap.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/metisMenu.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/sb-admin-2.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/font-awesome.min.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/css/labca.css HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/jquery.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/bootstrap.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/metisMenu.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/sb-admin-2.min.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
labca-nginx-1 | ::ffff:10.77.77.1 - - [10/Sep/2023:08:08:53 +0000] "GET /admin/static/js/labca.js HTTP/1.1" 304 0 "https://desktop-t75l5jk.localdomain/admin/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76" "-"
It said "Connection refused" when trying to access http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY.
But there is no problem when I use the curl command to check that.
@hakwerk : can you take a look at my issue, thanks in advance!
I'm afraid I can't tell from these logs what the problem is. I've never encountered this issue before.
It looks like it is not reaching the nginx container, otherwise there should have been some logs in the labca-nginx-1 container log for the .well-known URL (maybe you could double check with docker compose logs nginx | grep .well-known). Are you sure there is nothing else running on port 80?
Also, did you try the curl command from the VM, or from inside the container? You may try to see what happens if you try it from inside the container:
docker compose exec control curl http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY
Thanks @hakwerk for the feedback. Then the problem is from the docker container: it has no DNS for desktop-t75l5jk.localdomain because I'm setting up on my local machine.
Let me find a way to deal with that.
Hi @hakwerk ,
I solved the above issue by adding the hostname to the /etc/hosts file. But I'm getting another issue:
Already registered! Account ID: http://boulder:4001/acme/acct/1
Creating new order...
Order created!
Verifying desktop-t75l5jk.localdomain...
Traceback (most recent call last):
File "/opt/labca/acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "/opt/labca/acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "/opt/labca/acme_tiny.py", line 153, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for desktop-t75l5jk.localdomain: {'identifier': {'type': 'dns', 'value': 'desktop-t75l5jk.localdomain'}, 'status': 'invalid', 'expires': '2023-10-09T03:56:39Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: networking error looking up A for desktop-t75l5jk.localdomain; DNS problem: networking error looking up AAAA for desktop-t75l5jk.localdomain', 'status': 400}, 'url': 'http://boulder:4001/acme/chall-v3/2/dioWXw', 'token': 'K1j9GHNCMpo76g_u3QAmREjLdZGAcyTJIHYQEA98U_E', 'validated': '2023-10-02T03:56:39Z'}]}
Is it mandatory to have a DNS server for the installation? I put the hostname in the hosts file of all docker containers, but it doesn't help to fix the issue.
Thanks!
Yes, a DNS server is indeed required for the ACME protocol to issue certificates.
On https://< your LabCA fqdn >/admin/manage#config (or in config file /home/labca/admin/data/config.json) you can configure the IP address of your internal DNS server to use.
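The thread shows the two distinct places an http-01 issuance can fail with acme_tiny: the client's own pre-check of the challenge URL (the "couldn't download" traceback, a connection problem from the control container) and the CA's validation (the "Challenge did not pass" traceback, where Boulder reports an urn:ietf:params:acme:error:dns error because it resolves the name through a DNS server rather than a hosts file). The following is an added example, not LabCA's or acme_tiny's own code: it parses both message formats from the tracebacks pasted above and says which stage failed and what to look at. The regexes follow the message text visible in those tracebacks, the hint wording is the example's own, and the sample inputs are copied from this thread.

```python
"""Triage the two acme_tiny failure modes pasted in this thread (added example)."""
import ast
import re

# Both patterns follow the message formats visible in acme_tiny's tracebacks above.
PRECHECK_RE = re.compile(
    r"Wrote file to (?P<path>\S+), but couldn't download (?P<url>\S+):"
)
CHALLENGE_RE = re.compile(
    r"Challenge did not pass for (?P<domain>[^:]+): (?P<authz>\{.*\})", re.S
)

# RFC 8555 section 6.7 error types, mapped to the layer that failed and to the
# remedy discussed in this thread. The hint wording is this example's own.
ACME_ERROR_HINTS = {
    "urn:ietf:params:acme:error:dns": (
        "dns",
        "the CA could not resolve the name; it queries a DNS server, so set the "
        "internal DNS server IP in /home/labca/admin/data/config.json "
        "(a hosts-file entry only satisfies the client's own pre-check)",
    ),
    "urn:ietf:params:acme:error:connection": (
        "connection",
        "the CA resolved the name but could not connect; check that the nginx "
        "container, not another service, owns port 80",
    ),
    "urn:ietf:params:acme:error:incorrectResponse": (
        "content",
        "the CA fetched the challenge URL but received the wrong body",
    ),
}


def diagnose_authorization(authz):
    """Summarise every 'invalid' challenge in an ACME authorization object."""
    failures = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        err = chall.get("error") or {}
        urn = err.get("type", "")
        layer, hint = ACME_ERROR_HINTS.get(urn, ("unknown", "inspect the boulder logs"))
        failures.append({
            "challenge": chall.get("type"),
            "layer": layer,
            "detail": err.get("detail", ""),
            "hint": hint,
        })
    return {
        "domain": authz["identifier"]["value"],
        "status": authz.get("status"),
        "failures": failures,
    }


def triage_acme_tiny_output(text):
    """Classify acme_tiny's final error message into a 'stage' plus details."""
    m = PRECHECK_RE.search(text)
    if m:
        return {
            "stage": "precheck",
            "url": m.group("url"),
            "hint": "the control container itself cannot fetch this URL; repeat the "
                    "request with 'docker compose exec control curl <url>' and "
                    "check what is listening on port 80",
        }
    m = CHALLENGE_RE.search(text)
    if m:
        # acme_tiny prints the authorization as a Python dict repr (single quotes),
        # not JSON, so json.loads() would fail; literal_eval parses it safely.
        authz = ast.literal_eval(m.group("authz"))
        return {"stage": "validation", **diagnose_authorization(authz)}
    return {"stage": "unknown"}


# Sample inputs copied from the two tracebacks pasted earlier in this thread.
SAMPLE_PRECHECK = (
    "ValueError: Wrote file to /var/www/html/.well-known/acme-challenge/"
    "qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY, but couldn't download "
    "http://desktop-t75l5jk.localdomain/.well-known/acme-challenge/"
    "qiR6oisNnzBRPaaIKZ7Z--BIZAWxtNoYWfn1RquvfOY: Error:"
)
SAMPLE_VALIDATION = (
    "ValueError: Challenge did not pass for desktop-t75l5jk.localdomain: "
    "{'identifier': {'type': 'dns', 'value': 'desktop-t75l5jk.localdomain'}, "
    "'status': 'invalid', 'expires': '2023-10-09T03:56:39Z', 'challenges': "
    "[{'type': 'http-01', 'status': 'invalid', 'error': {'type': "
    "'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: networking "
    "error looking up A for desktop-t75l5jk.localdomain', 'status': 400}, "
    "'url': 'http://boulder:4001/acme/chall-v3/2/dioWXw', "
    "'token': 'K1j9GHNCMpo76g_u3QAmREjLdZGAcyTJIHYQEA98U_E'}]}"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PRECHECK, SAMPLE_VALIDATION):
        print(triage_acme_tiny_output(sample))
```

Run it against a pasted traceback (for example the output of docker compose logs control) and the "stage" field tells you whether to look at the control container's own network path or at the DNS resolver Boulder is configured to use.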
Hi, I'm having trouble finalizing the installation. I execute the docker-compose.yml directly, following the readme (giving the fqdn). Here's the error: ERROR: Message from server: 'ERROR! On line 89 in commander script'. However, I have no problem running the installation script. I do exactly the same thing! If you have a solution...
Line 89 only tells me that it could not reload nginx. Is there anything in the commander.log?
docker compose exec control cat /opt/logs/commander.log
Yes, 'service "nginx" is not running'. I just commented out the name:labca line because I got an error: (root) Additional property name is not allowed. Nothing more.
I cannot reproduce this. Have you tried restarting the nginx container?
docker compose restart nginx
I got an error: (root) Additional property name is not allowed
That may be a v1.x docker-compose vs. v2.x docker compose thingy?
Hello everyone,
I'm starting with labca from scratch. I'm following the instructions on the README.md home page. This command:
Everything seems to be fine; all 6 docker containers start up properly. I was able to access the home page at http://localhost. But the problem is, I cannot access the following resources:
Is there any way to troubleshoot this issue?