search

linuxserver / docker-unifi-controller

GNU General Public License v3.0
902 stars 123 forks source link

unifi wizard/setup for SSO account is rejected, same issue attempting to enable remote access from local account #138

Closed fermulator closed 1 year ago

fermulator commented 2 years ago

Expected Behavior

  1. During wizard, user should be able to setup/authenticate to Unifi SSO
  2. Post wizard w/ local user account, should be able to enable remote access using Unifi SSO

Current Behavior

Neither works.

unifi_enable_remote

unifi_login_prompt

(fill in credentials) - 100% confirmed they're right (password manager)

fail_message_no_access

"There was an error enabling Remote Access. UniFi's remote access service cannot be reached. Please check your network connection and try again."

-- the error message during wizard is slightly less helpful.

"There was a problem logging into your account, please try again later."

Steps to Reproduce

(A)

  1. Fresh install
  2. Default wizard/setup
  3. Try to login with SSO

(B)

  1. Fresh install
  2. Setup local account
  3. GO to https://:8443/manage/default/settings/system
  4. Attempt to enable remote access (sign in via SSO)

Environment

x86/64-bit

$ docker --version
Docker version 20.10.12, build e91ed57

$ docker ps | grep unifi
248b00a02038   lscr.io/linuxserver/unifi-controller   "/init"      3 days ago     Up 3 days             0.0.0.0:3478->3478/udp, :::3478->3478/udp, 0.0.0.0:6789->6789/tcp, :::6789->6789/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp, 0.0.0.0:8843->8843/tcp, :::8843->8843/tcp, 0.0.0.0:5514->5514/udp, :::5514->5514/udp, 0.0.0.0:10001->10001/udp, :::10001->10001/udp, 0.0.0.0:8880->8880/tcp, :::8880->8880/tcp   unifi-controller

Command used to create docker container (run/create/compose/screenshot)

same as #137

Docker logs

same as #137

There are no useful logs from the appliance side. How can we debug this failure?

Other Notes

  1. 137 is actually the INITIAL reason/issue I figured was to blame here, but since now the docker container is running with current timezone + datetime, this is no longer the case.

  2. Unifi support hasn't been much help yet.
  3. I AM able to login via same credentials SSO to unifi account website
  4. I have disabled MFA (2 Factor) off the account as well to see if that was part of theproblem (nope)
fermulator commented 2 years ago

Looks similar to #53 (but different)

johenkel commented 2 years ago

I am having the same issues. My Unifi OS is running on a UCKV2 v1.1.19 , OS is 7.1.61 . I was trying to add an extra user but can't as SMTP is not working, neither is cloud email. Cannot re-enable remote access to enable cloud email again .

fermulator commented 2 years ago

Tried again today same issues. How can we diagnose this issue? @johenkel why /how did you conclude it is related to not having SMTP? (I don't see why SMTP would be required to login to Unifi's online cloud account services)

fermulator commented 2 years ago

The server logs are QUITE helpful, check this out:

[2022-04-15T14:45:27,050] <model-lifecycle-cache-refresh> WARN  dev    - failed to retrieve EOL stats from - I/O error on GET request for "https://static.ubnt.com/network/devices/lifecycle.json": static.ubnt.com; nested exception is java.net.UnknownHostException: static.ubnt.com
[2022-04-15T14:46:26,964] <autoupdate-check> WARN  system - update site - cannot resolve the host
[2022-04-15T14:46:35,732] <webapi-2> WARN  api    - failed to authenticate to SSO: sso.ui.com
[2022-04-15T14:46:46,993] <autoupdate-check> WARN  fwupdate - unable to get update info for channel RELEASE: java.net.UnknownHostException: fw-update.ubnt.com
[2022-04-15T14:49:30,508] <webapi-1> WARN  api    - failed to authenticate to SSO: sso.ui.com
[2022-04-15T14:50:06,855] <webapi-2> WARN  api    - failed to authenticate to SSO: sso.ui.com
[2022-04-15T14:50:26,957] <check-iot-certificate> WARN  sdn    - failed to get connectivity details: config.ubnt.com
[2022-04-15T14:51:33,620] <webapi-1> WARN  api    - failed to authenticate to SSO: sso.ui.com
[2022-04-15T14:51:43,487] <webapi-1> WARN  api    - failed to authenticate to SSO: sso.ui.com
[2022-04-15T14:52:05,076] <webapi-2> WARN  api    - failed to authenticate to SSO: sso.ui.com
[2022-04-15T14:54:31,850] <webapi-2> WARN  api    - failed to authenticate to SSO: sso.ui.com

unifi_controller_ERROR_logs.txt

There are all sorts of errors like this. I can confirm that my host is able to access (ping, resolve) all of these URLs, it is as though the docker container itself doesn't haven external route capability? or are we blocking unifi online access?

I can also not access even apt repositories .. (went to go install ping/dig utils)

root@2bae1318f021:/usr/lib/unifi# apt update
0% [Connecting to archive.ubuntu.com]
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
fermulator commented 2 years ago

currently looking into https://docs.docker.com/network/bridge/ I suspect the default network/bridge settings here are not setup correctly (NOTE: my DNS is on pihole docker container, accessible via host subnet)

fermulator commented 2 years ago

OK it wasn't DNS. After I switched from the default bridge mode, to host mode (for networking) then i was able to egress out of the container (tested with 'apt update').

    network_mode: "host"
    dns:
      - 10.0.0.60
root@docker:/usr/lib/unifi# apt update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Fetched 228 kB in 1s (212 kB/s)   
Reading package lists... Done
Building dependency tree       
Reading state information... Done
21 packages can be upgraded. Run 'apt list --upgradable' to see them.

And then was able to enable remote access

[2022-05-18T07:30:47,443] <webapi-5> INFO  productinfo - Using controller channel=RELEASE, firmware channel=RELEASE. Available controller channels=[RELEASE, RELEASE_CANDIDATE, BETA], available firmware channels=[RELEASE, RELEASE_CANDIDATE, BETA]. SSO is enabled.

Maintainers how do we want to tackle fixing this in the README? I can't quite put my finger on why docker bridge networking isn't working out of the box.

fermulator commented 2 years ago

@johenkel fyi SMTP cloud also didn't work for me - had to manually enter valid SMTP server/auth from my mail provider.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

fermulator commented 2 years ago

@github-actions go away

johenkel commented 2 years ago

(I don't see why SMTP would be required to login to Unifi's online cloud account services)

When one ads a new user, the system is trying to e-mail that user an invite. But it cannot send the email as there isn't a smtp set up.

aptalca commented 2 years ago

If you're using pihole in a container, that's most likely the issue. One of the reasons we don't recommend or support dns/dhcp in a container.

Unifi SSO works just fine here.

fermulator commented 2 years ago

This is the first time I've ever run into a networking issue like this from a container application (all others work; home-assistant, nextcloud, etc), and yes I'm running pihole in a container. This shouldn't affect anything because it is exposed host-networking mode to the local subnet. The router doles out DHCP, and with this instructs clients to request DNS from a local subnet IP address.

And therein lies the problem. If this container doesn't have access to the local subnet by default (and it didn't until I requested it to move to host networking mode), then it cannot access the pihole. (regardless whether it is in a container or not...)

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

thommo17 commented 2 years ago

I've actually had the exact same issue on jacobalberty/unifi too.

I have Pi-Hole running by itself not in docker as I'm trying to move everything into docker and learn about it all but once I went from bridge to host network everything worked fine for me too.

I'll keep an eye on it but it doesn't seem isolated to this image I guess.

fermulator commented 1 year ago

go away bot

drizuid commented 1 year ago

I tested today and was able to enable unifi sso (though I immediately turned it off because I'm not an idiot). Unless someone can provide some data indicating that this issue isn't self inflicted, I plan to close this.

fermulator commented 1 year ago

(for me can confirm my docker host default bridge docker0 is a bit fub'ard - my other containers were running host or macvlan mode so this was the first one; user error on my part!)

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.