netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Can't start management service behind traefik reverse proxy #2082

Closed vincent-lg18 closed 4 months ago

vincent-lg18 commented 4 months ago

Describe the problem

Management service can't start behind a traefik reverse proxy.

Are you using NetBird Cloud?

I'm using the self-hosted version of netbird.

Additional context

I have followed all steps from https://docs.netbird.io/selfhosted/selfhosted-guide#configuration-for-net-bird to set up netbird behind traefik.

From my docker-compose.yml, here is my dashboard and management services configuration:

version: "3"
services:
  dashboard:
    image: netbirdio/dashboard:v2.3.0
    restart: unless-stopped
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=$API_ENDPOINT
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$API_ENDPOINT
      # OIDC
      - ...
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
      - NETBIRD_DISABLE_LETSENCRYPT=true
#    volumes:
#      - netbird-letsencrypt:/etc/letsencrypt/
    networks:
      - interne
      - public
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-dashboard.rule=Host(`vpn.company.sh`)
    - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80

  management:
    image: netbirdio/management:0.27.9
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
      #- netbird-letsencrypt:/etc/letsencrypt:ro
    #ports:
    #  - 33073:443
    command: [
      "--port", "443",
      "--log-file", "console",
      "--disable-anonymous-metrics=true",
      "--single-account-mode-domain=vpn.company.sh",
      "--dns-domain=company.vpn"
      ]
    networks:
      - interne
      - public
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-api.rule=Host(`vpn.company.sh`) && PathPrefix(`/api`)
    - traefik.http.routers.netbird-api.service=netbird-api
    - traefik.http.services.netbird-api.loadbalancer.server.port=443

    - traefik.http.routers.netbird-management.rule=Host(`vpn.company.sh`) && PathPrefix(`/management.ManagementService/`)
    - traefik.http.routers.netbird-management.service=netbird-management
    - traefik.http.services.netbird-management.loadbalancer.server.port=443
    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c

The only lines related to TLS in the management.json file are the following ones:

    "HttpConfig": {
        "Address": "0.0.0.0:443",
        "CertFile": "",
        "CertKey": "",
    },

My dashboard is up and running:

$ docker logs -f netbird-dashboard-1
+ LETSENCRYPT_DOMAIN=none
+ LETSENCRYPT_EMAIL=example@local
+ NGINX_SSL_PORT=443
+ '[' none-x == none-x ']'
+ exit 0
NetBird latest version:
+ LETSENCRYPT_DOMAIN=none
+ LETSENCRYPT_EMAIL=example@local
+ NGINX_SSL_PORT=443
+ '[' none-x == none-x ']'
+ exit 0
NetBird latest version:

But the management service is restarting again and again, looking for TLS credentials:

2024-05-31T08:13:28Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint https://auth.company.sh/application/o/netbird/.well-known/openid-configuration
2024-05-31T08:13:29Z INFO management/cmd/management.go:460: loaded OIDC configuration from the provided IDP configuration endpoint: https://auth.company.sh/application/o/netbird/.well-known/openid-configuration
2024-05-31T08:13:29Z INFO management/cmd/management.go:462: overriding HttpConfig.AuthIssuer with a new value https://auth.company.sh/application/o/netbird/, previously configured value: https://auth.company.sh/application/o/netbird/
2024-05-31T08:13:29Z INFO management/cmd/management.go:466: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.company.sh/application/o/netbird/jwks/, previously configured value: https://auth.company.sh/application/o/netbird/jwks/
2024-05-31T08:13:29Z INFO management/cmd/management.go:471: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.company.sh/application/o/token/, previously configured value: https://auth.company.sh/application/o/token/
2024-05-31T08:13:29Z INFO management/cmd/management.go:474: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.company.sh/application/o/device/, previously configured value: https://auth.company.sh/application/o/device/
2024-05-31T08:13:29Z INFO management/cmd/management.go:482: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.company.sh, previously configured value: auth.company.sh
2024-05-31T08:13:29Z INFO management/cmd/management.go:492: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.company.sh/application/o/token/, previously configured value: https://auth.company.sh/application/o/token/
2024-05-31T08:13:29Z INFO management/cmd/management.go:495: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.company.sh/application/o/authorize/, previously configured value: https://auth.company.sh/application/o/authorize/
2024-05-31T08:13:29Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
2024-05-31T08:13:29Z INFO management/server/store.go:109: using Postgres store engine
2024-05-31T08:13:29Z INFO management/server/migration/migration.go:128: No records in table peers, no migration needed
2024-05-31T08:13:29Z INFO management/server/migration/migration.go:128: No records in table peers, no migration needed
2024-05-31T08:13:29Z INFO management/cmd/management.go:173: geo location service has been initialized from /var/lib/netbird/
2024-05-31T08:13:29Z INFO management/server/account.go:889: single account mode enabled, accounts number 0
2024-05-31T08:13:29Z ERRO management/cmd/management.go:227: cannot load TLS credentials: open /etc/letsencrypt/live/vpn.company.sh/fullchain.pem: no such file or directory
Error: open /etc/letsencrypt/live/vpn.company.sh/fullchain.pem: no such file or directory

How can the management service stop looking for TLS credentials and instead start up and wait for traefik connections?
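The failure in the log above is a listener-mode problem: the management server is being asked to load a certificate from a path that does not exist in the container, while the intended setup is plaintext HTTP/h2c with Traefik terminating TLS. The following preflight script is an added example, not part of this issue or of NetBird's own code. It parses the `HttpConfig` section of a management.json and reports which mode the server will end up in, flagging a configured-but-missing certificate file before the container enters a restart loop. The precedence it models (a LetsEncrypt domain first, then an explicit `CertFile`/`CertKey` pair, otherwise plaintext) and the `LetsEncryptDomain` key name are assumptions about the server's behaviour, not taken from this page; the sample configurations are constructed.

```python
#!/usr/bin/env python3
"""Preflight check for the TLS settings in a NetBird management.json.

Usage: python3 check_mgmt_tls.py /etc/netbird/management.json
Example code only; the selection order below is an assumption, not the
project's documented behaviour.
"""
import json
import os
import sys
from dataclasses import dataclass, field

# Constructed sample 1: the excerpt from the issue, cert fields left empty.
SAMPLE_PLAINTEXT = """{
  "HttpConfig": {
    "Address": "0.0.0.0:443",
    "CertFile": "",
    "CertKey": ""
  }
}"""

# Constructed sample 2: cert paths configured that are not present in the
# container (the situation behind the "no such file or directory" error).
SAMPLE_MISSING_CERT = """{
  "HttpConfig": {
    "Address": "0.0.0.0:443",
    "CertFile": "/etc/letsencrypt/live/vpn.company.sh/fullchain.pem",
    "CertKey": "/etc/letsencrypt/live/vpn.company.sh/privkey.pem"
  }
}"""


@dataclass
class TlsPlan:
    mode: str                      # "letsencrypt", "certfiles" or "plaintext"
    problems: list = field(default_factory=list)


def plan_tls(http_config: dict, exists=os.path.isfile) -> TlsPlan:
    """Decide which listener mode the server will pick (assumed precedence).

    `exists` is injectable so the check can be run against a config without
    access to the container filesystem (and so it is testable).
    """
    domain = http_config.get("LetsEncryptDomain", "")   # assumed key name
    cert = http_config.get("CertFile", "")
    key = http_config.get("CertKey", "")
    problems = []

    if domain:
        # ACME-managed certificate: the server needs port 80/443 reachable
        # from the internet, which a reverse proxy in front usually breaks.
        return TlsPlan("letsencrypt", problems)

    if cert or key:
        if not (cert and key):
            problems.append("CertFile and CertKey must both be set or both be empty")
        for label, path in (("CertFile", cert), ("CertKey", key)):
            if path and not exists(path):
                problems.append(f"{label} points at a missing file: {path}")
        return TlsPlan("certfiles", problems)

    # Nothing configured: plaintext listener, TLS is the proxy's job.
    # The Traefik service for the gRPC route must then use scheme=h2c.
    return TlsPlan("plaintext", problems)


def check_management_json(text: str, exists=os.path.isfile) -> TlsPlan:
    """Parse a management.json document and return the TLS plan for it."""
    config = json.loads(text)
    return plan_tls(config.get("HttpConfig", {}), exists)


def main(argv: list) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_MISSING_CERT
    plan = check_management_json(text)
    print(f"listener mode: {plan.mode}")
    for p in plan.problems:
        print(f"  problem: {p}")
    return 1 if plan.problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file before `docker compose up`: a non-zero exit with a "points at a missing file" line is exactly the condition that produces the `cannot load TLS credentials` error above, and "plaintext" is the mode a Traefik-fronted deployment with the `scheme=h2c` label should report.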

bibius commented 3 months ago

Hi, I have the same issue. How can I solve it?

vincent-lg18 commented 3 months ago

Don't forget to build your Docker image; that was my problem.