netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Certbot issue #2726

Closed fr33n0rm closed 2 days ago

fr33n0rm commented 3 days ago

Describe the problem

Certbot certificate creation issue. I am using Google Workspace as IdP and followed the steps provided. I have run the `./configure` script; however, I'm still having an issue with the Let's Encrypt cert even though all ports are open to the internet (80, 443).

To Reproduce

Steps to reproduce the behavior:

  1. Go to `setup.env` and add the config:

     ```sh
     NETBIRD_DASHBOARD_TAG=""
     NETBIRD_SIGNAL_TAG=""
     NETBIRD_MANAGEMENT_TAG=""
     COTURN_TAG=""
     NETBIRD_RELAY_TAG=""

     NETBIRD_DOMAIN="nb2.example.com"

     NETBIRD_TURN_DOMAIN=""

     NETBIRD_TURN_EXTERNAL_IP="35.221.174.49"

     NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://accounts.google.com/.well-known/openid-configuration"
     NETBIRD_AUTH_AUDIENCE="44444444-uklmene.apps.googleusercontent.com"
     NETBIRD_AUTH_CLIENT_ID="44444444-uklmene.apps.googleusercontent.com"
     NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
     NETBIRD_AUTH_CLIENT_SECRET="GOCSPAUTH_CLIENT_SECRET"
     NETBIRD_USE_AUTH0="false"
     NETBIRD_AUTH_REDIRECT_URI="/auth"
     NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
     NETBIRD_TOKEN_SOURCE="idToken"
     NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
     NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
     NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
     NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
     NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
     NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
     NETBIRD_MGMT_IDP="google"
     NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
     NETBIRD_IDP_MGMT_CLIENT_SECRET=""
     NETBIRD_IDP_MGMT_EXTRA_SERVICE_ACCOUNT_KEY="b64key"
     NETBIRD_IDP_MGMT_EXTRA_CUSTOMER_ID="909098d9s"
     NETBIRD_DISABLE_LETSENCRYPT=false
     NETBIRD_LETSENCRYPT_EMAIL="it@example.com"
     NETBIRD_DISABLE_ANONYMOUS_METRICS=false
     NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

     NETBIRD_RELAY_DOMAIN=""

     NETBIRD_RELAY_PORT=""
     ```

  2. Run `./configure`
  3. Compose file:

     ```yaml
     version: "3"
     services:
       # UI dashboard
       dashboard:
         image: netbirdio/dashboard:latest
         restart: unless-stopped
         ports:
           - 80:80
           - 443:443
         environment:
           # Endpoints
           - NETBIRD_MGMT_API_ENDPOINT=https://nb2.example.com:33073
           - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://nb2.example.com:33073
           # OIDC
           - AUTH_AUDIENCE=44444444-uklmene.apps.googleusercontent.com
           - AUTH_CLIENT_ID=44444444-uklmene.apps.googleusercontent.com
           - AUTH_CLIENT_SECRET=GOCSPAUTH_CLIENT_SECRET
           - AUTH_AUTHORITY=https://accounts.google.com
           - USE_AUTH0=false
           - AUTH_SUPPORTED_SCOPES=openid profile email
           - AUTH_REDIRECT_URI=/auth
           - AUTH_SILENT_REDIRECT_URI=/silent-auth
           - NETBIRD_TOKEN_SOURCE=idToken
           # SSL
           - NGINX_SSL_PORT=443
           # Letsencrypt
           - LETSENCRYPT_DOMAIN=nb2.example.com
           - LETSENCRYPT_EMAIL=it@example.com
         volumes:
           - netbird-letsencrypt:/etc/letsencrypt/
         logging:
           driver: "json-file"
           options:
             max-size: "500m"
             max-file: "2"
       # Signal
       signal:
         image: netbirdio/signal:latest
         restart: unless-stopped
         volumes:
           - netbird-signal:/var/lib/netbird
         ports:
           - 10000:80
         #  # port and command for Let's Encrypt validation
         #  - 443:443
         #  command: ["--letsencrypt-domain", "nb2.example.com", "--log-file", "console"]
         logging:
           driver: "json-file"
           options:
             max-size: "500m"
             max-file: "2"
       # Relay
       relay:
         image: netbirdio/relay:latest
         restart: unless-stopped
         environment:
           - NB_LOG_LEVEL=info
           - NB_LISTEN_ADDRESS=:33080
           - NB_EXPOSED_ADDRESS=nb2.example.com:33080
           # todo: change to a secure secret
           - NB_AUTH_SECRET=jt7373737773/ojO83838383883838388383
         ports:
           - 33080:33080
         logging:
           driver: "json-file"
           options:
             max-size: "500m"
             max-file: "2"
       # Management
       management:
         image: netbirdio/management:latest
         restart: unless-stopped
         depends_on:
           - dashboard
         volumes:
           - netbird-mgmt:/var/lib/netbird
           - netbird-letsencrypt:/etc/letsencrypt:ro
           - ./management.json:/etc/netbird/management.json
         ports:
           - 33073:443 #API port
         #  # command for Let's Encrypt validation without dashboard container
         #  command: ["--letsencrypt-domain", "nb2.example.com", "--log-file", "console"]
         command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=nb2.example.com", "--dns-domain=netbird.selfhosted" ]
         logging:
           driver: "json-file"
           options:
             max-size: "500m"
             max-file: "2"
         environment:
           - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
       # Coturn
       coturn:
         image: coturn/coturn:latest
         restart: unless-stopped
         #domainname: nb2.example.com # only needed when TLS is enabled
         volumes:
           - ./turnserver.conf:/etc/turnserver.conf:ro
         #  - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
         #  - ./cert.pem:/etc/coturn/certs/cert.pem:ro
         network_mode: host
         command:
           - -c /etc/turnserver.conf
         logging:
           driver: "json-file"
           options:
             max-size: "500m"
             max-file: "2"
     volumes:
       netbird-mgmt:
       netbird-signal:
       netbird-letsencrypt:
     ```
  4. See error:

     ```
     dashboard-1 |
     dashboard-1 | Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
     dashboard-1 |   Domain: nb2.example.com
     dashboard-1 |   Type:   connection
     dashboard-1 |   Detail: During secondary validation: 35.221.174.49: Fetching http://nb2.example.com/.well-known/acme-challenge/IpkLf3E7NL8-vVivqWl9U9rS7xFhAy1ivXrUApnFA-s: Timeout during connect (likely firewall problem)
     dashboard-1 |
     dashboard-1 | Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
     dashboard-1 |
     dashboard-1 | Some challenges have failed.
     dashboard-1 | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
     ```

Expected behavior

Create a Let's Encrypt certificate that will automatically renew using the http-01 challenge.

Are you using NetBird Cloud?

Please specify whether you use NetBird Cloud or self-host NetBird's control plane.

NetBird version

0.30

mlsmaycon commented 3 days ago

Hello @fr33n0rm, the error is this:

```
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
dashboard-1 | Domain: nb2.example.com
dashboard-1 | Type: connection
dashboard-1 | Detail: During secondary validation: 35.221.174.49: Fetching http://nb2.example.com/.well-known/acme-challenge/IpkLf3E7NL8-vVivqWl9U9rS7xFhAy1ivXrUApnFA-s: Timeout during connect (likely firewall problem)
```

Have you checked your firewall? And is the domain pointing to the right address?
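A pre-flight check for the two causes mlsmaycon asks about (the domain pointing at the right address, and ports 80/443 reachable so the CA can fetch `/.well-known/acme-challenge/<token>`), added here as an example; it is not NetBird project code. It assumes a `setup.env` in the format shown above and that `NETBIRD_TURN_EXTERNAL_IP` is the host's public address; `resolve` and `connect` are injectable so the logic can be exercised offline.

```python
"""Added pre-flight check (not NetBird project code) for Let's Encrypt http-01
validation of a self-hosted NetBird domain: reads setup.env and checks the two
things a "Timeout during connect" failure points at, DNS and the firewall."""
import re
import socket

SETUP_ENV_RE = re.compile(r'^\s*([A-Z_]+)=("?)([^"\n]*)\2', re.M)


def parse_setup_env(text):
    """Collect KEY="value" / KEY=value lines from setup.env (no shell expansion)."""
    return {m.group(1): m.group(3) for m in SETUP_ENV_RE.finditer(text)}


def resolve_a(host):
    """IPv4 addresses the name resolves to, sorted for stable comparison."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def tcp_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(env, resolve=resolve_a, connect=tcp_open):
    """Findings that would make the CA's http-01 fetch fail; empty list means OK.
    resolve/connect are injectable so the logic can be exercised offline."""
    if env.get("NETBIRD_DISABLE_LETSENCRYPT", "false").lower() == "true":
        return []  # certificates come from elsewhere; nothing to validate
    domain = env.get("NETBIRD_DOMAIN", "")
    expected_ip = env.get("NETBIRD_TURN_EXTERNAL_IP", "")  # assumed: the public IP
    findings = []
    try:
        ips = resolve(domain)
    except OSError:  # socket.gaierror for NXDOMAIN or an empty name
        ips = []
    if not ips:
        findings.append(f"DNS: {domain} has no A record")
    elif expected_ip and expected_ip not in ips:
        findings.append(f"DNS: {domain} resolves to {ips}, not the expected {expected_ip}")
    # The CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80 from
    # several vantage points; a block at any one of them surfaces as "During secondary
    # validation ... Timeout during connect (likely firewall problem)".
    for port in (80, 443):
        if not connect(domain, port):
            findings.append(f"firewall: TCP port {port} on {domain} is not reachable")
    return findings
```

Run it as `preflight(parse_setup_env(open("setup.env").read()))` from the directory holding `setup.env`; an empty result means DNS and reachability look fine from where you run it, which still says nothing about other vantage points.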

fr33n0rm commented 3 days ago

@mlsmaycon Yes, I have checked the firewall and allowed all IPs (0.0.0.0/0) to connect.

fr33n0rm commented 3 days ago

Please ignore. I think it's the firewall. I tried adding 0.0.0.0/0 again and it successfully created a new cert. Thanks.

mlsmaycon commented 2 days ago

That's great. I will close this one.