trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Lightsail Deployment Times out at DNS_Encryption #1098

Closed axiomdata closed 6 years ago

axiomdata commented 6 years ago

OS / Environment (where do you run Algo on)

Linux Surface4 4.4.0-17134-Microsoft #137-Microsoft Thu Jun 14 18:46:00 PST 2018 x86_64 x86_64 x86_64 GNU/Linux

Cloud Provider (where do you deploy Algo to)

Lightsail

Summary of the problem

Deployment gets stuck at DNS_Encryption. After 10 tries deployment times out.

Steps to reproduce the behavior

  1. Create an SSH keypair on the local machine.
  2. Log into Lightsail and upload your newly created SSH key to the region in which you plan to deploy your VPN server.
  3. Create a new Ubuntu 16.04 LTS Lightsail instance in your desired location.
  4. Create and attach a static IP address to your new instance
  5. Log into the newly created instance and run: do-release-upgrade - this will update the 16.04 instance to 18.04
  6. Follow the directions in README.md to deploy the Algo server, selecting "Install Algo to existing Ubuntu 18.04 server" when prompted and using the user "ubuntu" when asked.

Full log

./algo

PLAY [Ask user for the input] **

TASK [Gathering Facts] *****
ok: [localhost]
[pause]
What provider would you like to use?

  1. DigitalOcean
  2. Amazon EC2
  3. Vultr
  4. Microsoft Azure
  5. Google Compute Engine
  6. Scaleway
  7. OpenStack (DreamCompute optimised)
  8. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider : 8

TASK [pause] ***
ok: [localhost]

TASK [Set facts based on the input] ****
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks? [y/N] :

TASK [pause] ***
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi? [y/N] :

TASK [pause] ***
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing? [y/N] : y

TASK [pause] ***
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling? [y/N] :

TASK [pause] ***
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) [y/N] : y

TASK [pause] ***
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure) [y/N] : n

TASK [pause] ***
ok: [localhost]

TASK [Set facts based on the input] ****
ok: [localhost]

PLAY [Provision the server] ****

TASK [Gathering Facts] *****
ok: [localhost]

TASK [Generate the SSH private key] ****
ok: [localhost]

TASK [Generate the SSH public key] *****
ok: [localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation): [localhost] : 54.191.236.248

TASK [local : pause] ***
ok: [localhost]

TASK [local : Set the facts] ***
ok: [localhost]
[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost) [root] : ubuntu

TASK [local : pause] ***
ok: [localhost]

TASK [local : Set the facts] ***
ok: [localhost]
[local : pause]
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) [54.191.236.248] : 54.191.236.248

TASK [local : pause] ***
ok: [localhost]

TASK [local : Set the facts] ***
ok: [localhost]

TASK [Set subjectAltName as afact] *****
ok: [localhost]

TASK [Add the server to an inventory group] ****
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****
ok: [localhost]

TASK [debug] ***
ok: [localhost] => {
    "IP_subject_alt_name": "54.191.236.248"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ****
ok: [localhost]

PLAY [Configure the server and install required software] **

TASK [common : Check the system] ***
changed: [54.191.236.248]

TASK [common : include_tasks] **
included: /home/axiomdata/algo/roles/common/tasks/ubuntu.yml for 54.191.236.248
changed: [54.191.236.248] => (item=[u'python2.7', u'sudo'])

TASK [common : Ubuntu | Install prerequisites] *****

TASK [common : Ubuntu | Configure defaults] ****
changed: [54.191.236.248]

TASK [common : Gather facts] ***
ok: [54.191.236.248]

TASK [common : Install unattended-upgrades] ****
ok: [54.191.236.248]

TASK [common : Configure unattended-upgrades] **
changed: [54.191.236.248]

TASK [common : Periodic upgrades configured] ***
changed: [54.191.236.248]
changed: [54.191.236.248] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [54.191.236.248] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] *****

TASK [common : Loopback for services configured] ***
changed: [54.191.236.248]
changed: [54.191.236.248] => (item=systemd-networkd)
ok: [54.191.236.248] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] ***

RUNNING HANDLER [common : restart systemd-networkd] ****
changed: [54.191.236.248]

TASK [common : Check apparmor support] *****
changed: [54.191.236.248]

TASK [common : set_fact] ***
ok: [54.191.236.248]

TASK [common : set_fact] ***
ok: [54.191.236.248]
ok: [54.191.236.248] => (item=git)
ok: [54.191.236.248] => (item=screen)
changed: [54.191.236.248] => (item=apparmor-utils)
ok: [54.191.236.248] => (item=uuid-runtime)
ok: [54.191.236.248] => (item=coreutils)
changed: [54.191.236.248] => (item=iptables-persistent)
changed: [54.191.236.248] => (item=cgroup-tools)
ok: [54.191.236.248] => (item=openssl,linux-headers-4.15.0-1020-aws)

TASK [common : Install tools] **

TASK [common : Generate password for the CA key] ***
changed: [54.191.236.248 -> localhost]

TASK [common : Generate p12 export password] ***
changed: [54.191.236.248 -> localhost]

TASK [common : Define facts] ***
ok: [54.191.236.248]

TASK [common : set_fact] ***
ok: [54.191.236.248]
changed: [54.191.236.248] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [54.191.236.248] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [54.191.236.248] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] **

TASK [dns_adblocking : Dnsmasq installed] **
changed: [54.191.236.248]

TASK [dns_adblocking : The dnsmasq directory created] **
changed: [54.191.236.248]

TASK [dns_adblocking : include_tasks] **
included: /home/axiomdata/algo/roles/dns_adblocking/tasks/ubuntu.yml for 54.191.236.248

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] ***
changed: [54.191.236.248]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ***
changed: [54.191.236.248]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ***
changed: [54.191.236.248]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *****
changed: [54.191.236.248]

TASK [dns_adblocking : Dnsmasq configured] *****
changed: [54.191.236.248]

TASK [dns_adblocking : Adblock script created] *****
changed: [54.191.236.248]

TASK [dns_adblocking : Adblock script added to cron] ***
changed: [54.191.236.248]

TASK [dns_adblocking : Update adblock hosts] ***
changed: [54.191.236.248]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *****
changed: [54.191.236.248]

RUNNING HANDLER [vpn : daemon-reload] **
changed: [54.191.236.248]

TASK [dns_adblocking : Dnsmasq enabled and started] ****
ok: [54.191.236.248]

TASK [dns_encryption : Include tasks for Ubuntu] ***
included: /home/axiomdata/algo/roles/dns_encryption/tasks/ubuntu.yml for 54.191.236.248
FAILED - RETRYING: Add the repository (10 retries left).
FAILED - RETRYING: Add the repository (9 retries left).
FAILED - RETRYING: Add the repository (8 retries left).
FAILED - RETRYING: Add the repository (7 retries left).
FAILED - RETRYING: Add the repository (6 retries left).
FAILED - RETRYING: Add the repository (5 retries left).
FAILED - RETRYING: Add the repository (4 retries left).
FAILED - RETRYING: Add the repository (3 retries left).
FAILED - RETRYING: Add the repository (2 retries left).
FAILED - RETRYING: Add the repository (1 retries left).

TASK [dns_encryption : Add the repository] *****
fatal: [54.191.236.248]: FAILED! => {"attempts": 10, "changed": false, "msg": "Failed to connect to launchpad.net at port 443: [Errno -3] Temporary failure in name resolution"}

PLAY RECAP *****
54.191.236.248 : ok=36 changed=26 unreachable=0 failed=1
localhost : ok=24 changed=1 unreachable=0 failed=0
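The log above ends with the same pattern a reader will meet in many failed Algo runs: a burst of `FAILED - RETRYING` lines, a `fatal:` result whose `msg` carries a getaddrinfo errno, and a `PLAY RECAP` with `failed=1`. As an added example (not code from the algo project or from the issue participants), the following parser pulls those pieces out of Ansible's default-callback output so that the failing task, the number of retries, the error class and the tasks that ran immediately before the failure can be read off without scrolling the whole run. It accounts for the ordering visible in the quoted logs, where the retry lines for "Add the repository" appear before the task banner they belong to, because the default callback prints the banner lazily. The sample log is constructed from the lines quoted in this issue; `parse_ansible_log`, `classify` and the errno table are names chosen here, not algo's.

```python
"""Summarise task failures in Ansible default-callback output (e.g. an algo run)."""
import json
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed excerpt modelled on the output quoted in this issue. Note that the
# retry lines precede the banner of the task they belong to.
SAMPLE_LOG = """\
TASK [common : Loopback for services configured] *******************************
changed: [207.148.97.42]

TASK [common : systemd services enabled and started] ***************************
changed: [207.148.97.42] => (item=systemd-networkd)
ok: [207.148.97.42] => (item=systemd-resolved)

TASK [dns_encryption : Include tasks for Ubuntu] *******************************
included: /Users/<username>/algo/roles/dns_encryption/tasks/ubuntu.yml for 207.148.97.42
FAILED - RETRYING: Add the repository (10 retries left).
FAILED - RETRYING: Add the repository (9 retries left).
FAILED - RETRYING: Add the repository (1 retries left).

TASK [dns_encryption : Add the repository] *************************************
fatal: [207.148.97.42]: FAILED! => {"attempts": 10, "changed": false, "msg": "Failed to connect to launchpad.net at port 443: [Errno -3] Temporary failure in name resolution"}

PLAY RECAP *********************************************************************
207.148.97.42              : ok=36   changed=26   unreachable=0    failed=1
"""

TASK_RE = re.compile(r"^TASK \[(.+?)\] \*+$")
RETRY_RE = re.compile(r"^FAILED - RETRYING: (.+?) \((\d+) retries left\)\.?$")
FATAL_RE = re.compile(r"^fatal: \[([^\]]+)\]: FAILED! => (\{.*\})$")
RECAP_RE = re.compile(r"^(\S+)\s+: ok=(\d+)\s+changed=(\d+)\s+unreachable=(\d+)\s+failed=(\d+)")

# Errno substrings as CPython prints them in socket errors, mapped to a coarse
# failure class. Negative values are getaddrinfo (EAI_*) codes, i.e. DNS problems.
ERROR_CLASSES = [
    ("[Errno -3]", "dns_resolution"),  # EAI_AGAIN: temporary failure in name resolution
    ("[Errno -2]", "dns_resolution"),  # EAI_NONAME: name or service not known
    ("[Errno 110]", "tcp_timeout"),    # ETIMEDOUT: host resolved, no answer
    ("[Errno 111]", "tcp_refused"),    # ECONNREFUSED: host resolved, port closed
]


def classify(msg: str) -> str:
    """Map an Ansible failure message to a coarse class by its errno."""
    for needle, label in ERROR_CLASSES:
        if needle in msg:
            return label
    return "other"


def parse_ansible_log(text: str) -> Dict[str, object]:
    """Return the fatal results (with context) and the PLAY RECAP counters."""
    current_task: Optional[str] = None
    tasks_seen: List[str] = []
    retries: Counter = Counter()   # bare task name -> number of retry lines
    failures: List[Dict[str, object]] = []
    recap: Dict[str, Dict[str, int]] = {}

    for line in text.splitlines():
        line = line.rstrip()
        if m := TASK_RE.match(line):
            current_task = m.group(1)
            tasks_seen.append(current_task)
        elif m := RETRY_RE.match(line):
            # Retry lines carry only the task name, without the "role : " prefix.
            retries[m.group(1)] += 1
        elif m := FATAL_RE.match(line):
            host, payload = m.group(1), m.group(2)
            try:
                result = json.loads(payload)
            except json.JSONDecodeError:
                result = {"msg": payload}
            msg = str(result.get("msg", ""))
            task = current_task or "<unknown task>"
            bare = task.split(" : ", 1)[-1]
            failures.append({
                "task": task,
                "host": host,
                "attempts": result.get("attempts"),
                "retries_seen": retries.get(bare, 0),
                "msg": msg,
                "category": classify(msg),
                # The three tasks before the failing one: what changed just before.
                "preceding_tasks": tasks_seen[-4:-1],
            })
        elif m := RECAP_RE.match(line):
            recap[m.group(1)] = {
                "ok": int(m.group(2)), "changed": int(m.group(3)),
                "unreachable": int(m.group(4)), "failed": int(m.group(5)),
            }
    return {"failures": failures, "recap": recap}


if __name__ == "__main__":
    summary = parse_ansible_log(SAMPLE_LOG)
    for failure in summary["failures"]:
        print(f"{failure['host']}: {failure['task']} -> {failure['category']} "
              f"after {failure['attempts']} attempts; ran after {failure['preceding_tasks']}")
    print("recap:", summary["recap"])
```

Run it against a saved terminal log (`parse_ansible_log(open("run.log").read())`); a `dns_resolution` class on a task that fetches from the network, immediately after tasks that reconfigure systemd-resolved or dnsmasq, points at the server's own resolver rather than at the remote host or the provider's network.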

jackivanov commented 6 years ago

Fixed in https://github.com/trailofbits/algo/pull/1097

louy2 commented 6 years ago

Saw this from default algo installation, too. I don't use DNS adblocking so no dnsmasq for me but otherwise the error message is the same.

TASK [common : Sysctl tuning] **************************************************

TASK [dns_encryption : Include tasks for Ubuntu] *******************************
included: /Users/<username>/algo/roles/dns_encryption/tasks/ubuntu.yml for 207.148.97.42
FAILED - RETRYING: Add the repository (10 retries left).
FAILED - RETRYING: Add the repository (9 retries left).
FAILED - RETRYING: Add the repository (8 retries left).
FAILED - RETRYING: Add the repository (7 retries left).
FAILED - RETRYING: Add the repository (6 retries left).
FAILED - RETRYING: Add the repository (5 retries left).
FAILED - RETRYING: Add the repository (4 retries left).
FAILED - RETRYING: Add the repository (3 retries left).
FAILED - RETRYING: Add the repository (2 retries left).
FAILED - RETRYING: Add the repository (1 retries left).

TASK [dns_encryption : Add the repository] *************************************
fatal: [207.148.97.42]: FAILED! => {"attempts": 10, "changed": false, "msg": "Failed to connect to launchpad.net at port 443: [Errno -3] Temporary failure in name resolution"}