wireapp / wire-server-deploy

Code to install/deploy wire-server (on kubernetes)
https://docs.wire.com
GNU Affero General Public License v3.0

Question: 502 Bad Gateway #481

Closed Twiggeh closed 3 years ago

Twiggeh commented 3 years ago

Basic information

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:15:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

* Other related technologies + version:

Ansible : ansible 2.9.0
  config file = None
  configured module search path = ['/home/twiggeh/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]

How did you install Wire?

I did not deviate from the guide. I installed it on Ubuntu 18. My certificates are from Let's Encrypt made with certbot, and they appear to be working.

Question

I am getting a 502 Bad Gateway, no idea where to even look on how to fix it.

I am running the demo version of the wire backend, and everything installed fine, even the status check is okay.

But when I go to the webapp, it redirects to /auth, shows an indefinite spinner and a failed XHR request.

I don't have SSO enabled; I tried running the commit and hash collection script but it fails too.

teamSettings:
  enabled: false
accountPages:
  enabled: false
tls:
  enabled: true
  # NOTE: enable to automate certificate issuing with jetstack/cert-manager instead of
  #       providing your own certs in secrets.yaml. Cert-manager is not installed automatically,
  #       it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md)
  useCertManager: false

certManager:
  # NOTE: change to tell cert-manager to issue a valid certificate
  inTestMode: true
  # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration
  #                notice and other Letsencrypt related notification
  certmasterEmail:

# NOTE: These values must be adjusted on a per installation basis
config:
  dns:
    https: nginz-https.twiggeh.xyz
    ssl: nginz-ssl.twiggeh.xyz
    webapp: webapp.twiggeh.xyz
    fakeS3: assets.twiggeh.xyz
    teamSettings: teams.twiggeh.xyz
    accountPages: account.twiggeh.xyz
tags:
  proxy: false # enable if you want/need giphy/youtube/etc proxying
  spar: false # enable if you want/need Single-Sign-On (SSO)

cassandra-migrations:
#  images:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  cassandra:
    host: cassandra-ephemeral
    replicaCount: 1

elasticsearch-index:
  elasticsearch:
    host: elasticsearch-ephemeral
  cassandra:
    host: cassandra-ephemeral

brig:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-ephemeral
      replicaCount: 1
    elasticsearch:
      host: elasticsearch-ephemeral
    useSES: false
    aws:
      # change if using real AWS
      region: "eu-west-1"
      sqsEndpoint: http://fake-aws-sqs:4568
      dynamoDBEndpoint: http://fake-aws-dynamodb:4567
      # these must match the table names created on fake or real AWS services
      internalQueue: integration-brig-events-internal
      prekeyTable: integration-brig-prekeys
    externalUrls:
      nginz: https://api.twiggeh.xyz # change this
      teamSettings: https://teams.twiggeh.xyz # change this (or unset if team settings are not used)
      teamCreatorWelcome: https://teams.twiggeh.xyz/login # change this
      teamMemberWelcome: https://wire.twiggeh.xyz/download # change this
    optSettings:
      setFederationDomain: twiggeh.xyz # change this
      # Sync the domain with the 'host' variable in the sftd chart
      # uncomment this section if conference calling is not used
      setSftStaticUrl: "https://sftd.example.om:443"
    emailSMS:
      general:
        emailSender: email@twiggeh.xyz # change this
        smsSender: "insert-sms-sender-for-twilio" # change this if SMS support is desired
    smtp:
      host: demo-smtp # change this if you want to use your own SMTP server
      port: 25        # change this
      connType: plain # change this. Possible values: plain|ssl|tls
#    proxy:
#      httpProxy: "http://proxy.twiggeh.xyz"
#      httpsProxy: "https://proxy.twiggeh.xyz"
#      noProxyList:
#        - "local.twiggeh.xyz"
#        - "10.23.0.0/16"

proxy:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
#  config:
#    proxy:
#      httpProxy: "http://proxy.twiggeh.xyz"
#      httpsProxy: "https://proxy.twiggeh.xyz"
#      noProxyList:
#        - "local.twiggeh.xyz"
#        - "10.23.0.0/16"

cannon:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  # For demo mode only, we don't need to keep websocket connections open on chart upgrades
  drainTimeout: 10

cargohold:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    aws:
      # change if using real AWS
      region: "eu-west-1"
      s3Bucket: dummy-bucket
      s3Endpoint: http://fake-aws-s3:9000
      s3DownloadEndpoint: https://assets.twiggeh.xyz
#    proxy:
#      httpProxy: "http://proxy.twiggeh.xyz"
#      httpsProxy: "https://proxy.twiggeh.xyz"
#      noProxyList:
#        - "local.twiggeh.xyz"
#        - "10.23.0.0/16"

galley:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-ephemeral
      replicaCount: 1
    settings:
      federationDomain: twiggeh.xyz # change this
      # prefix URI used when inviting users to a conversation by link
      conversationCodeURI: https://twiggeh.xyz/join/ # change this
    aws:
      region: "eu-west-1"
#    proxy:
#      httpProxy: "http://proxy.twiggeh.xyz"
#      httpsProxy: "https://proxy.twiggeh.xyz"
#      noProxyList:
#        - "local.twiggeh.xyz"
#        - "10.23.0.0/16"

gundeck:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-ephemeral
      replicaCount: 1
    aws:
      # change if using real AWS
      account: "123456789012"
      region: "eu-west-1"
      arnEnv: integration
      queueName: integration-gundeck-events
      sqsEndpoint: http://fake-aws-sqs:4568
      snsEndpoint: http://fake-aws-sns:4575
#    proxy:
#      httpProxy: "http://proxy.twiggeh.xyz"
#      httpsProxy: "https://proxy.twiggeh.xyz"
#      noProxyList:
#        - "local.twiggeh.xyz"
#        - "10.23.0.0/16"

nginz:
  replicaCount: 1
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    external_env_domain: twiggeh.xyz
  # For demo mode only, we don't need to keep websocket connections open on upgrade:
  drainTimeout: 10
  terminationGracePeriodSeconds: 30

webapp:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: nginz-https.twiggeh.xyz
      backendWebsocket: nginz-ssl.twiggeh.xyz
      backendDomain: twiggeh.xyz
      # When 'tags.team-settings: true'
      backendTeamSettings: teams.twiggeh.xyz
      appHost: webapp.twiggeh.xyz
  # See full list of available environment variables: https://github.com/wireapp/wire-webapp/blob/dev/server/config.ts
  envVars:
    APP_NAME: "Webapp"
    ENFORCE_HTTPS: "false"
    FEATURE_CHECK_CONSENT: "false"
    FEATURE_ENABLE_ACCOUNT_REGISTRATION: "true"
    FEATURE_ENABLE_DEBUG: "false"
    FEATURE_ENABLE_PHONE_LOGIN: "false"
    FEATURE_ENABLE_SSO: "false"
    FEATURE_SHOW_LOADING_INFORMATION: "false"
    URL_ACCOUNT_BASE: "https://account.twiggeh.xyz"
    #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed?
    URL_PRIVACY_POLICY: "https://www.twiggeh.xyz/terms-conditions"
    URL_SUPPORT_BASE: "https://www.twiggeh.xyz/support"
    URL_TEAMS_BASE: "https://teams.twiggeh.xyz"
    URL_TEAMS_CREATE: "https://teams.twiggeh.xyz"
    URL_TERMS_OF_USE_PERSONAL: "https://www.twiggeh.xyz/terms-conditions"
    URL_TERMS_OF_USE_TEAMS: "https://www.twiggeh.xyz/terms-conditions"
    URL_WEBSITE_BASE: "https://www.twiggeh.xyz"
    CSP_EXTRA_CONNECT_SRC: "https://*.twiggeh.xyz, wss://*.twiggeh.xyz"
    CSP_EXTRA_IMG_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_SCRIPT_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_DEFAULT_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_FONT_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_FRAME_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_MANIFEST_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_OBJECT_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_MEDIA_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_PREFETCH_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_STYLE_SRC: "https://*.twiggeh.xyz"
    CSP_EXTRA_WORKER_SRC: "https://*.twiggeh.xyz"

team-settings:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: nginz-https.twiggeh.xyz
      backendWebsocket: nginz-ssl.twiggeh.xyz
      backendDomain: twiggeh.xyz
      appHost: teams.twiggeh.xyz

account-pages:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: nginz-https.twiggeh.xyz
      backendDomain: twiggeh.xyz
      appHost: account.twiggeh.xyz

I'm deeply sorry if I borked a config, but I don't think I did.

arthurwolf commented 3 years ago

I'm assuming you followed the instructions at docs.wire.com. Did you use option 1 or 2 here: https://docs.wire.com/how-to/install/dependencies.html ?

Twiggeh commented 3 years ago

@arthurwolf Option 1, did not use cachix

arthurwolf commented 3 years ago

Just FYI, I get the same thing right now (error 502) for a similar setup (used the docker version though). I also skipped certificates and just told my browser to ignore that.

Twiggeh commented 3 years ago

You need to use SSO; the Bad Gateway comes from the missing spar service.

Just go into the wire-server folder and add this at the end of values:

spar:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-ephemeral
    logLevel: Debug
    domain: twiggeh.xyz
    appUri: https://nginz-https.twiggeh.xyz
    ssoUri: https://nginz-https.twiggeh.xyz/sso
    maxttlAuthreq: 28800
    maxttlAuthresp: 28800
    # maxScimTokens: 16 # uncomment this if you want to use SCIM provisioning
    contacts:
    - type: ContactSupport
      company: TwigCompany
      email: email:support@twiggeh.xyz
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

Make sure to enable SSO as well. That resolved the 502 error for me :)
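
A pre-deploy consistency check for the fix described in this thread, as an added example that is not part of the thread or of wire-server-deploy: it reads a values file and reports when `tags.spar` is off, when the `spar:` block is absent or incomplete, or when its URIs do not line up with the webapp's `backendRest`. The function name, the messages, the `example.com` sample values and the host-matching rule are assumptions made for illustration; Ruby is used because its standard library parses YAML.

```ruby
require 'yaml'
require 'uri'

# Keys the spar block posted in the thread sets under spar.config.
REQUIRED_SPAR_KEYS = %w[domain appUri ssoUri].freeze

# Returns a list of findings; an empty list means the values are consistent.
def spar_findings(values_text)
  values   = YAML.safe_load(values_text) || {}
  findings = []
  spar_cfg = values.dig('spar', 'config')

  unless values.dig('tags', 'spar') == true
    findings << 'tags.spar is not true: the spar subchart is not deployed'
    findings << 'spar block is present but unused while tags.spar is off' if spar_cfg
    return findings
  end
  return findings << 'tags.spar is true but spar.config is missing' unless spar_cfg.is_a?(Hash)

  REQUIRED_SPAR_KEYS.each do |key|
    findings << "spar.config.#{key} is missing or empty" if spar_cfg[key].to_s.strip.empty?
  end

  # Assumption: spar is reached through the host the webapp uses as backendRest.
  backend = values.dig('webapp', 'config', 'externalUrls', 'backendRest')
  %w[appUri ssoUri].each do |key|
    raw = spar_cfg[key].to_s
    next if raw.empty? # already reported above
    uri = (URI.parse(raw) rescue nil)
    if uri.nil? || uri.scheme != 'https'
      findings << "spar.config.#{key} is not an https URL"
    elsif backend && uri.host != backend
      findings << "spar.config.#{key} host differs from webapp backendRest (#{backend})"
    end
  end
  findings
end

# Constructed sample values, trimmed to the keys the check reads.
BEFORE = <<~YAML
  tags:
    proxy: false
    spar: false
  webapp:
    config:
      externalUrls:
        backendRest: nginz-https.example.com
YAML
AFTER = BEFORE.sub('spar: false', 'spar: true') + <<~YAML
  spar:
    config:
      domain: example.com
      appUri: https://nginz-https.example.com
      ssoUri: https://nginz-https.example.com/sso
YAML

puts spar_findings(BEFORE), spar_findings(AFTER) if __FILE__ == $PROGRAM_NAME
```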