
Cannot create initial user via WebUI

Open bintis opened this issue 2 years ago • 17 comments

[image: screenshot of the error]

Sorry for asking here, but I have really read the documentation and googled a lot and found no way to fix it.

The error is as above. I am sure I have disabled the firewall in both the system and the cloud firewall (set to allow all). I installed this with nm-quick.sh and have specified *.net.mydomin.com pointing to the public IP. I can open the Web UI with https://dashboard.net.mydomin.com or vpsip:8082. Did I miss anything? I have also tried installing the binary manually but got the same result.

bintis avatar Apr 09 '22 08:04 bintis

We need more logs here to help. Try the standard troubleshooting docs. It sounds like the server is either not running or is unreachable.

afeiszli avatar May 18 '22 21:05 afeiszli

The web UI uses port 8082 and the API uses port 8081, which will cause a CORS error. You can open Chrome's (or another browser's) developer tools to see the API request.

imwower avatar May 21 '22 13:05 imwower

Thanks very much for the reply. I have checked that the process is running and all firewalls are disabled. However, it just does not work.

Could you please tell me what kind of settings I need to do a test on an IP? I set up a VM on my PC to test and got the same error. Assume the VM is 192.168.1.3.

bintis avatar Jun 07 '22 14:06 bintis

PS: Tried again today and tested the latest version: v0.14.2

bintis avatar Jun 07 '22 14:06 bintis

how are you installing? Do you use the quick start guide, or the script from the readme?

afeiszli avatar Jun 07 '22 14:06 afeiszli

how are you installing? Do you use the quick start guide, or the script from the readme?

I was using the script from the GitHub readme.

how are you installing? Do you use the quick start guide, or the script from the readme?

Performed the installation with the script from the readme, as below.

wget -qO - https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/nm-quick.sh | sudo bash

bintis avatar Jun 07 '22 15:06 bintis

Where are you deploying? Home network, AWS, Oracle Cloud?

afeiszli avatar Jun 07 '22 16:06 afeiszli

Deployed it on Oracle Cloud (Ubuntu 20.04). I thought I had encountered the same issue as this: https://github.com/gravitl/netmaker/issues/565. Even when I deploy it in my homelab (ESXi 7, Ubuntu 20.04, public IP with NAT) the same error occurs.

bintis avatar Jun 08 '22 11:06 bintis

Same issue on AWS.

cxwx avatar Jun 22 '22 08:06 cxwx

v0.14.4: same problem. Followed the quick install guide.

squromiv avatar Jul 05 '22 10:07 squromiv

@squromiv @cxwx @bintis please run the following:

curl -H 'Content-Type: application/json' https://api.nm.67-207-85-236.nip.io/api/users/adm/hasadmin

If this returns "false" then the setup is normal, but it may return an error about the certificate, in which case that is the problem that must be solved.

afeiszli avatar Jul 28 '22 16:07 afeiszli

@afeiszli

Well, it seems I found the issue here. There are too many certificates generated for nip.io. I looked up the logs of the traefik container.

time="2022-08-08T11:38:18Z" level=error msg="Unable to obtain ACME certificate for domains \"api.nm.48-11-247-165.nip.io\": unable to generate a certificate for the domains [api.nm.48-11-247-165.nip.io]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for: nip.io: see https://letsencrypt.org/docs/rate-limits/" providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=netmaker-api@docker rule="Host(`api.nm.48-11-247-165.nip.io`)"

JonnyBDev avatar Aug 08 '22 11:08 JonnyBDev

This happens from time to time as Let's Encrypt does rate limiting. We can't really help this. If you restart the traefik container (docker restart traefik) it should work at some point. Other options include:

  1. Use your own domain and point DNS to the machine
  2. Use another nip.io-like domain service: https://moss.sh/free-wildcard-dns-services/

afeiszli avatar Aug 08 '22 12:08 afeiszli
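The two checks discussed in this thread, the curl probe of /api/users/adm/hasadmin suggested above and reading the ACME rate-limit error out of the traefik container log, as one added shell diagnostic. This is example code written for this page, not Netmaker's or any commenter's: the probe classifies curl's exit code so a certificate failure is told apart from a closed port or a DNS miss, and the log parser pulls the domain and the rate-limited subject out of a traefik error line. SAMPLE_ACME_LOG is the log line quoted in the thread, embedded as a constructed sample so the parser runs without a container; api.net.mydomain.com in the usage comment is an assumed hostname.

```shell
#!/usr/bin/env bash
# Added example (not from the Netmaker project): turn the manual curl check
# against /api/users/adm/hasadmin and the traefik ACME log into a small
# diagnostic. Usage: probe_hasadmin api.net.mydomain.com ; scan_traefik_log

# Classify one hasadmin probe from curl's exit code and the response body.
#  curl exit 60 -> TLS verification failed (no / self-signed / wrong certificate)
#  curl exit 7  -> connection refused (traefik or the API not listening, or firewalled)
#  curl exit 6  -> DNS resolution failed
#  body "false" -> server healthy, no admin yet (the UI should let you create one)
#  body "true"  -> admin already exists
classify_hasadmin() {
  local rc="$1" body="$2"
  case "$rc" in
    60) echo "tls-cert-error" ;;
    7)  echo "connection-refused" ;;
    6)  echo "dns-failure" ;;
    0)
      case "$body" in
        false) echo "ok-no-admin" ;;
        true)  echo "ok-admin-exists" ;;
        *)     echo "unexpected-body" ;;
      esac ;;
    *)  echo "curl-error-$rc" ;;
  esac
}

# Run the probe against an API host (assumed hostname) and classify the result.
probe_hasadmin() {
  local host="$1" body rc
  body=$(curl -sS --max-time 10 -H 'Content-Type: application/json' \
         "https://${host}/api/users/adm/hasadmin" 2>/dev/null)
  rc=$?
  classify_hasadmin "$rc" "$body"
}

# Constructed sample: the traefik log line quoted in this thread, embedded so
# the parser below can be exercised without a running container.
SAMPLE_ACME_LOG='time="2022-08-08T11:38:18Z" level=error msg="Unable to obtain ACME certificate for domains \"api.nm.48-11-247-165.nip.io\": unable to generate a certificate for the domains [api.nm.48-11-247-165.nip.io]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for: nip.io: see https://letsencrypt.org/docs/rate-limits/" providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=netmaker-api@docker rule="Host(`api.nm.48-11-247-165.nip.io`)"'

# Extract "<requested domain> <rate-limited subject>" from one traefik log line.
# Prints nothing and returns 1 if the line is not an ACME rate-limit error.
acme_rate_limit_subject() {
  local line="$1" domain subject
  case "$line" in
    *rateLimited*) ;;
    *) return 1 ;;
  esac
  domain=$(printf '%s\n' "$line" \
    | sed -n 's/.*Unable to obtain ACME certificate for domains \\"\([^\\"]*\)\\".*/\1/p')
  subject=$(printf '%s\n' "$line" \
    | sed -n 's/.*too many certificates already issued for: \([^:]*\):.*/\1/p')
  printf '%s %s\n' "$domain" "$subject"
}

# Scan the traefik container log for rate-limit errors (needs docker on the host).
scan_traefik_log() {
  docker logs traefik 2>&1 | while IFS= read -r line; do
    acme_rate_limit_subject "$line" || true
  done | sort -u
}
```

If the probe reports tls-cert-error, the next thing to look at is the traefik log: a rate-limited subject of nip.io means the shared domain's weekly certificate quota is exhausted, and only waiting, restarting traefik later, or moving to your own domain will help.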

Same here. It would be nice if the docs described how to use your own certificates instead of Let's Encrypt.

manuelbuil avatar Sep 29 '22 12:09 manuelbuil

The traefik docs (and numerous blog posts) cover using your own certs. No need to duplicate and potentially have out-of-date information when a quick google search will suffice.

That being said, you need to place your certs (fullchain.pem and privkey.pem) in /root/certs and update the docker-compose file as follows:

```yaml
  traefik:
    image: traefik:v2.6
    container_name: traefik
    command:
      #  - "[email protected]"
      #- "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json"
      #- "--certificatesresolvers.http.acme.tlschallenge=true"
      - --providers.file.directory=/etc/traefik/dynamic
      ...
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
      - /root/certs/:/etc/certs/
      - /root/certs-traefik.yml:/etc/traefik/dynamic/certs-traefik.yml
```

and create /root/certs-traefik.yml with this content:

```yaml
tls:
  certificates:
    - certFile: /etc/certs/fullchain.pem
      keyFile: /etc/certs/privkey.pem
```
mattkasun avatar Sep 29 '22 12:09 mattkasun
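A pre-flight check for the own-certificate setup just described, added here as example code that is not part of Netmaker or of the comment above. Before restarting traefik it confirms that fullchain.pem and privkey.pem actually belong together, that the leaf certificate covers the api., dashboard. and broker. names of the base domain (the three hostnames the quick-install layout in this thread uses), and that it is not about to expire; a mismatched key or a missing SAN otherwise just shows up as the same "certificate" error in the browser. It assumes the /root/certs layout from the comment and the openssl command-line tool; the base domain is an argument.

```shell
#!/usr/bin/env bash
# Added example (not from the Netmaker project): sanity-check a
# fullchain.pem / privkey.pem pair before handing it to traefik's file
# provider. Requires the openssl CLI.
# Usage: check_traefik_certs /root/certs net.mydomain.com   (assumed values)

# Do the certificate and the private key belong together? Compare public keys.
cert_key_match() {
  local cert="$1" key="$2" c k
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Match one host against a whitespace-separated SAN list. "*.example.com"
# covers exactly one label below example.com, as browsers interpret it.
san_matches() {
  local sans="$1" host="$2" san
  for san in $sans; do
    case "$san" in
      "$host") return 0 ;;
      \*.*)
        [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${san#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# Does the leaf certificate (first PEM block of fullchain.pem) cover every
# hostname given? Prints the missing names; returns 0 only if none are missing.
cert_covers_hosts() {
  local cert="$1"; shift
  local sans host missing=0
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | tail -n1 \
         | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p')
  for host in "$@"; do
    if ! san_matches "$sans" "$host"; then
      echo "missing: $host"
      missing=1
    fi
  done
  return $missing
}

# Is the certificate still valid for at least N days (default 14)?
cert_valid_for_days() {
  local cert="$1" days="${2:-14}"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Full pre-flight for the layout described above: <dir>/fullchain.pem and
# <dir>/privkey.pem must cover api.<base>, dashboard.<base> and broker.<base>.
check_traefik_certs() {
  local dir="$1" base="$2"
  cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem" \
    || { echo "cert/key mismatch"; return 1; }
  cert_valid_for_days "$dir/fullchain.pem" 14 \
    || { echo "certificate expires within 14 days"; return 1; }
  cert_covers_hosts "$dir/fullchain.pem" "api.$base" "dashboard.$base" "broker.$base"
}
```

Run it after copying the files into /root/certs and before `docker restart traefik`; a wildcard certificate for *.net.mydomain.com satisfies all three names, while a certificate issued only for the API hostname will be reported as missing the dashboard and broker names.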

Having this issue. The best way in my experience is to use a DNS challenge, but I am not sure how to implement that.

elibrody avatar Oct 17 '22 16:10 elibrody

Having this issue. The best way in my experience is to use a DNS challenge, but I am not sure how to implement that.

Please see my working docker compose getting certs with the DNS challenge. Linking the source: https://major.io/2021/08/16/wildcard-letsencrypt-certificates-traefik-cloudflare/ I am adding it as an attachment since I am not sure if the code block will display right. Attached as txt; make sure to rename docker-compose-dns.txt.

```yaml
version: "3.4"

services:
  netmaker:
    container_name: netmaker
    image: gravitl/netmaker:v0.16.1
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    restart: always
    volumes:
      - dnsconfig:/root/config/dnsconfig
      - sqldata:/root/data
      - mosquitto_data:/etc/netmaker
    environment:
      SERVER_NAME: "broker.domain.com"
      SERVER_HOST: "150.136.134.105"
      SERVER_API_CONN_STRING: "api.domain.com:443"
      COREDNS_ADDR: "150.136.134.105"
      DNS_MODE: "on"
      SERVER_HTTP_HOST: "api.domain.com"
      API_PORT: "8081"
      CLIENT_MODE: "on"
      MASTER_KEY: "REPLACE"
      CORS_ALLOWED_ORIGIN: ""
      DISPLAY_KEYS: "on"
      DATABASE: "sqlite"
      NODE_ID: "netmaker-server-1"
      MQ_HOST: "mq"
      MQ_PORT: "443"
      MQ_SERVER_PORT: "1883"
      HOST_NETWORK: "off"
      VERBOSITY: "1"
      MANAGE_IPTABLES: "on"
      PORT_FORWARD_SERVICES: "dns"
      MQ_ADMIN_PASSWORD: "REPLACE"
    ports:
      - "51821-51830:51821-51830/udp"
    expose:
      - "8081"
    labels:
      - traefik.enable=true
      - traefik.http.routers.netmaker-api.entrypoints=websecure
      - traefik.http.routers.netmaker-api.rule=Host(`api.domain.com`)
      - traefik.http.routers.netmaker-api.service=netmaker-api
      - traefik.http.services.netmaker-api.loadbalancer.server.port=8081
  netmaker-ui:
    container_name: netmaker-ui
    image: gravitl/netmaker-ui:v0.16.1
    depends_on:
      - netmaker
    links:
      - "netmaker:api"
    restart: always
    environment:
      BACKEND_URL: "https://api.domain.com"
    expose:
      - "80"
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.nmui-security.headers.accessControlAllowOriginList=*.domain.com
      - traefik.http.middlewares.nmui-security.headers.stsSeconds=31536000
      - traefik.http.middlewares.nmui-security.headers.browserXssFilter=true
      - traefik.http.middlewares.nmui-security.headers.customFrameOptionsValue=SAMEORIGIN
      - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.X-Robots-Tag=none
      - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.Server= # Remove the server name
      - traefik.http.routers.netmaker-ui.entrypoints=websecure
      - traefik.http.routers.netmaker-ui.middlewares=nmui-security@docker
      - traefik.http.routers.netmaker-ui.rule=Host(`dashboard.domain.com`)
      - traefik.http.routers.netmaker-ui.service=netmaker-ui
      - traefik.http.services.netmaker-ui.loadbalancer.server.port=80
  coredns:
    container_name: coredns
    image: coredns/coredns
    command: -conf /root/dnsconfig/Corefile
    depends_on:
      - netmaker
    restart: always
    volumes:
      - dnsconfig:/root/dnsconfig
  traefik:
    image: traefik:v2.6
    container_name: traefik
    command:
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
      - "--log.level=info"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--serverstransport.insecureskipverify=true"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
    environment:
      - CLOUDFLARE_EMAIL=CLOUDFLARE_ACCOUNT_EMAIL_ADDRESS
      - CLOUDFLARE_DNS_API_TOKEN=CLOUDFLARE_TOKEN_GOES_HERE
    ports:
      - "443:443"
  mq:
    container_name: mq
    image: eclipse-mosquitto:2.0.11-openssl
    depends_on:
      - netmaker
    restart: unless-stopped
    command: ["/mosquitto/config/wait.sh"]
    environment:
      NETMAKER_SERVER_HOST: "https://api.domain.com"
    volumes:
      - /root/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - /root/wait.sh:/mosquitto/config/wait.sh
      - mosquitto_data:/mosquitto/data
      - mosquitto_logs:/mosquitto/log
    expose:
      - "8883"
    labels:
      - traefik.enable=true
      - traefik.tcp.routers.mqtt.rule=HostSNI(`broker.domain.com`)
      # the resolver name must match the one defined in the traefik command above
      # (the only resolver defined there is "letsencrypt"; a label naming "http"
      # would point at a resolver that does not exist)
      - traefik.tcp.routers.mqtt.tls.certresolver=letsencrypt
      - traefik.tcp.services.mqtt.loadbalancer.server.port=8883
      - traefik.tcp.routers.mqtt.entrypoints=websecure

volumes:
  traefik_certs: {}
  sqldata: {}
  dnsconfig: {}
  mosquitto_data: {}
  mosquitto_logs: {}
```

elibrody avatar Oct 17 '22 17:10 elibrody
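A small lint for one mistake that is easy to make in a compose file of this shape, added as example code that is not part of Netmaker or of the posted file: a router label (or the entrypoint default) naming a certresolver that traefik's command line never defines, for instance a label saying `http` when the only resolver defined is `letsencrypt`. Traefik then logs a non-existent-resolver error for that router and serves its default self-signed certificate on that hostname, which for the broker means clients cannot verify the MQTT endpoint. The compose file path is an argument; the snippet in the usage comment is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Netmaker project): check that every certresolver
# referenced in a docker-compose.yml is actually defined for traefik.
# Usage: lint_resolvers docker-compose.yml

# Resolver names defined via --certificatesresolvers.<name>.acme.* flags.
defined_resolvers() {
  sed -n 's/.*--certificatesresolvers\.\([A-Za-z0-9_-]*\)\.acme.*/\1/p' "$1" | sort -u
}

# Resolver names referenced via ...tls.certresolver=<name> on router labels and
# via ...tls.certResolver=<name> as an entrypoint default (traefik keys are
# case-insensitive, so both spellings are accepted here).
referenced_resolvers() {
  sed -n 's/.*\.tls\.[cC]ert[rR]esolver=\([A-Za-z0-9_-]*\).*/\1/p' "$1" | sort -u
}

# Exit 0 if every referenced resolver is defined; print the offenders otherwise.
lint_resolvers() {
  local file="$1" defined rc=0 r
  defined=" $(defined_resolvers "$file" | tr '\n' ' ') "
  for r in $(referenced_resolvers "$file"); do
    case "$defined" in
      *" $r "*) ;;
      *) echo "undefined certresolver referenced: $r"; rc=1 ;;
    esac
  done
  return $rc
}
```

Run it before `docker compose up`; the same check is worth repeating after switching a deployment from the HTTP/TLS challenge to the DNS challenge, since that is exactly when resolver names get renamed in one place and not the other.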