netbird
netbird copied to clipboard
Published
20 hours ago •
netbirdio
netbirdio
netbird dashboard does not open properly
Describe the problem
When I netbird web homepage, the zitadel login page pops up, I entered “[email protected]” (my domain name is 192.168.1.4), then clicked login, it redirects back to the It redirected me back to the netbird page, and after waiting for 5 seconds, it said “Oops, something went wrong! There was an error logging you in. Error: Unauthenticated", which confused me.
Are you using NetBird Cloud? no
NetBird version
0.27.4
NetBird smanagement logs
2024-05-11T02:04:02Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint http://192.168.1.4:8080/.well-known/openid-configuration
2024-05-11T02:04:02Z INFO management/cmd/management.go:460: loaded OIDC configuration from the provided IDP configuration endpoint: http://192.168.1.4:8080/.well-known/openid-configuration
2024-05-11T02:04:02Z INFO management/cmd/management.go:462: overriding HttpConfig.AuthIssuer with a new value http://192.168.1.4:8080, previously configured value: http://192.168.1.4:8080
2024-05-11T02:04:02Z INFO management/cmd/management.go:466: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value http://192.168.1.4:8080/oauth/v2/keys, previously configured value: http://192.168.1.4:8080/oauth/v2/keys
2024-05-11T02:04:02Z INFO management/cmd/management.go:471: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/token, previously configured value: http://192.168.1.4:8080/oauth/v2/token
2024-05-11T02:04:02Z INFO management/cmd/management.go:474: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/device_authorization, previously configured value: http://192.168.1.4:8080/oauth/v2/device_authorization
2024-05-11T02:04:02Z INFO management/cmd/management.go:482: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: 192.168.1.4:8080, previously configured value: 192.168.1.4:8080
2024-05-11T02:04:02Z INFO management/cmd/management.go:492: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/token, previously configured value: http://192.168.1.4:8080/oauth/v2/token
2024-05-11T02:04:02Z INFO management/cmd/management.go:495: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/authorize, previously configured value: http://192.168.1.4:8080/oauth/v2/authorize
2024-05-11T02:04:02Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
2024-05-11T02:04:02Z INFO management/server/store.go:95: using SQLite store engine
2024-05-11T02:04:02Z INFO management/server/migration/migration.go:128: No records in table peers, no migration needed
2024-05-11T02:04:02Z INFO management/server/migration/migration.go:128: No records in table peers, no migration needed
2024-05-11T02:04:02Z INFO management/cmd/management.go:173: geo location service has been initialized from /var/lib/netbird/
Error: failed to build default manager: invalid domain "192.168.1.4" provided for a single account mode. Please review your input for --single-account-mode-domain
root@debian:~#
.
Screenshots
Additional context setup.env
root@debian:/opt/netbird/infrastructure_files# cat setup.env
## example file, you can copy this file to setup.env and update its values
##
# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="192.168.1.4"
# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""
# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""
# -------------------------------------------
# OIDC
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="http://192.168.1.4:8080/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="266484708244783107@netbird"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="266484708244783107@netbird"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="266484708244783107@netbird"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="266484708244783107@netbird"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="zitadel"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID="netbird"
NETBIRD_IDP_MGMT_CLIENT_SECRET="v5U1nV35g3UsquePOvUhPunuaPmnJGW6KmHMjooBKmiSGoBvkFmimjcX6e13LsjR"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="http://192.168.1.4:8080/management/v1"
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
# if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. [email protected]
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
root@debian:/opt/netbird/infrastructure_files#
docker-compose.yml
root@debian:/opt/netbird/infrastructure_files/artifacts# cat docker-compose.yml
version: "3"
services:
#UI dashboard
dashboard:
image: netbirdio/dashboard:latest
restart: unless-stopped
ports:
- 80:80
- 443:443
environment:
# Endpoints
- NETBIRD_MGMT_API_ENDPOINT=https://192.168.1.4:33073
- NETBIRD_MGMT_GRPC_API_ENDPOINT=https://192.168.1.4:33073
# OIDC
- AUTH_AUDIENCE=266484708244783107@netbird
- AUTH_CLIENT_ID=266484708244783107@netbird
- AUTH_CLIENT_SECRET=
- AUTH_AUTHORITY=http://192.168.1.4:8080
- USE_AUTH0=false
- AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
- AUTH_REDIRECT_URI=/auth
- AUTH_SILENT_REDIRECT_URI=/silent-auth
- NETBIRD_TOKEN_SOURCE=accessToken
# SSL
- NGINX_SSL_PORT=443
# Letsencrypt
- LETSENCRYPT_DOMAIN=192.168.1.4
- LETSENCRYPT_EMAIL=
volumes:
- netbird-letsencrypt:/etc/letsencrypt/
# Signal
signal:
image: netbirdio/signal:latest
restart: unless-stopped
volumes:
- netbird-signal:/var/lib/netbird
ports:
- 10000:80
# # port and command for Let's Encrypt validation
# - 443:443
# command: ["--letsencrypt-domain", "192.168.1.4", "--log-file", "console"]
# Management
management:
image: netbirdio/management:latest
restart: unless-stopped
depends_on:
- dashboard
volumes:
- netbird-mgmt:/var/lib/netbird
- netbird-letsencrypt:/etc/letsencrypt:ro
- ./management.json:/etc/netbird/management.json
ports:
- 33073:443 #API port
# # command for Let's Encrypt validation without dashboard container
# command: ["--letsencrypt-domain", "192.168.1.4", "--log-file", "console"]
command: [
"--port", "443",
"--log-file", "console",
"--log-level", "info",
"--disable-anonymous-metrics=false",
"--single-account-mode-domain=192.168.1.4",
"--dns-domain=netbird.selfhosted"
]
# Coturn
coturn:
image: coturn/coturn:latest
restart: unless-stopped
domainname: 192.168.1.4
volumes:
- ./turnserver.conf:/etc/turnserver.conf:ro
# - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
# - ./cert.pem:/etc/coturn/certs/cert.pem:ro
network_mode: host
command:
- -c /etc/turnserver.conf
volumes:
netbird-mgmt:
netbird-signal:
netbird-letsencrypt:
root@debian:/opt/netbird/infrastructure_files/artifacts#
management.json
root@debian:/opt/netbird/infrastructure_files/artifacts# cat management.json
{
"Stuns": [
{
"Proto": "udp",
"URI": "stun:192.168.1.4:3478",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "turn:192.168.1.4:3478",
"Username": "self",
"Password": "D5wXUTViscSnPavpxjAokNQ1nzQKJyu5P+rMq8kQOPI"
}
]
},
"Signal": {
"Proto": "http",
"URI": "192.168.1.4:10000",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "4Jn+QdWfQuGclAlgYflBD6gq2eCE9wbfRTP+bIZfmqs=",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "/etc/letsencrypt/live/192.168.1.4/fullchain.pem",
"CertKey": "/etc/letsencrypt/live/192.168.1.4/privkey.pem",
"AuthAudience": "266484708244783107@netbird",
"AuthIssuer": "http://192.168.1.4:8080",
"AuthUserIDClaim": "",
"AuthKeysLocation": "http://192.168.1.4:8080/oauth/v2/keys",
"OIDCConfigEndpoint": "http://192.168.1.4:8080/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": true
},
"IdpManagerConfig": {
"ManagerType": "zitadel",
"ClientConfig": {
"Issuer": "http://192.168.1.4:8080",
"TokenEndpoint": "http://192.168.1.4:8080/oauth/v2/token",
"ClientID": "netbird",
"ClientSecret": "v5U1nV35g3UsquePOvUhPunuaPmnJGW6KmHMjooBKmiSGoBvkFmimjcX6e13LsjR",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"ManagementEndpoint": "http://192.168.1.4:8080/management/v1"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "266484708244783107@netbird",
"ClientSecret": "",
"Domain": "192.168.1.4:8080",
"Audience": "266484708244783107@netbird",
"TokenEndpoint": "http://192.168.1.4:8080/oauth/v2/token",
"DeviceAuthEndpoint": "http://192.168.1.4:8080/oauth/v2/device_authorization",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "266484708244783107@netbird",
"ClientSecret": "",
"Domain": "",
"Audience": "266484708244783107@netbird",
"TokenEndpoint": "http://192.168.1.4:8080/oauth/v2/token",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "http://192.168.1.4:8080/oauth/v2/authorize",
"Scope": "openid profile email offline_access api",
"UseIDToken": false,
"RedirectURLs": [
"http://localhost:53000"
]
}
},
"StoreConfig": {
"Engine": "sqlite"
},
"ReverseProxy": {
"TrustedHTTPProxies": [],
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": [
"0.0.0.0/0"
]
}
}root@debian:/opt/netbird/infrastructure_files/artifacts#
openid-configuration.json
root@debian:/opt/netbird/infrastructure_files/artifacts# cat openid-configuration.json
{"issuer":"http://192.168.1.4:8080","authorization_endpoint":"http://192.168.1.4:8080/oauth/v2/authorize","token_endpoint":"http://192.168.1.4:8080/oauth/v2/token","introspection_endpoint":"http://192.168.1.4:8080/oauth/v2/introspect","userinfo_endpoint":"http://192.168.1.4:8080/oidc/v1/userinfo","revocation_endpoint":"http://192.168.1.4:8080/oauth/v2/revoke","end_session_endpoint":"http://192.168.1.4:8080/oidc/v1/end_session","device_authorization_endpoint":"http://192.168.1.4:8080/oauth/v2/device_authorization","jwks_uri":"http://192.168.1.4:8080/oauth/v2/keys","scopes_supported":["openid","profile","email","phone","address","offline_access"],"response_types_supported":["code","id_token","id_token token"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","urn:ietf:params:oauth:grant-type:device_code"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"request_object_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"revocation_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["RS256"],"introspection_endpoint_auth_methods_supported":["client_secret_basic","private_key_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","aud","exp","iat","iss","auth_time","nonce","acr","amr","c_hash","at_hash","act","scopes","client_id","azp","preferred_username","name","family_name","given_name","locale","email","email_verified","phone_number","phone_number_verified"],"code_challenge_methods_supported":["S256"],"ui_locales_supported":["bg","cs","de","en","es","fr","it","ja","mk","nl","pl","pt","ru","zh"],"request_parameter_supported":true,"request_uri_parameter_supported":false}
root@debian:/opt/netbird/infrastructure_files/artifacts#
Hello @linkinuul, the setup requires an SSL certificate, so a public IP with a public DNS is mandatory.
Hello @linkinuul, unless you know how to use SSL certificate it mandatory to have a public IP and public DNS to use letsencrypt to have your certificate.
Unfortunately i have other test to do and cant do test for your case for now but here what i can say:
- The SSL is mandatory
- The check for SSL is done in the code and for now i have not find where but you have two case possible. - Use of curl and public check for certificate CA (harder to manage as your certificate need to be valid for internet) - Use of computer store (easier as you just need to add the CA that signed you certificate in the store)
- In either case you will need a DNS pointing to your IP as SSL certificate for IP are not easly obtainable for internet (even more for local IP)
- Your case may be possible to work but need to know how to manage SSL certificate and even a PKI
My advice is to use it with public IP and public DNS as say by mlsmaycon.
@nuterum @mlsmaycon Good suggestion, I can follow your advice and study it again.
I have a public IP and Public DNS... All installation was clear and OK, but the initial page doenst load
