DNS challenge from traefik to PowerDNS - docker

Trying to setup the DNS challenge to get a wildcard certificate.
This is what our environment variables look like:
environment:
- TRAEFIK_ENTRYPOINTS_HTTP=true
- TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=:80
- TRAEFIK_ENTRYPOINTS_HTTPS=true
- TRAEFIK_ENTRYPOINTS_HTTPS_ADDRESS=:443
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS=true
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_CERTRESOLVER=default
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_DOMAINS_0_MAIN=mydomain.net
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_DOMAINS_0_SANS=*.mydomain.net
- TRAEFIK_PROVIDERS_DOCKER=true
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT=true
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_EMAIL=info#mydomain.net
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE=true
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_PROVIDER=pdns
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_RESOLVERS=8.8.8.8:53
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_DELAYBEFORECHECK=15
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_STORAGE=/data/acme.json
- PDNS_API_URL=http://192.168.123.10:8081/
- PDNS_API_KEY=pdns-api-key
And this is the log it outputs:
time="2021-09-06T08:53:39+02:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.net,*.mydomain.net\" : unable to generate a certificate for the domains [mydomain.net *.mydomain.net]: error: one or more domains had a problem:\n[*.mydomain.net] time limit exceeded: last error: read udp 192.168.160.2:38270->195.141.155.147:53: i/o timeout\n[mydomain.net] time limit exceeded: last error: read udp 192.168.160.2:49936->195.141.155.147:53: i/o timeout\n" providerName=default.acme
Already tried to increase DELAYBEFORECHECK and to set a RESOLVER without success.
The ACME challenges get created correctly in PowerDNS:
PowerDNS TXT challenge
May be someone can help or has an idea on how to get this work?

NAT reflection via UDP was not correctly setup. Now it works.

Related

NAT traversal requires STUN or TURN

I'm a novice setting up a server for the first time to implement WebRTC
Linux is using Centos7 and has set up KMS and Coturn.
However, there is one problem.
The client and server are not connected on the screen, so I checked the logs of kms
docker logs --follow kms
0:00:01.206579656 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:90:ServerMethods: Using above 80% of system limits will throw NOT_ENOUGH_RESOURCES exception
0:00:01.206607827 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:109:ServerMethods: System limits: unlimited threads, 32768 files
0:00:01.206902099 1 0x56191aac5010 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:00:01.207158442 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:144:ServerMethods: RPC Request Cache is ENABLED
0:00:01.207351433 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:187:initWebSocket: WebSocket server (ws://) listening on address '::', port 8888
0:00:01.207411744 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:88:WebSocketTransport: Secure WebSocket server (wss://) not enabled
0:00:01.208078290 1 0x56191aac5010 INFO KurentoMediaServer main.cpp:259:main: Kurento Media Server started
0:02:29.095818552 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:164:generateDefaultCertificates: Unable to load the RSA certificate from file. Using the default certificate.
0:02:29.284074137 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:174:generateDefaultCertificates: Unable to load the ECDSA certificate from file. Using the default certificate.
0:02:29.290405426 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint0> Removing not supported codec 'AMR/8000'
0:02:29.515589312 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint0> Media 'video' has REMB
0:02:29.515721223 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> Creating REMB for session ID 0 (kmswebrtcendpoint0-sess0) and remote video SSRC 3653849939
0:02:29.515746113 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1089:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> REMB: Set RTCP min interval to 500 ms
0:02:29.519063004 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:823:kms_webrtc_session_set_stun_server_info:<kmswebrtcsession0> STUN server not configured! NAT traversal requires STUN or TURN
0:02:29.519107324 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:843:kms_webrtc_session_set_relay_info:<kmswebrtcsession0> TURN relay server not configured! NAT traversal requires STUN or TURN
0:02:29.522346434 1 0x7f50700054f0 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:02:40.930306053 1 0x7f5050001630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint1> Removing not supported codec 'AMR/8000'
0:02:40.951376487 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint1> Media 'video' has REMB
0:02:40.951898082 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint1> Creating REMB for session ID 0 (kmswebrtcendpoint1-sess0) and remote video SSRC 3442416509
"NAT traversal requires STUN or TURN."
I don't know how to solve this part.
This is because the STUN server results from Trickle ICE were also successful.
If you know what I need to do, I'd appreciate it if you could tell me all the actions.
And please let me know if there is anything else I need to fill out!
STUN and TURN
You dont have to have coturn if you are doing local testing. The warning is saying if you want to go outside of your network (out of your router and to the web) you will need a STUN or TURN server.
Docker
Docker doesn't open the port 8888 by itself. You may need to open that port manually. To do this, add this -p 8888:8888 when creating your container.
Or if you are using the Desktop version you can enter it into Host port under the Optional settings when you first run it.

How to stop Traefik stop SSL Termination

By default looks like Traefik terminates the SSL and webserver only sees the http request. As a result I'm getting this error below when trying to set Auth cookie on asp.net form
These cookies require the browser to issue the request over SSL (https protocol)
I tried below on web site label but no luck. How do we stop Traefik terminating SSL?
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.force-STS-Header.headers.forceSTSHeader=true"
- "traefik.http.middlewares.force-STS-Header.headers.stsSeconds=31536000"
- "traefik.http.routers.cm-secure.entrypoints=websecure"
- "traefik.http.routers.cm-secure.rule=Host(`${CM_HOST}`)"
- "traefik.http.routers.cm-secure.tls=true"
- "traefik.http.routers.cm-secure.middlewares=force-STS-Header"
- "traefik.tcp.routers.cm-secure.rule=HostSNI(`${CM_HOST}`)"
- "traefik.tcp.routers.cm-secure.entrypoints=https"
- "traefik.tcp.routers.cm-secure.tls.passthrough=true"
- "traefik.tcp.routers.cm-secure.service=cm"
- "traefik.tcp.services.cm-secure.loadbalancer.server.port=443"

Docker Redis TLS authentication failure with .netcore app

I am trying to use redis with tls with a netcore application and I get an authentication error
The Setup:
Docker:
I created a redis docker container using redis:6.2.0
docker-compose.yaml:
.
.
redis:
image: redis:6.2.0
command: redis-server /usr/local/etc/redis/redis.conf --appendonly yes
container_name: "cxm-redis"
ports:
- "6379:6379"
volumes:
- cxm-redis-data:/data
- C:/SaaS/certs/redis.conf:/usr/local/etc/redis/redis.conf
- C:/SaaS/certs/tests/tls/redis.crt:/usr/local/etc/redis/redis.crt
- C:/SaaS/certs/tests/tls/redis.key:/usr/local/etc/redis/redis.key
- C:/SaaS/certs/tests/tls/ca.crt:/usr/local/etc/redis/ca.crt
up to here all looks good, (as far as I can tell) I managed to authenticate using the following command
redis-cli --tls --cert ../usr/local/etc/redis/redis.crt --key /usr/local/etc/redis/redis.key --cacert /usr/local/etc/redis/ca.crt and I can succesfully ping and request keys.
I created the certificates with openssl and for the redis.conf i am using the redis.conf example from redis
The important bits:
### TLS
tls-port 6379
tls-cert-file /usr/local/etc/redis/redis.crt
tls-key-file /usr/local/etc/redis/redis.key
tls-ca-cert-file /usr/local/etc/redis/ca.crt
netcore:
For my .netcore application I am using the StackExchange library and for the TLS connection I followed the instructions here, like so
var options = new ConfigurationOptions
{
EndPoints = { "redis-test:6379" },
Password = "not-the-actual-password",
Ssl = true
};
options.CertificateSelection += delegate {
return new X509Certificate2("./redis_certificate.p12");
};
_db = ConnectionMultiplexer.Connect(options).GetDatabase();
the redis_certificate.p12 was generated using openssl with this command line
openssl pkcs12 -export -out sample_certificate.p12 -inkey redis.key -in redis.crt
The Issue:
When I make a request to redis from my app I get the following error:
It was not possible to connect to the redis server(s). There was an authentication failure; check that passwords (or client certificates) are configured correctly. AuthenticationFailure on redis-test:6379/Interactive, Initializing/NotStarted
in my apps logs, and I get the following in my redis logs:
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Error accepting a client connection: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca,
Error accepting a client connection: (null)
Are there any apparent mistakes in my setup I am failing to see? This is my first time trying this and maybe I am assuming too much or heading down the wrong way..
Trying to resolve this I found several questions with a similar issue but implementing their fixes did not resolve my issue..
a few of the things I tried
sending different ssl protocols from my .netcore app
sending the pfx/p12 certificate in different ways
several different redis configurations
Edit: I can provide as much code as needed!
For any one facing the same issue, it seems the server was using a non routed CA for the server certificates, the solution I found was to use the CertificateValidation callback of StackExchange.Redis library with the following code
private static bool CheckServerCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)
{
// check that the untrusted ca is in the chain
var ca = new X509Certificate2(_redisSettings.CertificatePath);
var caFound = chain.ChainElements
.Cast<X509ChainElement>()
.Any(x => x.Certificate.Thumbprint == ca.Thumbprint);
return caFound;
}
return false;
}
also an important part of the code being the condition
if((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)

How can I get letsencrypt working with docker-compose for existing website that already has fullchain.pem

I am working on getting Nginx to work with letsencrypt and docker-compose. That is, I am Dockerizing an existing website and running docker-compose up locally to verify everything is working. I am following this really excellent article on Nginx and letsencrypt with Docker Compose. However, when I run ./init-letsencrypt.sh I get the error:
### Reloading nginx ...
2020/07/05 10:27:43 [emerg] 32#32: cannot load certificate "/etc/letsencrypt/live/mysite.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mysite.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/mysite.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mysite.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
The site I am trying to get this working on is already running in production. I have and can access fullchain.pem on my remote server. To get letsencrypt to work locally using docker-compose for and existing website should I:
Copy this fullchain.pem file to my local machine and add fullchain.pem to my .gitignore?
Or is there another better way that is recommended for getting Nginx to work with letsencrypt on a local docker-compose up run?
Do I need to get a new certificate for this website to get letsencrypt working with docker-compose both locally and remote?
None of the above?
The full (modified) error message is below:
(base) ➜ ✗ ./init-letsencrypt.sh
Existing data found for <mysite>.com. Continue and replace existing certificate? (y/N) y
### Downloading recommended TLS parameters ...
### Creating dummy certificate for <mysite>.com ...
Generating a RSA private key
.............................+++++
...................+++++
writing new private key to '/etc/letsencrypt/live/<mysite>.com/privkey.pem'
-----
### Starting nginx ...
Recreating my_postgres ... done
Recreating <mysite>dotcom_django_web ... done
Recreating <mysite>dotcom_nginx_1 ... done
### Deleting dummy certificate for <mysite>.com ...
### Requesting Let's Encrypt certificate for <mysite>.com ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: No
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <mysite>.com
http-01 challenge for www.<mysite>.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain <mysite>.com
Challenge failed for domain www.<mysite>.com
http-01 challenge for <mysite>.com
http-01 challenge for www.<mysite>.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: <mysite>.com
Type: unauthorized
Detail: Invalid response from
https://<mysite>.com/.well-known/acme-challenge/Yw9a6TdSiXWltjD4T6fKWDiaCSJ4GDHCaBTdmKGdWmY
[111.my.real.ip.111]: "<h1>Not Found</h1><p>The requested URL
/.well-known/acme-challenge/Yw9a6TdSiXWltjD4T6fKWDiaCSJ4GDHCaBTdmKGdWmY
was not found on "
Domain: www.<mysite>.com
Type: unauthorized
Detail: Invalid response from
https://www.<mysite>.com/.well-known/acme-challenge/Ylt1PYbjJ4bRLHsW9Dtrx2wpq06M_zCOlCV9YGq4UNY
[111.my.real.ip.111]: 400
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
### Reloading nginx ...
2020/07/05 10:27:43 [emerg] 32#32: cannot load certificate "/etc/letsencrypt/live/<mysite>.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/<mysite>.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/<mysite>.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/<mysite>.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
~

How can I deploy my raft orderer nodes on separate hosts?

I'm using HyperLedger Fabric(v1.4.1) on 3 host machines(server1:client, server2:peer nodes server3:orderer nodes).
And I want to put my raft nodes on multiple hosts.(like server1:orderer1,orderer2, server2:orderer3)
I edited docker-compose-cli.yaml below
extra hosts: (in client and peer)
- orderer1.example.com:${SERVER1}
- orderer2.example.com:${SERVER1}
- orderer3.example.com:${SERVER2}
extra hosts: (in orderer1,2)
- orderer3.example.com:${SERVER2}
extra hosts: (in orderer3)
- orderer1.example.com:${SERVER1}
- orderer2.example.com:${SERVER1}
in this case,I got that messages like this from orderer3 logs...
**
'Failed to send StepRequest to 2, because: rpc error: code = Unavailable desc = all SubConns are TransientFailure , latest
connection error: connection error: desc = "transport: authentication
handshake failed: x509: certificate is valid for orderer1.example.com,
orderer1, not orderer2.example.com" '
**
What should I do except docker-compose-cli.yaml configurations?
Thank you very mutch for all of your help.
you should also make change on configtx.yaml.

Resources