EventStoreDB v5 Fail to run after using sudo - eventstoredb

I normally run eventstore with eventstore --run-projections=System, but when trying to run queries, macOS throws a security complaint: "libjs1.dylib" cannot be opened because the developer cannot be verified.
So I ran sudo eventstore --run-projections=System. This did not fix the issue. I went to System Preferences > Security > General and gave access to libjs1.dylib, and the query ran and returned no value.
I realized all the data from the event store was gone.
I thought maybe it was because of sudo? I ran without sudo and now I get this error:
[34307,01,18:12:12.463] "ES VERSION:" "5.0.5.0" ("HEAD"/"b92e517ced0aada066f9f525e02082cdbdb34d7f", "Fri, 13 Sep 2019 16:29:49 +0200")
[34307,01,18:12:12.487] "OS:" MacOS (Unix 19.5.0.0)
[34307,01,18:12:12.494] "RUNTIME:" "5.16.0.220 (2018-06/bb3ae37d71a Fri Nov 16 17:12:11 EST 2018)" (64-bit)
[34307,01,18:12:12.494] "GC:" "2 GENERATIONS"
[34307,01,18:12:12.494] "LOGS:" "/var/log/eventstore"
MODIFIED OPTIONS:
RUN PROJECTIONS: System (Command Line)
DEFAULT OPTIONS:
HELP: False (<DEFAULT>)
VERSION: False (<DEFAULT>)
LOG: /var/log/eventstore (<DEFAULT>)
CONFIG: <empty> (<DEFAULT>)
DEFINES: <empty> (<DEFAULT>)
WHAT IF: False (<DEFAULT>)
START STANDARD PROJECTIONS: False (<DEFAULT>)
DISABLE HTTP CACHING: False (<DEFAULT>)
MONO MIN THREADPOOL SIZE: 10 (<DEFAULT>)
INT IP: 127.0.0.1 (<DEFAULT>)
EXT IP: 127.0.0.1 (<DEFAULT>)
INT HTTP PORT: 2112 (<DEFAULT>)
EXT HTTP PORT: 2113 (<DEFAULT>)
INT TCP PORT: 1112 (<DEFAULT>)
INT SECURE TCP PORT: 0 (<DEFAULT>)
EXT TCP PORT: 1113 (<DEFAULT>)
EXT SECURE TCP PORT ADVERTISE AS: 0 (<DEFAULT>)
EXT SECURE TCP PORT: 0 (<DEFAULT>)
EXT IP ADVERTISE AS: <empty> (<DEFAULT>)
EXT TCP PORT ADVERTISE AS: 0 (<DEFAULT>)
EXT HTTP PORT ADVERTISE AS: 0 (<DEFAULT>)
INT IP ADVERTISE AS: <empty> (<DEFAULT>)
INT SECURE TCP PORT ADVERTISE AS: 0 (<DEFAULT>)
INT TCP PORT ADVERTISE AS: 0 (<DEFAULT>)
INT HTTP PORT ADVERTISE AS: 0 (<DEFAULT>)
INT TCP HEARTBEAT TIMEOUT: 700 (<DEFAULT>)
EXT TCP HEARTBEAT TIMEOUT: 1000 (<DEFAULT>)
INT TCP HEARTBEAT INTERVAL: 700 (<DEFAULT>)
EXT TCP HEARTBEAT INTERVAL: 2000 (<DEFAULT>)
GOSSIP ON SINGLE NODE: False (<DEFAULT>)
CONNECTION PENDING SEND BYTES THRESHOLD: 10485760 (<DEFAULT>)
CONNECTION QUEUE SIZE THRESHOLD: 50000 (<DEFAULT>)
FORCE: False (<DEFAULT>)
CLUSTER SIZE: 1 (<DEFAULT>)
NODE PRIORITY: 0 (<DEFAULT>)
MIN FLUSH DELAY MS: 2 (<DEFAULT>)
COMMIT COUNT: -1 (<DEFAULT>)
PREPARE COUNT: -1 (<DEFAULT>)
ADMIN ON EXT: True (<DEFAULT>)
STATS ON EXT: True (<DEFAULT>)
GOSSIP ON EXT: True (<DEFAULT>)
DISABLE SCAVENGE MERGING: False (<DEFAULT>)
SCAVENGE HISTORY MAX AGE: 30 (<DEFAULT>)
DISCOVER VIA DNS: True (<DEFAULT>)
CLUSTER DNS: fake.dns (<DEFAULT>)
CLUSTER GOSSIP PORT: 30777 (<DEFAULT>)
GOSSIP SEED: <empty> (<DEFAULT>)
STATS PERIOD SEC: 30 (<DEFAULT>)
CACHED CHUNKS: -1 (<DEFAULT>)
READER THREADS COUNT: 4 (<DEFAULT>)
CHUNKS CACHE SIZE: 536871424 (<DEFAULT>)
MAX MEM TABLE SIZE: 1000000 (<DEFAULT>)
HASH COLLISION READ LIMIT: 100 (<DEFAULT>)
DB: /var/lib/eventstore (<DEFAULT>)
INDEX: <empty> (<DEFAULT>)
MEM DB: False (<DEFAULT>)
SKIP DB VERIFY: False (<DEFAULT>)
WRITE THROUGH: False (<DEFAULT>)
UNBUFFERED: False (<DEFAULT>)
CHUNK INITIAL READER COUNT: 5 (<DEFAULT>)
PROJECTION THREADS: 3 (<DEFAULT>)
WORKER THREADS: 5 (<DEFAULT>)
PROJECTIONS QUERY EXPIRY: 5 (<DEFAULT>)
FAULT OUT OF ORDER PROJECTIONS: False (<DEFAULT>)
INT HTTP PREFIXES: <empty> (<DEFAULT>)
EXT HTTP PREFIXES: <empty> (<DEFAULT>)
ENABLE TRUSTED AUTH: False (<DEFAULT>)
ADD INTERFACE PREFIXES: True (<DEFAULT>)
CERTIFICATE STORE LOCATION: <empty> (<DEFAULT>)
CERTIFICATE STORE NAME: <empty> (<DEFAULT>)
CERTIFICATE SUBJECT NAME: <empty> (<DEFAULT>)
CERTIFICATE THUMBPRINT: <empty> (<DEFAULT>)
CERTIFICATE FILE: <empty> (<DEFAULT>)
CERTIFICATE PASSWORD: <empty> (<DEFAULT>)
USE INTERNAL SSL: False (<DEFAULT>)
DISABLE INSECURE TCP: False (<DEFAULT>)
SSL TARGET HOST: n/a (<DEFAULT>)
SSL VALIDATE SERVER: True (<DEFAULT>)
AUTHENTICATION TYPE: internal (<DEFAULT>)
AUTHENTICATION CONFIG: <empty> (<DEFAULT>)
DISABLE FIRST LEVEL HTTP AUTHORIZATION: False (<DEFAULT>)
PREPARE TIMEOUT MS: 2000 (<DEFAULT>)
COMMIT TIMEOUT MS: 2000 (<DEFAULT>)
UNSAFE DISABLE FLUSH TO DISK: False (<DEFAULT>)
BETTER ORDERING: False (<DEFAULT>)
UNSAFE IGNORE HARD DELETE: False (<DEFAULT>)
SKIP INDEX VERIFY: False (<DEFAULT>)
INDEX CACHE DEPTH: 16 (<DEFAULT>)
OPTIMIZE INDEX MERGE: False (<DEFAULT>)
GOSSIP INTERVAL MS: 1000 (<DEFAULT>)
GOSSIP ALLOWED DIFFERENCE MS: 60000 (<DEFAULT>)
GOSSIP TIMEOUT MS: 500 (<DEFAULT>)
ENABLE HISTOGRAMS: False (<DEFAULT>)
LOG HTTP REQUESTS: False (<DEFAULT>)
LOG FAILED AUTHENTICATION ATTEMPTS: False (<DEFAULT>)
ALWAYS KEEP SCAVENGED: False (<DEFAULT>)
SKIP INDEX SCAN ON READS: False (<DEFAULT>)
REDUCE FILE CACHE PRESSURE: False (<DEFAULT>)
INITIALIZATION THREADS: 1 (<DEFAULT>)
STRUCTURED LOG: True (<DEFAULT>)
MAX AUTO MERGE INDEX LEVEL: 2147483647 (<DEFAULT>)
WRITE STATS TO DB: True (<DEFAULT>)
[34307,01,18:12:12.508] {"defaults":{"Help":"False","Version":"False","Log":"/var/log/eventstore","Config":"","Defines":"System.String[]","WhatIf":"False","StartStandardProjections":"False","DisableHTTPCaching":"False","MonoMinThreadpoolSize":"10","IntIp":"127.0.0.1","ExtIp":"127.0.0.1","IntHttpPort":"2112","ExtHttpPort":"2113","IntTcpPort":"1112","IntSecureTcpPort":"0","ExtTcpPort":"1113","ExtSecureTcpPortAdvertiseAs":"0","ExtSecureTcpPort":"0","ExtIpAdvertiseAs":null,"ExtTcpPortAdvertiseAs":"0","ExtHttpPortAdvertiseAs":"0","IntIpAdvertiseAs":null,"IntSecureTcpPortAdvertiseAs":"0","IntTcpPortAdvertiseAs":"0","IntHttpPortAdvertiseAs":"0","IntTcpHeartbeatTimeout":"700","ExtTcpHeartbeatTimeout":"1000","IntTcpHeartbeatInterval":"700","ExtTcpHeartbeatInterval":"2000","GossipOnSingleNode":"False","ConnectionPendingSendBytesThreshold":"10485760","ConnectionQueueSizeThreshold":"50000","Force":"False","ClusterSize":"1","NodePriority":"0","MinFlushDelayMs":"2","CommitCount":"-1","PrepareCount":"-1","AdminOnExt":"True","StatsOnExt":"True","GossipOnExt":"True","DisableScavengeMerging":"False","ScavengeHistoryMaxAge":"30","DiscoverViaDns":"True","ClusterDns":"fake.dns","ClusterGossipPort":"30777","GossipSeed":"System.Net.IPEndPoint[]","StatsPeriodSec":"30","CachedChunks":"-1","ReaderThreadsCount":"4","ChunksCacheSize":"536871424","MaxMemTableSize":"1000000","HashCollisionReadLimit":"100","Db":"/var/lib/eventstore","Index":null,"MemDb":"False","SkipDbVerify":"False","WriteThrough":"False","Unbuffered":"False","ChunkInitialReaderCount":"5","ProjectionThreads":"3","WorkerThreads":"5","ProjectionsQueryExpiry":"5","FaultOutOfOrderProjections":"False","IntHttpPrefixes":"System.String[]","ExtHttpPrefixes":"System.String[]","EnableTrustedAuth":"False","AddInterfacePrefixes":"True","CertificateStoreLocation":"","CertificateStoreName":"","CertificateSubjectName":"","CertificateThumbprint":"","CertificateFile":"","CertificatePassword":"","UseInternalSsl":"False","DisableInsecureTCP":"False","SslTargetHost":"n/a","SslValidateServer":"True","AuthenticationType":"internal","AuthenticationConfig":"","DisableFirstLevelHttpAuthorization":"False","PrepareTimeoutMs":"2000","CommitTimeoutMs":"2000","UnsafeDisableFlushToDisk":"False","BetterOrdering":"False","UnsafeIgnoreHardDelete":"False","SkipIndexVerify":"False","IndexCacheDepth":"16","OptimizeIndexMerge":"False","GossipIntervalMs":"1000","GossipAllowedDifferenceMs":"60000","GossipTimeoutMs":"500","EnableHistograms":"False","LogHttpRequests":"False","LogFailedAuthenticationAttempts":"False","AlwaysKeepScavenged":"False","SkipIndexScanOnReads":"False","ReduceFileCachePressure":"False","InitializationThreads":"1","StructuredLog":"True","MaxAutoMergeIndexLevel":"2147483647","WriteStatsToDb":"True"},"modified":{"RunProjections":"System"}}
[34307,01,18:12:12.518] Quorum size set to 1
[34307,01,18:12:12.526] Cannot find plugins path: "/usr/local/share/eventstore/plugins"
[34307,01,18:12:12.558] Unhandled exception while starting application:
EXCEPTION OCCURRED
Access to the path "/var/lib/eventstore/writer.chk" is denied.
[34307,01,18:12:12.572] "Access to the path "/var/lib/eventstore/writer.chk" is denied."
EXCEPTION OCCURRED
Access to the path "/var/lib/eventstore/writer.chk" is denied.
(I tried to run with sudo again and the program starts without problems, but with no data.)
I'm guessing sudo changes the default paths, and that this doesn't get reversed without sudo.
Also added this in the forum: https://discuss.eventstore.com/t/fail-to-run-after-using-sudo/2748/2

Have you checked the docs? https://developers.eventstore.com/server/5.0.9/server/server/default-directories.html#macos
The data isn't gone, but the database path for the root user won't match the path for the regular user, so your database has been created elsewhere.
Here is the docs note:
On macOS you will get permissions error if you run eventstore without sudo. We advise changing the configuration file and change the Db option to a place where you have access as the normal user.
When running with sudo, the database is located at /var/lib/eventstore. I suspect that when you run it without sudo, the database was placed under /usr/local/Caskroom/eventstore/5.0.8/EventStore-OSS-MacOS-macOS-v5.0.8 somewhere.
Honestly, I avoid running EventStoreDB on macOS from the cask and use Docker instead. It's more predictable, doesn't have issues and allows you to run different versions without issues.
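A concrete check for the state the log in the question shows, added here as an example (it is neither the poster's nor EventStoreDB's code): the DB option in that log is the default /var/lib/eventstore, and the non-sudo run is refused access to writer.chk there, which is what root-owned checkpoint files left behind by a sudo run look like. The helper below reports whether a data directory is writable by the current user and lists any .chk files owned by someone else. The directory is a parameter; the $HOME/eventstore-data alternative in the trailing comment is an assumption, and --db is the EventStoreDB v5 option behind the DB line of the option dump.

```shell
#!/bin/sh
# Added example, not from the thread or the EventStoreDB project. On macOS the
# default data directory is /var/lib/eventstore (the DB option in the log above);
# a run under sudo creates root-owned files there and a later run as the normal
# user fails with "Access to the path ... is denied". This checks for that state.

# check_es_db_dir DIR
#   Prints "ok: DIR" and returns 0 when DIR is writable by the caller and every
#   checkpoint file (*.chk) in it is owned by the caller. Otherwise prints each
#   problem and returns 1; returns 2 if DIR does not exist.
check_es_db_dir() {
  dir="$1"
  me="$(id -un)"
  if [ ! -d "$dir" ]; then
    echo "missing: $dir"
    return 2
  fi
  rc=0
  if [ ! -w "$dir" ]; then
    echo "not writable by $me: $dir"
    rc=1
  fi
  for f in "$dir"/*.chk; do
    [ -e "$f" ] || continue          # no .chk files at all: nothing to report
    # ls -ld prints the owner in the third column on both macOS and Linux
    owner="$(ls -ld "$f" | awk '{print $3}')"
    if [ "$owner" != "$me" ]; then
      echo "owned by $owner, not $me: $f"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "ok: $dir"
  return "$rc"
}

# Usage: sh check_es_db_dir.sh /var/lib/eventstore
# If the check fails, either hand the directory back to your user
# (sudo chown -R "$(id -un)" /var/lib/eventstore) or point EventStoreDB at a
# directory you own, e.g. (assumed path):
#   eventstore --db="$HOME/eventstore-data" --run-projections=System
if [ $# -gt 0 ]; then
  check_es_db_dir "$1"
fi
```

Running it against /var/lib/eventstore after a sudo run will list writer.chk and the other checkpoint files as owned by root; either fix restores a single data directory for one user, which is the only way the same database is visible to both runs.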

Related

Thingsboard-Gateway - |ERROR| - [mqtt_connector.py] - mqtt_connector - __connect - 285 - [Errno 111] Connection refused

Tried setting up the gateway but get this error when starting the Docker container; tb_gateway.yaml is set up correctly and the ports are open (I have a Raspberry Pi sending data via the same connection).
thingsboard:
  host: xxxxx.xxxxxx.com
  port: 1883
  remoteShell: false
  remoteConfiguration: false
  statistics:
    enable: true
    statsSendPeriodInSeconds: 3600
    configuration: statistics.json
  maxPayloadSizeBytes: 1024
  minPackSendDelayMS: 0
  checkConnectorsConfigurationInSeconds: 60
  handleDeviceRenaming: true
  checkingDeviceActivity:
    checkDeviceInactivity: false
    inactivityTimeoutSeconds: 300
    inactivityCheckPeriodSeconds: 10
  security:
    accessToken: wn4k3xxxxxxxxxGeZ
Log -> https://logpaste.com/Gwculy3u

Traefik failing TLS handshake with Let's Encrypt Certificate

I am attempting to have Traefik serve as a reverse proxy for services running in Docker containers. I've been following the documentation that Traefik provides and have a small docker environment configured via docker compose that successfully serves data via HTTP. Traefik sits behind HAProxy running in TCP mode forwarding packets received from the Internet to Traefik.
However when I tried to add a new router for serving the same content via HTTPS, I receive the following esoteric (to me) error when I run a curl directed to https://my.domain.tld/: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Full curl output:
curl -v https://my.domain.tld/
* Trying <IP Address of Domain>...
* TCP_NODELAY set
* Connected to my.domain.tld (<IP Address of Domain>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
When I attempt to browse to the site via Firefox (web browser) I receive an error code of SSL_ERROR_RX_RECORD_TOO_LONG. When googling this error I was unable to find a post that seemed to have my specific issue.
Below is the docker-compose for the setup I am using to configure the applications
version: "3.9"
secrets:
  cloudflare_dns_token:
    file: ./secrets/cf_dns_api_token.txt
networks:
  socket_proxy:
    name: socket_proxy
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.0.0/24
  container_bridge:
    name: container_bridge
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.1.0/24
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: socket-proxy
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      socket_proxy:
        ipv4_address: 192.168.0.2 # Static IP address
    environment:
      EVENTS: 1
      PING: 1
      VERSION: 1
      CONTAINERS: 1
      NETWORKS: 1
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.8.1
    container_name: traefik-proxy
    command:
      # Log Level for Traefik
      - "--log.level=DEBUG"
      # Enables the web UI
      - "--api.insecure=true"
      # Traefik enables docker as the provider to look for services
      - "--providers.docker=true"
      # Traefik will use the Docker Socket proxy to communicate with the docker socket
      - "--providers.docker.endpoint=tcp://192.168.0.2:2375"
      # Traefik will not expose services if they aren't labelled for export
      - "--providers.docker.exposedByDefault=false"
      # Port where Traefik will listen for web (http) traffic for routing
      - "--entrypoints.web.address=:80"
      # Port where Traefik will listen for web secure (https) traffic for routing
      - "--entrypoints.websecure.address=:443"
      # Trust Proxy Protocol Packets from only the listed IP address
      - "--entryPoints.web.proxyProtocol.trustedIPs=10.0.8.1/32"
      # Trust Proxy Protocol Packets from only the listed IP address
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.8.1/32"
      # Enable an ACME DNS challenge named "letsencrypt"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      # Tell Traefik which provider to use for DNS Challenge
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      # Staging environment for let's encrypt for testing
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Email to provide to let's encrypt
      - "--certificatesresolvers.letsencrypt.acme.email=${EMAIL}"
      # Tell Traefik to store the certificate on a path under our volume
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    networks:
      # Tells Traefik to connect to both the socket proxy network and the container bridge network where the other containers will be connected
      socket_proxy:
      container_bridge:
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    secrets:
      - "cloudflare_dns_token"
    environment:
      # To Be Removed Need Secret Working Properly
      - "CF_DNS_API_TOKEN=${CF_DNS_TOKEN}"
      #- "CF_DNS_API_TOKEN=/run/secrets/cloudflare_dns_token"
    volumes:
      # Create a letsencrypt dir within the folder where the docker-compose file is
      - "./letsencrypt:/letsencrypt"
  whoami:
    image: traefik/whoami
    container_name: whoami-server
    networks:
      container_bridge:
    labels:
      # Tells Traefik to proxy to the service (container)
      - "traefik.enable=true"
      #####################################################################
      #
      # Labels for HTTPS Proxying
      #
      #####################################################################
      # Explicitly stating 'whoami-secure' route is HTTPS
      - "traefik.http.routers.whoami-secure.tls=true"
      # Rule for determining when to route requests to this service for the secure http router
      - "traefik.http.routers.whoami-secure.rule=Host(`whoami.${FQDN}`)"
      # Entry point for requests to this service for the secure http router
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      # Uses the Host rule to define which certificate to issue
      - "traefik.http.routers.whoami-secure.tls.certresolver=letsencrypt"
      #####################################################################
      #
      # Labels for HTTP Proxying
      #
      #####################################################################
      # Rule for determining when to route requests to this service for the insecure http router
      - "traefik.http.routers.whoami.rule=Host(`whoami.${FQDN}`)"
      # Entry point for requests to this service for the insecure http router
      - "traefik.http.routers.whoami.entrypoints=web"
My expectation is that Traefik would gracefully handle the request via HTTPS and manage the TLS handshake without issue. I can confirm that Traefik is able to successfully generate a certificate via Let's Encrypt DNS Challenge for Cloudflare. I am using the Let's Encrypt staging environment at the moment so I did expect an error about the certificate being served as invalid, but it seems that TLS handshake errors out before a determination of validity.
EDIT #1: Running OpenSSL and Wireshark
OpenSSL returns the following when I run openssl s_client -connect my.domain.tld:443
CONNECTED(00000003)
140330304906560:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Wireshark logs show the following:
3 TCP packets preceding the first TLSv1 Client Hello
The Client Hello is acknowledged by the server
Then the server returns a HTTP 400 error - Bad Request
Wireshark dump of error
Transmission Control Protocol, Src Port: 443, Dst Port: 50085, Seq: 1, Ack: 518, Len: 207
Source Port: 443
Destination Port: 50085
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 207]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1488204866
[Next Sequence Number: 208 (relative sequence number)]
Acknowledgment Number: 518 (relative ack number)
Acknowledgment number (raw): 500352812
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 501
[Calculated window size: 64128]
[Window size scaling factor: 128]
Checksum: 0x1155 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[SEQ/ACK analysis]
TCP payload (207 bytes)
Hypertext Transfer Protocol
[Expert Info (Warning/Security): Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.]
[Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.]
[Severity level: Warning]
[Group: Security]
HTTP/1.1 400 Bad request\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 400 Bad request\r\n]
[HTTP/1.1 400 Bad request\r\n]
[Severity level: Chat]
[Group: Sequence]
Response Version: HTTP/1.1
Status Code: 400
[Status Code Description: Bad Request]
Response Phrase: Bad request
Content-length: 90\r\n
Cache-Control: no-cache\r\n
Connection: close\r\n
Content-Type: text/html\r\n
\r\n
[HTTP response 1/1]
File Data: 90 bytes
5 packets later the connection is reset
Wireshark dump of connection reset
Transmission Control Protocol, Src Port: 443, Dst Port: 50085, Seq: 208, Len: 0
Source Port: 443
Destination Port: 50085
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 0]
Sequence Number: 208 (relative sequence number)
Sequence Number (raw): 1488205073
[Next Sequence Number: 208 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
0101 .... = Header Length: 20 bytes (5)
Flags: 0x004 (RST)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Warning/Sequence): Connection reset (RST)]
[Connection reset (RST)]
[Severity level: Warning]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·········R··]
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 128]
Checksum: 0x6dc9 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]

TLS with Rabbitmq Docker-Image: handshake_failure

I am running rabbitmq:3.10.7-management for AMQPS on a VM and I am using chained TLS certificates.
When I configure RabbitMQ according to the TLS how-to on the RabbitMQ website I get no errors starting the container, but I can't connect via TLS and get an immediate connection error. Depending on which tool I use or where I use it I get a connection reset by peer. But it seems like the handshake does not work at all.
When I enable TCP I can just connect fine with a non-TLS client.
The RabbitMQ part of the docker-compose looks like this:
rabbitmq:
  restart: unless-stopped
  hostname: rabbitmq
  image: rabbitmq:3.10.7-management
  networks:
    - traefik
  ports:
    - "5672:5672"
    - "5671:5671"
  logging:
    options:
      max-size: "10m"
      max-file: "3"
  volumes:
    - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
    - ./certs:/certs
    - /data/rabbitmq_data:/var/lib/rabbitmq
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.rabbitmq-secure.priority=150"
    - "traefik.http.services.rabbitmq-secure.loadbalancer.server.port=15672"
    - "traefik.http.routers.rabbitmq-secure.rule=Host(`<myDomain>`) && PathPrefix(`/`)"
    - "traefik.http.routers.rabbitmq-secure.entrypoints=web-secure"
    - "traefik.http.routers.rabbitmq-secure.tls=true"
    - "traefik.http.routers.rabbitmq-secure.tls.options=myTLSOptions#file"
    - "traefik.http.routers.rabbitmq.rule=Host(`<myDomain>`) && PathPrefix(`/`)"
    - "traefik.http.routers.rabbitmq.entrypoints=web"
I am using the same certs to serve the management frontend with no problems.
ca_certificate.pem ->
CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Chain-Cert 1
Chain-Cert 2
server_certificate.pem ->
Wild-Card-Cert
server_key.pem ->
Key for Wild-Card-Cert
I think I tried almost every other configuration as well, for which part goes where.
RabbitMQ-Conf:
log.console.level = debug
listeners.ssl.default = 5671
listeners.tcp = none
ssl_options.cacertfile = /certs/ca_certificate.pem
ssl_options.certfile = /certs/server_certificate.pem
ssl_options.keyfile = /certs/server_key.pem
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
ssl_options.honor_cipher_order = false
ssl_options.honor_ecc_order = false
ssl_handshake_timeout = 10000
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
ssl_options.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305
ssl_options.ciphers.7 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.8 = DHE-RSA-AES256-GCM-SHA384
Logs seem to be OK:
...
2022-09-06 14:42:22.024539+00:00 [info] <0.615.0> started TLS (SSL) listener on [::]:5671
...
Going through "Troubleshooting TLS-enabled Connections" I can check all the boxes I can find up until connecting with TLS:
Check Listeners:
rabbitmq@rabbitmq:/$ rabbitmq-diagnostics listeners
Asking node rabbit@rabbitmq to report its protocol listeners ...
Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS
Check permissions:
rabbitmq@rabbitmq:/certs$ ls -ll
total 20
-rw-r--r-- 1 rabbitmq rabbitmq 1366 Sep 6 14:39 ca_certificate.pem
-rw-r--r-- 1 rabbitmq rabbitmq 6943 Sep 6 14:39 server_certificate.pem
-rw-r--r-- 1 rabbitmq rabbitmq 3275 Sep 5 13:20 server_key.pem
Check TLS support in Erlang:
rabbitmq@rabbitmq:/certs$ rabbitmq-diagnostics --silent tls_versions
tlsv1.3
tlsv1.2
tlsv1.1
tlsv1
Attempt a TLS connection with openssl
rabbitmq@rabbitmq:/certs$ openssl s_client -connect localhost:5671
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
The debug logs don't even show any error when trying to connect.
Trying to connect with TLS to TCP throws an error, though. Somehow the listener does not accept connections at all.
Maybe someone has experienced something similar already, or I am just dumb and overlooking the obvious. But for everything else the VM and the certs work just fine (e.g. Mosquitto MQTTS).
Help would be really appreciated.
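The Traefik thread above and this RabbitMQ thread stall at the same place: openssl s_client reports how many bytes the handshake read and gives up, and the useful evidence is what those first bytes were. The helper below, an added example that belongs to neither thread nor to either project, decodes the first five bytes a server sends back as the TLS record header OpenSSL expects them to be (content type, two-byte version, two-byte length). For the Traefik capture, whose first server packet is "HTTP/1.1 400 Bad request", it shows why OpenSSL says "wrong version number" and Firefox says SSL_ERROR_RX_RECORD_TOO_LONG: a plaintext HTTP response is being sent on port 443. For the RabbitMQ case, where the handshake read 0 bytes and the write failed with errno 104 (ECONNRESET on Linux), it reports that the peer closed the connection before sending anything, which rules out a client-side verification failure because no certificate was ever received. The input file path and the sample replies used in the test are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from either thread). OpenSSL reads the first 5 bytes a
# server sends back as a TLS record header: content type (1 byte), protocol version
# (2 bytes), record length (2 bytes). This helper decodes those 5 bytes from a file
# holding the raw server reply and says what actually answered on the TLS port.

# classify_tls_reply FILE
#   FILE: the raw bytes the server sent first (e.g. saved from a packet capture).
#   Prints a one-line diagnosis; returns 0 for a genuine TLS record, 1 otherwise.
classify_tls_reply() {
  hex="$(head -c 5 "$1" | od -An -v -tx1 | tr -d ' \t\n')"
  if [ -z "$hex" ]; then
    echo "no data: the peer closed or reset the connection before sending anything"
    return 1
  fi
  if [ "${#hex}" -lt 10 ]; then
    echo "short reply ($(( ${#hex} / 2 )) bytes), not a TLS record header"
    return 1
  fi
  rtype=$(( 0x$(printf '%s' "$hex" | cut -c1-2) ))
  rver=$(( 0x$(printf '%s' "$hex" | cut -c3-6) ))
  rlen=$(( 0x$(printf '%s' "$hex" | cut -c7-10) ))
  # A real record has content type 20..23 (ChangeCipherSpec, Alert, Handshake,
  # ApplicationData) and version 0x0300..0x0304 (SSL 3.0 .. TLS 1.3 wire values).
  if [ "$rtype" -ge 20 ] && [ "$rtype" -le 23 ] && [ "$rver" -ge 768 ] && [ "$rver" -le 772 ]; then
    printf 'TLS record: type %d, version 0x%04x, length %d\n' "$rtype" "$rver" "$rlen"
    return 0
  fi
  if [ "$(head -c 5 "$1")" = "HTTP/" ]; then
    # "HTTP/" is 48 54 54 50 2f: type 0x48 and version 0x5454 are what OpenSSL's
    # "wrong version number" complains about; length 0x502f (20527) is larger than
    # any TLS record may be (2^14 + 2048 bytes), hence NSS's SSL_ERROR_RX_RECORD_TOO_LONG.
    printf 'plaintext HTTP on the TLS port: bytes decode as type 0x%02x, version 0x%04x, length %d\n' "$rtype" "$rver" "$rlen"
    return 1
  fi
  printf 'not TLS: first bytes %s (type 0x%02x, version 0x%04x)\n' "$hex" "$rtype" "$rver"
  return 1
}

# Usage: sh classify_tls_reply.sh reply.bin
if [ $# -gt 0 ]; then
  classify_tls_reply "$1"
fi
```

To feed it real traffic, select the server's first packet in the capture and save its payload with Wireshark's File > Export Packet Bytes, then run the script on that file. A "plaintext HTTP" verdict means the fix is in whatever produced the HTTP response in front of the TLS listener, not in the certificate; a "no data" verdict means the accepting side dropped the connection before any TLS alert, so the server-side log of the listener (not the client's trust store) is where to look next.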

Trying to start eureka and config server with docker container

I'm a new learner of Docker. I'm trying to start the Eureka server and the config server, but the config server gives an error: Cannot execute the request on any known server, and due to this error I can't start the other microservices.
application.yml(eureka service)
server:
  port: 5002
eureka:
  client:
    service-url:
      defaultZone: http://localhost:5002/eureka/
    register-with-eureka: false
    fetch-registry: false
application.yml(config microservice)
server:
  port: 9095
spring:
  application:
    name: config-server
  profiles:
    active:
      - native
  cloud:
    config:
      server:
        native:
          search-locations:
            - classpath:/
eureka:
  instance:
    hostname: localhost
    port: 5002
  client:
    register-with-eureka: true
    fetch-registry: true
    service-url:
      defaultZone: http://${eureka.instance.hostname}:${eureka.instance.port}/eureka/
and I have two separate Dockerfiles for these, in which FROM, ADD, EXPOSE and ENTRYPOINT are used.

elasticsearch unable to know the cluster's nodes

I have a cluster of 4 nodes, 2 masters and 2 slaves, all running in Docker.
The config of the master is below:
network:
  host: 0.0.0.0
  publish_host: myIP
http:
  port: 9201
transport.tcp.port: 9301
path:
  logs: "/usr/share/elasticsearch/logs"
discovery.zen.minimum_master_nodes: 2
http.cors.enabled : true
http.cors.allow-origin : "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Authorization, Content-Length
cluster.name: lpfrlogsconcentration
node:
  name: "node-1"
  master: true
  data: false
  ingest: true
discovery.zen.ping.unicast.hosts:
  - myIP:9301
  - myIP:9302
  - myIP:9303
  - myIP:9304
And for the slaves, it is:
network:
  host: 0.0.0.0
  publish_host: myIP
http:
  port: 9203
transport.tcp.port: 9303
path:
  logs: "/usr/share/elasticsearch/logs"
discovery.zen.minimum_master_nodes: 2
http.cors.enabled : true
http.cors.allow-origin : "*"
http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Authorization, Content-Length
cluster.name: lpfrlogsconcentration
node:
  name: "node-3"
  master: false
  data: true
  ingest: true
discovery.zen.ping.unicast.hosts:
  - myIP:9301
  - myIP:9302
  - myIP:9303
  - myIP:9304
But when I run the containers, I get this error on nodes 1 & 2 (the masters):
[2018-06-14T08:41:02,744][INFO ][o.e.d.z.ZenDiscovery ]
[node-1] failed to send join request to master
[{node-2}{UNxVYf5mQUSUV3Z9h6c7Pw}{4xJAijDHTfCNfdjyUDLvtQ}{221.128.56.131}{221.128.56.131:9302}],
reason [RemoteTransportException[[node-2][172.17.0.2:9302][internal:discovery/zen/join]];
nested: NotMasterException[Node [{node-2}{UNxVYf5mQUSUV3Z9h6c7Pw}{4xJAijDHTfCNfdjyUDLvtQ}
{221.128.56.131}{221.128.56.131:9302}] not master for join request]; ],
tried [3] times
Can you help me debug this?
