We Keep Coding

TLS challenge with docker-compose: acme: error presenting token: timeout

I'm running the basic TLS challenge docker example:
version: "3.3"
services:
traefik:
image: "traefik:v2.4"
restart: always
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.mytlschallenge.acme.email=${SSL_EMAIL}"
- "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "8080:8080"
volumes:
- ${DATA_FOLDER}/letsencrypt:/letsencrypt
- /var/run/docker.sock:/var/run/docker.sock:ro
n8n:
image: mjysci/n8n:latest-rpi
restart: always
ports:
- "127.0.0.1:5678:5678"
labels:
- traefik.enable=true
- traefik.http.routers.n8n.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
- traefik.http.routers.n8n.tls=true
- traefik.http.routers.n8n.entrypoints=websecure
- traefik.http.routers.n8n.tls.certresolver=mytlschallenge
- traefik.http.middlewares.n8n.headers.SSLRedirect=true
- traefik.http.middlewares.n8n.headers.STSSeconds=315360000
- traefik.http.middlewares.n8n.headers.browserXSSFilter=true
- traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
- traefik.http.middlewares.n8n.headers.forceSTSHeader=true
- traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
- traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
- traefik.http.middlewares.n8n.headers.STSPreload=true
environment:
- N8N_BASIC_AUTH_ACTIVE=true
- N8N_BASIC_AUTH_USER
- N8N_BASIC_AUTH_PASSWORD
- N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
- N8N_PORT=5678
- N8N_PROTOCOL=https
- NODE_ENV=production
- WEBHOOK_TUNNEL_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${DATA_FOLDER}/.n8n:/home/node/.n8n
But when I'm running it says:
level=error msg="Unable to obtain ACME certificate for domains \"<MY_DOMAIN>\": unable to generate a certificate for the domains [<MY_DOMAIN>]: error: one or more domains had a problem:\n[<MY_DOMAIN>] [<MY_DOMAIN>] acme: error presenting token: timeout 2021-02-01 10:09:04.491784271 +0000 UTC m=+378.657940910\n" providerName=mytlschallenge.acme routerName=n8n#docker rule="Host(`<MY_DOMAIN>`)"
In the browser, the application is available and works well with HTTPS but it says the certificate isn't valid (obviously). What could be wrong here?

i'm having the same problem on some domains.
It looks like its a timeout.
i tried to restart traefik now. same issue again.
ps: add traefik in the title of the thread, you may gain more visibility and answers.
EDIT: I reverted to version 2.3.7 and it works again.
there must be a bug in 2.4 (latest)
i created an issue :
https://github.com/traefik/traefik/issues/7848

Dockerized certbot can not find mounted directory

I'm trying to deploy my service on a vm and I have this part in my docker-compose.yaml:
certbot:
container_name: certbot
image: certbot/certbot:v1.9.0
logging:
driver: "json-file"
options:
max-size: 500m
volumes:
- {vm_path}/certbot/certbot-etc:/etc/letsencrypt
- {vm_path}/certbot/certbot-var:/var/lib/letsencrypt
- {vm_path}/nginx/certbot-web-root:/var/www/certbot/html
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
command:
- certonly
- --webroot
- -w /var/www/certbot/html
- --email={email}
- --agree-tos
- --no-eff-email
- --dry-run
- -d {domain}
but when I run docker-compose up, I get this error from certbot:
certbot | /var/www/certbot/html does not exist or is not a directory
also the directory {vm_path}/nginx/certbot-web-root:/var/www/certbot/html exists on my vm and is absolute.
------UPDATE:
My VM's OS is Ubuntu 18.04.
I checked docker-compose config and there is no problem in it.
Also the result of run ls -l /var/www/certbot:
certbot | total 4
certbot | drwxr-xr-x 2 1001 1001 4096 Nov 4 10:54 html
and also the /var/www/certbot/html/ exists and is empty.

I've found the answer. The problem is the command section syntax, it should be:
command:
- certonly
- --webroot
- -w
- /var/www/certbot/html
- --email={email}
- --agree-tos
- --no-eff-email
- --dry-run
- -d
- {domain}

How do you enable Feature Gates in K8s?

I need to enable a few Feature Gates on my bare-metal K8s cluster(v1.13). I've tried using the kubelet flag --config to enable them, as kubelet --feature-gates <feature gate> throws an error saying that the feature has been deprecated.
I've created a .yml file with the following configuration:
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
feature-gates:
VolumeSnapshotDataSource=true
and after running: "kubelet --config , I got the following error:
I0119 21:59:52.987945 29087 server.go:417] Version: v1.14.2
I0119 21:59:52.988165 29087 plugins.go:103] No cloud provider specified.
W0119 21:59:52.988188 29087 server.go:556] standalone mode, no API client
F0119 21:59:52.988203 29087 server.go:265] failed to run Kubelet: no client provided, cannot use webhook authentication
Does anyone know what could be happening and how to fix this problem?

You don't apply --feature-gates to the kubelet. You do it to the API-server. Depending on how have you installed kubernetes on bare metal, you would need to either stop API-server, edit the command you start it with and add the following parameter:
--feature-gates=VolumeSnapshotDataSource=true
Or, if it is in a pod, find the manifest, edit it and re-deploy it (it should happen automatically, once you finish editing). It should look like this:
...
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.132.0.48
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
- --feature-gates=VolumeSnapshotDataSource=true
image: k8s.gcr.io/kube-apiserver:v1.16.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 8
httpGet:
host: 10.132.0.48
path: /healthz
port: 6443
scheme: HTTPS
...

It(VolumeSnapshotDataSource) is a default feature in 1.17 beta releases. It needs to be enabled in API server if the kubernetes version is less than 1.17.

How to enforce authentication and authorization modules on insecure kubernetes api server port

I have enabled the API server over insecure port on the private subnet, with the following flag
- --insecure-port=8080
- --insecure-bind-address=0.0.0.0
As a result of this it bypasses authentication and authorization modules. which is perfectly well documented in the https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
I tried to adding the flag --anonymous-auth=false doesn't solve the purpose
Here is the complete list of API command
- kube-apiserver
- --advertise-address=192.0.3.6
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --anonymous-auth=false
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=8080
- --insecure-bind-address=0.0.0.0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
As per security I know insecure shouldn't be used for communication this is complete isolated network and i'm trying to enable authentication and authorization modules over the insecure port

By default, the insercure port will bypass authentication and authorization modules, as its primary task is to bosstrap and test the server, not to actually act as the main port.
The authentication and authorization modules can be enabled in the secure port.
Wrapping up, the port you want to secure, is not meant to have these modules enabled.

Hyperledger Fabric - Timeout instantiating chaincode

I have issues instantiating my chaincode on a channel (timeout), and as I'm quite new to Docker and containerisation it may come from network setup.
Here is the command:
docker exec -e "CORE_PEER_LOCALMSPID=ControlTowerMSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#controltower.com/msp" peer0.controltower.com peer chaincode instantiate -C frenchspoonchannel -n nodecc -v 1.0 -c '{"Args":["init","a","100","b","200"]}'
The chaincode container is created but not up and the command timeout
Peer logs:
2018-12-05 13:46:20.263 UTC [endorser] SimulateProposal -> ERRO 036 [frenchspoonchannel][b33ded8e] failed to invoke chaincode name:"lscc" , error: timeout expired while starting chaincode nodecc:1.0 for transaction b33ded8e61c100521c4e08ab9402b5324cb967f63e1163d1963e2293ce0445f6
dev-peer logs:
Error: Cannot find module '/usr/local/src/chaincode_example02.js'
at Function.Module._resolveFilename (module.js:538:15)
at Function.Module._load (module.js:468:25)
at Function.Module.runMain (module.js:684:10)
at startup (bootstrap_node.js:187:16)
at bootstrap_node.js:608:3
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! chaincode_example02#1.0.0 start: `node chaincode_example02.js "-- peer.address" "192.168.176.5:7052"`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the chaincode_example02#1.0.0 start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
Orderer & Peer docker-compose.yaml
orderer.com:
container_name: orderer.com
image: hyperledger/fabric-orderer
environment:
- ORDERER_GENERAL_LOGLEVEL=info
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_GENESISMETHOD=file
- ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
- ORDERER_GENERAL_LOCALMSPID=OrdererMSP
- ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/msp/orderer/msp
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/orderer
command: orderer
ports:
- 7050:7050
volumes:
- ./config/:/etc/hyperledger/configtx
- ./crypto-config/ordererOrganizations/controltower.com/orderers/orderer.controltower.com/:/etc/hyperledger/msp/orderer
- ./crypto-config/peerOrganizations/controltower.com/peers/devpeer/:/etc/hyperledger/msp/peer0.controlTower.com
networks:
- controltower.com
peer0.controltower.com:
container_name: peer0.controltower.com
image: hyperledger/fabric-peer
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_PEER_ID=peer0.controltower.com
- CORE_LOGGING_PEER=info
- CORE_CHAINCODE_LOGGING_LEVEL=info
- CORE_PEER_ADDRESSAUTODETECT=true
- CORE_PEER_LOCALMSPID=ControlTowerMSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
- CORE_PEER_ADDRESS=peer0.controltower.com:7051
- CORE_PEER_GOSSIP_BOOTSTRAP=p0.controltower.co:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=p0.controltower.co:7051
#- CORE_PEER_CHAINCODELISTENADDRESS=peer0.controltower.com:7052
# # the following setting starts chaincode containers on the same
# # bridge network as the peers
# # https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_controltower.com
- CORE_LEDGER_STATE_STATEDATABASE=CouchDB
- CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
# The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD
# provide the credentials for ledger to connect to CouchDB. The username and password must
# match the username and password set for the associated CouchDB.
- CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=
- CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=
working_dir: /opt/gopath/src/github.com/hyperledger/fabric
command: peer node start
# command: peer node start --peer-chaincodedev=true
ports:
- 7051:7051
#- 7052:7052
- 7053:7053
volumes:
- /var/run/:/host/var/run/
- ./crypto-config/peerOrganizations/controltower.com/peers/devpeer/msp:/etc/hyperledger/msp/peer
- ./crypto-config/peerOrganizations/controltower.com/users:/etc/hyperledger/msp/users
- ./config:/etc/hyperledger/configtx
- ./chaincode:/etc/hyperledger/chaincode
depends_on:
- orderer.com
- couchdb
networks:
- controltower.com
As you see I tried with the env var chaincode.listen.address and open new port 7052 but it didn't work.
Thanks !