level=error msg="failed to load x509 key pair: tls: failed to find PEM stat in certificate imputes"

[kerwinkfs]

Hello Luca,

I"m using your example as is. I run docker-compose build and up. I'm not able to reach localhost after compose up is complete. Looking through the output I see the error: level-error msg=failed to load x509 key pair: tls: failed to find PEM stat in certificate imputes"

I tried replacing the authentication method to the GitLab example as well, but still the same error.

They cert files are there.

Any thoughts?
Thanks
Kerwin

[defeo]

This error seems to be related to TLS keys and certficates, which are not related to the present configuration. Maybe related to the way you have another web server (ngingx or apache, maybe) set up?

[kerwinkfs]

Thank you for your quick response. Ok, I got pass that point with the certs. Now when I go to localhost:8000 I Safari Can't Connect to Server.

Thoughts?
Kerwin

[defeo]

Sorry about my previous nonsense answer. I should have told you to look into /etc/certs, but somehow forgot that traefik was managing the certs.

Re you newer question, I don't know why you're trying to connect on port 8000. The traefik proxy is set to listen on ports 80 (http) and 443 (https):

jupyterhub-docker/docker-compose.yml

Lines 30 to 33 in d2e20a3

	ports:
	- "80:80"
	- "443:443"
	- "8080:8080"

If you haven't touched the configuration, then that's where you should point your browser.

[kerwinkfs]

Hello Luca, Yep, I tried all of the different ports options.All would not launch the jupyterhub. I can’t get to the Traefik dashboard. I’m sorry, I’m having these issues. Thoughts? Kerwin

…

On Mar 15, 2019, at 6:28 PM, Luca De Feo ***@***.***> wrote: Sorry about my previous nonsense answer. I should have told you to look into /etc/certs, but somehow forgot that traefik was managing the certs. Re you newer question, I don't know why you're trying to connect on port 8000. The traefik proxy is set to listen on ports 80 (http) and 443 (https): https://github.com/defeo/jupyterhub-docker/blob/d2e20a3fa1a899b9f9cd8e8de17597d679a0786e/docker-compose.yml#L30-L33 <https://github.com/defeo/jupyterhub-docker/blob/d2e20a3fa1a899b9f9cd8e8de17597d679a0786e/docker-compose.yml#L30-L33> If you haven't touched the configuration, then that's where you should point your browser. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af4fKbniRHPgxrgVN58sjXZDQnMplnrtks5vXCyvgaJpZM4b10eW>.

[defeo]

No problem. But it's hard for me to help without seeing your docker-compose.yml at the very least.

[kerwinkfs]

Here you go… version: '3' services: jupyterhub: build: jupyterhub image: jupyterhub_img container_name: jupyterhub volumes: - /var/run/docker.sock:/var/run/docker.sock - jupyterhub_data:/srv/jupyterhub environment: DOCKER_JUPYTER_CONTAINER: jupyterlab_img DOCKER_NETWORK_NAME: ${COMPOSE_PROJECT_NAME}_default DOCKER_JUPYTER_IMAGE: jupyterlab/scipy-notebook:1145fb1198b2 HUB_IP: jupyterhub labels: - "traefik.enable=true" - "traefik.frontend.rule=Host:http://jupyterhub:8081" restart: on-failure jupyterlab: build: jupyterlab image: jupyterlab_img container_name: jupyterlab-throaway network_mode: none command: echo reverse-proxy: image: traefik container_name: reverse-proxy ports: - "80:80" - "443:443" - "8080:8080" volumes: - ./reverse-proxy/traefik.toml:/etc/traefik/traefik.toml - /tmp/certs:/etc/certs - /var/run/docker.sock:/var/run/docker.sock restart: on-failure volumes: jupyterhub_data:

[defeo]

So, given this file, the traefik dashboard should be listening on port 8080, and the jupyterhub server on port 80. If those ports are unresponsive, then check that trafik is running.

I don't understand what you are trying to achieve with this rule: "traefik.frontend.rule=Host:http://jupyterhub:8081". Presumably, because of this, traefik will fail to forward traffic from port 80 to the jupyterhub host. Please read about Traefik fronteds to understand what goes in this rule (and whether you need it at all).

[kerwinkfs]

Let me change it back to the original. Its was one of the options I had tried to see if I would get a different action. Thank you for you help. Kerwin

…

On Mar 16, 2019, at 8:29 AM, Luca De Feo ***@***.***> wrote: So, given this file, the traefik dashboard should be listening on port 8080, and the jupyterhub server on port 80. If those ports are unresponsive, then check that trafik is running. I don't understand what you are trying to achieve with this rule: "traefik.frontend.rule=Host:http://jupyterhub:8081". Presumably, because of this, traefik will fail to forward traffic from port 80 to the jupyterhub host. Please read about Traefik fronteds <https://docs.traefik.io/basics/#frontends> to understand what goes in this rule (and whether you need it at all). — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af4fKa1TQSWRlBoelCXruQDnLhKxrxo9ks5vXPG6gaJpZM4b10eW>.

[defeo]

The original will not work for you either. That's the name of the server where you're going to host the service. You do have a server with an assigned DNS name, right?

[kerwinkfs]

Here is the output from the docker up command. Attaching to jupyterlab-throaway, jupyterhub, reverse-proxy jupyterlab-throaway | jupyterlab-throaway exited with code 0 jupyterhub | [I 2019-03-16 13:55:11.661 JupyterHub app:1667] Using Authenticator: builtins.UVSQAuthenticator jupyterhub | [I 2019-03-16 13:55:11.661 JupyterHub app:1667] Using Spawner: dockerspawner.dockerspawner.DockerSpawner-0.10.0 jupyterhub | [I 2019-03-16 13:55:11.664 JupyterHub app:1014] Loading cookie_secret from /srv/jupyterhub/jupyterhub_cookie_secret jupyterhub | [I 2019-03-16 13:55:11.683 JupyterHub proxy:431] Generating new CONFIGPROXY_AUTH_TOKEN jupyterhub | [I 2019-03-16 13:55:11.707 JupyterHub app:1199] Not using whitelist. Any authenticated user will be allowed. jupyterhub | [I 2019-03-16 13:55:11.747 JupyterHub app:1849] Hub API listening on http://jupyterhub:8081/hub/ jupyterhub | [W 2019-03-16 13:55:11.749 JupyterHub proxy:565] Running JupyterHub without SSL. I hope there is SSL termination happening somewhere else... jupyterhub | [I 2019-03-16 13:55:11.749 JupyterHub proxy:567] Starting proxy @ http://:8000 jupyterhub | 13:55:12.104 - info: [ConfigProxy] Proxying http://*:8000 to (no default) jupyterhub | 13:55:12.108 - info: [ConfigProxy] Proxy API at http://127.0.0.1:8001/api/routes jupyterhub | [I 2019-03-16 13:55:12.153 JupyterHub app:1870] Starting managed service cull_idle jupyterhub | [I 2019-03-16 13:55:12.153 JupyterHub service:302] Starting service 'cull_idle': ['python', '/srv/jupyterhub/cull_idle_servers.py', '--timeout=3600'] jupyterhub | [I 2019-03-16 13:55:12.156 JupyterHub service:114] Spawning python /srv/jupyterhub/cull_idle_servers.py --timeout=3600 jupyterhub | 13:55:12.173 - info: [ConfigProxy] 200 GET /api/routes jupyterhub | [I 2019-03-16 13:55:12.174 JupyterHub proxy:301] Checking routes jupyterhub | [I 2019-03-16 13:55:12.174 JupyterHub proxy:370] Adding default route for Hub: / => http://jupyterhub:8081 jupyterhub | 13:55:12.178 - info: [ConfigProxy] Adding route / -> http://jupyterhub:8081 jupyterhub | 13:55:12.180 - info: [ConfigProxy] 201 POST /api/routes/ jupyterhub | [I 2019-03-16 13:55:12.181 JupyterHub app:1906] JupyterHub is now running at http://:8000 jupyterhub | [I 2019-03-16 13:55:12.318 JupyterHub log:158] 200 GET /hub/api/users (cull_idle@172.18.0.3) 17.17ms I have to be doing something wrong because I still can not reach jupyterhub. Current compose file.. version: '3' services: jupyterhub: build: jupyterhub image: jupyterhub_img container_name: jupyterhub volumes: - /var/run/docker.sock:/var/run/docker.sock - jupyterhub_data:/srv/jupyterhub environment: DOCKER_JUPYTER_CONTAINER: jupyterlab_img DOCKER_NETWORK_NAME: ${COMPOSE_PROJECT_NAME}_default DOCKER_JUPYTER_IMAGE: jupyterlab/scipy-notebook:1145fb1198b2 HUB_IP: jupyterhub labels: - "traefik.enable=true" restart: on-failure jupyterlab: build: jupyterlab image: jupyterlab_img container_name: jupyterlab-throaway network_mode: none command: echo reverse-proxy: image: traefik container_name: reverse-proxy ports: - "80:80" - "443:443" - "8080:8080" volumes: - ./reverse-proxy/traefik.toml:/etc/traefik/traefik.toml - /tmp/certs:/etc/certs - /var/run/docker.sock:/var/run/docker.sock restart: on-failure volumes: jupyterhub_data:

…

On Mar 16, 2019, at 8:29 AM, Luca De Feo ***@***.***> wrote: So, given this file, the traefik dashboard should be listening on port 8080, and the jupyterhub server on port 80. If those ports are unresponsive, then check that trafik is running. I don't understand what you are trying to achieve with this rule: "traefik.frontend.rule=Host:http://jupyterhub:8081". Presumably, because of this, traefik will fail to forward traffic from port 80 to the jupyterhub host. Please read about Traefik fronteds <https://docs.traefik.io/basics/#frontends> to understand what goes in this rule (and whether you need it at all). — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af4fKa1TQSWRlBoelCXruQDnLhKxrxo9ks5vXPG6gaJpZM4b10eW>.

[kerwinkfs]

Yes I do..

…

On Mar 16, 2019, at 8:58 AM, Luca De Feo ***@***.***> wrote: The original will not work for you either. That's the name of the server where you're going to host the service. You do have a server with an assigned DNS name, right? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af4fKcJme2S4Kn1uWAOIZu1uq7yXCUfXks5vXPiZgaJpZM4b10eW>.

[defeo]

You should disregard the URLs that JupyterHub writes in the logs, such as http://localhost:8081: those are local to the container, and not reachable from outside (e.g., from your browser).

Traefik is doing the job of proxying connections to the various containers. That Host:... rule is telling Traefik to proxy all connections to jupyter.ens.uvsq.fr to the jupyterhub container. You should replace jupyter.ens.uvsq.fr with the name of your server everywhere. You will not be able to reach JupyterHub via localhost, only via that name.

If you want to also access JupyterHub via localhost, then you can add more Traefik directives in the labels section. Check out the Traefik docs.

If you're unsure whether traefik is running and/or properly detecting docker containers, go to the dashboard on http://localhost:8080/.