RequestError: unable to verify the first certificate
niklasgrewe opened this issue · 14 comments
Hi, I have reinstalled exoframe with traefik on my Debian 10 server. So I deleted the exoframe-server and exoframe-traefik containers and also deleted the .exoframe directory except for the server.config.yml file. Afterwards I could access my website (which I already deployed) as usual via my domain.
My problem now is that I can't log in via the CLI. I get the following error:
Error logging in! Error getting login request phrase. Make sure your endpoint is correct! RequestError: unable to verify the first certificate
When I enter my exoframe endpoint url in the browser, I see the standard exoframe website with the logo via HTTP. When I access the site via HTTPS, I get a 404 NOT FOUND ERROR.
When I then check the certificate in the browser, I notice that Traefik uses the standard certificate.
How can I fix this?
Please refer to Installation and usage with Letsencrypt part of server docs and see if that helps.
@yamalight thanks for the reference. I have actually used the wrong configuration 🙈 But now I have a different error message when I try to login with exoframe login
Error logging in! Check your username and password and try again. HTTPError: Response code 405 (Method Not Allowed)
Note: I am using the 6.1.0 Version
I already had the same error during my first installation. Unfortunately I don't remember how I fixed it. I have used this config to create the exoframe-server docker container:
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /path/to/exoframe-folder:/root/.exoframe \
-v /home/user/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
-e EXO_PRIVATE_KEY=your_private_key \
--label traefik.enable=true \
--label "traefik.http.routers.exoframe-server.rule=Host(\`exoframe.your-host.com\`)" \
--label "traefik.http.routers.exoframe-server-web.rule=Host(\`exoframe.your-host.com\`)" \
--label traefik.http.routers.exoframe-server.tls.certresolver=exoframeChallenge \
--label traefik.http.middlewares.exoframe-server-redirect.redirectscheme.scheme=https \
--label traefik.http.routers.exoframe-server-web.entrypoints=web \
--label traefik.http.routers.exoframe-server-web.middlewares=exoframe-server-redirect@docker \
--label traefik.http.routers.exoframe-server.entrypoints=websecure \
--label entryPoints.web.address=:80 \
--label entryPoints.websecure.address=:443 \
--restart always \
--name exoframe-server \
exoframe/server
and then I tested the config with this line:
-v $HOME/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
I'm pretty sure I fixed the bug somehow by changing this line, but it didn't work that way
my server.config.yml looks like this
# whether to enable letsencrypt, default "false"
letsencrypt: true
# email used for letsencrypt
letsencryptEmail: niklas@grewe.io
# whether to apply gzip compression, default "true"
compress: true
# base top-level domain to use for deployments without domains specified, default "false"
# used as postfix, e.g. if you specify ".example.com" (dot is auto-prepended if not present)
# all your deployments will be autodeployed as "deployment-id.example.com"
baseDomain: false
# CORS support; can be "true" ("*" header) or object with "origin" property, default "false"
cors: false
# Traefik image to be used; set to "false" to disable traefik management, default "traefik:latest"
traefikImage: 'traefik:latest'
# Traefik container name, default "exoframe-traefik"
traefikName: 'exoframe-traefik'
# Additional Traefik start args, default []
traefikArgs: []
# Network used by traefik to connect services to, default "exoframe"
exoframeNetwork: 'exoframe'
# server image update channel; can be "stable" or "nightly", default "stable"
updateChannel: 'stable'
# path to folder with authorized_keys, default "~/.ssh"
publicKeysPath: '/home/user/.ssh'
# whether Exoframe server would be running in swarm mode, default "false"
swarm: false
# plugins config
# plugins:
# list of plugins that has to be installed and loaded by exoframe-server on startup
# install: ['exoframe-plugin-swarm']
# specific plugin config (see plugins docs to know what property they use)
# swarm:
# enabled: true
and when I do
docker exec -t exoframe-server /bin/sh -c 'cat /root/.ssh/authorized_keys'
I get the ssh keys as output ✅ I have not changed anything else on the server or on the client
@niklasgrewe does your ssh key use a supported format?
@yamalight definitely yes
I'll also try the Installation with this line
-v /home/user/.ssh/:$HOME/.ssh/
but the server.config.yml is otherwise already correct, right?
@niklasgrewe So, error 405 means exoframe-server cannot read the authorized_keys file, let's try to figure out why.
the right part definitely should be /root/.ssh/authorized_keys.
I'm not sure docker understands $HOME correctly - never tried it to be honest 🤔
Are permissions set correctly?
@yamalight Okay, this is really weird. Here's what I've done:
Generated a new SSH key on my macOS client
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -m 'PEM'
Transfer the SSH key to my server
ssh-copy-id username@server-ip
tested SSH login via Terminal like this
ssh username@server-ip
Connection successful - without requesting a password. Does the SSH key work ✅
Reinstalled exoframe-server and exoframe-traefik without removing the .exoframe directory
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /home/myusername/.exoframe:/root/.exoframe \
-v /home/myusername/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
-e EXO_PRIVATE_KEY=myprivatekey \
--label traefik.enable=true \
--label "traefik.http.routers.exoframe-server.rule=Host(\`my.domain.com\`)" \
--label "traefik.http.routers.exoframe-server-web.rule=Host(\`my.domain.com\`)" \
--label traefik.http.routers.exoframe-server.tls.certresolver=exoframeChallenge \
--label traefik.http.middlewares.exoframe-server-redirect.redirectscheme.scheme=https \
--label traefik.http.routers.exoframe-server-web.entrypoints=web \
--label traefik.http.routers.exoframe-server-web.middlewares=exoframe-server-redirect@docker \
--label traefik.http.routers.exoframe-server.entrypoints=websecure \
--label entryPoints.web.address=:80 \
--label entryPoints.websecure.address=:443 \
--restart always \
--name exoframe-server \
exoframe/server
check if ssh keys passed to exoframe-container
docker exec -t exoframe-server /bin/sh -c 'cat /root/.ssh/authorized_keys'
Output:
ssh-rsa.... (and longer longer longer)
so that worked, too. ✅
check if server.config.yml is correct
# path to folder with authorized_keys, default "~/.ssh"
publicKeysPath: '/home/myusername/.ssh/'
Try to login
exoframe login
Output:
Login in to https://my.domain.com
? Username: myusername
? Private key: id_rsa
? Private key passpharse (leave blank if not set): [input is hidden]
Error logging in! Check your username and password and try again. HTTPError: Response code 405 (Method Not Allowed)
Oh, man, what is wrong with this thing?
I think I found the issue that I haven't noticed yesterday.
You've changed the config to:
# path to folder with authorized_keys, default "~/.ssh"
publicKeysPath: '/home/myusername/.ssh/'
which means exoframe-server will look for authorized_keys under /home/myusername/.ssh/ inside the container, not under /root/.ssh/ where you mount it.
Either change the mount, or remove that property - that should fix it
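The mismatch described in the comment above, as an added example that is not part of the original thread or the Exoframe project: a shell check that compares publicKeysPath from server.config.yml with the container-side target of the authorized_keys mount. The function names and the /root/.ssh default are assumptions taken from the mount used in this thread.

```shell
#!/bin/sh
# Added example (not Exoframe code): verify that the directory the server is
# configured to read matches where authorized_keys is mounted in the container.

# Assumption: with publicKeysPath unset the server reads ~/.ssh of the
# container user, which is /root/.ssh (the mount target used in this thread).
DEFAULT_KEYS_DIR=/root/.ssh

# Print the effective keys directory for a server.config.yml (hypothetical helper).
configured_keys_dir() {
  # Last uncommented "publicKeysPath:" line; drop inline comment, blanks, quotes.
  value=$(sed -n 's/^[[:space:]]*publicKeysPath:[[:space:]]*//p' "$1" | tail -n 1 \
    | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
          -e "s/^['\"]//" -e "s/['\"]\$//")
  [ -n "$value" ] || value=$DEFAULT_KEYS_DIR
  # Normalise the trailing slash so "/x/.ssh/" compares equal to "/x/.ssh".
  printf '%s\n' "${value%/}"
}

# $1 = server.config.yml, $2 = container-side target of the -v mount.
check_keys_mount() {
  want=$(configured_keys_dir "$1")
  if [ "$want/authorized_keys" = "$2" ]; then
    echo "OK: server reads $2"
    return 0
  fi
  echo "MISMATCH: server reads $want/authorized_keys, file is mounted at $2"
  return 1
}

# Constructed sample reproducing the two configs from the thread.
demo() {
  cfg=$(mktemp)
  printf "publicKeysPath: '/home/myusername/.ssh/'\n" > "$cfg"
  check_keys_mount "$cfg" /root/.ssh/authorized_keys || true
  printf "# publicKeysPath: ''\n" > "$cfg"
  check_keys_mount "$cfg" /root/.ssh/authorized_keys
  rm -f "$cfg"
}
demo
```

Run it on the host against the real server.config.yml before re-creating the container; a MISMATCH line means the login request will fail even though cat inside the container shows the keys.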
@yamalight I changed the server.config.yaml to
# path to folder with authorized_keys, default "~/.ssh"
# publicKeysPath: ''
If I try to log in again afterwards, I still get the error. Or do I have to reinstall the containers again?
You have to re-create the server container again, yep
ok do I have to create the .exoframe directory again, or will it be overwritten?
just re-creating the container will do :)
@yamalight yeah it works now. Successfully logged in! ✅
thanks for your help and sorry that I didn't figure it out myself 🙈
@niklasgrewe cool, glad it was that easy to figure out :)