-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
local error: tls: bad record MAC #2838
Comments
If you're using the stack locally (localhost), then I'd recommend interacting with the stack without TLS (using the http/mqtt/ws/grpc ports).
This is quite wrong. No Certificate Authority will provide you a certificate for localhost and if you're using self-signed certs, please don't use this on a public deployment. |
Thank you for the quick response.
1) How did you generate the SSL Certs? If you've deployed this on a public
machine, you can either use the in-built stack ACME or query certificates
yourself using Lets Encrypt.
- I'm using an existing Let's Encrypt generated by acme.sh and managed
outside of The Things Stack for my domain.
2) Does the CN (Canonical Name) of the certificate match the host where
this is deployed?
- Yes, the certificate I use is a wildcard certificate that I use for other
services that are exposed publicly, The Things Stack is not exposed
publicly and I have not yet decided if I will ever do so. If I do decide to
publicly expose it, then it will be behind an SSL terminated reverse Apache
proxy protected with oauth that I maintain. The goal was to test this out
as a POC before doing anything else.
If you're using the stack locally (localhost), then I'd recommend
interacting with the stack without TLS (using the http/mqtt/ws/grpc ports).
- That was my original intent, but I had received the Token exchange
refused message upon initial login after bringing up the stack and
connecting to http://lora.<redacted>:1885. After searching github and the
forum, I read something about TLS being used on the back end or something (I
can't quite recall), that led me down the path of verifying that my
certificates were in fact valid. I also noticed that the certificates were
not included when bringing up the stack when configured in the config file,
but instead I needed to supply the values using the environment variables
instead.
for host in localhost lora.; do echo ${host}:; curl https://${host}:8885;
echo -e '-----\n'; done
Something must have gotten stripped from that message because its a for
loop testing curl against localhost and a redacted hostname that I was not
comfortable displaying publicly `lora."redacted"` the "redacted" part of
that for loop is my domain, which I demonstrated as being a valid hostname
with the ping statement I mentioned in the issue. The only reason I had
included localhost, was some previous comments on other issues had
mentioned attempting the connection to localhost which succeeded. The
attempt was purely a last ditch "what else can I possibly try" effort.
…On Fri, Jul 3, 2020 at 2:17 PM Krishna Iyer Easwaran < ***@***.***> wrote:
1. How did you generate the SSL Certs? If you've deployed this on a
public machine, you can either use the in-built stack ACME or query
certificates yourself using Lets Encrypt.
2. Does the CN (Canonical Name) of the certificate match the host
where this is deployed?
If you're using the stack locally (localhost), then I'd recommend
interacting with the stack without TLS (using the http/mqtt/ws/grpc ports).
for host in localhost lora.; do echo ${host}:; curl https://${host}:8885;
echo -e '-----\n'; done
This is quite wrong. No Certificate Authority will provide you a
certificate for localhost and if you're using self-signed certs, please
don't use this on a public deployment.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2838 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAKKWYBP4QHVB76IMZYXZIDRZYVEVANCNFSM4OPE4G6A>
.
|
Let me see if understand right
If I have that right, is this machine physically local to you? Are you opening a browser on this machine and hitting |
I'm accessing all resources from my local network at the moment, this is
simply a POC.
I have a UniFi Security Gateway with ports 80 and 443 mapped to a docker
host on a private subnet running Apache. The same docker host that's
running Apache is also running The Things Stack. I'm using split DNS, and I
only have a few services that I'm exposing publicly. I am not yet exposing
lora.redacted either through the Apache reverse proxy nor DNS. All of the
services I'm hosting (both public and private) are using the same Let's
Encrypt wildcard certificate. I'm using dnsmasq on my USG as the internal
resolver. I have multiple CNAME/aliases pointing to the docker host running
Apache/The Things Stack/etc. Apache is only ever involved when attempting
to connect to public DNS from outside of my local network. The DNS entry,
lora.redacted (192.168.1.10) points directly to the docker host.
To simplify things:
- local network -> http://lora.redacted:1885 (192.168.1.10:1885) -> "Token
exchange refused"
- local network -> ssh tunnel (1885:192.168.1.10:1885) ->
http://localhost:1885 -> "Token exchange refused"
- local network -> https://lora.redacted:8885 (192.168.1.10:1885) -> "Token
exchange refused"
- local network -> ssh tunnel (8885:192.168.1.10:8885
<http://192.168.1.10:1885>) -> https://localhost:8885
<http://localhost:1885> -> "SSL_ERROR_BAD_CERT_DOMAIN" -> "Token
exchange refused"
- local network -> https://www.redacted (192.168.1.10:443) -> OK
- public network -> https://www.redacted -> OK
…On Mon, Jul 6, 2020 at 9:14 AM Ben Olayinka ***@***.***> wrote:
Let me see if understand right
- You have a machine exposing lora.redacted with Apache using acme
certificates for TLS
- You're running a docker container on this machine but you're not
exposing The Things Stack with Apache
- You're running all of the above commands on this machine, so a ping
to localhost will never leave the machine but a ping to lora.redacted
should hit a DNS resolver somewhere and then come back to the machine
through Apache
If I have that right, is this machine physically local to you? Are you
opening a browser on this machine and hitting localhost:1885?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2838 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAKKWYGNIGJGWBKYF5U4NR3R2HL2ZANCNFSM4OPE4G6A>
.
|
@jceloria: This has to do with your |
That's most likely the case, I'm sure. I posted both the docker-compose.yml and ttn-lw-stack.yml, under Steps to reproduce (1.) as gists, or were you referring to something else? |
Ah yeah indeed. I just saw that. I think I see the issue here. What values did you use as |
I used Ansible to deploy with the following arguments to docker-compose which I grabbed from the getting-started/installation page:
{{ fqdn }}: lora.redacted In all likelihood, I'm missing something that's not obvious to me with the configuration. I appreciate the assistance. |
I see what you're saying, since this is all local, I should be able to update the config to the following:
|
Exactly. The above looks correct. |
Thank you, that was in fact what I needed. After you had mentioned it, I came across #1752. If anyone is curious, this is the scrubbed & stripped down Ansible role that I'm testing with: https://github.com/jceloria/ansible-ttn-stack Thanks again for everyone's help. |
Summary
This is a new install using docker-compose, following the getting started guide. After running docker-compose up, I proceed to the console and see
Token exchange refused
. I came across #2353, #1818, #2511, and #2521 all of which led me to try different options to resolve this issue, unfortunately nothing has worked for me thus far....
Steps to Reproduce
client-secret
as outlined in the getting-started documentation for console.oauth.client-secretWhat do you see now?
I'm able to resolve the host name from the container:
I have verified the certificates:
When I run curl against localhost and the host name I'm using in the config I get the following:
I get the same outcome when I specify the ca cert:
curl --cacert /run/secrets/ca.pem https://${host}:8885
When viewing the docker logs, I see the following when attempting to connect:
Am I missing something?
What do you want to see instead?
I would like to login to the console.
Environment
How do you propose to implement this?
no idea.
How do you propose to test this?
n/a
Can you do this yourself and submit a Pull Request?
n/a
The text was updated successfully, but these errors were encountered: