Client failed to connect to Self-Hosted NetBird server: failed while getting Management Service public key #3110
Comments
@GeorgeDaGreatt Did you find the solution? I'm also getting the same issue.
I'm glad to see that I'm not the only one with this error. But sadly, no.
I'm getting the same issue and I opened a ticket on here too.
Could you share the issue's link with us? (In case I may need to reference it too.)
I resolved my issue myself. The issue was resolved by adding the following in the setup.env file: NETBIRD_MGMT_API_PORT set to your reverse-proxy TLS port (default: 443), running ./configure.sh, then modifying docker-compose.yml to map ports 33073 for management to 443 and 10000 for signal to 443. After running docker compose up -d I was able to add peers. For the issue in this thread, make sure also that your nginx configuration in the advanced tab is as follows:
Make sure the custom locations tab is blank. Let me know if you have any questions. Thanks.
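An added example of the "location blocks in the advanced tab" approach described above; this is not farewarr's actual advanced-tab contents, which are not preserved on this page. NETBIRD_HOST is a placeholder for the NetBird host's IP address (or its Docker service name when Nginx Proxy Manager runs on the same Docker network), 33073 and 10000 are the host ports the compose file publishes for management and signal, and the gRPC service paths follow NetBird's management and signal protobuf packages and should be checked against your deployment.

```nginx
# Added example, not the thread author's configuration.
# NETBIRD_HOST: placeholder for the NetBird host (IP, or Docker service name when on
# the same Docker network). HTTP/2 must be enabled on the proxy host, otherwise gRPC
# (and therefore the Management Service public key request) cannot work at all.
# The proxy host's Details tab keeps forwarding "/" to the dashboard container.

# Signal: clients hold long-lived gRPC streams, so use long timeouts and keepalive.
location /signalexchange.SignalExchange/ {
    grpc_pass grpc://NETBIRD_HOST:10000;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}

# Management gRPC: this is the call that fails with "failed while getting
# Management Service public key" when the proxy speaks only HTTP/1.1.
location /management.ManagementService/ {
    grpc_pass grpc://NETBIRD_HOST:33073;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}

# Management REST API used by the dashboard (same port as management gRPC).
location /api {
    proxy_pass http://NETBIRD_HOST:33073;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
```

Management's port here is 33073 only because the compose file publishes it that way; if NETBIRD_MGMT_API_PORT was changed to 443 as described above, that value is the port clients and the dashboard use to reach the proxy, not the upstream port nginx forwards to.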
After adding the configuration on both NetBird and Nginx Proxy Manager, the dashboard refused to load after authenticating with Authentik. To diagnose the issue, I opened my browser's console to see this error: I made sure that there were no locations configured in Nginx Proxy Manager and that it was forwarding the correct host and ports, and the formatting in the advanced section should be correct, because when it isn't, Nginx Proxy Manager marks the Proxy Host as disabled and refuses to connect any clients to it. That was before I looked at this message at the bottom of the advanced configuration which states: According to that message, I should be able to modify the configuration so that Nginx accepts gRPC and forwards everything perfectly fine. My question is: how? And if I can't, is there another solution?
@GeorgeDaGreatt I would ignore that message in the advanced tab. What that message is saying, which is misleading and kind of confusing, is that you cannot use the set_header or add_header simply by itself without also including code for the location blocks. But since we are including the location blocks in the advanced tab we are fine. What I have come to learn is that proxy manager itself is just a UI kid-friendly version of NGINX itself. So if you do not want to use any nginx code at all, you can use the UI and the custom locations tab. If you do want to use standard nginx code you can do that in the advanced tab. I know how frustrating this is, as I spent days on this. So I am committed to helping you resolve this. If you want, you can post screenshots of all the tabs (except the advanced tab) and a copy of the code you have in the advanced tab and I will review it for you. Alternatively, if you want to direct message me we can try to find time to hop on a Zoom or WebEx or something.
Thanks for the clarification. I honestly think that they should really add more context about what they are talking about in the advanced tab; it confuses everyone that didn't spend days trying to figure it out. Moving on. After I found out that both types of configuration didn't work with NetBird (and Nginx didn't care where you placed configuration), I used the configuration @farewarr suggested earlier. Here is the configuration I entered in the advanced tab:
And the base configuration:
I made sure that all configuration was removed in the location tab, and that all ports were matching. However, the configuration still returns the same error when logging in (shown below). I only modified the IP address needed in the advanced configuration for the correct forwarding. I can share more configuration if needed to solve this issue, and I really appreciate all the help given to solve it.
@GeorgeDaGreatt, what's handling your cert? Is Proxy Manager terminating the SSL? Whether you are using a custom cert or a LetsEncrypt cert, you want to force SSL (enable that) and HTTP/2 (enable that). Also provide me your latest docker compose and management.json file. Thanks.
Edit: See next comment for an update.
I use Cloudflare to manage my DNS and certificates, and all my domains go to my Nginx Proxy Manager instance, where SSL is terminated. I requested a LetsEncrypt certificate in NPM and added it to the NPM configuration for NetBird, then turned on the settings I was suggested. After saving those settings, my browser gave me this error: After some trial and error, the error seemed to be caused by the "Force SSL" setting. Moving on... Here is the docker-compose.yml file and management.json file as requested: docker-compose.yml (some data has been redacted)
management.json (some data has been redacted)
If you need any more configuration or information, I will provide it on request. As always, thank you so much for your help on solving this issue.
UPDATE: Since that clearly didn't work, I tried downloading a Cloudflare Origin server certificate to replace the LetsEncrypt certificate. I also changed some Cloudflare settings (setting the SSL setting to "Full (Strict)"), which fixed the "Too many redirects" error. However, my browser still reported the same error found a little bit before:
OK, in your docker compose file, the signal port is set to 10000:443 and needs to be set to 10000:80. Also, your relay domain (since it's redacted, no worries): just make sure you have a separate domain for your relay pointing directly to the IP address of the NetBird server, and not your reverse proxy, because we are not proxying the relay, and if you have it pointing to the IP address of your proxy server it will try to access 33080 on the proxy server and not the NetBird server. As for Cloudflare, I'm not too familiar with it; are you using it as a tunnel, or does Cloudflare itself terminate the SSL?
I changed the value in the docker-compose.yml file from My Relay domain is separate, strictly not forwarded through Nginx Proxy Manager, and (in Cloudflare) DNS queries are not proxied for that domain specifically. Thanks for the reassurance on that. Cloudflare does have cloudflared (Cloudflare Tunnels), which I used to use when I didn't have NPM running. But now it is used mainly for DNS and SSL (and its very effective proxying). Cloudflare (on its free plan) provides a free SSL certificate and proxying for your DNS queries, among other things. As for how SSL on Cloudflare works, here is a little breakdown: Cloudflare by default provides a Universal Certificate for your zone (domain). How Cloudflare handles encrypted traffic is a choice you make. Cloudflare gives you these options for how SSL traffic is handled:
- Strict: Enforces and ensures encryption between Cloudflare and your Origin Server. You would normally use this to make sure ALL traffic is encrypted, regardless of user choice.
- Full (Strict)*: Basically End-To-End encryption using Cloudflare's Origin certificates on your server, which your server HAS to have in order to use. (This is what I now use.)
- Full: End-To-End encryption but without the certificate Cloudflare provides; people normally use this if they already have a certificate (like LetsEncrypt).
- Flexible: Cloudflare serves traffic with encryption enabled, but connections made from Cloudflare to the Origin Server are unencrypted.
- Off: Plain HTTP, no encryption whatsoever. Your browser doesn't trust your website by default.
* It's important to mention that the Origin Certificate you download and import on your servers is only valid for encryption between Cloudflare and your origin server. You CANNOT use the certificate for traffic served outside Cloudflare. I hope that this provides a helpful guide for how SSL works on Cloudflare. I still cannot thank you enough for the help provided to me.
Thanks @farewarr, this solved my problems. Before, I used custom locations and always had trouble with correct forwarding. After adding the content to the advanced tab and removing all custom locations, everything is working fine with NPM. @GeorgeDaGreatt not sure if this is really your issue, but as far as I can see, you are using more or less the default compose file, which is running the containers in a bridge network. Make sure to set the container/service names and not the server IP as proxy and grpc destinations. E.g.
I failed to mention that Nginx Proxy Manager runs on a separate machine, not on the same one running NetBird. (Sorry about that.) And (to my knowledge) you can't reference containers in a bridge that aren't on the same machine. I had it working perfectly fine with an IP address previously (excluding client connection), and I'm not sure if Docker creating a bridge network had/has any interference.
Describe the problem
I have a NetBird instance running locally behind Nginx Proxy Manager, with the IdP being Authentik (also behind NPM). The dashboard logs in fine through Authentik and is able to operate just fine, but getting any client to work is near impossible because of the error. The ports that are needed for the server to communicate with clients have been forwarded and tested to work fine. NPM should be forwarding everything for it to work (otherwise, the dashboard wouldn't load).
I tried using this solution, but I still encountered the same error. The error shows up regardless.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
All clients were expected to work when connecting to the Self-Hosted NetBird Server, using the server URL provided in the dashboard.
Are you using NetBird Cloud?
No, Self-Hosted. And not in the cloud either.
NetBird version
netbird version 0.34.1
NetBird status -dA output:
Additional context
Here is some of the configuration of the NetBird server, be aware that some details have been modified to ensure privacy.
Management.json
docker-compose.yml
setup.env (Copied example file and modified it)
I can provide further information when requested. I hope all of this helps.