Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wings in Docker - "x509: certificate signed by unknown authority" on startup #3096

Closed
Sabinno opened this issue Feb 15, 2021 · 14 comments
Closed

Comments

@Sabinno
Copy link
Contributor

Sabinno commented Feb 15, 2021

Background (please complete the following information):

  • Panel or Daemon: Daemon
  • Version of Panel/Daemon: Panel: "canary" (:latest docker image tag); Wings: 1.2.3
  • Server's OS: CentOS Linux release 8.3.2011
  • Your Computer's OS & Browser: Windows 10 20H2, Microsoft Edge (though this is completely unrelated)
  • Traefik version: 2.4.2
  • Docker server/client version: 20.10.3 Community
  • Panel and daemon are behind Cloudflare

Describe the bug
In my particular configuration -- setting up both the panel and wings in docker, panel and daemon behind Cloudflare (SSL mode: Strict) and the panel alone behind Traefik -- I receive the following error (captured from Portainer)

 INFO: [Feb 15 19:51:18.699] fetching list of servers from API
FATAL: [Feb 15 19:51:18.775] failed to load server configurations error=Get "https://panel.argonaut.network/api/remote/servers?per_page=50": x509: certificate signed by unknown authority

Stacktrace:
Get "https://panel.argonaut.network/api/remote/servers?per_page=50": x509: certificate signed by unknown authority
github.com/pterodactyl/wings/cmd.rootCmdRun
	github.com/pterodactyl/wings/cmd/root.go:192
github.com/spf13/cobra.(*Command).execute
	github.com/spf13/cobra@v1.1.1/command.go:854
github.com/spf13/cobra.(*Command).ExecuteC
	github.com/spf13/cobra@v1.1.1/command.go:958
github.com/spf13/cobra.(*Command).Execute
	github.com/spf13/cobra@v1.1.1/command.go:895
github.com/pterodactyl/wings/cmd.Execute
	github.com/pterodactyl/wings/cmd/root.go:61
main.main
	command-line-arguments/wings.go:8
runtime.main
	runtime/proc.go:204
runtime.goexit
	runtime/asm_amd64.s:1374

I have attempted to resolve the issue with the --ignore-certificate-errors startup arg, but receive a different error altogether.

Lastly, I have attempted to resolve this issue, per the advice of Dr3nz4r in #wings-in-docker in Discord, by starting wings with the arg --auto-tls --tls-hostname node1.argonaut.network. This results in the former error log output, verbatim.

I have confirmed that the correct cert/key pair are located in /etc/letsencrypt/live/<host>.
I have confirmed that SELinux has not thrown any errors, and this still occurs in permissive mode.
I have confirmed that, to my knowledge (I have no idea how to tell, but was asked to verify this as a troubleshooting step), the files that should be located in /etc/ssl/certs are present.
I have confirmed that the necessary ports are open.

Below, you may find my configuration files:

To Reproduce
Steps to reproduce the behavior:

  1. Install panel and wings in docker with docker-compose files created as-is above.
  2. Start wings with docker-compose up -d

Expected behavior
Wings starts normally.

@TDogVoid
Copy link

I had this exact issue. This solved it for me
#2961 (comment)

@schrej
Copy link
Member

schrej commented Feb 25, 2021

Are your ca ca certificates up to date? The package should be ca-certificates.

@Sabinno
Copy link
Contributor Author

Sabinno commented Mar 1, 2021

I had this exact issue. This solved it for me
#2961 (comment)

Check my Wings docker-compose. That's definitely something I made sure I did.

@Sabinno
Copy link
Contributor Author

Sabinno commented Mar 1, 2021

Are your ca ca certificates up to date? The package should be ca-certificates.

I will check when I'm at a computer.

@DaneEveritt
Copy link
Member

Cannot reproduce, and from what I've seen in the past this has always been an issue with the system ca store not being updated correctly.

@TheFrisianClause
Copy link

TheFrisianClause commented Sep 1, 2021

How did you resolve this, as I currently followed the Wings installation instructions and imported the Letsencrypt certificates generated by ACME in PFsense. But I am getting this error:

FATAL: [Sep 1 21:01:03.689] failed to load server configurations error=http: request creation failed: Get "https://{SERVER_URL}/api/remote/servers?page=0&per_page=50": x509: certificate signed by unknown authority

Stacktrace:
Get "https://{SERVER_URL}/api/remote/servers?page=0&per_page=50": x509: certificate signed by unknown authority
http: request creation failed

I have done some troubleshooting, but cannot resolve the issue...

@schrej
Copy link
Member

schrej commented Sep 7, 2021

Try updating your ca-certificates.

@haugli92
Copy link

If you moved your panel from another server, renew certificates. That was my problem.

@dylif
Copy link

dylif commented Jun 14, 2022

I'm currently having this issue while running both Panel and Wings under docker. My system CA store was correctly mapped for wings to use. Not really sure what could be causing this as running Wings outside of docker fixes this issue.

@Sabinno
Copy link
Contributor Author

Sabinno commented Sep 13, 2022

The only way to fix this at this time has been to use --ignore-certificate-errors while running Wings.

@Alth3r
Copy link

Alth3r commented Nov 29, 2022

I have encountered this issue as well and after some detective work I have found the error and a possible solution. Although I am not sure if my way of solving this can be considered "best practice".

Running
docker inspect ghcr.io/pterodactyl/wings
shows that apparently the following file is needed in order to verify a TLS certificate:
"SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"

This file is being mounted via the docker-compose.yml.
So let's take a look at the ca-certificates.crt file on the host system:
ls -la /etc/ssl/certs/ca-certificates.crt
Output:
lrwxrwxrwx 1 root root 49 Sep 5 23:59 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem

So the ca-certificates.crt is just a symlink which points to a file at the location /etc/ca-certificates/extracted/tls-ca-bundle.pem. This directory is not mounted to the container.
Then I simply tried adding the following line to the volumes section:
- "/etc/ca-certificates/extracted/tls-ca-bundle.pem:/etc/ca-certificates/extracted/tls-ca-bundle.pem"

And voilà the container starts without any error messages. TLS certificates are now being correctly verified.

I hope this helps anyone who might run into the same problem. Have a great day :D

argonaut-network added a commit to argonaut-network/wings-1 that referenced this issue Dec 10, 2022
Works around pterodactyl/panel#3096 (which couldn't be reproduced at the time, presumably due to no one happening to run EL) by adding documentation of alternative location for CA certs. The location of CA certificates varies by distribution. Debian/Ubuntu and derivatives use /etc/ssl/certs as the location for CA certs, but that path is hardcoded into the official Wings image, so adding an alt path to mount is the next best thing.

Without having the correct cert location, you can fall back to the one inside the container of course, but it's preferable to use the host's. I don't know about other distros, but I found what is necessary for it to work on EL. By default, on EL, an x509 error occurs and Wings is unreachable.
@argonaut-network
Copy link
Contributor

Should be able to work around this with pterodactyl/wings#154

Basically, just mount /etc/ssl/certs/certificates.crt to /etc/pki/ca-trust/extracted/openssl/ca-trust.bundle.crt which is the location of openSSL CA certs on EL/Fedora based distros.

@jonxor
Copy link

jonxor commented Jun 26, 2024

For future generations that land here, this can happen if you decide to use just the hostname.cer instead of fullchain.cer. Make sure you use fullchain on both wings SSL cert and the panel's SSL cert.

@daviddempsey
Copy link

This took me way too long to figure out, but commenting out the CA cert mounting in docker-compose resolved this for me. 🤦🏻 Thanks @danny6167.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests