TLS Certificate fails in NS8

NethServer Version: NS8-alpha
Module: cluster-admin

I have a brand-new installation of NS8 under Rocky 9.1 in a public VPS. It has a public IP address, public DNS records, and is accessible to the world on port 80. Rocky itself is completely stock; the only package I’ve installed manually is nano. I’ve created the cluster, set a password, and now I want to create a trusted certificate. So I go to Settings → TLS Certificates, click Request certificate, enter my FQDN, and click request. After a minute or two, it fails. Clicking the “More info” toggle gives me this:

{
  "context": {
    "action": "set-certificate",
    "data": {
      "fqdn": "ns8.familybrown.org",
      "sync": true
    },
    "extra": {
      "description": "Processing",
      "eventId": "5587b712-e89f-4c6a-b4fc-8e026da1b74f",
      "logs": {
        "instance": "traefik1",
        "path": "?searchQuery=&context=module&selectedAppId=traefik1&followLogs=false&startDate=2023-03-08&startTime=07%3A22&autoStartSearch=true"
      },
      "title": "Request certificate for ns8.familybrown.org"
    },
    "id": "fe440fa9-1fd0-48fa-a8d9-6bdaefc167fe",
    "parent": "",
    "queue": "module/traefik1/tasks",
    "timestamp": "2023-03-08T12:22:25.565363044Z",
    "user": "admin"
  },
  "status": "aborted",
  "progress": 99,
  "subTasks": [],
  "validated": true,
  "result": {
    "error": "",
    "exit_code": 2,
    "file": "module/traefik1/task/fe440fa9-1fd0-48fa-a8d9-6bdaefc167fe",
    "output": {
      "obtained": false
    }
  }
}

I don’t see anything helpful in the Traefik logs, but they’re below just in case, with mentions of redis excluded:

2023-03-08T07:22:07-05:00 traefik1 module/traefik1/task/35d895ce-0c12-4470-a337-97cde93c5ab4: delete-certificate/20writeconfig is starting
2023-03-08T07:22:07-05:00 traefik1 module/traefik1/task/35d895ce-0c12-4470-a337-97cde93c5ab4: delete-certificate/21waitsync is starting
2023-03-08T07:22:08-05:00 traefik1 module/traefik1/task/35d895ce-0c12-4470-a337-97cde93c5ab4: action "delete-certificate" status is "completed" (0) at step validate-output.json
2023-03-08T07:22:08-05:00 traefik1 module/traefik1/task/ca9a6b10-2420-42bc-a6e1-09455f500869: list-certificates/20readconfig is starting
2023-03-08T07:22:08-05:00 traefik1 module/traefik1/task/ca9a6b10-2420-42bc-a6e1-09455f500869: action "list-certificates" status is "completed" (0) at step validate-output.json
2023-03-08T07:22:25-05:00 traefik1 module/traefik1/task/fe440fa9-1fd0-48fa-a8d9-6bdaefc167fe: set-certificate/20writeconfig is starting
2023-03-08T07:22:25-05:00 traefik1 module/traefik1/task/abe97147-a3ce-4759-a792-1140c555fbaf: list-certificates/20readconfig is starting
2023-03-08T07:22:26-05:00 traefik1 module/traefik1/task/fe440fa9-1fd0-48fa-a8d9-6bdaefc167fe: set-certificate/21waitsync is starting
2023-03-08T07:22:26-05:00 traefik1 module/traefik1/task/abe97147-a3ce-4759-a792-1140c555fbaf: action "list-certificates" status is "completed" (0) at step validate-output.json
2023-03-08T07:22:26-05:00 traefik1 time="2023-03-08T12:22:26Z" level=info msg=Register... providerName=acmeServer.acme
2023-03-08T07:22:26-05:00 traefik1 time="2023-03-08T12:22:26Z" level=error msg="Unable to obtain ACME certificate for domains \"ns8.familybrown.org\" : cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: contact email \"root@localhost.localdomain\" has invalid domain : Domain name does not end with a valid public suffix (TLD)" providerName=acmeServer.acme
2023-03-08T07:22:34-05:00 traefik1 time="2023-03-08T12:22:34Z" level=error msg="Error getting challenge for token retrying in 711.996614ms" providerName=acme
2023-03-08T07:22:34-05:00 traefik1 172.104.24.29 - - [08/Mar/2023:12:22:34 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 727 "-" "-" 0ms
2023-03-08T07:22:34-05:00 traefik1 time="2023-03-08T12:22:34Z" level=error msg="Error getting challenge for token retrying in 488.302953ms" providerName=acme
2023-03-08T07:22:34-05:00 traefik1 time="2023-03-08T12:22:34Z" level=error msg="Error getting challenge for token retrying in 465.09708ms" providerName=acme
2023-03-08T07:22:34-05:00 traefik1 time="2023-03-08T12:22:34Z" level=error msg="Error getting challenge for token retrying in 420.248638ms" providerName=acme
2023-03-08T07:22:34-05:00 traefik1 time="2023-03-08T12:22:34Z" level=error msg="Error getting challenge for token retrying in 780.280093ms" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 596.103886ms" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 386.38415ms" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 743.544178ms" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 1.407986197s" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 993.934089ms" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 1.661320449s" providerName=acme
2023-03-08T07:22:35-05:00 traefik1 time="2023-03-08T12:22:35Z" level=error msg="Error getting challenge for token retrying in 691.405028ms" providerName=acme
2023-03-08T07:22:36-05:00 traefik1 time="2023-03-08T12:22:36Z" level=error msg="Error getting challenge for token retrying in 1.99423624s" providerName=acme
2023-03-08T07:22:36-05:00 traefik1 time="2023-03-08T12:22:36Z" level=error msg="Error getting challenge for token retrying in 939.849301ms" providerName=acme
2023-03-08T07:22:36-05:00 traefik1 time="2023-03-08T12:22:36Z" level=error msg="Error getting challenge for token retrying in 1.321205794s" providerName=acme
2023-03-08T07:22:37-05:00 traefik1 time="2023-03-08T12:22:37Z" level=error msg="Error getting challenge for token retrying in 1.709457141s" providerName=acme
2023-03-08T07:22:37-05:00 traefik1 time="2023-03-08T12:22:37Z" level=error msg="Error getting challenge for token retrying in 1.340581975s" providerName=acme
2023-03-08T07:22:38-05:00 traefik1 time="2023-03-08T12:22:38Z" level=error msg="Error getting challenge for token retrying in 2.622419602s" providerName=acme
2023-03-08T07:22:38-05:00 traefik1 time="2023-03-08T12:22:38Z" level=error msg="Error getting challenge for token retrying in 1.268328847s" providerName=acme
2023-03-08T07:22:39-05:00 traefik1 time="2023-03-08T12:22:39Z" level=error msg="Error getting challenge for token retrying in 1.923739534s" providerName=acme
2023-03-08T07:22:39-05:00 traefik1 time="2023-03-08T12:22:39Z" level=error msg="Error getting challenge for token retrying in 1.349105219s" providerName=acme
2023-03-08T07:22:39-05:00 traefik1 time="2023-03-08T12:22:39Z" level=error msg="Error getting challenge for token retrying in 4.245188031s" providerName=acme
2023-03-08T07:22:40-05:00 traefik1 time="2023-03-08T12:22:40Z" level=error msg="Error getting challenge for token retrying in 4.883333862s" providerName=acme
2023-03-08T07:22:40-05:00 traefik1 time="2023-03-08T12:22:40Z" level=error msg="Error getting challenge for token retrying in 3.0720906s" providerName=acme
2023-03-08T07:22:40-05:00 traefik1 time="2023-03-08T12:22:40Z" level=error msg="Error getting challenge for token retrying in 5.613916506s" providerName=acme
2023-03-08T07:22:43-05:00 traefik1 time="2023-03-08T12:22:43Z" level=error msg="Error getting challenge for token retrying in 3.431484243s" providerName=acme
2023-03-08T07:22:44-05:00 traefik1 time="2023-03-08T12:22:44Z" level=error msg="Error getting challenge for token retrying in 8.077114882s" providerName=acme
2023-03-08T07:22:45-05:00 traefik1 time="2023-03-08T12:22:45Z" level=error msg="Error getting challenge for token retrying in 7.660988297s" providerName=acme
2023-03-08T07:22:46-05:00 traefik1 time="2023-03-08T12:22:46Z" level=error msg="Error getting challenge for token retrying in 11.072479281s" providerName=acme
2023-03-08T07:22:47-05:00 traefik1 time="2023-03-08T12:22:47Z" level=error msg="Error getting challenge for token retrying in 11.170955265s" providerName=acme
2023-03-08T07:22:52-05:00 traefik1 time="2023-03-08T12:22:52Z" level=error msg="Error getting challenge for token retrying in 4.786692673s" providerName=acme
2023-03-08T07:22:53-05:00 traefik1 time="2023-03-08T12:22:53Z" level=error msg="Error getting challenge for token retrying in 8.847417094s" providerName=acme
2023-03-08T07:22:56-05:00 traefik1 time="2023-03-08T12:22:56Z" level=error msg="Error getting challenge for token retrying in 6.85370799s" providerName=acme
2023-03-08T07:22:57-05:00 traefik1 time="2023-03-08T12:22:57Z" level=error msg="Error getting challenge for token retrying in 7.319040675s" providerName=acme
2023-03-08T07:22:58-05:00 traefik1 time="2023-03-08T12:22:58Z" level=error msg="Error getting challenge for token retrying in 13.930501025s" providerName=acme
2023-03-08T07:23:01-05:00 traefik1 time="2023-03-08T12:23:01Z" level=error msg="Error getting challenge for token retrying in 13.121117015s" providerName=acme
2023-03-08T07:23:03-05:00 traefik1 time="2023-03-08T12:23:03Z" level=error msg="Error getting challenge for token retrying in 20.990543871s" providerName=acme
2023-03-08T07:23:04-05:00 traefik1 time="2023-03-08T12:23:04Z" level=error msg="Error getting challenge for token retrying in 16.165087408s" providerName=acme
2023-03-08T07:23:12-05:00 traefik1 time="2023-03-08T12:23:12Z" level=error msg="Cannot retrieve the ACME challenge for ns8.familybrown.org (token \"SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8\"): cannot find challenge for token \"SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8\" (ns8.familybrown.org)" providerName=acme
2023-03-08T07:23:12-05:00 traefik1 34.217.175.29 - - [08/Mar/2023:12:22:34 +0000] "GET /.well-known/acme-challenge/SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8 HTTP/1.1" 404 0 "-" "-" 732 "acme-http@internal" "-" 37774ms
2023-03-08T07:23:15-05:00 traefik1 time="2023-03-08T12:23:15Z" level=error msg="Cannot retrieve the ACME challenge for ns8.familybrown.org (token \"letsdebug-test\"): cannot find challenge for token \"letsdebug-test\" (ns8.familybrown.org)" providerName=acme
2023-03-08T07:23:15-05:00 traefik1 172.104.24.29 - - [08/Mar/2023:12:22:34 +0000] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 0 "-" "-" 726 "acme-http@internal" "-" 40735ms
2023-03-08T07:23:21-05:00 traefik1 time="2023-03-08T12:23:21Z" level=error msg="Cannot retrieve the ACME challenge for ns8.familybrown.org (token \"SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8\"): cannot find challenge for token \"SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8\" (ns8.familybrown.org)" providerName=acme
2023-03-08T07:23:21-05:00 traefik1 18.219.146.86 - - [08/Mar/2023:12:22:34 +0000] "GET /.well-known/acme-challenge/SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8 HTTP/1.1" 404 0 "-" "-" 730 "acme-http@internal" "-" 46462ms
2023-03-08T07:23:24-05:00 traefik1 time="2023-03-08T12:23:24Z" level=error msg="Cannot retrieve the ACME challenge for ns8.familybrown.org (token \"SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8\"): cannot find challenge for token \"SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8\" (ns8.familybrown.org)" providerName=acme
2023-03-08T07:23:24-05:00 traefik1 23.178.112.107 - - [08/Mar/2023:12:22:34 +0000] "GET /.well-known/acme-challenge/SV5nine3_bOirTWrrV6yRRZbKmaNuD9Jk73NoOBIoF8 HTTP/1.1" 404 0 "-" "-" 731 "acme-http@internal" "-" 50128ms
2023-03-08T07:24:26-05:00 traefik1 module/traefik1/task/fe440fa9-1fd0-48fa-a8d9-6bdaefc167fe: action "set-certificate" status is "aborted" (2) at step 21waitsync
2023-03-08T07:24:27-05:00 traefik1 module/traefik1/task/da489931-bad8-4828-ad28-129d2fa1194e: list-certificates/20readconfig is starting
2023-03-08T07:24:27-05:00 traefik1 module/traefik1/task/da489931-bad8-4828-ad28-129d2fa1194e: action "list-certificates" status is "completed" (0) at step validate-output.json
2023-03-08T07:34:24-05:00 traefik1 96.68.219.29 - - [08/Mar/2023:12:34:24 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 988 "-" "-" 0ms
2023-03-08T07:34:24-05:00 traefik1 96.68.219.29 - - [08/Mar/2023:12:34:24 +0000] "GET /favicon.ico HTTP/1.1" 404 19 "-" "-" 989 "-" "-" 0ms
2023-03-08T07:34:50-05:00 traefik1 172.69.208.169 - - [08/Mar/2023:12:34:50 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 990 "-" "-" 0ms
2023-03-08T07:35:37-05:00 traefik1 107.117.176.75 - - [08/Mar/2023:12:35:37 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 991 "-" "-" 0ms
2023-03-08T07:37:51-05:00 traefik1 85.215.2.227 - - [08/Mar/2023:12:37:51 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 992 "-" "-" 0ms
2023-03-08T07:37:52-05:00 traefik1 85.215.2.227 - - [08/Mar/2023:12:37:52 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 993 "-" "-" 0ms
2023-03-08T07:37:57-05:00 traefik1 time="2023-03-08T12:37:57Z" level=error msg="Error getting challenge for token retrying in 685.329261ms" providerName=acme
2023-03-08T07:37:58-05:00 traefik1 time="2023-03-08T12:37:58Z" level=error msg="Error getting challenge for token retrying in 430.860986ms" providerName=acme
2023-03-08T07:37:58-05:00 traefik1 time="2023-03-08T12:37:58Z" level=error msg="Error getting challenge for token retrying in 1.294486357s" providerName=acme
2023-03-08T07:37:59-05:00 traefik1 time="2023-03-08T12:37:59Z" level=error msg="Error getting challenge for token retrying in 1.008312736s" providerName=acme
2023-03-08T07:38:00-05:00 traefik1 time="2023-03-08T12:38:00Z" level=error msg="Error getting challenge for token retrying in 3.363886216s" providerName=acme
2023-03-08T07:38:04-05:00 traefik1 time="2023-03-08T12:38:04Z" level=error msg="Error getting challenge for token retrying in 4.332760697s" providerName=acme
2023-03-08T07:38:07-05:00 traefik1 85.215.2.227 - - [08/Mar/2023:12:38:07 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 995 "-" "-" 0ms
2023-03-08T07:38:08-05:00 traefik1 time="2023-03-08T12:38:08Z" level=error msg="Error getting challenge for token retrying in 8.348312171s" providerName=acme
2023-03-08T07:38:16-05:00 traefik1 time="2023-03-08T12:38:16Z" level=error msg="Error getting challenge for token retrying in 7.560480044s" providerName=acme
2023-03-08T07:38:24-05:00 traefik1 time="2023-03-08T12:38:24Z" level=error msg="Error getting challenge for token retrying in 12.92092416s" providerName=acme
2023-03-08T07:38:37-05:00 traefik1 time="2023-03-08T12:38:37Z" level=error msg="Cannot retrieve the ACME challenge for ns8.familybrown.org (token \"check-your-website-dot-server-daten-dot-de\"): cannot find challenge for token \"check-your-website-dot-server-daten-dot-de\" (ns8.familybrown.org)" providerName=acme
2023-03-08T07:38:37-05:00 traefik1 85.215.2.227 - - [08/Mar/2023:12:37:57 +0000] "GET /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de HTTP/1.1" 404 0 "-" "-" 994 "acme-http@internal" "-" 39960ms
2023-03-08T07:40:39-05:00 traefik1 172.105.77.209 - - [08/Mar/2023:12:40:39 +0000] "GET /0bef HTTP/1.0" - - "-" "-" 996 "-" "-" 0ms
2023-03-08T07:41:12-05:00 traefik1 172.105.77.209 - - [08/Mar/2023:12:41:12 +0000] "GET /0bef HTTP/1.0" 404 19 "-" "-" 997 "-" "-" 0ms
2023-03-08T07:50:17-05:00 traefik1 time="2023-03-08T12:50:17Z" level=error msg="Error getting challenge for token retrying in 615.904159ms" providerName=acme
2023-03-08T07:50:17-05:00 traefik1 time="2023-03-08T12:50:17Z" level=error msg="Error getting challenge for token retrying in 443.373148ms" providerName=acme
2023-03-08T07:50:18-05:00 traefik1 time="2023-03-08T12:50:18Z" level=error msg="Error getting challenge for token retrying in 603.609902ms" providerName=acme
2023-03-08T07:50:18-05:00 traefik1 time="2023-03-08T12:50:18Z" level=error msg="Error getting challenge for token retrying in 2.188708749s" providerName=acme
2023-03-08T07:50:21-05:00 traefik1 time="2023-03-08T12:50:21Z" level=error msg="Error getting challenge for token retrying in 2.392672707s" providerName=acme
2023-03-08T07:50:23-05:00 traefik1 time="2023-03-08T12:50:23Z" level=error msg="Error getting challenge for token retrying in 2.021352396s" providerName=acme
2023-03-08T07:50:25-05:00 traefik1 time="2023-03-08T12:50:25Z" level=error msg="Error getting challenge for token retrying in 6.726437073s" providerName=acme
2023-03-08T07:50:32-05:00 traefik1 time="2023-03-08T12:50:32Z" level=error msg="Error getting challenge for token retrying in 11.10308917s" providerName=acme
2023-03-08T07:50:43-05:00 traefik1 time="2023-03-08T12:50:43Z" level=error msg="Error getting challenge for token retrying in 18.440134467s" providerName=acme
2023-03-08T07:51:01-05:00 traefik1 time="2023-03-08T12:51:01Z" level=error msg="Error getting challenge for token retrying in 10.615601233s" providerName=acme
2023-03-08T07:51:12-05:00 traefik1 time="2023-03-08T12:51:12Z" level=error msg="Cannot retrieve the ACME challenge for 66.94.117.228 (token \"letsdebug-test\"): cannot find challenge for token \"letsdebug-test\" (66.94.117.228)" providerName=acme
2023-03-08T07:51:12-05:00 traefik1 96.68.219.29 - - [08/Mar/2023:12:50:17 +0000] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 0 "-" "-" 1004 "acme-http@internal" "-" 55167ms
2023-03-08T07:52:20-05:00 traefik1 module/traefik1/task/7f8c95b2-1ca2-4341-8623-a63b6e2babd2: list-routes/20readconfig is starting
2023-03-08T07:52:20-05:00 traefik1 module/traefik1/task/7f8c95b2-1ca2-4341-8623-a63b6e2babd2: action "list-routes" status is "completed" (0) at step validate-output.json

Online Let’s Encrypt diagnostic tools (e.g., ns8.familybrown.org - Make your website better - DNS, redirects, mixed content, certificates) report that my server is responding to general queries on port 80, but timing out for the ACME challenges. Is there something else I should have configured or installed before trying to request a cert?

…and I’m not sure if it’s related, but the system seems to think its FQDN is localhost.localdomain. When I created the cluster, I set its FQDN (to the one above), and that’s also the system hostname. Is there some other place I need to tell the system its FQDN?

The problem should be this one:

2023-03-08T07:22:26-05:00 traefik1 time="2023-03-08T12:22:26Z" level=error msg="Unable to obtain ACME certificate for domains \"ns8.familybrown.org\" : cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: contact email \"root@localhost.localdomain\" has invalid domain : Domain name does not end with a valid public suffix (TLD)" providerName=acmeServer.acme

I’ve never seen it before. How did you change the machine name?

Interesting, but kind of consistent with what I’d seen elsewhere. When I installed Prometheus, it formed a URL of http://localhost.localdomain/blahblahblah.

hostnamectl set-hostname ns8.familybrown.org. And it seems to have been effective:

➜  ~ hostnamectl
 Static hostname: ns8.familybrown.org
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: 1fccd70d2d3941e7a3ccaaf4976225b7
         Boot ID: d9162a400ab64eb9a70c8ff61bfb52cd
  Virtualization: kvm
Operating System: Rocky Linux 9.1 (Blue Onyx)
     CPE OS Name: cpe:/o:rocky:rocky:9::baseos
          Kernel: Linux 5.14.0-162.12.1.el9_1.0.2.x86_64
    Architecture: x86-64
 Hardware Vendor: QEMU
  Hardware Model: Standard PC _i440FX + PIIX, 1996_

or:

➜  ~ cat /etc/hostname
ns8.familybrown.org

or:

➜  ~ hostname
ns8.familybrown.org

…and if I run nmtui and select Set system hostname, it’s set to the correct FQDN as well.

…and I’ve rebooted at least once since changing the hostname.

How does NS8 determine what its FQDN is, and how can it be changed? I don’t see that there’s a setting in the cluster-admin dashboard to do it.

It doesn’t: most containers inherit the system configuration.
Since different distributions have different tools, NS8 leaves the network and FQDN to the admin.

I didn’t test a machine named localhost, but I’ve set the hostname using hostnamectl and this is the result (even after reboot):

 hostnamectl 
 Static hostname: rck.nethserver.local
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: fbda4d0f90e84917a577228570dba1bc
         Boot ID: a38db325968049299545a53fcedfb24d
  Virtualization: kvm
Operating System: Rocky Linux 9.1 (Blue Onyx)       
     CPE OS Name: cpe:/o:rocky:rocky:9::baseos
          Kernel: Linux 5.14.0-162.18.1.el9_1.x86_64
    Architecture: x86-64
 Hardware Vendor: QEMU
  Hardware Model: Standard PC _Q35 + ICH9, 2009_

But:

# hostname -f
localhost

So verify that the system really sees your hostname.

Well, that’s interesting. hostname returns the expected result, but hostname -f returns localhost.localdomain–which is likely where the problem’s coming from. An edit to /etc/hosts seems to have resolved the problem, at least to the point where hostname -f returns the correct FQDN. For the sake of posterity, I’d previously added the FQDN on the same line as localhost (so that line read 127.0.0.1 localhost.localdomain localhost ns8.familybrown.org). I removed the FQDN from that line, and put in a second line reading 127.0.0.1 ns8.familybrown.org ns8.

Then, after a reboot, the UI failed to come up at all. Rather than try to troubleshoot that, I decided to just start over–reinstall the OS to this VPS, update, configure SSH for security, set the hostname, and re-run the NS8 installer. The hostname appears to be set correctly:

[root@ns8 ~]# hostname
ns8.familybrown.org
[root@ns8 ~]# hostname -f
ns8.familybrown.org
[root@ns8 ~]# hostnamectl
 Static hostname: ns8.familybrown.org
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: 0b37212375724aae94dc12eee22ea18e
         Boot ID: 3dce4490e99349ef851dbada7fee8413
  Virtualization: kvm
Operating System: Rocky Linux 9.1 (Blue Onyx)
     CPE OS Name: cpe:/o:rocky:rocky:9::baseos
          Kernel: Linux 5.14.0-162.18.1.el9_1.x86_64
    Architecture: x86-64
 Hardware Vendor: QEMU
  Hardware Model: Standard PC _i440FX + PIIX, 1996_

…but when I try to create a cluster, the system’s still seeing localhost.localdomain as its address:

It’s easy enough to change on that screen, of course, but this suggests to me that there’s something else lurking in the system that’s going to continue to be a problem. But with that concern expressed, I am now able to get a cert. But Prometheus still creates its Public URL as http://localhost.localdomain/foo, so something’s still wrong–but I guess that’s a different topic.
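Added example, not part of the thread and not NS8 code: a shell check that models how an /etc/hosts lookup picks the canonical name, which is why `hostname` and `hostname -f` disagreed with the first hosts layout described above. The function names, the sample files and the "looks public" heuristic are assumptions made for illustration; only the files source is modelled, not DNS or other resolver sources.

```shell
#!/bin/sh
# Added example. Simplified model of an /etc/hosts lookup: the first line
# that lists the queried name wins, and the FIRST name on that line is
# returned as the canonical name (what `hostname -f` prints).

# canonical_from_hosts HOSTS_FILE NAME
# Prints the canonical name for NAME; returns 1 if NAME has no entry.
canonical_from_hosts() {
    awk -v want="$2" '
        { sub(/#.*/, "") }          # drop comments, fields are re-split
        NF < 2 { next }             # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $2; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# fqdn_usable_for_acme FQDN
# Heuristic only (assumption): rejects names that cannot end in a public
# suffix, such as the localhost.localdomain seen in the Traefik log.
fqdn_usable_for_acme() {
    case "$1" in
        localhost|localhost.*|*.localdomain|*.local) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_hosts HOSTS_FILE NAME
# Prints ok:<name>, mismatch:<canonical>, not-public:<canonical> or no-entry.
check_hosts() {
    canon=$(canonical_from_hosts "$1" "$2") || { echo "no-entry"; return 2; }
    if [ "$canon" != "$2" ]; then
        echo "mismatch:$canon"
        return 1
    fi
    fqdn_usable_for_acme "$canon" || { echo "not-public:$canon"; return 1; }
    echo "ok:$canon"
}

# write_sample_hosts LAYOUT PATH
# Constructed sample files reproducing the two layouts from the post.
write_sample_hosts() {
    case "$1" in
        before) printf '%s\n' \
            '127.0.0.1 localhost.localdomain localhost ns8.familybrown.org' ;;
        after)  printf '%s\n' \
            '127.0.0.1 localhost.localdomain localhost' \
            '127.0.0.1 ns8.familybrown.org ns8' ;;
    esac > "$2"
}

# Demo on the constructed files; nothing on the real system is read.
tmp=$(mktemp -d)
for layout in before after; do
    write_sample_hosts "$layout" "$tmp/$layout"
    printf '%s: %s\n' "$layout" \
        "$(check_hosts "$tmp/$layout" ns8.familybrown.org)"
done
rm -rf "$tmp"
```

On a live host, `check_hosts /etc/hosts "$(hostname)"` gives the same verdict for the real file; compare it with `hostname -f` before requesting a certificate.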

4 posts were split to a new topic: NS8 - how to set system hostname

I had exactly the same problem with my first NS8 test installation from two days ago.

When installing the base system (Debian 11) I gave the machine the name: “servername.local”. After that, I installed NS8 and created the cluster with the first node (leader).

Then I installed the samba AD with a name like: “ad.sub.domain.tld”. In the following basic and module installations (samba mail, webtop, nextcloud, mariaDB, webserver) I used names like: “servicename.domain.tld” (more precisely: servicename.sub.domain.tld).

With the exception of Webtop, things seemed to be working, I was able to open the respective interfaces and log in. However, Webtop always returned the error:
“HTTP Status 404 – Not Found
Type: Status Report
Message: The requested resource [/webtop/login] is not available.
Description: The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
Apache Tomcat/8.5.86”.

So I started troubleshooting. I started with the certificates, because in the Webtop instructions you should activate Letsencrypt certificate. However, not a single Letsencrypt certificate was issued. In the logs I also found a non-public e-mail address as the cause of the certificate request. So I changed the domain name of the machine to “sub.domain.tld” - more precisely - I added the name “servername.sub.domain.tld” in the file “/etc/hosts” (first among the loopback entries). But that didn’t help, not even after a reboot.

Since the location and structure of the configuration files in NS8 is not yet known to me (and I couldn’t find anything on the fly), I went back step by step in the respective saved snapshots. I even went back to before setting up the cluster or the first node, but that didn’t change anything. The non-local e-mail address was always sent with the certificate request, although the external domain name was always active.

Only a further step back BEFORE the installation of the NS8 (i.e. directly after the installation of the underlying Debian system) brought a change. The cluster (leader node) set up after this could then receive Letsencrypt certificates. (unfortunately webtop still brings the same error)

So far this is just an analog case description of the problem of “danb35” . Now my questions:

  • Is there already some kind of documentation on how and where the corresponding configuration files are or are created?

  • How does the access from the main console to the commands and files of the individual containers work at all?

I have been using scripts on the Nethserver 7 more often, for example to search for and evaluate e-mails using the Doveadm command or to change settings (mailbox sharing) using crontab. How can I implement something like this in NS8?

Regards yummiweb

Sorry, wrong topic, please move.

I’ve added a card for this issue: Trello
