Docker automatic install script

After not being able to get the Docker migration to work I tried to install fresh on Docker, looking at the docs it says,

Option 1: Automatic Install
The easiest way to deploy Firezone with Docker is the automatic install script:

I enter curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh | bash -E in a terminal, hit return, absolutely nothing happens ?

Try this instead:

bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)

Nada
Screenshot 2022-10-21 at 17.28.53

Is Docker Compose installed on that machine? The error is getting swallowed – I’ll push up a fix in a moment.

I am using this guide and the command in step 2 includes compose.

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

OK it’s working after trying again however it finished at

Bind for 0.0.0.0:443 failed: port is already allocated

I changed port and can get to the admin web interface now but cant login, anyway to reset? I tried the command below but no joy.


root@docker:~# docker compose exec firezone bin/create-or-reset-admin
no configuration file provided: not found
root@docker:~#

I found the admin email and password in
/var/lib/docker/containers/f98634452c19a689ad0c98d8de5ed521a123a325efd77b0bf345cfdfe01cfe97/config.v2.json
But I still can’t login, just get Error signing in: invalid_credentials

Now it’s working, I left the EXTERNAL_URL section blank and can now log in.

Next problem is, I have this running in Docker on a new server 192.168.0.50 and the Omnibus install is on a different server (192.168.0.70 this has all our users and configs) how to migrate data from old Omnibus server to the new Docker server?

After more than a few goes at the migration script I would rather do it manually if it’s possible.

Hi @HenrysCat – the migration script is simply a Bash script: check here for the DB migration steps:

Not 100% sure what to do with that, lines 165-171 run on old server? and lines 173-180 run on new machine after copying dump over?
Cant be that easy, I’m no expert here :thinking:

I have just installed a new Debian server, installed Docker as per docs, run the auto install script, selected the following option,

Would you like to enable automatic SSL cert provisioning? Requires a valid DNS record and port 80 to be reachable. (Y/n): n

and still get SSL_ERROR_INTERNAL_ERROR_ALERT

It should not be this difficult, I tried wg-easy and it just works, what am I doing wrong with firezone?

The Omnibus install works first time every time, why not the Docker install?

Hi @HenrysCat – could you paste your ~/.firezone/.env and ~/.firezone/docker-compose.yml file for further debugging here (secrets removed).

Here they are, both from /root/.firezone I have edited the secrets sufficiently
Thanks

EXTERNAL_URL=https://docker
ADMIN_EMAIL=wireguard@mydomain.com
DEFAULT_ADMIN_PASSWORD=+CUiRLIdSdLRuu1i
GUARDIAN_SECRET_KEY=VEdQ+lsKFWqLEUkvYtKzIBxJ+7ZniWhK6Ngp7rtFyOzI1/HUmOwrcJmPRthuqw8l
SECRET_KEY_BASE=nczLFaWu/KE2FPbuM5SoSl9RcJ9FN+FkYGs80JiyqbYd+mCafCczTBVBMR5fNljt
LIVE_VIEW_SIGNING_SALT=b0hYpfRTt0Zs+SrJWsYwSnZUcOS9iiWR
COOKIE_SIGNING_SALT=TpgDaP2T
COOKIE_ENCRYPTION_SALT=P5CgLO2w
DATABASE_ENCRYPTION_KEY=9aT1Vjl8lUfMNMKWgy3YA+uodxlIvXPPjqSi7ClUpCQ=
DATABASE_PASSWORD=884s44d3fdd669f5
CADDY_OPTS=--internal-certs
# Example compose file for production deployment.
#
# Note: This file is meant to serve as a template. Please modify it
# according to your needs. Read more about Docker Compose:
#
# https://docs.docker.com/compose/compose-file/
#
#
x-deploy: &default-deploy
  restart_policy:
    condition: on-failure
    delay: 5s
    max_attempts: 3
    window: 120s
  update_config:
    order: start-first

version: '3.7'

services:
  caddy:
    image: caddy:2
    volumes:
      - ${FZ_INSTALL_DIR:-.}/caddy:/data/caddy
    ports:
      - 80:80
      - 443:443
        # See Caddy's documentation for customizing this line
        # https://caddyserver.com/docs/quick-starts/reverse-proxy
    command: caddy reverse-proxy --to firezone:13000 --from ${EXTERNAL_URL:?err} ${CADDY_OPTS}
    deploy:
      <<: *default-deploy

  firezone:
    image: firezone/firezone
    ports:
      - 51820:51820/udp
    env_file:
      # This should contain a list of env vars for configuring Firezone.
      # See https://docs.firezone.dev/reference/env-vars for more info.
      - ${FZ_INSTALL_DIR:-.}/.env
    volumes:
      # IMPORTANT: Persists WireGuard private key and other data. If
      # /var/firezone/private_key exists when Firezone starts, it is
      # used as the WireGuard private. Otherwise, one is generated.
      - ${FZ_INSTALL_DIR:-.}/firezone:/var/firezone
    cap_add:
      # Needed for WireGuard and firewall support.
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      # Needed for masquerading and NAT.
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    depends_on:
      - postgres
    deploy:
      <<: *default-deploy

  postgres:
    image: postgres:15
    volumes:
      - ${FZ_INSTALL_DIR:-.}/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: ${DATABASE_NAME:-firezone}
      POSTGRES_USER: ${DATABASE_USER:-postgres}
      POSTGRES_PASSWORD: ${DATABASE_PASSWORD:?err}
    deploy:
      <<: *default-deploy
      update_config:
        order: stop-first

Thanks! And when you access Firezone in your browser at the EXTERNAL_URL https://docker it’s giving you that SSL error? Or are you accessing Firezone using a different URL / IP?

Accessing from IP, we don’t want the web interface exposed to the internet for security, all devices are configured in house and issued to staff.

Secure Connection Failed

An error occurred during a connection to 192.168.0.184. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

The URL you’re accessing Firezone with needs to match the EXTERNAL_URL.

I have tried that, http/https
EXTERNAL_URL=http://192.168.0.184/
Always redirects to https with the
SSL_ERROR_INTERNAL_ERROR_ALERT

Thanks for the added info. Caddy takes a more aggressive approach to securing SSL defaults than Nginx, and is likely refusing to provision self-signed IP-based certs. Anything interesting in the caddy log?

Opened SSL_PROTOCOL_ERROR when accessed by IP · Issue #1073 · firezone/firezone · GitHub to investigate.

1 Like

Caddy log from Portainer

{"level":"warn","ts":1666938547.0945609,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1666938547.0947795,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000daa80"}
{"level":"info","ts":1666938547.0962384,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"proxy","https_port":443}
{"level":"info","ts":1666938547.096259,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"warn","ts":1666938547.1172225,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1666938547.1175494,"msg":"Warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1666938547.1175647,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1666938547.1588328,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1666938547.1591394,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1666938547.1591535,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1666938547.1593375,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1666938547.159309,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1666938547.1594894,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666938547.1595333,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666938547.1595397,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["docker"]}
Caddy proxying https://docker -> firezone:13000
{"level":"info","ts":1666938547.1597757,"logger":"tls.obtain","msg":"acquiring lock","identifier":"docker"}
{"level":"info","ts":1666938547.2773921,"logger":"tls.obtain","msg":"lock acquired","identifier":"docker"}
{"level":"info","ts":1666938547.2775457,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"docker"}
{"level":"info","ts":1666938547.2792954,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"docker"}
{"level":"info","ts":1666938547.2793667,"logger":"tls.obtain","msg":"releasing lock","identifier":"docker"}
{"level":"warn","ts":1666938547.279683,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [docker]: no OCSP server specified in certificate","identifiers":["docker"]}
{"level":"info","ts":1666967817.0768027,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1666967817.0768447,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1666967817.0772245,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0000daa80"}
{"level":"info","ts":1666967817.0772867,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"warn","ts":1666967818.921369,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1666967818.9221005,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"proxy","https_port":443}
{"level":"info","ts":1666967818.9221208,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"info","ts":1666967818.9224792,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1666967818.922541,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1666967818.9226906,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666967818.9227312,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666967818.9228055,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["docker"]}
{"level":"warn","ts":1666967818.9231205,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [docker]: no OCSP server specified in certificate","identifiers":["docker"]}
{"level":"info","ts":1666967818.9285345,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000530ee0"}
{"level":"info","ts":1666967818.9292817,"logger":"tls.renew","msg":"acquiring lock","identifier":"docker"}
{"level":"info","ts":1666967818.9367218,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1666967818.937033,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1666967818.9454775,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
Caddy proxying https://docker -> firezone:13000
{"level":"info","ts":1666967818.9893606,"logger":"tls.renew","msg":"lock acquired","identifier":"docker"}
{"level":"info","ts":1666967818.9898055,"logger":"tls.renew","msg":"renewing certificate","identifier":"docker","remaining":13929.010197252}
{"level":"info","ts":1666967818.9911869,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"docker"}
{"level":"info","ts":1666967818.9912145,"logger":"tls.renew","msg":"releasing lock","identifier":"docker"}
{"level":"info","ts":1666967818.9912636,"logger":"tls","msg":"reloading managed certificate","identifiers":["docker"]}
{"level":"warn","ts":1666967818.9915774,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [docker]: no OCSP server specified in certificate","identifiers":["docker"]}
{"level":"info","ts":1666967818.9915946,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["docker"],"new_expiration":1667011019}

I see the fix has been implemented on Github, so I tried a fresh install with the automatic install script and still get SSL_ERROR_INTERNAL_ERROR_ALERT

What should I put when the install script asks
“Enter the external URL that will be used to access this instance.” ?

Obviously I have tried the IP address and there is no URL to put in there.