After not being able to get the Docker migration to work I tried to install fresh on Docker, looking at the docs it says,
Option 1: Automatic Install
The easiest way to deploy Firezone with Docker is the automatic install script:
I enter curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh | bash -E in a terminal, hit return, absolutely nothing happens ?
Try this instead:
bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)
Nada
Is Docker Compose installed on that machine? The error is getting swallowed – I’ll push up a fix in a moment.
I am using this guide and the command in step 2 includes compose.
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
OK it’s working after trying again however it finished at
Bind for 0.0.0.0:443 failed: port is already allocated
I changed port and can get to the admin web interface now but cant login, anyway to reset? I tried the command below but no joy.
root@docker:~# docker compose exec firezone bin/create-or-reset-admin
no configuration file provided: not found
root@docker:~#
I found the admin email and password in
/var/lib/docker/containers/f98634452c19a689ad0c98d8de5ed521a123a325efd77b0bf345cfdfe01cfe97/config.v2.json
But I still can’t login, just get Error signing in: invalid_credentials
Now it’s working, I left the EXTERNAL_URL section blank and can now log in.
Next problem is, I have this running in Docker on a new server 192.168.0.50 and the Omnibus install is on a different server (192.168.0.70 this has all our users and configs) how to migrate data from old Omnibus server to the new Docker server?
After more than a few goes at the migration script I would rather do it manually if it’s possible.
Hi @HenrysCat – the migration script is simply a Bash script: check here for the DB migration steps:
Not 100% sure what to do with that, lines 165-171 run on old server? and lines 173-180 run on new machine after copying dump over?
Cant be that easy, I’m no expert here 
I have just installed a new Debian server, installed Docker as per docs, run the auto install script, selected the following option,
Would you like to enable automatic SSL cert provisioning? Requires a valid DNS record and port 80 to be reachable. (Y/n): n
and still get SSL_ERROR_INTERNAL_ERROR_ALERT
It should not be this difficult, I tried wg-easy and it just works, what am I doing wrong with firezone?
The Omnibus install works first time every time, why not the Docker install?
Hi @HenrysCat – could you paste your ~/.firezone/.env and ~/.firezone/docker-compose.yml file for further debugging here (secrets removed).
Here they are, both from /root/.firezone I have edited the secrets sufficiently
Thanks
EXTERNAL_URL=https://docker
ADMIN_EMAIL=wireguard@mydomain.com
DEFAULT_ADMIN_PASSWORD=+CUiRLIdSdLRuu1i
GUARDIAN_SECRET_KEY=VEdQ+lsKFWqLEUkvYtKzIBxJ+7ZniWhK6Ngp7rtFyOzI1/HUmOwrcJmPRthuqw8l
SECRET_KEY_BASE=nczLFaWu/KE2FPbuM5SoSl9RcJ9FN+FkYGs80JiyqbYd+mCafCczTBVBMR5fNljt
LIVE_VIEW_SIGNING_SALT=b0hYpfRTt0Zs+SrJWsYwSnZUcOS9iiWR
COOKIE_SIGNING_SALT=TpgDaP2T
COOKIE_ENCRYPTION_SALT=P5CgLO2w
DATABASE_ENCRYPTION_KEY=9aT1Vjl8lUfMNMKWgy3YA+uodxlIvXPPjqSi7ClUpCQ=
DATABASE_PASSWORD=884s44d3fdd669f5
CADDY_OPTS=--internal-certs
# Example compose file for production deployment.
#
# Note: This file is meant to serve as a template. Please modify it
# according to your needs. Read more about Docker Compose:
#
# https://docs.docker.com/compose/compose-file/
#
#
x-deploy: &default-deploy
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
update_config:
order: start-first
version: '3.7'
services:
caddy:
image: caddy:2
volumes:
- ${FZ_INSTALL_DIR:-.}/caddy:/data/caddy
ports:
- 80:80
- 443:443
# See Caddy's documentation for customizing this line
# https://caddyserver.com/docs/quick-starts/reverse-proxy
command: caddy reverse-proxy --to firezone:13000 --from ${EXTERNAL_URL:?err} ${CADDY_OPTS}
deploy:
<<: *default-deploy
firezone:
image: firezone/firezone
ports:
- 51820:51820/udp
env_file:
# This should contain a list of env vars for configuring Firezone.
# See https://docs.firezone.dev/reference/env-vars for more info.
- ${FZ_INSTALL_DIR:-.}/.env
volumes:
# IMPORTANT: Persists WireGuard private key and other data. If
# /var/firezone/private_key exists when Firezone starts, it is
# used as the WireGuard private. Otherwise, one is generated.
- ${FZ_INSTALL_DIR:-.}/firezone:/var/firezone
cap_add:
# Needed for WireGuard and firewall support.
- NET_ADMIN
- SYS_MODULE
sysctls:
# Needed for masquerading and NAT.
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv4.ip_forward=1
- net.ipv6.conf.all.forwarding=1
depends_on:
- postgres
deploy:
<<: *default-deploy
postgres:
image: postgres:15
volumes:
- ${FZ_INSTALL_DIR:-.}/postgres:/var/lib/postgresql/data
environment:
POSTGRES_DB: ${DATABASE_NAME:-firezone}
POSTGRES_USER: ${DATABASE_USER:-postgres}
POSTGRES_PASSWORD: ${DATABASE_PASSWORD:?err}
deploy:
<<: *default-deploy
update_config:
order: stop-first
Thanks! And when you access Firezone in your browser at the EXTERNAL_URL https://docker it’s giving you that SSL error? Or are you accessing Firezone using a different URL / IP?
Accessing from IP, we don’t want the web interface exposed to the internet for security, all devices are configured in house and issued to staff.
Secure Connection Failed
An error occurred during a connection to 192.168.0.184. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
The URL you’re accessing Firezone with needs to match the EXTERNAL_URL.
I have tried that, http/https
EXTERNAL_URL=http://192.168.0.184/
Always redirects to https with the
SSL_ERROR_INTERNAL_ERROR_ALERT
Thanks for the added info. Caddy takes a more aggressive approach to securing SSL defaults than Nginx, and is likely refusing to provision self-signed IP-based certs. Anything interesting in the caddy log?
Opened SSL_PROTOCOL_ERROR when accessed by IP · Issue #1073 · firezone/firezone · GitHub to investigate.
Caddy log from Portainer
{"level":"warn","ts":1666938547.0945609,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1666938547.0947795,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000daa80"}
{"level":"info","ts":1666938547.0962384,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"proxy","https_port":443}
{"level":"info","ts":1666938547.096259,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"warn","ts":1666938547.1172225,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1666938547.1175494,"msg":"Warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1666938547.1175647,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1666938547.1588328,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1666938547.1591394,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1666938547.1591535,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1666938547.1593375,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1666938547.159309,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1666938547.1594894,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666938547.1595333,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666938547.1595397,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["docker"]}
Caddy proxying https://docker -> firezone:13000
{"level":"info","ts":1666938547.1597757,"logger":"tls.obtain","msg":"acquiring lock","identifier":"docker"}
{"level":"info","ts":1666938547.2773921,"logger":"tls.obtain","msg":"lock acquired","identifier":"docker"}
{"level":"info","ts":1666938547.2775457,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"docker"}
{"level":"info","ts":1666938547.2792954,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"docker"}
{"level":"info","ts":1666938547.2793667,"logger":"tls.obtain","msg":"releasing lock","identifier":"docker"}
{"level":"warn","ts":1666938547.279683,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [docker]: no OCSP server specified in certificate","identifiers":["docker"]}
{"level":"info","ts":1666967817.0768027,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1666967817.0768447,"msg":"exiting; byeee!! đź‘‹","signal":"SIGTERM"}
{"level":"info","ts":1666967817.0772245,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0000daa80"}
{"level":"info","ts":1666967817.0772867,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"warn","ts":1666967818.921369,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1666967818.9221005,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"proxy","https_port":443}
{"level":"info","ts":1666967818.9221208,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"info","ts":1666967818.9224792,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1666967818.922541,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1666967818.9226906,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666967818.9227312,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1666967818.9228055,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["docker"]}
{"level":"warn","ts":1666967818.9231205,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [docker]: no OCSP server specified in certificate","identifiers":["docker"]}
{"level":"info","ts":1666967818.9285345,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000530ee0"}
{"level":"info","ts":1666967818.9292817,"logger":"tls.renew","msg":"acquiring lock","identifier":"docker"}
{"level":"info","ts":1666967818.9367218,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1666967818.937033,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1666967818.9454775,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
Caddy proxying https://docker -> firezone:13000
{"level":"info","ts":1666967818.9893606,"logger":"tls.renew","msg":"lock acquired","identifier":"docker"}
{"level":"info","ts":1666967818.9898055,"logger":"tls.renew","msg":"renewing certificate","identifier":"docker","remaining":13929.010197252}
{"level":"info","ts":1666967818.9911869,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"docker"}
{"level":"info","ts":1666967818.9912145,"logger":"tls.renew","msg":"releasing lock","identifier":"docker"}
{"level":"info","ts":1666967818.9912636,"logger":"tls","msg":"reloading managed certificate","identifiers":["docker"]}
{"level":"warn","ts":1666967818.9915774,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [docker]: no OCSP server specified in certificate","identifiers":["docker"]}
{"level":"info","ts":1666967818.9915946,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["docker"],"new_expiration":1667011019}
I see the fix has been implemented on Github, so I tried a fresh install with the automatic install script and still get SSL_ERROR_INTERNAL_ERROR_ALERT
What should I put when the install script asks
“Enter the external URL that will be used to access this instance.” ?
Obviously I have tried the IP address and there is no URL to put in there.