Unable to login with default admin password

Hello,

I have just set up a successful Firezone (0.6.10) installation on my Docker host.
As I wanted to use Traefik as my reverse proxy, I set up the configuration according to the documentation here: Traefik | Firezone

I also set the environment variables directly in my docker-compose.yaml instead of using a .env file.

docker-compose.yaml firezone & postgres

version: '3.8'

x-deploy: &default-deploy
  restart_policy:
    condition: on-failure
    delay: 5s
    max_attempts: 3
    window: 120s
  update_config:
    order: start-first

services:
  firezone:
    image: firezone/firezone:0.6.10
    container_name: webgui-vpn
    depends_on:
      - postgres
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    environment:
      - TZ=Europe/Berlin
      - EXTERNAL_URL=vpn.mydomain.xyz
      - ADMIN_EMAIL=admin@mydomain.xyz
      - DEFAULT_ADMIN_PASSWORD=default
      - DATABASE_PASSWORD=default_db
      - DATABASE_ENCRYPTION_KEY=base64-encoded-string
      - GUARDIAN_SECRET_KEY=base64-encoded-string
      - COOKIE_ENCRYPTION_SALT=base64-encoded-string
      - COOKIE_SIGNING_SALT=base64-encoded-string
      - LIVE_VIEW_SIGNING_SALT=base64-encoded-string
      - SECRET_KEY_BASE=base64-encoded-string
      # Variable name corrected: the original post had the typo EXTERAL_TRUSTED_PROXIES,
      # which Firezone would silently ignore.
      - EXTERNAL_TRUSTED_PROXIES=['traefik-container-ip']
    networks:
      - frontend
      - db_backend
    ports:
      - 51820:51820/udp
    volumes:
      - firezone_data:/var/firezone
    labels:
      # Basic access configuration
      - traefik.enable=true
      - traefik.docker.network=frontend
      # Redirect http to https
      - traefik.http.routers.firezone_http.entrypoints=web_tcp
      - traefik.http.routers.firezone_http.rule=Host(`vpn.mydomain.xyz`)
      - traefik.http.middlewares.firezone_redirect.redirectscheme.scheme=https
      - traefik.http.routers.firezone_http.middlewares=firezone_redirect
      # Https
      - traefik.http.routers.firezone_https.entrypoints=web_secure_tcp
      - traefik.http.routers.firezone_https.rule=Host(`vpn.mydomain.xyz`)
      - traefik.http.routers.firezone_https.tls=true
      - traefik.http.routers.firezone_https.tls.certresolver=tlsresolver
      - traefik.http.services.firezone.loadbalancer.server.port=13000
    deploy:
      <<: *default-deploy

  postgres:
    image: postgres:15.1
    container_name: db-vpn
    environment:
      - TZ=Europe/Berlin
      - POSTGRES_DB=firezone
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=default_db
    networks:
      # Reference the compose network key (db_backend), not its runtime name
      # (firezoneDBNetwork); compose rejects undefined network keys.
      - db_backend
    volumes:
      - postgres_data:/var/lib/postgresql/data
    deploy:
      <<: *default-deploy
      update_config:
        order: stop-first

volumes:
  firezone_data:
  postgres_data:

networks:
  db_backend:
    name: firezoneDBNetwork
    driver: bridge
  frontend:
    external: true

docker-compose.yaml traefik

version: '3.8'

services:
  traefik:
    image: traefik:v2.9.5
    container_name: reverse-proxy
    restart: always
    environment:
      - TZ=Europe/Berlin
    extra_hosts:
      - "host.docker.internal:host-gateway"
    networks:
      exposedServices:
        ipv4_address: traefik-container-ip
        ipv6_address: traefik-container-ip
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/docker/config/traefik:/etc/traefik
      - /root/docker/data/traefik/logs:/logs
      - /root/docker/data/traefik/certificates:/certificates
    labels:
      # Basic access configuration
      - traefik.enable=true
      - traefik.docker.network=exposedServices
      - traefik.http.routers.traefik.entrypoints=web_tcp
      - traefik.http.routers.traefik.rule=Host(`mydomain.xyz`)
      # Traefik api configuration
      - traefik.http.routers.traefik.service=api@internal

networks:
  exposedServices:
    name: exposedServices
    driver: bridge
    enable_ipv6: true
    ipam:
      config:
        - subnet: subnet/16
        - subnet: subnet::/64

With this I can reach the Firezone web UI without a problem, but if I now try to log in with admin@mydomain.xyz and default at https://vpn.mydomain.xyz I get the error 'Error signing in: invalid_credentials'.

I also tried setting different types of passwords as the default admin password inside the environment variables and recreating the containers (& volumes), but no luck.
I have also looked at the file /var/lib/docker/containers/container-id/config.v2.json and it does indeed include the correct e-mail and password combination.
Using the command create-or-reset-admin inside the Firezone container seems to do nothing too, but I also don't know which parameters to execute the command with, as I can't seem to find any information / documentation about it anywhere.

Is there anything I can do to set a recognized default admin password besides using the default reverse proxy?

I would be really glad about any help!

Kind regards
RedPanda

So, I did a little bit more testing:

For testing I used the provided install.sh script from GitHub to set up a default Firezone deployment, waited for the database to be created and then terminated the deployment. After that I copied the values of the created .env file to my environment variables in my custom docker-compose.yaml, hooked up the created volume (PostgreSQL DB) and spun up the containers. Now I can log in successfully.

So I think there might be a problem either with my default configuration of the Firezone Docker container via the environment variables, or with how the PostgreSQL database is created based on the environment variables I set for Firezone.

As my solution above seems to be really hacky, I would still be really glad about any further help and / or insight from other people about this problem :) .

If I am not getting the wrong message, you try to provide admin_password in the .yaml file for initialization.

But from the doc, the environment file should be read from the host ${installDir:-}/.env file instead of inside the container, rather than input into the Docker environment.

I have modified my script for testing, and it should work if:

  • you declare the ${admin_password} variable in the global env
  • you declare the password before docker.io/firezone/firezone:latest bin/gen-env > "$installDir/.env"
  • and add a line to update the .env file after the gen-env line, like this:
    sed -i.bak "s/DEFAULT_ADMIN_PASSWORD=.*/DEFAULT_ADMIN_PASSWORD=${admin_password}/" "$installDir/.env"

Note that the password complexity is not clear; if you input a simple password like "123456", it won't allow you to log in even if the deployment succeeds. For a test case you may try the default generated password as the variable value, e.g.

set the password as a static value: DEFAULT_ADMIN_PASSWORD=SCIfagAA+qyyZyRT

Give it a try.

Now once the firezone container is up, it should call the correct variable in the .env file.

Nice to hear you are working with Traefik, which I have no sense of; I am just using nginx as a proxy. Please keep sharing your Traefik settings for further evaluation.

Cheers,
Lawes
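The sed one-liner in the reply above breaks as soon as the admin password contains `/`, `&` or `\` (all special in a sed replacement), which is exactly the kind of character a generated password like the one suggested may contain. Below is an added example, not part of either post or of Firezone's own tooling, that rewrites a `.env` key without any sed escaping problems and applies a length check before writing; the 12-character minimum is an assumption to be checked against your Firezone version's documentation, and the sample `.env` is constructed here rather than taken from gen-env output.

```shell
#!/bin/sh
# Assumed minimum password length; verify against your Firezone version's docs.
MIN_PASSWORD_LEN=12

# Write a constructed sample .env (not real gen-env output) and print its path.
make_sample_env() {
  f=$(mktemp)
  printf '%s\n' 'EXTERNAL_URL=https://vpn.example.test' \
                'DEFAULT_ADMIN_PASSWORD=placeholder' \
                'ADMIN_EMAIL=admin@example.test' > "$f"
  echo "$f"
}

# Return 0 if the password meets the assumed minimum length, 1 otherwise.
check_admin_password() {
  [ "${#1}" -ge "$MIN_PASSWORD_LEN" ]
}

# set_env_value FILE KEY VALUE: replace KEY=... (or append it) by copying the
# file line by line, so VALUE is never interpreted by sed or the shell.
set_env_value() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)            # mktemp creates the file mode 0600: secrets stay private
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$key="*) printf '%s=%s\n' "$key" "$value"; found=1 ;;
      *)        printf '%s\n' "$line" ;;
    esac
  done < "$file" > "$tmp"
  [ "$found" -eq 1 ] || printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# get_env_value FILE KEY: print the raw value of KEY (first match only).
get_env_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Usage: refuse a short password, then write a generated-style one verbatim.
if [ "${1:-}" = "--demo" ]; then
  env_file=$(make_sample_env)
  check_admin_password 'default' || echo 'rejected: "default" is too short'
  set_env_value "$env_file" DEFAULT_ADMIN_PASSWORD 'SCIfagAA+qyyZyRT'
  get_env_value "$env_file" DEFAULT_ADMIN_PASSWORD
  rm -f "$env_file"
fi
```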