# netmaker
k
Hey, what do I have to do with the MQ certs with an NGINX setup to make them work? Followed the MQ troubleshooting but still getting
```
OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
```
b
Are you trying to proxy MQTT using nginx, or is MQTT port 8883 open?
k
8883 is open
b
The MQTT troubleshooting gist is here.
The instructions for deleting certs need updating.
The mqport in docker compose is 8883, right?
k
Correct.
8883 is also reachable from the outside.
And broker.netmaker.domain.com points to my host.
b
Can you connect from the client using mosquitto_pub?
k
No, I can't.
```
Client (null) sending CONNECT
Error: host name verification failed.
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: A TLS error occurred.
```
Ah sorry, this is from the server.
```
Client mosq-y6rN0lcwO8WG3V2V4v sending CONNECT
Error: host name verification failed.
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
```
This is the client.
b
I think you need to regenerate your mq certs. I need to update the gist for the steps to reset the certs.
k
Isn't it just deleting the certs volume?
b
No, certs are stored in the database now, so the info in the volume will just get recreated from the database on netmaker startup.
k
Damn.
Oh well, I can just delete all volumes for now. I don't have much.
The database is inside the sqldata volume, correct?
b
Correct.
k
I'll update in a few.
Still the same issue after deleting all volumes.
b
Try restarting the mq container:
```
docker-compose restart mq
```
k
Done, connection seems stable now. No errors on client or server.
Can't seem to find the client in the network though.
It's 10.11.12.1.
Dashboard shows it's fine.
b
Is that an ext client?
k
Yes.
b
Where is your ingress gateway?
k
Right there.
b
Can you ping 10.11.12.254?
k
No response.
b
What does wg show display?
Where is your netmaker server?
Can you ping its public IP?
k
Of course I can, otherwise I wouldn't be able to see the dashboard.
My netmaker server is hosted on a dedicated server.
b
Ping is sometimes blocked by firewalls.
k
The netclient is on a homeserver in my local network.
My ext client is a phone connected through cellular data.
wg show on my server does nothing.
```
interface: wg0
  public key: t9mVcIcEh8iWaFCmUmCh3img55bDUcStxHz0kUEnqho=
  private key: (hidden)
  listening port: 51820

interface: nm-grpc-wg
  public key: A3Z20tQrdh6mp3nEHceXoHV4RpbEwLISHPNsO+Iro2Y=
  private key: (hidden)
  listening port: 50555

interface: nm-logic-beach
  public key: 25n+jrpghZlXyGmf+QkhzmceL2SnydH2vIOR3PSQtzY=
  private key: (hidden)
  listening port: 57747

peer: 5f0dnoKkoeUir2KgYrd49q9w4wabm4Ruu16QVlqdY24=
  endpoint: ip:51821
  allowed ips: 10.11.12.254/32, 10.11.12.2/32
  transfer: 0 B received, 11.13 KiB sent
  persistent keepalive: every 20 seconds
```
This is from the netclient.
b
On your phone, in the WireGuard app, do you see data being transferred?
k
Nothing from rx (receive).
A few KiB in tx (transmit).
Ah! Logs say that the handshake didn't complete after 5 seconds.
b
Handshakes are not happening.
k
The port in the peer configuration is 51821. Is that correct?
b
Did you turn on UDP hole punching for the network?
k
I did.
b
51821 for the netmaker server is correct.
k
Oop.
netclient not sending updates anymore.
Ah, probably because I killed the daemon.
How do I run it in the background? Set up a Linux service?
b
You can just run netclient install, that will set up and start the service.
k
```
[netclient] 2022-08-14 15:25:04 error installing daemon open /sbin/netclient: text file busy
```
b
```
./netclient install
```
k
```
-bash: ./netclient: No such file or directory
```
Should I just reinstall?
b
How did you install?
k
netclient join -t <token>
Wait, no:
apt install netclient
b
```
systemctl enable netclient; systemctl start netclient
```
k
Alright, running again.
Still got the handshake error on the ext client.
b
Any errors? journalctl -u netclient
k
Nope.
Just node updates and checkins.
mq on the server also says that it simply connects and disconnects.
b
Are you getting a handshake on the netclient?
k
```
Aug 14 15:34:25 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:34:25 checkin for logic-beach complete
Aug 14 15:33:25 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:33:25 checkin for logic-beach complete
Aug 14 15:32:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:32:24 checkin for logic-beach complete
Aug 14 15:31:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:31:24 checkin for logic-beach complete
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 sent a node update to server for node MYSTRASERVER ,  2bca5be8-8e10-41a2-8579-ca74745a471e
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 local port has changed from  58869  to  50220
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 received peer update for node MYSTRASERVER logic-beach
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 subscribed to peer updates for node MYSTRASERVER peers/logic-beach/2bca5be8-8e10-41a2-8579-ca74745a471e
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 subscribed to node updates for node MYSTRASERVER update/logic-beach/2bca5be8-8e10-41a2-8579-ca74745a471e
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 netclient daemon started for server:  broker.netmaker.domain.com
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 started daemon for server  broker.netmaker.domain.com
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 initializing network logic-beach
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 finished updates
Aug 14 15:30:24 MYSTRASERVER netclient[1003924]: [netclient] 2022-08-14 15:30:24 checking for netclient updates...
Aug 14 15:30:24 MYSTRASERVER systemd[1]: Started Netclient Daemon.
```
(log is reversed)
b
That looks good.
k
Yep.
Dashboard also shows that it's healthy again.
Still no handshake on the ext client.
b
wg show on the client shows handshake.
Delete and recreate the ext client.
k
Done, still no handshake.
Ports for WireGuard are open.
b
Try lowering the MTU.
Have you tried with your phone on WiFi?
k
Lowered to 640 (half of the initial value), still no handshake.
b
Some cell networks only use IPv6.
k
Just did, no handshake.
netserver node
b
Can you make the netclient machine the ingress gateway?
k
netclient node
No handshake either, still on WiFi.
b
iPhone or Android?
k
Android.
b
I am out of ideas, never had an issue with an ext client on Android.
k
lol damn
@bored-island-21407 shouldn't I see external client connections in the server logs?
b
Which logs?
Ext client just creates the wg tunnel, no other connection/communication with other nodes.
k
@bored-island-21407 it seems that the WireGuard port isn't open.
```
netstat -nul | grep -w 51821
```
returns nothing.
b
On which machine?
k
The netmaker server.
@bored-island-21407 any idea why the port isn't open?
b
No idea; docker misconfigured maybe.
k
Don't think so, I'm even exposing the port.
b
You need to map the ports to host ports.
k
Like this?
b
Don't need the expose.
What is on port 50004?
k
The app itself.
I'm mapping that to HTTPS in nginx.
b
OK.
k
```
sudo ufw status verbose
```
returns
```
Status: inactive
```
so it's not getting blocked.
Removing the expose fixed it, apparently.
Ext clients can connect fine now.
Thank you very much for your help and patience.