Cloudron with route53 private hosted zone
-
I am leveraging the latest Cloudron AMI as of this posting. I have created a private hosted zone in route53 as a subdomain (hosted zone) of another domain (hosted zone) within route53. I am trying to install to sub.domain.tld. I created a user in IAM based on your suggested policy for my hosted zone (sub.domain.tld). I created a forward zone for unbound so I can resolve hosts within the private hosted zone.
/etc/unbound/unbound.conf.d/ec2.conf:

    forward-zone:
        name: "sub.domain.tld"
        forward-addr: 169.254.169.253
I am getting the correct records returned to me when I issue host -t NS sub.domain.tld.
    sub.domain.tld name server ns-1024.awsdns-00.org.
    sub.domain.tld name server ns-1536.awsdns-00.co.uk.
    sub.domain.tld name server ns-0.awsdns-00.com.
    sub.domain.tld name server ns-512.awsdns-00.net.
When I run through the "Domain Setup" portion of the installation, I am getting an error "Cannot read properties of undefined (reading 'NameServers')" and trouble trying to get around it. Both the domain and the zone name are set to sub.domain.tld. The IP configuration is set as static with its internal EC2 address specified.
I am attempting to set this up on an isolated network segment (VPC) that is only reachable via VPN.
Any help would be greatly appreciated.
-
@prusaman said in Cloudron with route53 private hosted zone:
sub.domain.tld
Did I understand correctly that the subdomain is a zone of its own? If so, when you click on advanced in the DNS Setup UI, you have to specify the zone name there as sub.domain.tld as well. It will then get the correct nameservers (by default, it will otherwise get the nameservers of domain.tld instead of sub.domain.tld).
-
@prusaman said in Cloudron with route53 private hosted zone:
I am getting the correct records returned to me when I issue host -t NS sub.domain.tld.
This would be next to debug then.
host -t NS sub.domain.tld 127.0.0.1
is what makes it go through unbound just to be sure. I don't know how private hosted zones work, but is one able to do host -t NS sub.domain.tld anywhere on the internet or will it only work from within the VPC?
-
@prusaman ignore my previous note. I think the NS check is already passing. It seems the code is actually crashing.
Can you check /home/yellowtent/platformdata/logs/box.log? It should have a stack trace. Also, can you let me know if DNS records are queryable from outside? The reason I ask is, how is Let's Encrypt supposed to work if DNS validation cannot be done?
-
mm, indeed per https://github.com/cert-manager/cert-manager/issues/2690 , you can't get let's encrypt certs. Is that OK with you? If so, you have to select self signed certs in Advanced.
Ideally, you should work with proper certs. Mobile apps etc just don't work well with self signed certs (of course, you can also purchase a cert and upload it on Cloudron).
One idea is to keep the DNS public. It can have the private IP address in the DNS. This way it can get certs.
(BTW, for the VPN setup, we are working on this to be built into Cloudron).
-
From /home/yellowtent/platformdata/logs/box.log:

    2022-11-07T21:32:51.832Z box:provision setup: Setting up Cloudron with domain sub.domain.tld and zone sub.domain.tld
    2022-11-07T21:32:51.833Z box:reverseproxy generateFallbackCertificateSync: domain=sub.domain.tld cn=sub.domain.tld
    Generating a RSA private key
    .............................................................+++++
    .....................................................................................................................................................................................................................................+++++
    writing new private key to '/tmp/sub.domain.tld-1270629460.key'
    -----
    Generating RSA private key, 1024 bit long modulus (2 primes)
    .................+++++
    ...............+++++
    e is 65537 (0x010001)
    writing RSA key
    2022-11-07T21:32:52.709Z box:provision setup: error TypeError: Cannot read properties of undefined (reading 'NameServers')
        at Object.verifyDomainConfig (/home/yellowtent/box/src/dns/route53.js:247:39)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
    HttpError: Cannot read properties of undefined (reading 'NameServers')
        at Function.BoxError.toHttpError (/home/yellowtent/box/src/boxerror.js:107:16)
        at setup (/home/yellowtent/box/src/routes/provision.js:74:37)
        at processTicksAndRejections (node:internal/process/task_queues:96:5) {
      status: 500,
      internalError: TypeError: Cannot read properties of undefined (reading 'NameServers')
          at Object.verifyDomainConfig (/home/yellowtent/box/src/dns/route53.js:247:39)
          at processTicksAndRejections (node:internal/process/task_queues:96:5),
      details: null
    }
    Box POST /api/v1/cloudron/setup 500 Internal Server Error Cannot read properties of undefined (reading 'NameServers') 884.644 ms - 115
I'm getting this error with self-signed as the "Certificate Provider".
-
@prusaman In /home/yellowtent/box/src/dns/route53.js, you will see code like this in line 247 or so:

    if (!_.isEqual(zone.DelegationSet.NameServers.sort(), nameservers.sort())) {
        debug('verifyDomainConfig: %j and %j do not match', nameservers, zone.DelegationSet.NameServers);
        throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to Route53');
    }

Just comment out the above lines and check if that helps. After commenting out, you have to

    systemctl restart box

and then try the dns setup. Maybe DelegationSet is not set for private hosted zones.
-
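A defensive form of the check quoted in the post above, as an added example (not Cloudron's code and not from the thread): rather than commenting the comparison out, it skips it only when the zone is private and carries no DelegationSet, and it normalises the trailing dot and case that `host -t NS` prints. It assumes the shape of the Route53 GetHostedZone response (Config.PrivateZone, DelegationSet.NameServers); the zone objects below are constructed samples.

```javascript
// Added example, not Cloudron's own code: a defensive form of the
// nameserver check quoted from box/src/dns/route53.js. Assumes the
// Route53 GetHostedZone response shape: Config.PrivateZone is true for
// private zones and DelegationSet is present only for public zones.

// Normalise names from `host -t NS` output (trailing dot, case) so they
// compare equal to what Route53 returns.
function normaliseNs(names) {
  return names.map((n) => n.toLowerCase().replace(/\.$/, '')).sort();
}

function sameSet(a, b) {
  const x = normaliseNs(a), y = normaliseNs(b);
  return x.length === y.length && x.every((v, i) => v === y[i]);
}

// Returns { ok, reason } instead of throwing, so the caller can decide
// whether a skipped delegation check is acceptable for its deployment.
function verifyNameServers(zone, nameservers) {
  const delegation = zone.DelegationSet && zone.DelegationSet.NameServers;
  if (!delegation) {
    if (zone.Config && zone.Config.PrivateZone) {
      // Private zones resolve only inside the VPC; nothing to compare.
      return { ok: true, reason: 'private zone, delegation check skipped' };
    }
    return { ok: false, reason: 'public zone without DelegationSet' };
  }
  if (!sameSet(delegation, nameservers)) {
    return { ok: false, reason: 'Domain nameservers are not set to Route53' };
  }
  return { ok: true, reason: 'nameservers match delegation set' };
}

// Constructed sample responses (zone IDs are placeholders).
const PUBLIC_ZONE = {
  Id: '/hostedzone/ZPUBLICEXAMPLE', Name: 'domain.tld.',
  Config: { PrivateZone: false },
  DelegationSet: { NameServers: ['ns-1024.awsdns-00.org', 'ns-0.awsdns-00.com'] },
};
const PRIVATE_ZONE = {
  Id: '/hostedzone/ZPRIVATEEXAMPLE', Name: 'sub.domain.tld.',
  Config: { PrivateZone: true },
};
// `host -t NS` keeps the trailing dot; case may differ too.
const HOST_NS = ['ns-0.awsdns-00.com.', 'NS-1024.awsdns-00.org.'];

console.log(verifyNameServers(PUBLIC_ZONE, HOST_NS));   // ok: true
console.log(verifyNameServers(PRIVATE_ZONE, HOST_NS));  // ok: true (skipped)
```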
@girish said in Cloudron with route53 private hosted zone:
/home/yellowtent/box/src/dns/route53.js
Done. That appears to have gotten past the NameServer error.
Now I am getting "ipv4 must be a string". Certificate Provider is still set as Self-signed. IP Configuration is Static IP Address. IP Address is simply a 1918 address.
/home/yellowtent/platformdata/logs/box.log:

    2022-11-07T22:49:36.870Z box:dns/route53 add: cloudrontestdns.sub.domain.tld for zone sub.domain.tld of type A with values ["127.0.0.1"]
    2022-11-07T22:49:37.410Z box:dns/route53 verifyDomainConfig: Test A record added
    2022-11-07T22:49:37.711Z box:dns/route53 verifyDomainConfig: Can list record sets
    2022-11-07T22:49:38.192Z box:dns/route53 verifyDomainConfig: Test A record removed again
    2022-11-07T22:49:38.200Z box:reverseproxy setFallbackCertificate: setting certs for domain sub.domain.tld
    2022-11-07T22:49:38.200Z box:shell reload spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx
    2022-11-07T22:49:38.223Z box:mail upsertDnsRecords: updating mail dns records of domain sub.domain.tld and mail fqdn my.sub.domain.tld
    2022-11-07T22:49:38.224Z box:provision setup: error BoxError: ipv4 must be a string
        at Object.testIPv4Config (/home/yellowtent/box/src/sysinfo/fixed.js:31:49)
        at Object.testIPv4Config (/home/yellowtent/box/src/sysinfo.js:51:39)
        at Object.setSysinfoConfig (/home/yellowtent/box/src/settings.js:587:33)
        at Object.setup (/home/yellowtent/box/src/provision.js:116:24)
        at processTicksAndRejections (node:internal/process/task_queues:96:5) {
      reason: 'Bad Field',
      details: {}
    }
    Box POST /api/v1/cloudron/setup 400 Bad Request ipv4 must be a string 1906.732 ms - 67
Any ideas?
-
So it seems the "ipv4 must be a string" issue has been fixed but I am still running into it with a static IP address in the latest AMI. The error points to box/src/sysinfo/fixed.js. Any patch I can apply to get around this? Thanks