Cloudron Forum


Cloudron with route53 private hosted zone

Category: Support
Tags: installation, subdomain, route53
12 Posts 2 Posters 1.5k Views 2 Watching
#1 prusaman (last edited by girish)

      I am leveraging the latest Cloudron AMI as of this posting. I have created a private hosted zone in route53 as a subdomain (hosted zone) of another domain (hosted zone) within route53. I am trying to install to sub.domain.tld. I created a user in IAM based on your suggested policy for my hosted zone (sub.domain.tld). I created a forward zone for unbound so I can resolve hosts within the private hosted zone.

      /etc/unbound/unbound.conf.d/ec2.conf
      
      forward-zone:
              name: "sub.domain.tld"
              forward-addr: 169.254.169.253
      

      I am getting the correct records returned to me when I issue host -t NS sub.domain.tld.

      sub.domain.tld name server ns-1024.awsdns-00.org.
      sub.domain.tld name server ns-1536.awsdns-00.co.uk.
      sub.domain.tld name server ns-0.awsdns-00.com.
      sub.domain.tld name server ns-512.awsdns-00.net.
      

      When I run through the "Domain Setup" portion of the installation, I am getting an error "Cannot read properties of undefined (reading 'NameServers')" and trouble trying to get around it. Both the domain and the zone name are set to sub.domain.tld. The IP configuration is set as static with its internal EC2 address specified.

      I am attempting to set this up on an isolated network segment (VPC) that is only reachable via VPN.

      Any help would be greatly appreciated.

#2 girish (Staff)

        @prusaman said in Cloudron with route53 private hosted zone:

        sub.domain.tld

        Did I understand correctly that the subdomain is a zone of its own? If so, when you click on Advanced in the DNS Setup UI, you have to specify the zone name there as sub.domain.tld as well. It will then get the correct nameservers (by default, it will otherwise get the nameservers of domain.tld instead of sub.domain.tld).

#3 prusaman (last edited by prusaman)

          @girish Yes, it is a zone of its own. Both "Domain" and "Zone Name (Optional)" are set to sub.domain.tld and I am still receiving the same error.

#4 girish (Staff)

            @prusaman said in Cloudron with route53 private hosted zone:

            I am getting the correct records returned to me when I issue host -t NS sub.domain.tld.

            This would be next to debug then. host -t NS sub.domain.tld 127.0.0.1 is what makes it go through unbound just to be sure. I don't know how private hosted zones work, but is one able to do host -t NS sub.domain.tld anywhere on the internet or will it only work from within the VPC?

#5 girish (Staff)

              @prusaman ignore my previous note. I think the NS check is already passing. It seems the code is actually crashing.

              Can you check /home/yellowtent/platformdata/logs/box.log ? It should have a stack trace.

              Also, can you also let me know if DNS records are queryable from outside? The reason I ask is, how is Let's Encrypt supposed to work if DNS validation cannot be done?

#6 girish (Staff)

                mm, indeed per https://github.com/cert-manager/cert-manager/issues/2690 , you can't get Let's Encrypt certs. Is that OK with you? If so, you have to select self-signed certs in Advanced.

                Ideally, you should work with proper certs. Mobile apps etc just don't work well with self signed certs (of course, you can also purchase a cert and upload it on Cloudron).

                One idea is to keep the DNS public. It can have the private IP address in the DNS. This way it can get certs.

                (BTW, for the VPN setup, we are working on this to be built into Cloudron).

#7 prusaman

                  From /home/yellowtent/platformdata/logs/box.log

                  2022-11-07T21:32:51.832Z box:provision setup: Setting up Cloudron with domain sub.domain.tld and zone sub.domain.tld
                  2022-11-07T21:32:51.833Z box:reverseproxy generateFallbackCertificateSync: domain=sub.domain.tld cn=sub.domain.tld
                  Generating a RSA private key
                  .............................................................+++++
                  .....................................................................................................................................................................................................................................+++++
                  writing new private key to '/tmp/sub.domain.tld-1270629460.key'
                  -----
                  Generating RSA private key, 1024 bit long modulus (2 primes)
                  .................+++++
                  ...............+++++
                  e is 65537 (0x010001)
                  writing RSA key
                  2022-11-07T21:32:52.709Z box:provision setup: error TypeError: Cannot read properties of undefined (reading 'NameServers')
                      at Object.verifyDomainConfig (/home/yellowtent/box/src/dns/route53.js:247:39)
                      at processTicksAndRejections (node:internal/process/task_queues:96:5)
                  HttpError: Cannot read properties of undefined (reading 'NameServers')
                      at Function.BoxError.toHttpError (/home/yellowtent/box/src/boxerror.js:107:16)
                      at setup (/home/yellowtent/box/src/routes/provision.js:74:37)
                      at processTicksAndRejections (node:internal/process/task_queues:96:5) {
                    status: 500,
                    internalError: TypeError: Cannot read properties of undefined (reading 'NameServers')
                        at Object.verifyDomainConfig (/home/yellowtent/box/src/dns/route53.js:247:39)
                        at processTicksAndRejections (node:internal/process/task_queues:96:5),
                    details: null
                  }
                  Box POST /api/v1/cloudron/setup 500 Internal Server Error Cannot read properties of undefined (reading 'NameServers') 884.644 ms - 115
                  

                  I'm getting this error with self-signed as the "Certificate Provider".

#8 girish (Staff)

                    @prusaman In /home/yellowtent/box/src/dns/route53.js , you will see code like this in line 247 or so:

                        if (!_.isEqual(zone.DelegationSet.NameServers.sort(), nameservers.sort())) {
                            debug('verifyDomainConfig: %j and %j do not match', nameservers, zone.DelegationSet.NameServers);
                            throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to Route53');
                        }

                    Just comment out the above lines and check if that helps. After commenting out, you have to systemctl restart box and then try the dns setup. Maybe DelegationSet is not set for private hosted zones.

#9 prusaman

                      @girish said in Cloudron with route53 private hosted zone:

                      /home/yellowtent/box/src/dns/route53.js

                      Done. That appears to have gotten past the NameServer error.

                      Now I am getting "ipv4 must be a string". Certificate Provider is still set as Self-signed. IP Configuration is Static IP Address. IP Address is simply a 1918 address.

                      /home/yellowtent/platformdata/logs/box.log

                      2022-11-07T22:49:36.870Z box:dns/route53 add: cloudrontestdns.sub.domain.tld for zone sub.domain.tld of type A with values ["127.0.0.1"]
                      2022-11-07T22:49:37.410Z box:dns/route53 verifyDomainConfig: Test A record added
                      2022-11-07T22:49:37.711Z box:dns/route53 verifyDomainConfig: Can list record sets
                      2022-11-07T22:49:38.192Z box:dns/route53 verifyDomainConfig: Test A record removed again
                      2022-11-07T22:49:38.200Z box:reverseproxy setFallbackCertificate: setting certs for domain sub.domain.tld
                      2022-11-07T22:49:38.200Z box:shell reload spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx
                      2022-11-07T22:49:38.223Z box:mail upsertDnsRecords: updating mail dns records of domain sub.domain.tld and mail fqdn my.sub.domain.tld
                      2022-11-07T22:49:38.224Z box:provision setup: error BoxError: ipv4 must be a string
                          at Object.testIPv4Config (/home/yellowtent/box/src/sysinfo/fixed.js:31:49)
                          at Object.testIPv4Config (/home/yellowtent/box/src/sysinfo.js:51:39)
                          at Object.setSysinfoConfig (/home/yellowtent/box/src/settings.js:587:33)
                          at Object.setup (/home/yellowtent/box/src/provision.js:116:24)
                          at processTicksAndRejections (node:internal/process/task_queues:96:5) {
                        reason: 'Bad Field',
                        details: {}
                      }
                      Box POST /api/v1/cloudron/setup 400 Bad Request ipv4 must be a string 1906.732 ms - 67

                      Any ideas?

#10 prusaman

                        So it seems the "ipv4 must be a string" issue has been fixed but I am still running into it with a static IP address in the latest AMI. The error points to box/src/sysinfo/fixed.js. Any patch I can apply to get around this?

                        Thanks

#11 prusaman

                          I've just stopped using the AMI. Additionally, I made the hosted zone public to get around things. Cheers

#12 girish (Staff)

                            @prusaman I have it on my list to test installation against a private zone. Let me get back once I make the changes.
