gluetun: Bug: PIA `/getSignature` `x509: certificate signed by unknown authority`

Is this urgent?

No

Host OS

docker synology

CPU arch

No response

VPN service provider

Private Internet Access

What are you using to run the container

Portainer

What is the version of Gluetun

latest

What’s the problem 🤔

After a Watchtower update I can’t seem to port forward. I have tried a number of different PIA servers. Log shows

2022-04-21T19:09:56-04:00 ERROR [port forwarding] cannot refresh port forward data: cannot fetch port forwarding data: cannot obtain signature payload: Get “https://10.15.110.1:19999/getSignature?token=[TOKEN]”: x509: certificate signed by unknown authority
2022-04-21T19:10:29-04:00 INFO [port forwarding] retrying in 5s

which continuously loops.

Share your logs

|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   └── VPN wait durations:
|       ├── Initial duration: 5s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: America/New_York
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2022-04-21T19:07:47-04:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1 and assigned IP 172.27.0.2
2022-04-21T19:07:47-04:00 INFO [routing] adding route for 0.0.0.0/0
2022-04-21T19:07:47-04:00 INFO [firewall] setting allowed subnets...
2022-04-21T19:07:47-04:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1 and assigned IP 172.27.0.2
2022-04-21T19:07:47-04:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2022-04-21T19:07:47-04:00 INFO [pprof] http server listening on [::]:6060
2022-04-21T19:07:47-04:00 INFO [http server] http server listening on [::]:8000
2022-04-21T19:07:47-04:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2022-04-21T19:07:47-04:00 INFO [healthcheck] listening on 127.0.0.1:9999
2022-04-21T19:07:47-04:00 INFO [firewall] allowing VPN connection...
2022-04-21T19:07:47-04:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 24 2022
2022-04-21T19:07:47-04:00 INFO [openvpn] library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-04-21T19:07:47-04:00 INFO [openvpn] CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2022-04-21T19:07:47-04:00 INFO [openvpn] -----END X509 CRL-----
2022-04-21T19:07:47-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]91.90.124.17:1197
2022-04-21T19:07:47-04:00 INFO [openvpn] UDP link local: (not bound)
2022-04-21T19:07:47-04:00 INFO [openvpn] UDP link remote: [AF_INET]91.90.124.17:1197
2022-04-21T19:07:47-04:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1554'
2022-04-21T19:07:47-04:00 WARN [openvpn] 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2022-04-21T19:07:47-04:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-04-21T19:07:47-04:00 INFO [openvpn] [douglas403] Peer Connection Initiated with [AF_INET]91.90.124.17:1197
2022-04-21T19:07:47-04:00 INFO [openvpn] TUN/TAP device tun0 opened
2022-04-21T19:07:47-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2022-04-21T19:07:47-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2022-04-21T19:07:47-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.15.110.9/24
2022-04-21T19:07:47-04:00 INFO [openvpn] UID set to nonrootuser
2022-04-21T19:07:47-04:00 INFO [openvpn] Initialization Sequence Completed
2022-04-21T19:07:47-04:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2022-04-21T19:07:48-04:00 INFO [healthcheck] healthy!
2022-04-21T19:07:49-04:00 INFO [dns over tls] downloading hostnames and IP block lists
2022-04-21T19:07:56-04:00 INFO [healthcheck] unhealthy: cannot dial: dial tcp4: i/o timeout
2022-04-21T19:07:57-04:00 INFO [dns over tls] init module 0: validator
2022-04-21T19:07:57-04:00 INFO [dns over tls] init module 1: iterator
2022-04-21T19:07:57-04:00 INFO [dns over tls] start of service (unbound 1.13.2).
2022-04-21T19:07:57-04:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-04-21T19:07:58-04:00 INFO [dns over tls] ready
2022-04-21T19:07:58-04:00 INFO [healthcheck] healthy!
2022-04-21T19:07:59-04:00 INFO [vpn] You are running on the bleeding edge of latest!
2022-04-21T19:07:59-04:00 INFO [vpn] VPN gateway IP address: 10.15.110.1
2022-04-21T19:08:00-04:00 ERROR [port forwarding] cannot refresh port forward data: cannot fetch port forwarding data: cannot obtain signature payload: Get "https://10.15.110.1:19999/getSignature?token=xxxxxx": x509: certificate signed by unknown authority
2022-04-21T19:08:00-04:00 INFO [port forwarding] retrying in 5s
2022-04-21T19:08:00-04:00 INFO [ip getter] Public IP address is 91.90.124.17 (Isle of Man, Douglas, Douglas)
2022-04-21T19:08:06-04:00 ERROR [port forwarding] cannot refresh port forward data: cannot fetch port forwarding data: cannot obtain signature payload: Get "https://10.15.110.1:19999/getSignature?token=xxxxxx": x509: certificate signed by unknown authority
2022-04-21T19:08:06-04:00 INFO [port forwarding] retrying in 5s

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=[USER]
      - OPENVPN_PASSWORD=[PASSWORD]
      - SERVER_REGIONS=Isle of Man
      - TZ=America/New_York
      - PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING=on
      - PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING_STATUS_FILE=/forwarded_port
    restart: unless-stopped

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 22 (10 by maintainers)

Most upvoted comments

It is working on my end too. Just launched everything, no problem.

@qdm12 Thank you very much! Also to @tonytamps for supporting!

Appears to be working for me. I switched the Unraid container back to :latest, updated and successfully launched. Assuming that’s all good, I’ve changed my credentials. Happy to change back again if necessary.

Thanks @qdm12 - hopefully someone else can confirm it’s working for them too.

db91625de45c90935de1bac3897b3dfcfcccad19 should fix it (I tried on one server only), please let me know the outcome. It appears the PIA server names can now be validated using the OS certificates and not with their custom certificate (unlike before where it was the opposite) - although I still have no clue how it works on v3.28.2.

I also fixed the port forwarding ‘run loop’ not exiting properly on container shutdown in 2537cd5271a205122e28d77567c61034ac0cb8af

Thanks @tonytamps that expedited resolution quite a bit 😄 ~You can change your credentials now 👍~ Maybe let’s wait for this issue to be closed if that’s ok with you.

Again please let me know if it works and I’ll do a v3.29.0 release, this is the last blocking issue 😉
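The fix the maintainer describes above comes down to which root set Go's TLS client verifies the gateway certificate against: the `x509: certificate signed by unknown authority` error in the log is Go's verifier rejecting a chain whose issuer is not in the configured pool. As an added example (not gluetun's or PIA's code), the Go program below reproduces that failure against a constructed stand-in for the `/getSignature` endpoint and shows the pinned-issuer fix that avoids `InsecureSkipVerify`; the server, its self-signed certificate and the JSON body are all constructed here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// newSignatureServer is a constructed stand-in for the gateway's /getSignature
// endpoint: TLS with a self-signed certificate that no OS root trusts.
func newSignatureServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/getSignature", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"status":"OK"}`)
	})
	return httptest.NewTLSServer(mux)
}

// fetchSignature performs the request, verifying the server chain against
// roots; a nil pool means the OS certificate store (the failing case above).
func fetchSignature(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// trustOnly builds a root pool holding just the expected issuer: the fix for
// a private-CA endpoint that keeps full chain and hostname verification on.
func trustOnly(issuer *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(issuer)
	return pool
}

// isUnknownAuthority reports whether err is Go's "certificate signed by
// unknown authority" verification failure, however the client wrapped it.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

With OS roots the request fails exactly as in the log; with the issuer pinned it succeeds while the client still checks the certificate's name and validity.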