lorawan-stack: Console - Forbidden token exchange refused

Summary

After install, the first login fails with “Forbidden token exchange refused” error.

Steps to Reproduce

  1. Install the stack following the installation guide
  2. Run the container:
     $ sudo docker-compose up
  3. Open the console:
     http://localhost:1885
  4. Login with admin
  5. “Forbidden token exchange refused” error

What do you see now?

A web page with “Forbidden token exchange refused” error.

http://localhost:1885/console/oauth/callback?code=MF2XI.I7FYJJHQNR5R6P3YHXVFZ6XCF2B2HRVJGHD2DIA.YYHMRDIFHZAGGNGE3TRLNTAJTFS6X33SPSNVITZFRUS3HBKLM76A&state=i_srwhL8tFJkb-j2

What do you want to see instead?

The console web page.

Environment

Ubuntu 19.10

$ sudo docker --version
Docker version 19.03.8, build afacb8b7f0
$ sudo docker-compose --version
docker-compose version 1.21.0, build unknown

URL: localhost
certificates: self-signed

docker-compose.yml
version: '3.6'
services:

  # If using CockroachDB:
  cockroach:
    image: cockroachdb/cockroach
    command: start --http-port 26256 --insecure
    restart: unless-stopped
    volumes:
      - ${DEV_DATA_DIR:-.env/data}/cockroach:/cockroach/cockroach-data
    ports:
      - "127.0.0.1:26257:26257" # Cockroach
      - "127.0.0.1:26256:26256" # WebUI

  # If using PostgreSQL:
  # postgres:
  #   image: postgres
  #   restart: unless-stopped
  #   environment:
  #     - POSTGRES_PASSWORD=root
  #     - POSTGRES_USER=root
  #     - POSTGRES_DB=ttn_lorawan
  #   volumes:
  #     - ${DEV_DATA_DIR:-.env/data}/postgres:/var/lib/postgresql/data
  #   ports:
  #     - "127.0.0.1:5432:5432"

  redis:
    image: redis
    command: redis-server --appendonly yes
    restart: unless-stopped
    volumes:
      - ${DEV_DATA_DIR:-.env/data}/redis:/data
    ports:
      - "127.0.0.1:6379:6379"

  stack:
    image: thethingsnetwork/lorawan-stack
    entrypoint: ttn-lw-stack -c /config/ttn-lw-stack.yml
    command: start
    restart: unless-stopped
    depends_on:
      - redis
      # If using CockroachDB:
      - cockroach
      # If using PostgreSQL:
      # - postgres
    volumes:
      - ./blob:/srv/ttn-lorawan/public/blob
      - ./config/stack:/config:ro
      # If using Let's Encrypt:
      # - ./acme:/var/lib/acme
    environment:
      TTN_LW_BLOB_LOCAL_DIRECTORY: /srv/ttn-lorawan/public/blob
      TTN_LW_REDIS_ADDRESS: redis:6379
      # If using CockroachDB:
      TTN_LW_IS_DATABASE_URI: postgres://root@cockroach:26257/ttn_lorawan?sslmode=disable
      # # If using PostgreSQL:
      # TTN_LW_IS_DATABASE_URI: postgres://root:root@postgres:5432/ttn_lorawan?sslmode=disable

    ports:
      # If deploying on a public server:
      # - "80:1885"
      # - "443:8885"
      - "1881:1881"
      - "8881:8881"
      - "1882:1882"
      - "8882:8882"
      - "1883:1883"
      - "8883:8883"
      - "1884:1884"
      - "8884:8884"
      - "1885:1885"
      - "8885:8885"
      - "1887:1887"
      - "8887:8887"
      - "1700:1700/udp"

    # If using (self) signed certificates:
    secrets:
      - cert.pem
      - key.pem

# If using (self) signed certificates:
secrets:
  cert.pem:
    file: ./acme/cert.pem
  key.pem:
    file: ./acme/key.pem
ttn-lw-stack.yml
version: '3.6'
services:

  # If using CockroachDB:
  cockroach:
    image: cockroachdb/cockroach
    command: start --http-port 26256 --insecure
    restart: unless-stopped
    volumes:
      - ${DEV_DATA_DIR:-.env/data}/cockroach:/cockroach/cockroach-data
    ports:
      - "127.0.0.1:26257:26257" # Cockroach
      - "127.0.0.1:26256:26256" # WebUI

  # If using PostgreSQL:
  # postgres:
  #   image: postgres
  #   restart: unless-stopped
  #   environment:
  #     - POSTGRES_PASSWORD=root
  #     - POSTGRES_USER=root
  #     - POSTGRES_DB=ttn_lorawan
  #   volumes:
  #     - ${DEV_DATA_DIR:-.env/data}/postgres:/var/lib/postgresql/data
  #   ports:
  #     - "127.0.0.1:5432:5432"

  redis:
    image: redis
    command: redis-server --appendonly yes
    restart: unless-stopped
    volumes:
      - ${DEV_DATA_DIR:-.env/data}/redis:/data
    ports:
      - "127.0.0.1:6379:6379"

  stack:
    image: thethingsnetwork/lorawan-stack
    entrypoint: ttn-lw-stack -c /config/ttn-lw-stack.yml
    command: start
    restart: unless-stopped
    depends_on:
      - redis
      # If using CockroachDB:
      - cockroach
      # If using PostgreSQL:
      # - postgres
    volumes:
      - ./blob:/srv/ttn-lorawan/public/blob
      - ./config/stack:/config:ro
      # If using Let's Encrypt:
      # - ./acme:/var/lib/acme
    environment:
      TTN_LW_BLOB_LOCAL_DIRECTORY: /srv/ttn-lorawan/public/blob
      TTN_LW_REDIS_ADDRESS: redis:6379
      # If using CockroachDB:
      TTN_LW_IS_DATABASE_URI: postgres://root@cockroach:26257/ttn_lorawan?sslmode=disable
      # # If using PostgreSQL:
      # TTN_LW_IS_DATABASE_URI: postgres://root:root@postgres:5432/ttn_lorawan?sslmode=disable

    ports:
      # If deploying on a public server:
      # - "80:1885"
      # - "443:8885"
      - "1881:1881"
      - "8881:8881"
      - "1882:1882"
      - "8882:8882"
      - "1883:1883"
      - "8883:8883"
      - "1884:1884"
      - "8884:8884"
      - "1885:1885"
      - "8885:8885"
      - "1887:1887"
      - "8887:8887"
      - "1700:1700/udp"

    # If using (self) signed certificates:
    secrets:
      - cert.pem
      - key.pem

# If using (self) signed certificates:
secrets:
  cert.pem:
    file: ./acme/cert.pem
  key.pem:
    file: ./acme/key.pem

How do you propose to implement this?

No idea.

Can you do this yourself and submit a Pull Request?

I don’t think so. 😦

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (4 by maintainers)

Most upvoted comments

More info

Related issues

Issue #2353 Not the same situation, because I’m not using CA certificates.

Issue #1818 Some certificates problem but related to CLI.

Tests done

Accessing the container as root user:

$ sudo docker exec -it --user root tts_stack_1 ash

Running commands inside the container:

/ # whoami
root

/ # curl -v http://localhost:1885
*   Trying 127.0.0.1:1885...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1885 (#0)
> GET / HTTP/1.1
> Host: localhost:1885
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: /console
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Request-Id: 01E84V9SB5KJF1MRXKKES8SBXK
< X-Xss-Protection: 1; mode=block
< Date: Tue, 12 May 2020 16:25:49 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

/ # curl -v https://localhost:1885
*   Trying 127.0.0.1:1885...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1885 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

It seems that HTTP to localhost:1885 is ok, but HTTPS gives this error:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Also tried to update the certificates:

/ # update-ca-certificates 
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

This warning seems to be a known issue and a minor warning in Docker-Alpine as stated here. The warning is shown after updating the certificates.
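Added example (not part of the issue or of the lorawan-stack project): the curl output above shows that port 1885 answers plaintext HTTP with a 302 to /console, while a TLS handshake to the same port fails with "wrong version number", which is what OpenSSL reports when a TLS ClientHello is answered with non-TLS bytes. The script below reproduces that distinction offline against a constructed plaintext listener that imitates the 302 reply, and classifies a port as speaking HTTP, TLS, or neither. The listener, port choice and `probe_port`/`run_demo` names are this example's own; the compose file's commented public-server mapping (80 to 1885, 443 to 8885) suggests that 8885, not 1885, is the port to probe for TLS, but that is an inference from the file, not something the report confirms.

```python
"""Classify what a TCP port speaks: plaintext HTTP, TLS, or neither.

Constructed, self-contained example: a local plaintext HTTP listener that
answers "302 /console" (like the stack's port 1885 in the report) is started
on an OS-chosen port and probed first with TLS, then with plain HTTP.
"""
import http.server
import socket
import ssl
import threading


class _RedirectHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the plaintext listener: every GET gets 302 /console."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/console")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


class _QuietServer(http.server.HTTPServer):
    """A TLS ClientHello arriving here is unparsable HTTP; do not print tracebacks."""

    def handle_error(self, request, client_address):
        pass


def start_plain_http_server():
    """Start the constructed plaintext server on 127.0.0.1 at a free port."""
    server = _QuietServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_port(host, port, timeout=3.0):
    """Return {"kind": "tls" | "http" | "unknown", "status_line": ..., "tls_error": ...}.

    kind == "tls"  : a TLS handshake completed (certificate deliberately NOT
                     verified; we only ask whether the peer speaks TLS at all).
    kind == "http" : TLS failed, but a plain HTTP/1.x request got an HTTP reply,
                     the situation behind curl's "wrong version number".
    """
    result = {"kind": "unknown", "status_line": None, "tls_error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed is fine for a protocol probe
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                result["kind"] = "tls"
                return result
    except ssl.SSLError as exc:
        # e.g. reason WRONG_VERSION_NUMBER when a plaintext "HTTP/1.x 400" comes back
        result["tls_error"] = getattr(exc, "reason", None) or str(exc)
    except OSError as exc:
        # peer closed or timed out mid-handshake: also not a TLS listener
        result["tls_error"] = str(exc)

    request = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(request.encode())
        reply = raw.recv(1024)
    if reply.startswith(b"HTTP/1."):
        result["kind"] = "http"
        result["status_line"] = reply.split(b"\r\n", 1)[0].decode("iso-8859-1")
    return result


def run_demo():
    """Start the constructed listener, probe it, shut it down, return the verdict."""
    server = start_plain_http_server()
    try:
        return probe_port("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Run it with no arguments to see the constructed listener classified as "http" with status line "HTTP/1.0 302 Found" and a non-empty tls_error; point `probe_port` at a host and port of your own deployment to check which of the mapped ports actually terminates TLS before reading the browser's error as a certificate problem.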