Problem with my docker server installation

Hi,

day two in my atuin experience. :slight_smile: So far I really like it, but I have problems registering against my server.

I have a docker container with postgresql 16 running fine. Atuin server could create all the tables and as I didn’t toy around with user GRANTS I assume this indicates no problems from this side.

The docker container with the atuin server starts fine, the config is mounted as volume and the certs are also mounted as a volume.

My server.toml:

host = "0.0.0.0"
port = 8888
open_registration = true
db_uri="postgres://atuin:THE_ATUIN_PASSWORD@docker-host-01:5432/atuin"

[tls]
enabled = true
cert_path = "/config/certs/live/atuin.sub.example.cc/fullchain.pem"
pkey_path = "/config/certs/live/atuin.sub.example.cc/privkey.pem"

The server run command:

docker run -d \
  --name atuin-sync-server \
  --restart unless-stopped \
  -v nginx-certs:/config/certs \
  -v "/home/andi/docker-server-env/atuin-sync-server/config.toml:/config/server.toml" \
  -p 8888:8888 \
  --network internal-docker-net \
  ghcr.io/atuinsh/atuin:18.0.1 \
  server start

DNS is set up fine and I docker exec -it -u 1000 atuin-sync-server /bin/shed into the container and checked:

  • paths to /config/server.toml is fine
  • the path to the cert files are fine and the same as in the server.toml
  • the file permissions are fine and I can read everything when using UID 1000 like the server in the container
  • I can connect to my PgSQL container with an DB gui client and everything is set up fine, but no data in the user & session table
  • the cert files are created by Let’s Encrypt the same way I create them for my nginx reverse proxy, which worked fine for years.

But when I try to register, I get following error message:

atuin register
Registering for an Atuin Sync account
Please enter username: test
Please enter email: test
Please enter password:
Error: error sending request for url (https://atuin.sub.example.cc/user/test): error trying to connect: invalid peer certificate: NotValidForName

Caused by:
   0: error trying to connect: invalid peer certificate: NotValidForName
   1: invalid peer certificate: NotValidForName

Location:
    /private/tmp/atuin-20240212-5226-bu6me4/atuin-18.0.1/atuin-client/src/api_client.rs:49:16

What else might be strange, docker logs atuin-sync-server doesn’t return any logs. If I get error logs, when something goes wrong with the db. Just broke the db connection string to test it.

I really ran out of ideas what to check next.

Thanks for any input. :slight_smile:

hey!

Glad you like it!

The key here is in the error

Caused by:
   0: error trying to connect: invalid peer certificate: NotValidForName
   1: invalid peer certificate: NotValidForName

Are you using a self-signed certificate? Atuin isn’t able to connect to the server because there’s something up with the cert. I’d make sure it’s properly installed on the server + client and go from there

Hi Ellie,

thanks for chiming in!

It’s a Let’s Encrypt certificat. I forked this DNS challenge Certbot Docker and adopted it a bit.

It stores the certs in a docker volume, which I then mount to my nignx reverse proxy and now also to my atuin container. Worked like a charme for several years for nginx up to now.

I did nothing else than adding the full qualified host name to the config file of the certbot to create one more cert. Hence, I obviously was reluctant to believe it’s really the cert… :smiley:

Also I just deleted the certificate and create a new one:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in environment variables.
Plugins selected: Authenticator dns-route53, Installer None
Requesting a certificate for atuin.sub.example.cc

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/atuin.sub.example.cc/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/atuin.sub.example.cc/privkey.pem
This certificate expires on 2024-05-19.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

Wait! you wrote: “… + client …”?

If you’re already using nginx, I think it would be much easier to use nginx as a reverse proxy and terminate your SSL there

You’ll probably want to set the max body size to 100M though

Yeah I was considering the possibility of you using a self-signed cert, as there’s a certificate error going on here

What happens when you curl your atuin server? Do you get a certificate error with that as well?

Also, you can set env vars in your docker compose to get debug logging:

ATUIN_LOG: debug
RUST_LOG: debug

That could give you more information that you can then retrieve with docker logs, although since this is a cert error that is probably happening in your nginx proxy, I kinda doubt it’ll give you much more info in this particular case.

TL;DR; solved by terminating at Nginx

Just for overview. The nginx reverse proxy container is not involved in my atuin server setup. It’s just on the same host.

I added debug level logging to the server and tried with curl:

andi@docker-host-01:~$ curl https://atuin.sub.example.cc:8888
curl: (35) OpenSSL/3.0.11: error:0A00010B:SSL routines::wrong version number

andi@docker-host-01:~$ curl --version
curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13
Release-Date: 2023-02-20, security patched: 7.88.1-10+deb12u5
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
andi@docker-host-01:~$

In the atuin server logfiles nothing happens for request (port 8888). Just to be sure, I also looked into my nginx logs, but there also is nothing as expected (it’s listening on 80/443).

I am on atuin 18.0.1 and didn’t change anything at the docker container.
The VM where the docker container runs, is a Debian and i apt update && apt upgrade all the packages. curl is only 7.88 though.

On my work desk mac, curl is at 8.4.0. There I only get this message:

➜  ~ curl https://atuin.sub.example.cc:8888
curl: (35) Send failure: Broken pipe
➜  ~

This is my atuin server log, from the last restart to the curl request:

Shutting down gracefully...
2024-02-19T11:52:00.738263Z DEBUG sqlx::query: summary="SELECT current_database()" db.statement="" rows_affected=0 rows_returned=1 elapsed=1.101542ms
2024-02-19T11:52:00.739138Z DEBUG sqlx::query: summary="SELECT pg_advisory_lock($1)" db.statement="" rows_affected=1 rows_returned=1 elapsed=703.957µs
2024-02-19T11:52:00.739601Z  INFO sqlx::postgres::notice: relation "_sqlx_migrations" already exists, skipping
2024-02-19T11:52:00.739779Z DEBUG sqlx::query: summary="CREATE TABLE IF NOT …" db.statement="\n\nCREATE TABLE IF NOT EXISTS _sqlx_migrations (\n  version BIGINT PRIMARY KEY,\n  description TEXT NOT NULL,\n  installed_on TIMESTAMPTZ NOT NULL DEFAULT now(),\n  success BOOLEAN NOT NULL,\n  checksum BYTEA NOT NULL,\n  execution_time BIGINT NOT NULL\n);\n" rows_affected=0 rows_returned=0 elapsed=444.186µs
2024-02-19T11:52:00.741347Z DEBUG sqlx::query: summary="SELECT version FROM _sqlx_migrations …" db.statement="\n\nSELECT\n  version\nFROM\n  _sqlx_migrations\nWHERE\n  success = false\nORDER BY\n  version\nLIMIT\n  1\n" rows_affected=0 rows_returned=0 elapsed=1.464898ms
2024-02-19T11:52:00.742128Z DEBUG sqlx::query: summary="SELECT version, checksum FROM …" db.statement="\n\nSELECT\n  version,\n  checksum\nFROM\n  _sqlx_migrations\nORDER BY\n  version\n" rows_affected=16 rows_returned=16 elapsed=700.897µs
2024-02-19T11:52:00.742497Z DEBUG sqlx::query: summary="SELECT current_database()" db.statement="" rows_affected=0 rows_returned=1 elapsed=317.6µs
2024-02-19T11:52:00.743050Z DEBUG sqlx::query: summary="SELECT pg_advisory_unlock($1)" db.statement="" rows_affected=1 rows_returned=1 elapsed=526.266µs

to be honest I ran out of patience for now and terminate SSL now on nginx like suggested. This works like a charm.

And thanks for both of your help @ellie & @herbcso !

1 Like