Panel: Daemon crashes on launch with TLS error message

Created on 19 Dec 2018 · 10 Comments · Source: pterodactyl/panel

Background (please complete the following information):

  • Panel or Daemon: Daemon
  • Version of Panel/Daemon: 0.6.8
  • Server's OS: Debian 9.6
  • Your Computer's OS & Browser: Microsoft 10 Pro & Chrome

Describe the bug
When running the Pterodactyl daemon with the config.json file below, the program immediately exits with a TLS related error. Please note that I redacted my domain name from the config file for privacy reasons.

{
    "web": {
        "host": "0.0.0.0",
        "listen": 8080,
        "ssl": {
            "enabled": false,
            "certificate": "/etc/letsencrypt/live/redacted.domain.tld/fullchain.pem",
            "key": "/etc/letsencrypt/live/redacted.domain.tld/privkey.pem"
        }
    },
    "docker": {
        "container": {
            "user": null
        },
        "network": {
            "name": "pterodactyl_nw"
        },
        "socket": "/var/run/docker.sock",
        "autoupdate_images": true
    },
    "filesystem": {
        "server_logs": "/tmp/pterodactyl"
    },
    "internals": {
        "disk_use_seconds": 30,
        "set_permissions_on_boot": true,
        "throttle": {
            "enabled": true,
            "kill_at_count": 5,
            "decay": 10,
            "lines": 1000,
            "check_interval_ms": 100
        }
    },
    "sftp": {
        "path": "/srv/daemon-data",
        "ip": "0.0.0.0",
        "port": 2022,
        "keypair": {
            "bits": 2048,
            "e": 65537
        }
    },
    "logger": {
        "path": "logs/",
        "src": false,
        "level": "info",
        "period": "1d",
        "count": 3
    },
    "remote": {
        "base": "https://redacted.domain.tld"
    },
    "uploads": {
        "size_limit": 100
    },
    "keys": [
        "PYnGyJknfEV3tpF1iLeK6lvk4GW9xHECQLeX"
    ]
}

Output from the Daemon's log file:

daemon_1  | 19:27:47.562Z  INFO wings: + ------------------------------------ +
daemon_1  | 19:27:47.564Z  INFO wings: | Running Pterodactyl Daemon v0.6.8    |
daemon_1  | 19:27:47.564Z  INFO wings: |        https://pterodactyl.io        |
daemon_1  | 19:27:47.564Z  INFO wings: |  Copyright 2015 - 2018 Dane Everitt  |
daemon_1  | 19:27:47.564Z  INFO wings: + ------------------------------------ +
daemon_1  | 19:27:47.564Z  INFO wings: Loading modules, this could take a few seconds.
daemon_1  | 19:27:48.144Z  INFO wings: Modules loaded, starting Pterodactyl Daemon...
daemon_1  | 19:27:48.257Z  INFO wings: Configuring user pterodactyl (id: 500) as the owner of all server files.
daemon_1  | 19:27:48.264Z  INFO wings: Configuring timezone file location...
daemon_1  | 19:27:48.265Z  INFO wings: Checking container networking environment...
daemon_1  | 19:27:48.275Z  INFO wings: Found network interface for daemon: pterodactyl_nw
daemon_1  | 19:27:48.275Z  INFO wings: Ensuring correct network interface for containers...
daemon_1  | 19:27:48.288Z  INFO wings: Networking gateway detected as 172.18.0.1 for interface: pterodactyl0.
daemon_1  | 19:27:48.292Z  INFO wings: Contacting panel to retrieve a list of currrent Eggs available to the node.
daemon_1  | 19:27:48.326Z FATAL wings: A fatal error caused the daemon to abort the startup. (err.code=EPROTO)
daemon_1  |     Error: write EPROTO 140600910072712:error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve:../deps/openssl/openssl/ssl/t1_lib.c:1097:
daemon_1  |
daemon_1  |         at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)
daemon_1  |     --
daemon_1  |     additional: {
daemon_1  |       "errno": "EPROTO",
daemon_1  |       "code": "EPROTO",
daemon_1  |       "syscall": "write"
daemon_1  |     }
daemon_1  | 19:27:48.327Z ERROR wings: You should forcibly quit this process (CTRL+C) and attempt to fix the issue.

Output from uname -a:

4.9.0-8-amd64

Output from docker info:

Containers: 36
 Running: 35
 Paused: 0
 Stopped: 1
Images: 35
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.0-8-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.67GiB
Name: debian
ID: VLVB:EJHK:7ZTV:EN5A:HAD6:NONH:XTXS:OS2G:IJIQ:6T7Q:TYHA:RYW7
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

To Reproduce
Steps to reproduce the behavior:

  1. Set up Pterodactyl behind a reverse proxy like NGINX or Caddy.
  2. Use an ECDSA certificate for the Pterodactyl/Daemon domain.
  3. Log into Pterodactyl and create a new node.
  4. Copy the node's configuration into the Daemon's config.json file.
  5. Launch the Daemon.

Expected behavior
I expect the Daemon to start normally instead of crashing right after launching it.

The error message from the log file said something about a wrong curve. Based on that, my initial assumption is that the OpenSSL version that Pterodactyl uses doesn't support ECDSA certificates.
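
The "wrong curve" reason in the log above is raised by OpenSSL's tls12_check_peer_sigalg when the peer's EC key uses a curve that does not match the curves the client advertised. The following diagnostic is an added example, not part of the original issue or the Pterodactyl code: it parses that log line and reports the key type and curve of a PEM certificate or key. The offered-curve list (`['prime256v1']`) and the generated sample keys are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the issue or from Pterodactyl.
const crypto = require('crypto');

// Error line copied from the daemon log in the issue above.
const LOG_LINE = 'Error: write EPROTO 140600910072712:error:1414D17A:SSL routines:' +
  'tls12_check_peer_sigalg:wrong curve:../deps/openssl/openssl/ssl/t1_lib.c:1097:';

// OpenSSL error strings read error:<hex>:<library>:<function>:<reason>:<file>:<line>:
function parseOpenSslError(line) {
  const m = /error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):/.exec(line);
  if (!m) return null;
  return { code: m[1], library: m[2], func: m[3], reason: m[4], file: m[5], line: Number(m[6]) };
}

// Accepts a PEM certificate or a PEM public/private key.
function keyInfo(pem) {
  const key = pem.includes('BEGIN CERTIFICATE')
    ? new crypto.X509Certificate(pem).publicKey
    : crypto.createPublicKey(pem);
  const details = key.asymmetricKeyDetails || {};
  return { type: key.asymmetricKeyType, curve: details.namedCurve || null };
}

// offeredCurves is an assumption supplied by the caller:
// the curves the TLS client advertises in its handshake.
function diagnose(logLine, pem, offeredCurves) {
  const err = parseOpenSslError(logLine);
  const key = keyInfo(pem);
  // Non-EC keys (e.g. RSA) are not subject to the curve check.
  const curveOffered = key.type !== 'ec' || offeredCurves.includes(key.curve);
  const explainsError = Boolean(err) && err.reason === 'wrong curve' && !curveOffered;
  return { reason: err ? err.reason : null, key, curveOffered, explainsError };
}

// Constructed sample keys standing in for the server certificate's key.
function sampleKeyPem(namedCurve) {
  const { publicKey } = crypto.generateKeyPairSync('ec', { namedCurve });
  return publicKey.export({ type: 'spki', format: 'pem' });
}

// Demo: compare a P-256 and a P-384 key against the assumed client list.
for (const curve of ['prime256v1', 'secp384r1']) {
  console.log(curve, diagnose(LOG_LINE, sampleKeyPem(curve), ['prime256v1']));
}
```

To check a real deployment, pass the contents of the server's certificate file to `keyInfo` and compare the reported curve with what the client runtime offers.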

All 10 comments

Your SSL cert is bad - https://github.com/nodejs/node/issues/16196

It appears to be a known issue per a Google search.

@parkervcp May I ask why the issue was immediately closed without giving me a chance to analyze and respond to the suggested cause of the issue? I don't believe that my certificate is "bad" because it's just a regular LetsEncrypt-issued SSL wildcard certificate. I don't see anything that suggests that something is wrong with the certificate itself. If it helps troubleshoot the issue, I can post the public portion of the certificate in question here.

Edit: Changing the base image from node:8-alpine to node:alpine in the Daemon's Dockerfile resolved the issue for me.

Didn't realize this was using the daemon image we shipped, didn't see that mentioned anywhere previously. @parkervcp can you take a peek at some point and see if this is an issue with the image?

I experienced the same problem with a wildcard SSL certificate from Let's Encrypt. Ubuntu 18.04. I received it with certbot (https://gist.github.com/talyguryn/bd0f30ab3eb183afbe9521261adfbc60#separated-http-and-https-servers). And it is not the Nginx config mod, as was said in Discord support. My panel and other sites were perfectly fine.

Please provide the actual error you're getting, referencing the first issue and saying it's the same doesn't always help us. 👍

Should I create another issue then, @DaneEveritt ?

No, just include the error here when you're reporting that it is still being a problem.

still no help to anyone

Your SSL report is bad, try making another one or use another domain and not a wildcard.

How do I make another SSL report and then add it?
