Cloudflared ERR cannot find valid certificate

I’ve had a Cloudflare tunnel running for many months with one service running on my local machine. But I have recently been working on setting up some additional services using the named tunnel routing rules. Of course, I decided to create an additional tunnel to experiment with this.

I’m using docker and docker-compose. I have two tunnels created on the server. The original tunnel appears to still be working. The new tunnel, well, I can’t get it to start when I run “docker-compose up”. The error I get says

Recreating ArgoTunnel ... done
Attaching to tunnel
tunnel    | 2022-02-02T18:20:14Z ERR Cannot find a valid certificate for your origin at the path:
tunnel    | 
tunnel    |     /home/xxxxxx/.cloudflared/cert.pem
tunnel    | 
tunnel    | If the path above is wrong, specify the path with the -origincert option.
tunnel    | If you don't have a certificate signed by Cloudflare, run the command:
tunnel    | 
tunnel    | 	cloudflared login
tunnel    |  originCertPath=/home/xxxxxx/.cloudflared/cert.pem
tunnel    | error parsing tunnel ID: Error locating origin cert: cannot find a valid certificate at the path /home/xxxxxx/.cloudflared/cert.pem

If I copy the path from this error message, I can nano the cert file and view it. It’s clearly there. And I can create and delete tunnels which suggests to me that I have the power granted by the cert. But for some reason I can’t raise this docker container.
Any suggestions?

Are the permissions set to 644 in a readable directory? Mine’s actually 600, but my cloudflared runs as root and can read it.

You might try moving that file to a more public directory and run cloudflared like this:
--credentials-file value, --cred-file value Filepath at which to read/write the tunnel credentials [$TUNNEL_CRED_FILE]


My docker-compose.yml file for the tunnel looks like this:

version: "3.8"
services:
  tunnel:
    image: cloudflare/cloudflared:2022.1.3
    container_name: tunnel
    restart: unless-stopped
    command: tunnel --config /home/xxxxxx/.cloudflared/myconfig.yml run mytunnel
    environment:
      - TUNNEL_ORIGIN_CERT=/home/xxxxxx/.cloudflared/cert.pem
      - TUNNEL_LOGLEVEL=info
    networks:
      - argo

networks:
  argo:
    external: true

Note that “mytunnel” is the name of the tunnel that I created from the command line. I saw examples of this kind of yml online that don’t add the tunnel name at the end of the “tunnel run” line, but I got a message asking me to include it when I first tried to run docker-compose up, so I added the tunnel name and it stopped complaining about that particular issue.
The idea here is that the argo network will be used by other containers that I manage separately with their own docker-compose files.

As far as permissions go, the cert.pem file is indeed 600. That’s how cloudflared login created it. I tried changing it to 644 but still get the same error.

And here’s myconfig.yml that is stored in /home/xxxxxx/.cloudflared

tunnel: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credentials-file: /home/xxxxxx/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json
ingress:
  # Rules map traffic from a hostname to a local service:
  - hostname: cloud.example.com
    service: http://localhost:8080
  - service: hello_world

Doh! I found my problem. Such a simple mistake.
In the “command” line I was referencing a folder on the host for the config file. This needs to be connected to the host file system with a volumes reference.
This is a better way to set it up:

version: "3.8"
services:
  tunnel:
    image: cloudflare/cloudflared:2022.1.3
    container_name: tunnel
    restart: unless-stopped
    volumes:
      # host directory holding cert.pem, the credentials JSON and myconfig.yml, mounted into the container
      - /home/xxxxxx/.cloudflared:/etc/.cloudflared
    command: tunnel --config /etc/.cloudflared/myconfig.yml run
    environment:
      - TUNNEL_ORIGIN_CERT=/etc/.cloudflared/cert.pem
      - TUNNEL_LOGLEVEL=info
    networks:
      - argo

networks:
  argo:
    external: true

And here’s a matching myconfig.yml:

tunnel: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credentials-file: /etc/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json
ingress:
  # Rules map traffic from a hostname to a local service:
  - hostname: cloud.example.com
    service: http://localhost:8080 # <-- This does not work.
  - service: hello_world

This all said, I can’t seem to get cloudflared to work correctly from a docker container anyway. My intention was to route traffic via the ingress rules in the cloudflared config file but I can’t seem to get it to route to another container via IP addresses or hostnames. Running cloudflared directly on the host works easy peasy but has a few drawbacks compared to running it in a container.
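The two mistakes in this thread (a --config, cert and credentials path that only exists on the host, and an ingress rule that points at localhost from inside a container) can both be caught before running docker-compose up. The checker below is an added example written for this thread; it is not part of cloudflared or docker-compose. It takes the compose service values (volumes, command, environment) and the tunnel config as plain Python dicts rather than parsing the YAML, and assumes the image declares no working directory, so a relative --config path resolves against "/". The sample data is constructed from the broken and fixed compose files posted above, with the redacted user name and tunnel ID kept as placeholders.

```python
"""Path sanity-check for a cloudflared service in docker-compose.

Constructed checker written for this thread; it is not part of cloudflared or
docker-compose. It takes the values from a compose service (volumes, command,
environment) and from the tunnel config, and reports any file the tunnel will
try to open that no bind mount makes visible inside the container, plus
ingress rules that point at localhost (the container itself).
"""
import posixpath
import re

# Assumption: the image sets no working directory, so a relative --config path
# resolves against "/". Change this if your image declares a WORKDIR.
CONTAINER_CWD = "/"


def parse_volumes(volumes):
    """Turn compose 'host:container[:opts]' strings into (host, container) pairs."""
    mounts = []
    for spec in volumes:
        parts = spec.split(":")
        if len(parts) < 2:
            raise ValueError(f"not a bind-mount spec: {spec!r}")
        mounts.append((parts[0], posixpath.normpath(parts[1])))
    return mounts


def to_host_path(container_path, mounts):
    """Map a path seen inside the container to the host path backing it.

    Returns None when no bind mount covers the path: whatever the host has,
    that file does not exist from the container's point of view.
    """
    abs_path = posixpath.normpath(posixpath.join(CONTAINER_CWD, container_path))
    # Longest container prefix wins, as Docker does for nested mounts.
    for host_dir, cont_dir in sorted(mounts, key=lambda m: -len(m[1])):
        if abs_path == cont_dir or abs_path.startswith(cont_dir.rstrip("/") + "/"):
            return posixpath.join(host_dir, posixpath.relpath(abs_path, cont_dir))
    return None


def tunnel_paths(command, environment, config):
    """Collect the files cloudflared opens: --config, origin cert, credentials."""
    paths = {}
    match = re.search(r"--config\s+(\S+)", command)
    if match:
        paths["--config"] = match.group(1)
    for entry in environment:
        key, _, value = entry.partition("=")
        if key == "TUNNEL_ORIGIN_CERT":
            paths["TUNNEL_ORIGIN_CERT"] = value
    if "credentials-file" in config:
        paths["credentials-file"] = config["credentials-file"]
    return paths


def check_service(service, config):
    """Return human-readable findings for one compose service and its tunnel config."""
    findings = []
    mounts = parse_volumes(service.get("volumes", []))
    paths = tunnel_paths(service["command"], service.get("environment", []), config)
    for label, path in paths.items():
        if not path.startswith("/"):
            findings.append(f"{label}: {path!r} is relative and resolves against {CONTAINER_CWD!r} inside the container")
        if to_host_path(path, mounts) is None:
            findings.append(f"{label}: {path!r} is not inside any bind mount, so it does not exist in the container")
    for rule in config.get("ingress", []):
        target = rule.get("service", "")
        if re.search(r"://(localhost|127\.0\.0\.1)(:|/|$)", target):
            findings.append(f"ingress {target!r}: localhost is the tunnel container itself; address the other container by its service name on the shared network")
    return findings


# Constructed from the two compose files and configs posted in the thread
# (the redacted user name and tunnel ID are kept as placeholders).
BROKEN_SERVICE = {
    "command": "tunnel --config /home/xxxxxx/.cloudflared/myconfig.yml run mytunnel",
    "environment": ["TUNNEL_ORIGIN_CERT=/home/xxxxxx/.cloudflared/cert.pem", "TUNNEL_LOGLEVEL=info"],
    # no "volumes": nothing from the host directory is visible inside the container
}
BROKEN_CONFIG = {
    "tunnel": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "credentials-file": "/home/xxxxxx/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json",
    "ingress": [{"hostname": "cloud.example.com", "service": "http://localhost:8080"},
                {"service": "hello_world"}],
}
FIXED_SERVICE = {
    "volumes": ["/home/xxxxxx/.cloudflared:/etc/.cloudflared"],
    "command": "tunnel --config /etc/.cloudflared/myconfig.yml run",
    "environment": ["TUNNEL_ORIGIN_CERT=/etc/.cloudflared/cert.pem", "TUNNEL_LOGLEVEL=info"],
}
FIXED_CONFIG = {
    "tunnel": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "credentials-file": "/etc/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json",
    "ingress": BROKEN_CONFIG["ingress"],
}

if __name__ == "__main__":
    for name, svc, cfg in [("broken", BROKEN_SERVICE, BROKEN_CONFIG), ("fixed", FIXED_SERVICE, FIXED_CONFIG)]:
        print(f"== {name} ==")
        for finding in check_service(svc, cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the broken service it reports all three files (config, origin cert, credentials JSON) as missing from the container, which is exactly what the "cannot find a valid certificate" error was saying; against the fixed service only the localhost ingress rule remains, which matches the last post's observation that routing to another container still fails.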
