Help with Argo Tunnel Cloudflared Service Setup

Hey all.

So I have the latest version of the cloudflared installed on my machine (running Ubuntu 18.04 LTS). I have configured two tunnels to run. Both of which I have had no problem running using “cloudflared tunnel run <insert_service_name>”.

I’m now working on having each tunnel run as part of a cloudflared service using adapted code I found here Run multiple instances of the same systemd unit • Steven Rombauts.

The problem I’m running into, is when I start the cloudflared service, it immediately fails. When I check the systemctl status for it it just tells me it failed with Code 1. When I check the logs it just says that it started the tunnel, and not much else. Finally when I check syslog is tells me that it can’t find the credentials file for that tunnel “that it doesn’t exist or is not a file”. Which explains why the tunnel is failing.

I have seen in other posts where the credentials file was missing from /etc/cloudflared/. I currently have them symlinked over from ~/.cloudflared. But I’m confused. Why it is telling me it can’t find the file when it is clearly there?

Ideas?

Thanks in advance,
Nathan

Hello @nathan22 ,

Your config.yaml should have a property named “credentials-file” that points to the path where the Tunnel credentials is. This file was created when you created your tunnel. E.g.:

$ cloudflared tunnel create example
Tunnel credentials written to /some/path/UUID.json…

Remember that you should edit the config that’s installed to /etc/ (assuming you already did cloudflared service --config config.yaml install) since that’s the one the systemd unit file is pointing/looking at.

More details at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service

1 Like

Yes, I have that in both of my tunnel config files, both of which are pointing to the proper credentials file at the proper location. And have installed both to /etc/cloudflared.

This is the exact error I get whenever I try to run one of the tunnels as a service.

        ● cloudflared.sites.service - Argo Tunnel (Sites)
       Loaded: loaded (/etc/systemd/system/cloudflared.sites.service; disabled; vendor preset: enabled)
       Active: inactive (dead)

    Apr 15 12:04:55 systemd[1]: cloudflared.sites.service: Service hold-off time over, scheduling restart.
    Apr 15 12:04:55  systemd[1]: cloudflared.sites.service: Scheduled restart job, restart counter is at 480.
    Apr 15 12:04:55  systemd[1]: Stopped Argo Tunnel (Sites).
    Apr 15 12:04:55  systemd[1]: Starting Argo Tunnel (Sites)...
    Apr 15 12:04:55  cloudflared[17748]: 2021-04-15T18:04:55Z INF Starting tunnel tunnelID=<tunnel_id>
    Apr 15 12:04:55  cloudflared[17748]: Tunnel credentials file '<tunnel_id>.json' doesn't exist or is not a file
    Apr 15 12:04:5  systemd[1]: cloudflared.sites.service: Main process exited, code=exited, status=1/FAILURE
    Apr 15 12:04:55  systemd[1]: cloudflared.sites.service: Failed with result 'exit-code'.
    Apr 15 12:04:55  systemd[1]: Failed to start Argo Tunnel (Sites).
    Apr 15 12:05:00  systemd[1]: Stopped Argo Tunnel (Sites).

Can you show the contents of /etc/systemd/system/cloudflared.sites.service ?
It’s also going to refer to a config YAML file, so you can also show the contents of that.

This is my unit file for cloudflared.sites.service:

[Unit]
Description=Argo Tunnel (Sites)
PartOf=cloudflared.target
After=network.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/sites.yml --no-autoupdate tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

This is the unit file for cloudflared.target:

[Unit]
Description=Cloudflared
Requires=cloudflared.minecraft.service cloudflared.sites.service

[Install]
WantedBy=multi-user.target

Below is the following config file that I have created for the sites tunnel:

version: 1.0.5

autoupdate-freq: 24h
origincert: cert.pem

## 
# Websites
##

tunnel: <tunnel_id<
credentials-file: <tunnel_id>.json

loglevel: info
logfile: /var/log/cloudflared/sites-access.log 

ingress:
    - hostname: <service_1>.<hostname>.com
      service: https://localhost:443
    - hostname: <service_2>.<hostname>.com
      service: https://localhost:443
    - hostname: <service_3>.<hostname>.com
      service: https://localhost:443
    - hostname: <service_4>.<hostname>.com
      service: https://localhost:443
    - hostname: <service_5>.<hostname>.com
      service: https://localhost:443
    - hostname: <service_6>.<hostname>.com
      service: https://localhost:443
    - service: http_status:404

I have also tried putting both tunnel configs in the same file, but it would only run one tunnel and not the other.

Is the real value a full/absolute path to the json file? (it should be)

Redacted for privacy purposes. It has the unique id that you get when you run: cloudflared tunnel create.

I’ve also tried to both ways. Way 1: where it just gets the file from the local directory it is in. Way 2: where the full file path is given.

In both instances, it still says that it cannot find the requested file, even though it is there.

Just to be clear, the credentials-file must have the value of the full path to the JSON file, including it.
So if that file is in /home/user/UUID.json, then that’s the value you should have in that property.