Docker Helper for 4.x - Configuration Issues

I am trying to run a docker instance locally using docker helper, but am getting the following bad gateway error. Any ideas how to solve this? @mrjones

Hi @iesmail

This looks like you can’t reach the public Amazon docker image repository.
Can you please try pulling the image manually and share the result?

docker pull public.ecr.aws/s5s3h4s7/cht-upgrade-service:latest

Hi @diana,

I am getting the same error.

Hi @iesmail

This is strange. I’m able to access AWS ECR without issue. Can you maybe try with a different connection, or later in the day, to see if the issue was resolved?
According to https://health.aws.amazon.com/health/status, the service should be up and running.

What happens if you try to CURL the ECR url? curl https://public.ecr.aws/v2/

I tried with a different connection but got the same response.

The curl command returns

{"errors":[{"code":"DENIED","message":"Not Authorized"}]}

Yes, I had this same Not Authorized response with the curl command, but my docker pull command works as expected.

Are you able to pull the latest hello-world image from docker.io?

docker pull docker.io/library/hello-world:latest

Running the docker command gives me:

Error response from daemon: Get "https://registry-1.docker.io/v2/": Bad Gateway

Interesting! This looks like something is wrong locally on your computer if two totally different image repositories have the same error and different network connections also give an error.

Can you try restarting your computer to see if that solves it?

@mrjones, I had to re-install docker to resolve this particular error. So I have managed to run it but the nginx container is stuck somehow in Restarting status. Hence, the certificates are not updated and I can’t access the local instance.

Hi @iesmail

Can you please check the logs of the nginx container and share the error that is triggering the restart?

docker logs mpya_nginx_1

Thanks!

@diana

Thanks for sharing @iesmail

It looks like docker-helper finished successfully (the “Success! mypa is set up!” got logged) and overwrote the original certificate that was generated by nginx with the local-ip ones, but those were corrupted or malformed somehow.

Leaving it up to @mrjones to support further.

Thanks @diana!

Yes - I agree that the TLS certs look corrupt. Can you try re-adding them? You can first try using the automated script. However, this may suffer the same issues as docker helper and also your nginx container keeps rebooting, which will make it hard to run the script on. If that fails, here are the manual steps I’d recommend. These specifically include steps to validate the certs before loading them:

  1. On your workstation where you’re running docker, download the 3 cert files and concatenate the two public pem files:
    curl -s -o server.pem http://local-ip.co/cert/server.pem
    curl -s -o chain.pem http://local-ip.co/cert/chain.pem
    cat server.pem chain.pem > cert.pem
    curl -s -o key.pem http://local-ip.co/cert/server.key
    rm server.pem chain.pem
    
  2. Inspect the key.pem and cert.pem files to make sure they have matching BEGIN and END sections (1 in key, 3 in cert), lines are 65 chars long and their hashes match when you check them with openssl and md5:
    $ openssl rsa -modulus -in key.pem -noout | openssl md5 
    (stdin)= 95cf269bb846f0c58e3adb9fd4fee8d5
    
    $ openssl x509 -modulus -in cert.pem -noout | openssl md5  
    (stdin)= 95cf269bb846f0c58e3adb9fd4fee8d5
    
  3. Follow the “Adding TLS certificates in CHT 4.x” using the two files from above
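
The validation in step 2 above, as an added example that is not part of the original post or of the CHT project: a POSIX shell script that checks the marker counts and line lengths and compares the modulus hashes in one pass. The function names and the file name check_certs.sh are hypothetical, and it assumes the "65 chars" in the post counts the trailing newline (64 base64 characters per line).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for key.pem / cert.pem.

# count_markers FILE WORD: number of well-formed "-----WORD <label>-----" lines
# (WORD is BEGIN or END). Markers fused onto one line are not counted.
count_markers() {
    grep -c -- "^-----$2 [A-Z0-9 ]*-----\$" "$1" || true
}

# pem_structure_ok FILE N: FILE has exactly N BEGIN and N END markers, and every
# body line is pure base64 of at most 64 characters (65 bytes with the newline;
# assumption: that is the "65 chars" in the post). Blank lines are ignored.
pem_structure_ok() {
    [ "$(count_markers "$1" BEGIN)" -eq "$2" ] || return 1
    [ "$(count_markers "$1" END)" -eq "$2" ] || return 1
    awk '/^-----(BEGIN|END) / || /^$/ { next }
         length($0) > 64 || $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
         END { exit bad + 0 }' "$1"
}

# modulus_md5 KIND FILE: MD5 of the RSA modulus, as in step 2 of the post.
# KIND is "rsa" for the key or "x509" for the certificate. Fails if openssl
# cannot parse FILE, so two unreadable files can never "match" on an empty hash.
modulus_md5() {
    m=$(openssl "$1" -modulus -in "$2" -noout 2>/dev/null) || return 1
    printf '%s\n' "$m" | openssl md5 | awk '{ print $NF }'
}

# check_certs KEY CERT: run all checks; expects 1 block in KEY and 3 in CERT.
check_certs() {
    pem_structure_ok "$1" 1 || { echo "$1: bad PEM structure" >&2; return 1; }
    pem_structure_ok "$2" 3 || { echo "$2: bad PEM structure" >&2; return 1; }
    k=$(modulus_md5 rsa "$1") || { echo "$1: openssl cannot read key" >&2; return 1; }
    c=$(modulus_md5 x509 "$2") || { echo "$2: openssl cannot read cert" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "key and certificate do not match" >&2; return 1; }
    echo "OK: structure valid and key matches certificate ($k)"
}

# Usage: sh check_certs.sh key.pem cert.pem
if [ "$#" -eq 2 ]; then check_certs "$1" "$2"; fi
```

The structure check also catches a download that returned an HTML error page instead of a PEM file, and the fused END/BEGIN line that `cat` produces when the first file lacks a trailing newline.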

@mrjones, the manual steps worked. Thanks!

@iesmail - awesome! I’m glad that worked.