Docker - Unable to create api key - buffer overflow
-
@dan Hi,
Yes, I'm using Docker from the install guide (the docker-compose.yml is from the repo),
Operating system: 22.04.1-Ubuntu, kernel: 6.2.0-1014-azure #14~,
Yes, it prevents the API key from being created. The .env file, as I said, is based on the one in the repo with minimal changes (***** are not real values):
POSTGRES_USER=*****
POSTGRES_PASSWORD=*****
DATABASE_USERNAME=*****
DATABASE_PASSWORD=*****
ES_JAVA_OPTS="-Xms512m -Xmx512m"
FUSIONAUTH_APP_MEMORY=1024M
FUSIONAUTH_APP_HTTPS_ENABLED=true
FUSIONAUTH_APP_HTTPS_PORT=9013
FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE=/usr/local/fusionauth/fullchain.crt
FUSIONAUTH_APP_HTTPS_PRIVATE_KEY_FILE=/usr/local/fusionauth/key.key
-
@dan
Here is more info that could help.
API key creation screen:
After clicking on save, the end of the URL changes to "/admin/api-key/add" with ERR_EMPTY_RESPONSE. Here is the log from the start of FusionAuth up to my attempt to create an API key:
fusionauth-fusionauth-1 | ---------------------------------------------------------------------------------------------------------
fusionauth-fusionauth-1 | --------------------------------- Starting FusionAuth version [1.47.1] ----------------------------------
fusionauth-fusionauth-1 | ---------------------------------------------------------------------------------------------------------
fusionauth-fusionauth-1 |
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.220 AM INFO io.fusionauth.api.plugin.guice.PluginModule - No plugins found
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.420 AM INFO io.fusionauth.api.service.system.NodeService - Node [78094893-7c22-447e-ad2e-8ab48cc5231f] started.
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.928 AM INFO io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Loading FusionAuth configuration file [/usr/local/fusionauth/config/fusionauth.properties]
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.929 AM INFO io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Set property [fusionauth-app.url] set to [http://fusionauth:9011] using configured value.
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.930 AM INFO com.inversoft.configuration.BasePropertiesFileInversoftConfiguration -
fusionauth-fusionauth-1 | - Overriding default value of property [database.mysql.enforce-utf8mb4] with value [true]
fusionauth-fusionauth-1 | - Overriding default value of property [FUSIONAUTH_APP_RUNTIME_MODE] with value [development]
fusionauth-fusionauth-1 | - Overriding default value of property [SEARCH_TYPE] with value [elasticsearch]
fusionauth-fusionauth-1 |
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.932 AM INFO com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://db:5432/fusionauth]
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.933 AM WARN com.zaxxer.hikari.HikariConfig - HikariPool-1 - idleTimeout has been set but has no effect because the pool is operating as a fixed size pool.
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.935 AM INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting...
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.955 AM INFO com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Added connection org.postgresql.jdbc.PgConnection@243bf087
fusionauth-fusionauth-1 | 2023-10-25 05:54:06.965 AM INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed.
fusionauth-fusionauth-1 | 2023-10-25 05:54:08.234 AM INFO com.inversoft.scheduler.DefaultScheduler - Starting up scheduler
fusionauth-fusionauth-1 | 2023-10-25 05:54:08.236 AM INFO com.inversoft.scheduler.DefaultScheduler - Scheduler is running
fusionauth-fusionauth-1 | 2023-10-25 05:54:08.370 AM INFO com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://search:9200]
fusionauth-fusionauth-1 | 2023-10-25 05:54:08.385 AM INFO io.fusionauth.api.service.system.NodeService - Node [78094893-7c22-447e-ad2e-8ab48cc5231f] added with address [http://fusionauth:9011]
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.159 AM INFO io.fusionauth.api.service.system.NodeService - Node [78094893-7c22-447e-ad2e-8ab48cc5231f] promoted to master at [2023-10-25T05:54:09.159586852Z], the previous master Node [76a0b959-f6fa-4085-b64f-7df990611db7] has been shutdown or removed
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.481 AM INFO io.fusionauth.app.primeframework.FusionHTTPContextAuthSetup - Initializing the FusionAuth HTTP Context.
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.553 AM INFO com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://search:9200]
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.646 AM INFO org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.653 AM INFO org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.653 AM INFO org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.659 AM INFO io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.669 AM INFO io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9011]
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.670 AM INFO io.fusionauth.http.server.HTTPServer - HTTP server started successfully
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.670 AM INFO io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.671 AM INFO io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9012]
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.671 AM INFO io.fusionauth.http.server.HTTPServer - HTTP server started successfully
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.671 AM INFO io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.672 AM INFO io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9013]
fusionauth-fusionauth-1 | 2023-10-25 05:54:09.672 AM INFO io.fusionauth.http.server.HTTPServer - HTTP server started successfully
fusionauth-fusionauth-1 | 2023-10-25 05:55:15.340 AM INFO com.inversoft.search.ElasticSearchClient - Determine version of the search engine.
fusionauth-fusionauth-1 | 2023-10-25 05:55:15.348 AM WARN org.elasticsearch.client.RestClient - request [GET http://search:9200/] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
fusionauth-fusionauth-1 | 2023-10-25 05:55:15.350 AM INFO com.inversoft.search.ElasticSearchClient - Reported version [7.17.0]
fusionauth-fusionauth-1 | 2023-10-25 05:55:15.353 AM INFO com.inversoft.search.ElasticSearchClient - Set major version to [7]
fusionauth-fusionauth-1 | 2023-10-25 05:55:15.419 AM WARN org.elasticsearch.client.RestClient - request [PUT http://search:9200/fusionauth_user/_doc/91032242-efb0-4a2b-a38a-c8bb7c9d7243] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
fusionauth-fusionauth-1 | 2023-10-25 05:55:15.917 AM WARN org.elasticsearch.client.RestClient - request [PUT http://search:9200/fusionauth_user/_doc/91032242-efb0-4a2b-a38a-c8bb7c9d7243] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
fusionauth-fusionauth-1 | 2023-10-25 05:55:48.832 AM WARN org.elasticsearch.client.RestClient - request [PUT http://search:9200/fusionauth_user/_doc/91032242-efb0-4a2b-a38a-c8bb7c9d7243] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
fusionauth-fusionauth-1 | 2023-10-25 05:57:14.945 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
fusionauth-fusionauth-1 | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
fusionauth-fusionauth-1 | at io.fusionauth.http.server.HTTPS11Processor.read(HTTPS11Processor.java:191)
fusionauth-fusionauth-1 | at io.fusionauth.http.server.HTTPServerThread.read(HTTPServerThread.java:298)
fusionauth-fusionauth-1 | at io.fusionauth.http.server.HTTPServerThread.run(HTTPServerThread.java:169)
fusionauth-fusionauth-1 | 2023-10-25 05:57:45.456 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
fusionauth-fusionauth-1 | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
fusionauth-fusionauth-1 | at io.fusionauth.http.server.HTTPS11Processor.read(HTTPS11Processor.java:191)
fusionauth-fusionauth-1 | at io.fusionauth.http.server.HTTPServerThread.read(HTTPServerThread.java:298)
fusionauth-fusionauth-1 | at io.fusionauth.http.server.HTTPServerThread.run(HTTPServerThread.java:169)
Here are the versions of Node.js and Docker installed on my Azure virtual machine where FusionAuth Docker is running:
nodejs --version
v20.8.0
docker --version
Docker version 24.0.6, build ed223bc
-
@j-smutek Hmmm. Can you try it without using your SSL certificates and see if the same issue occurs?
-
@dan
After disabling HTTPS, I was unable to log in to the web UI as I was redirected back to the login screen. URL after redirect:
/oauth2/authorize?client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&response_type=code&redirect_uri=%2Fadmin%2Flogin&scope=offline_access&code_challenge=aAjtN7cCeIcKGNy98zdKVJLQGiFAhjE90WA3NeOkvH0&code_challenge_method=S256&state=iCNptKF_HgM7P_H74jFphFI_9pHzJ0gIu77LYPxNr0o
with front-end error:
Authorize.js?version=1.48.1:34 Uncaught ReferenceError: PublicKeyCredential is not defined
    at new FusionAuth.OAuth2.Authorize (Authorize.js?version=1.48.1:34:43)
    at authorize?client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&response_type=code&redirect_uri=%2Fadmin%2Flogin&scope=offline_access&code_challenge=_Y6KAh3_n1H6hJB0yrTtbmhB-AtWm_0VpQf4xF7tHEE&code_challenge_method=S256&state=iLC0KrVXMrQ9BH63SYOQX7Q7QazQa8CVWiUx-YK8ZH0:78:9
    at HTMLDocument.value (PrimeDocument.js:377:9)
I will try again after a clean install.
-
@dan
After a clean install (removed containers, volumes and images),
I can create an API key.
Here is the current Docker usage; is it possible that HTTPS increases memory requirements?
What are the actual system requirements? (The 512MB stated in the docs is not enough.)
CONTAINER ID   NAME                      CPU %   MEM USAGE / LIMIT     MEM %    NET I/O           BLOCK I/O         PIDS
12f3678eddb5   fusionauth-fusionauth-1   0.17%   944.3MiB / 3.812GiB   24.19%   4.25MB / 1.78MB   63.7MB / 553kB    119
63fa5b302d5b   fusionauth-db-1           0.00%   48.48MiB / 3.812GiB   1.24%    1.04MB / 3.92MB   15.5MB / 65.3MB   17
6206fdf53f93   fusionauth-search-1       0.94%   839.8MiB / 3.812GiB   21.51%   40.4MB / 254kB    27.3MB / 174MB    72
-
@j-smutek Hmm. 512 MB should be fine for typical usage.
Do you have a large number of applications or tenants or webhooks or keys or anything else? Or is this a pretty standard config?
I'm glad you were able to get the API key created. That is a weird error I've never seen before.
-
@dan Hi,
Sorry about the late reply.
No, I have created 1 application, 1 tenant, 1 user and no webhooks; the rest is default.
-
@j-smutek Thanks for the response.
The only thing I can think of that seems different is the certificates, but I can't see how that would affect the creation of an API key.
-
@dan Hi,
I don't think it's the certificate.
When I have time, I'll test it with and without certificates and see how it goes.
-
Hi, after a long while of working on this issue,
I am quite certain that it is caused by setting a valid certificate in the configuration.
It happens when you configure SSL directly in the fusionauth.properties file. Everything appears to work, then you find out you cannot create or edit tenants, and other areas randomly do not work. I would just get no response in the browser and then this buffer overflow in the logs. I struggled with this for quite some time. Just writing here in case someone else comes to this point: just stop and install a reverse proxy; problem solved.
I also honestly think FusionAuth's quick guide should include a setup with Caddy and/or nginx with SSL certs. Really, I think it would be best to remove the SSL settings and force users to set up a reverse proxy, as it is simple to do. But I see that you may want flexibility here. I have done this now with Caddy and it works flawlessly.
Thanks again for a great product though, and great community support.
FusionAuth is by far the easiest alternative to Identity Server for .NET and probably the easiest auth server I have found.
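The reverse-proxy layout the last post recommends, written out as an added example (this is not configuration from the thread or from the FusionAuth repository). It assumes the compose service is named fusionauth and listens on plain HTTP port 9011 inside the compose network, as the log above shows (fusionauth-app.url set to http://fusionauth:9011); the hostname auth.example.com is a placeholder to replace with your own DNS name. Caddy terminates TLS, obtains and renews the certificate itself, and forwards to FusionAuth, so FUSIONAUTH_APP_HTTPS_ENABLED and the certificate file settings from the .env above are left out entirely:

```yaml
# Added example: TLS-terminating Caddy in front of FusionAuth (not the project's own compose file).
# Merge the caddy service and the caddy_data volume into the repo's docker-compose.yml;
# the fusionauth service below lists only the lines that change relative to the repo version.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    # Caddy 2's built-in one-liner proxy: because --from is a DNS hostname, Caddy
    # serves it over HTTPS with an automatically issued Let's Encrypt certificate
    # and forwards decrypted traffic to FusionAuth over the internal network.
    # auth.example.com is a placeholder hostname (assumption).
    command: caddy reverse-proxy --from auth.example.com --to fusionauth:9011
    ports:
      - "80:80"    # ACME HTTP-01 challenge and HTTP -> HTTPS redirect
      - "443:443"
    volumes:
      - caddy_data:/data   # issued certificates and ACME account keys persist here
    depends_on:
      - fusionauth

  fusionauth:
    # Keep the image, database and search settings from the repo's compose file.
    # Remove any "9011:9011" / "9013:9013" host port mappings here so FusionAuth
    # is reachable only through Caddy, and do NOT set FUSIONAUTH_APP_HTTPS_ENABLED.
    environment:
      # Public URL FusionAuth should use when it builds links and redirects (assumed hostname).
      FUSIONAUTH_APP_URL: https://auth.example.com

volumes:
  caddy_data:
```

With this layout the only listener exposed on the host is Caddy on 80/443; FusionAuth's own HTTPS listener (port 9013 in the .env above) is never enabled, which sidesteps the HTTPS11Processor path in the stack trace. Because the browser reaches FusionAuth over HTTPS, the page is a secure context, so the PublicKeyCredential error seen over plain HTTP does not recur.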