Issue with fresh docker install (invalid client)

Hello,

I am following this guide step by step:

I have made on my host the peertube directory (and ./docker-volume/nginx/peertube)

I downloaded the yaml and .env files, and tweaked them to my needs:

docker-compose.yaml:

services:

  # You can comment this webserver section if you want to use another webserver/proxy or test PeerTube in local
  webserver:
    image: chocobozzz/peertube-webserver:latest
    # If you don't want to use the official image and build one from sources:
    # build:
    #   context: .
    #   dockerfile: ./support/docker/production/Dockerfile.nginx
    env_file:
      - .env
    ports:
     - "82:80"
     - "444:443"
    volumes:
      - type: bind
        # Switch sources if you downloaded the whole repository
        #source: ../../nginx/peertube
        source: ./docker-volume/nginx/peertube
        target: /etc/nginx/conf.d/peertube.template
      - assets:/var/www/peertube/peertube-latest/client/dist:ro
      - ./docker-volume/data:/var/www/peertube/storage
      - certbot-www:/var/www/certbot
      - ./docker-volume/certbot/conf:/etc/letsencrypt
    depends_on:
      - peertube
    restart: "always"

  # You can comment this certbot section if you want to use another webserver/proxy or test PeerTube in local
  # certbot:
  #   container_name: certbot
  #   image: certbot/certbot
  #   volumes:
  #     - ./docker-volume/certbot/conf:/etc/letsencrypt
  #     - certbot-www:/var/www/certbot
  #   restart: unless-stopped
  #   entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait ${!}; done;"
  #   depends_on:
  #     - webserver

  peertube:
    # If you don't want to use the official image and build one from sources:
    # build:
    #   context: .
    #   dockerfile: ./support/docker/production/Dockerfile.bookworm
    image: chocobozzz/peertube:production-bookworm
    # Use a static IP for this container because nginx does not handle proxy host change without reload
    # This container could be restarted on crash or until the postgresql database is ready for connection
    networks:
      default:
        ipv4_address: 172.22.0.42
        ipv6_address: fdab:e4b3:21a2:ef1b::42
    env_file:
      - .env

    ports:
     - "1935:1935" # Comment if you don't want to use the live feature
     - "9000:9000" # Uncomment if you use another webserver/proxy or test PeerTube in local, otherwise not suitable for production
    volumes:
      # Remove the following line if you want to use another webserver/proxy or test PeerTube in local
      #- assets:/app/client/dist
      - ./docker-volume/data:/data
      - ./docker-volume/config:/config
    depends_on:
      - postgres
      - redis
      - postfix
    restart: "always"

  postgres:
    image: postgres:13-alpine
    env_file:
      - .env
    volumes:
      - ./docker-volume/db:/var/lib/postgresql/data
    restart: "always"

  redis:
    image: redis:6-alpine
    volumes:
      - ./docker-volume/redis:/data
    restart: "always"

  postfix:
    image: mwader/postfix-relay
    env_file:
      - .env
    volumes:
      - ./docker-volume/opendkim/keys:/etc/opendkim/keys
    restart: "always"

networks:
  default:
    enable_ipv6: true
    ipam:
      driver: default
      config:
      - subnet: 172.22.0.0/16
      - subnet: fdab:e4b3:21a2:ef1b::/64

volumes:
  assets:
  certbot-www:

What did I change from the default one?

  • network changed to 17.22.0. because 17.18.0 taken by other networks
  • for webserver, host port changed from 82 because 80 taken
  • same for 444 from 443 because already taken
  • commented out certbot, because I will handle certs with nginx proxy manager / lets encrypt

.env:

# Database / Postgres service configuration
POSTGRES_USER=someusername
POSTGRES_PASSWORD=somepassword
# Postgres database name "peertube"
POSTGRES_DB=peertube
# The database name used by PeerTube will be PEERTUBE_DB_NAME (only if set) *OR* 'peertube'+PEERTUBE_DB_SUFFIX
#PEERTUBE_DB_NAME=<MY POSTGRES DB NAME>
#PEERTUBE_DB_SUFFIX=_prod
# Database username and password used by PeerTube must match Postgres', so they are copied:
PEERTUBE_DB_USERNAME=$POSTGRES_USER
PEERTUBE_DB_PASSWORD=$POSTGRES_PASSWORD
PEERTUBE_DB_SSL=false
# Default to Postgres service name "postgres" in docker-compose.yml
PEERTUBE_DB_HOSTNAME=postgres

# PeerTube server configuration
# If you test PeerTube in local: use "peertube.localhost" and add this domain to your host file resolving on 127.0.0.1
PEERTUBE_WEBSERVER_HOSTNAME=mydomain
# If you just want to test PeerTube on local
PEERTUBE_WEBSERVER_PORT=9000
PEERTUBE_WEBSERVER_HTTPS=true
# If you need more than one IP as trust_proxy
# pass them as a comma separated array:
PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback", "172.22.0.0/16"]

# Generate one using `openssl rand -hex 32`
PEERTUBE_SECRET=mysecret

# E-mail configuration
# If you use a Custom SMTP server
#PEERTUBE_SMTP_USERNAME=
#PEERTUBE_SMTP_PASSWORD=
# Default to Postfix service name "postfix" in docker-compose.yml
# May be the hostname of your Custom SMTP server
PEERTUBE_SMTP_HOSTNAME=postfix
PEERTUBE_SMTP_PORT=25
PEERTUBE_SMTP_FROM=noreply@mydomain
PEERTUBE_SMTP_TLS=false
PEERTUBE_SMTP_DISABLE_STARTTLS=false
PEERTUBE_ADMIN_EMAIL=admin@mydomain

# Postfix service configuration
POSTFIX_myhostname=mydomain
# If you need to generate a list of sub/DOMAIN keys
# pass them as a whitespace separated string <DOMAIN>=<selector>
OPENDKIM_DOMAINS=mydomain=peertube
# see https://github.com/wader/postfix-relay/pull/18
OPENDKIM_RequireSafeKeys=no

PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC="public-read"
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE="private"


#PEERTUBE_LOG_LEVEL=info

# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
#PEERTUBE_SIGNUP_ENABLED=true
#PEERTUBE_TRANSCODING_ENABLED=true
#PEERTUBE_CONTACT_FORM_ENABLED=true

Then I run docker compose up, go to ip:9000 (the same happens with mydomain after I add a proxy host to ip:9000), and try to log in with the root account, whose password I got from running:

docker compose exec -u peertube peertube npm run reset-password -- -u root

But I get the error:

peertube-1   | [mydomain:9000] 2025-01-04 21:17:59.148 error: Client log: Backend returned code 400, errorMessage is: Invalid client: client is invalid {
peertube-1   |   "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
peertube-1   |   "meta": "{\"url\":\"http://ip:9000/api/v1/users/token\"}",
peertube-1   |   "url": "http://ip:9000/login"
peertube-1   | }

I also get this other error btw:

peertube-1 | [mydomain:9000] 2025-01-04 21:14:17.715 error: Client log: Error: Cannot retrieve OAuth Client credentials: Getting client tokens for host myip:9000 is forbidden.
peertube-1 | Ensure you have correctly configured PeerTube (config/ directory), in particular the "webserver" section. {
peertube-1 |   "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
peertube-1 |   "url": "http://myip:9000/login"
peertube-1 | }

But my config directory is empty! The production etc. yaml files aren't there. At which point are they supposed to be generated in this process?

The rest of the file structure, seems? to be correct?

Also, I would like to know if there is any way to pre configure, at deployment time, s3 storage. I have been trying to follow this:

And add the storage block to the docker compose, but I get the error that those values are not accepted for the peertube service.

Thank you very much!

If you use ip:9000 to access your server, you must use ip as value for PEERTUBE_WEBSERVER_HOSTNAME

Hi, thank you for answering!
Unfortunately, that did not change any of the behaviour. Still invalid client, and unable to get client tokens, and the config yaml files are not generated.

And I just noticed, which I suppose isn't right:
both in the config and the logs, I see it is listening on https://wanip:9000
However, if I set my nginx proxy manager to https, I get E502.

And I don't see anything about that in the logs.

May be related to Trouble logging in - #21 by Chocobozzz

Not sure if patches are applied to docker installation?
I have followed these steps:

Tried with PEERTUBE_WEBSERVER_HOSTNAME=IP and domain
http / https on nginx proxy manager.

Same results as before. Invalid client, the error "Cannot retrieve OAuth Client credentials: Getting client tokens for host feditubo.yt is forbidden. Ensure you have correctly configured PeerTube (config/ directory), in particular the "webserver" section.", and E502 if https on nginx proxy manager.
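
A check for the hostname mismatch discussed in this thread, as an added example that is not part of the original posts or of PeerTube's code: it parses a `.env` like the one posted above and compares the scheme, hostname and port declared by the `PEERTUBE_WEBSERVER_*` keys with the URL typed into the browser. The function names, the fallback defaults and the sample values (192.0.2.10 is a documentation address standing in for "ip") are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the .env posted above (placeholder values).
SAMPLE_ENV = """\
# PeerTube server configuration
PEERTUBE_WEBSERVER_HOSTNAME=mydomain
PEERTUBE_WEBSERVER_PORT=9000
PEERTUBE_WEBSERVER_HTTPS=true
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def configured_origin(env):
    """Return (scheme, host, port) as declared by the PEERTUBE_WEBSERVER_* keys."""
    # Assumptions of this example: HTTPS unset means true, and an unset port
    # means the scheme's default port.
    https = env.get("PEERTUBE_WEBSERVER_HTTPS", "true").lower() == "true"
    port = int(env.get("PEERTUBE_WEBSERVER_PORT") or (443 if https else 80))
    return ("https" if https else "http",
            env["PEERTUBE_WEBSERVER_HOSTNAME"].lower(), port)

def origin_mismatches(env, browser_url):
    """List (field, configured, seen) for each part of the URL that differs."""
    url = urlsplit(browser_url)
    seen = (url.scheme, url.hostname or "",
            url.port or (443 if url.scheme == "https" else 80))
    fields = ("scheme", "hostname", "port")
    return [(f, c, s) for f, c, s in zip(fields, configured_origin(env), seen)
            if c != s]

if __name__ == "__main__":
    for url in ("http://192.0.2.10:9000/login", "https://mydomain:9000/login"):
        issues = origin_mismatches(parse_env(SAMPLE_ENV), url)
        print(url, "->", issues or "matches the configured origin")
```
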