Première connnexion root

enjoliveur · Septembre 23, 2022, 1:02

J’ai réinitialisé le mot de passe avec reset-passwordjs car le mdp indiqué dans le peertube.log ne fonctionnait pas.
La mise à jour semble avoir fonctionné mais je n’arrive toujours pas à me connecter.
Invalid client: client is invalid
et une trace dans peertube.log:
{« err »:{« statusCode »:400,« status »:400,« code »:400,« message »:« Invalid client: client is invalid »,« name »:« invalid_client »,« stack »:« invalid_client: Invalid client: client is invalid\n at new InvalidClientError (/var/www/peertube/versions/peertube-v4.3.0/node_modules/@node-oauth/oauth2-server/lib/errors/invalid-client-error.js:25:14)\n at /var/www/peertube/versions/peertube-v4.3.0/dist/server/lib/auth/oauth.js:32:19\n at Generator.next ()\n at fulfilled (/var/www/peertube/versions/peertube-v4.3.0/node_modules/tslib/tslib.js:115:62)\n at runMicrotasks ()\n at processTicksAndRejections (node:internal/process/task_queues:96:5) »},« level »:« warn »,« message »:« Login error »,« label »:« int.peertube.lala.com:443 »,« timestamp »:« 2022-09-23T12:47:32.674Z »}
Dans la base de données , j’ai un actor root avec id 1
Dansla table oAuthClient j’ai root avec id 2
peertubeDB=> select id, « preferredUsername » from actor;
id | preferredUsername
----±------------------
2 | root
1 | peertube
3 | root_channel
(3 rows)
Est-ce possible que l’erreur vienne de là?

Merci

Chocobozzz · Septembre 23, 2022, 1:40

Bonjour,

Non je pense que c’est un soucis de configuration de l’instance.

Pouvez-vous afficher la configuration de la clé webserver?PeerTube/production.yaml.example at develop · Chocobozzz/PeerTube · GitHub

enjoliveur · Septembre 23, 2022, 2:07

J’ai ceci:

webserver:
  https: true
  hostname: int.peertube.css.com
  port: 443

Chocobozzz · Septembre 23, 2022, 2:19

Et la configuration nginx de votre instance peertube ?

JohnLivingston · Septembre 23, 2022, 4:43

Ce domaine vous appartient-il ? Le DNS est-il correctement configuré ?

Dans les premiers logs, ça parle de int.peertube.lala.com. Dans votre conf on a un autre domaine : int.peertube.css.com.
Avez-vous changé le domaine après le premier démarrage ?

Le domaine doit être choisi avant le premier démarrage, et ne doit pas être changé (voir la doc). De plus, il faut que sa configuration DNS soit correcte.

enjoliveur · Septembre 26, 2022, 7:24

Merci pour vos aides
Le domain est interne et je l’avais filtré initialement filtré puis j’ai réinstallé le tout
Le fichier /etc/apache2/sites-available/peertube:

# Minimum Nginx version required:  1.13.0 (released Apr 25, 2017)
# Please check your Nginx installation features the following modules via 'nginx -V':
# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
# THIRD PARTY MODULES:   None.

server {
  listen 80;
  listen [::]:80;
  server_name int.peertube.css.com;

  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/certbot;
  }
  location / { return 301 https://$host$request_uri; }
}

upstream backend {
  server 127.0.0.1:9000;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name int.peertube.css.com;

  access_log /var/log/apache2/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
  error_log  /var/log/apache2/peertube.error.log;

  ##
  # Certificates
  # you need a certificate to run in production. see https://letsencrypt.org/
  ##
  ssl_certificate     /etc/letsencrypt/live/int.peertube.css.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/int.peertube.css.com/privkey.pem;

  location ^~ '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/certbot;
  }

  ##
  # Security hardening (as of Nov 15, 2020)
  # based on Mozilla Guideline v5.6
  ##

  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
  ssl_session_timeout       1d; # defaults to 5m
  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
  ssl_session_tickets       off;
  ssl_stapling              on;
  ssl_stapling_verify       on;
  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

  ##
  # Application
  ##

  location @api {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;

    client_max_body_size  100k; # default is 1M

    proxy_connect_timeout 10m;
    proxy_send_timeout    10m;
    proxy_read_timeout    10m;
    send_timeout          10m;

    proxy_pass http://backend;
  }

  location / {
    try_files /dev/null @api;
  }

  location = /api/v1/videos/upload-resumable {
    client_max_body_size    0;
    proxy_request_buffering off;

    try_files /dev/null @api;
  }

  location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
    limit_except POST HEAD { deny all; }

    # This is the maximum upload size, which roughly matches the maximum size of a video file.
    # Note that temporary space is needed equal to the total size of all concurrent uploads.
    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
    # on a dedicated filesystem.
    client_max_body_size                      12G; # default is 1M
    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)

    try_files /dev/null @api;
  }

  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
    client_max_body_size                      6M; # default is 1M
    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)

    try_files /dev/null @api;
  }

  ##
  # Websocket
  ##

  location @api_websocket {
    proxy_http_version 1.1;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host            $host;
    proxy_set_header   X-Real-IP       $remote_addr;
    proxy_set_header   Upgrade         $http_upgrade;
    proxy_set_header   Connection      "upgrade";

    proxy_pass http://backend;
  }

  location /socket.io {
    try_files /dev/null @api_websocket;
  }

  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before then
    proxy_read_timeout 15m; # default is 60s

    try_files /dev/null @api_websocket;
  }

  ##
  # Performance optimizations
  # For extra performance please refer to https://github.com/denji/nginx-tuning
  ##

  root /var/www/peertube/storage;

  # Enable compression for JS/CSS/HTML, for improved client load times.
  # It might be nice to compress JSON/XML as returned by the API, but
  # leaving that out to protect against potential BREACH attack.
  gzip              on;
  gzip_vary         on;
  gzip_types        # text/html is always compressed by HttpGzipModule
                    text/css
                    application/javascript
                    font/truetype
                    font/opentype
                    application/vnd.ms-fontobject
                    image/svg+xml;
  gzip_min_length   1000; # default is 20 bytes
  gzip_buffers      16 8k;
  gzip_comp_level   2; # default is 1

  client_body_timeout       30s; # default is 60
  client_header_timeout     10s; # default is 60
  send_timeout              10s; # default is 60
  keepalive_timeout         10s; # default is 75
  resolver_timeout          10s; # default is 30
  reset_timedout_connection on;
  proxy_ignore_client_abort on;

  tcp_nopush                on; # send headers in one piece
  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time

  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
  #client_body_temp_path /var/www/peertube/storage/nginx/;

  # Bypass PeerTube for performance reasons. Optional.
  # Should be consistent with client-overrides assets list in /server/controllers/client.ts
  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ {
    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year

    root /var/www/peertube;

    try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
  }

  # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year

    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }

  # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/static/(thumbnails|avatars)/ {
    if ($request_method = 'OPTIONS') {
      add_header Access-Control-Allow-Origin  '*';
      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
      add_header Content-Type                 'text/plain charset=UTF-8';
      add_header Content-Length               0;
      return 204;
    }

    add_header Access-Control-Allow-Origin    '*';
    add_header Access-Control-Allow-Methods   'GET, OPTIONS';
    add_header Access-Control-Allow-Headers   'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    add_header Cache-Control                  "public, max-age=7200"; # Cache response 2 hours

    rewrite ^/static/(.*)$ /$1 break;

    try_files $uri @api;
  }

  # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
    limit_rate_after            5M;

    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
    set $peertube_limit_rate    800k;

    # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
    if ($request_uri ~ -fragmented.mp4$) {
      set $peertube_limit_rate  5M;
    }

    # Use this line with nginx >= 1.17.0
    #limit_rate $peertube_limit_rate;
    # Or this line if your nginx < 1.17.0
    set $limit_rate $peertube_limit_rate;

    if ($request_method = 'OPTIONS') {
      add_header Access-Control-Allow-Origin  '*';
      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
      add_header Content-Type                 'text/plain charset=UTF-8';
      add_header Content-Length               0;
      return 204;
    }

    if ($request_method = 'GET') {
      add_header Access-Control-Allow-Origin  '*';
      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

      # Don't spam access log file with byte range requests
      access_log off;
    }

    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
    # and enables direct copying data from one file descriptor to another.
    sendfile on;
    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
    aio threads;

    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
    rewrite ^/static/(.*)$         /$1        break;

    try_files $uri @api;
  }
}

enjoliveur · Septembre 26, 2022, 7:40

Petit update:
Ce matin à la première heure j’ai une « Erreur du serveur inconnue »

{"level":"debug","message":"Checking POST - /api/v1/server/logs/client parameters","label":"int.peertube.css.com:443","body":{"message":"Backend returned code 0, errorMessage is: Erreur du serveur inconnue","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","url":"https://int.peertube.css.com/login","level":"error"},"params":{},"query":{},"tags":[],"timestamp":"2022-09-26T07:30:17.203Z"}
{"tags":["client"],"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","url":"https://int.peertube.css.com/login","level":"error","message":"Client log: Backend returned code 0, errorMessage is: Erreur du serveur inconnue","label":"int.peertube.css.com:443","timestamp":"2022-09-26T07:30:17.203Z"}

ensuite ça repart en « Invalid client: client is invalid »

JohnLivingston · Septembre 26, 2022, 9:02

apache2 ?? Ce n’est pas plutôt /etc/nginx/sites-available/peertube ?

Comme indiqué ici:

Le plus simple, s’il n’y a rien sur l’instance, ce serait de supprimer et recréer la base de donnée (et idem pour redis).
Sinon, suivre la documentation ci-dessus et utiliser le script update-hostjs.

JohnLivingston · Septembre 26, 2022, 9:13

Je me permet d’ajouter une remarque: Peertube est une technologie fédérée. Ce n’est pas adapté à l’usage en intranet (sur des domaines non accessibles publiquement).

Il y a aura des fonctionnalités qui ne marcherons pas, ou qui ne marcherons que partiellement.
Et vous risquez également de générer des messages d’erreur sur des serveurs distant, pouvant pousser des admins à perdre du temps à comprendre pourquoi il y a des logs qui parlent de serveurs indisponibles (d’autant plus si vous utilisez des noms de domaines qui semblent plausibles, plutôt que de respecter par ex la RFC 2606.

enjoliveur · Septembre 26, 2022, 9:34

Dear John,

Je ne suis pas sûr comment expliquer mon infra
J’ai installé apache2 comme webserver sur mon serveur, la redirection du port 443 sur 9000 est gérée dans le reverse proxy.
Peertube est bien accessible depuis l’internet.
Mais en effet il va peut être falloir se pencher sur comment faire fonctionner les fonctionnalités fédérées avec le reverse proxy

JohnLivingston · Septembre 26, 2022, 10:22

Le fichier copié est un fichier de configuration nginx. S’il est dans le dossier de configuration d’Apache, ça risque de poser problème un jour.

Via quel domaine ?

Dans tous les cas, l’erreur sur le client_id invalide ressemble aux symptômes en cas de changement ou d’incohérence sur le nom de domaine. Donc: vérifier que toutes les urls sont correctes, et appliquer l’une des 2 solutions que je préconise plus haut.