Relay docker container error "TLS config is required for QUIC listener" when upgrading to 0.36.1 from 0.35.2 #1555

Closed
opened 2025-11-20 05:32:44 -05:00 by saavagebueno · 5 comments

Originally created by @Christopher87R on GitHub (Jan 17, 2025).

Describe the problem

The Docker container is continuously restarted. The corresponding log outputs:

```
2025-01-17T08:20:52Z INFO relay/cmd/root.go:124: running metrics server: :9090/metrics
2025-01-17T08:20:52Z INFO relay/cmd/root.go:149: server will be available on: rel://netbird.xxxxx.me:33080
2025-01-17T08:20:52Z FATL relay/cmd/root.go:152: failed to bind server: valid TLS config is required for QUIC listener
2025-01-17T08:20:52Z INFO relay/cmd/root.go:149: server will be available on: rel://netbird.xxxxx.me:33080
```

To Reproduce
Upgraded from 0.35.2 to 0.36.1 - everything else is working. With version 0.35.2 I have no issues.

saavagebueno added the triage-needed label 2025-11-20 05:32:44 -05:00

@HekSahiti commented on GitHub (Jan 17, 2025):

Same problem here, upgraded to 0.36.0.

UPDATE: Also tried 0.36.1, same issue


@coldwlan commented on GitHub (Jan 17, 2025):

Deploying the NetBird server: the relay component doesn't work. The container logs report the error: failed to bind server: valid TLS config is required for QUIC listener

Also tried 0.35.2, same issue.

```
2025-01-17T08:25:00Z INFO relay/cmd/root.go:124: running metrics server: :9090/metrics
2025-01-17T08:25:00Z INFO relay/cmd/root.go:149: server will be available on: rel://netbird.selfhostdomain.xyz:33080
2025-01-17T08:25:00Z FATL relay/cmd/root.go:152: failed to bind server: valid TLS config is required for QUIC listener
```


```
version: "3.4"
services:
  # Caddy reverse proxy
  # caddy:
  #   image: caddy
  #   restart: unless-stopped
  #   networks: [ netbird ]
  #   ports:
  #     - '443:443'
  #     - '443:443/udp'
  #     - '80:80'
  #     - '8080:8080'
  #   volumes:
  #     - netbird_caddy_data:/data
  #     - /home/docker-compose/netbird/Caddyfile:/etc/caddy/Caddyfile
  #   logging:
  #     driver: "json-file"
  #     options:
  #       max-size: "500m"
  #       max-file: "2"
  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    networks: [netbird]
    ports:
      - '8011:80'
    # env_file:
    #   - /home/docker-compose/netbird/dashboard.env
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.selfhostdomain.xyz
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.selfhostdomain.xyz
      # OIDC
      - AUTH_AUDIENCE=301373031794671620
      - AUTH_CLIENT_ID=301373031794671620
      - AUTH_AUTHORITY=https://netbird.selfhostdomain.xyz
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access
      - AUTH_REDIRECT_URI=/nb-auth
      - AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=none
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    networks: [netbird]
    ports:
      - '10000:10000'
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    networks: [netbird]
    # env_file:
    #   - /home/docker-compose/netbird/relay.env
    ports:
      - '33080:33080'
    environment:
      - NB_LOG_LEVEL=info
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=rel://netbird.selfhostdomain.xyz:33080
      - NB_AUTH_SECRET=J1JalNtzoPrvb5LKd1nSgzaFCM0TGGPboi6CcRc9Ad8
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    networks: [netbird]
    ports:
      - '8012:80'
    volumes:
      - netbird_management:/var/lib/netbird
      - /home/docker-compose/netbird/management.json:/etc/netbird/management.json
    command: [
      "--port", "80",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.selfhosted",
      "--dns-domain=netbird.selfhosted",
      "--idp-sign-key-refresh-enabled",
    ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Coturn, AKA relay server
  coturn:
    image: coturn/coturn
    restart: unless-stopped
    #domainname: netbird.relay.selfhosted
    volumes:
      - /home/docker-compose/netbird/turnserver.conf:/etc/turnserver.conf:ro
      # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
      # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Zitadel - identity provider
  zitadel:
    restart: 'always'
    networks: [netbird]
    ports:
      - '8080:8080'
    image: 'ghcr.io/zitadel/zitadel:v2.64.1'
    command: 'start-from-init --masterkeyFromEnv --tlsMode external'
    # env_file:
    #   - /home/docker-compose/netbird/zitadel.env
    environment:
      - ZITADEL_LOG_LEVEL=debug
      - ZITADEL_MASTERKEY=+kNxvUYQ77V6cUIAumuPHnDAdLUkg5vU
      - ZITADEL_EXTERNALSECURE=true
      - ZITADEL_TLS_ENABLED="false"
      - ZITADEL_EXTERNALPORT=443
      - ZITADEL_EXTERNALDOMAIN=netbird.selfhostdomain.xyz
      - ZITADEL_FIRSTINSTANCE_PATPATH=/machinekey/zitadel-admin-sa.token
      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa
      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin
      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_SCOPES=openid
      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE=2025-01-06T02:21:16Z
      - ZITADEL_DATABASE_POSTGRES_HOST=zdb
      - ZITADEL_DATABASE_POSTGRES_PORT=5432
      - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
      - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel
      - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=J5AFUdsbRhLdZgu82JnzSOx6UcH5dPztvFTI5PcKgYw@
      - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
      - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
      - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=UGP2EYA/gopBBGtAmzN7tkuI3kQqxXTidqz4713WS54@
      - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
    depends_on:
      zdb:
        condition: 'service_healthy'
    volumes:
      - /home/docker-compose/netbird/machinekey:/machinekey
      - netbird_zitadel_certs:/zdb-certs:ro
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Postgres for Zitadel
  zdb:
    restart: 'always'
    networks: [netbird]
    image: 'postgres:16-alpine'
    # env_file:
    #   - /home/docker-compose/netbird/zdb.env
    environment:
      - POSTGRES_USER=root
      - POSTGRES_PASSWORD=UGP2EYA/gopBBGtAmzN7tkuI3kQqxXTidqz4713WS54@
    volumes:
      - netbird_zdb_data:/var/lib/postgresql/data:rw
    healthcheck:
      test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
      interval: 5s
      timeout: 60s
      retries: 10
      start_period: 5s
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird_zdb_data:
  netbird_management:
  # netbird_caddy_data:
  netbird_zitadel_certs:

networks:
  netbird:
```


@lixmal commented on GitHub (Jan 17, 2025):

Fixed via https://github.com/netbirdio/netbird/pull/3202


@samroweemployinc commented on GitHub (Jan 17, 2025):

@mlsmaycon Is there a plan to document how to enable certificates for QUIC?


@samroweemployinc commented on GitHub (Feb 18, 2025):

Sorry, my previous comment was meant for @lixmal
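
The fatal error in this thread is raised when a QUIC listener is bound without a TLS configuration; QUIC has no plaintext mode. As an added example (not NetBird's code and not the change in the linked PR), here is one way a relay-style server can choose its listeners at startup without crashing and without silently downgrading a TLS address. The function names, the listener labels `ws`/`wss`/`quic`, the `rels://` scheme and the `relay.example` host are assumptions of this sketch.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// hasServerCert reports whether cfg can present a certificate to clients.
func hasServerCert(cfg *tls.Config) bool {
	return cfg != nil && (len(cfg.Certificates) > 0 || cfg.GetCertificate != nil)
}

// planListeners decides which transports a relay-style server should bind.
// exposed is the advertised address, e.g. "rel://host:33080" as in the thread;
// "rels://" as the TLS variant of the scheme is an assumption of this sketch.
func planListeners(exposed string, cfg *tls.Config) ([]string, error) {
	secure := strings.HasPrefix(exposed, "rels://")
	if !secure && !strings.HasPrefix(exposed, "rel://") {
		return nil, fmt.Errorf("unsupported scheme in %q", exposed)
	}
	if !hasServerCert(cfg) {
		if secure {
			// Never downgrade silently: a TLS address without a certificate is fatal.
			return nil, errors.New("exposed address is rels:// but no TLS certificate is configured")
		}
		// QUIC always runs over TLS 1.3, so skip it and keep the plain WebSocket listener.
		return []string{"ws"}, nil
	}
	if !secure { // a certificate is loaded but clients are told to use plaintext
		return nil, errors.New("TLS is configured but exposed address is rel://")
	}
	return []string{"wss", "quic"}, nil
}

func main() {
	// Constructed inputs; the callback stands in for a real certificate source.
	withCert := &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		return nil, errors.New("placeholder: no real certificate in this example")
	}}
	for _, c := range []struct {
		addr string
		cfg  *tls.Config
	}{{"rel://relay.example:33080", nil}, {"rels://relay.example:443", nil}, {"rels://relay.example:443", withCert}} {
		l, err := planListeners(c.addr, c.cfg)
		fmt.Printf("%-28s listeners=%v err=%v\n", c.addr, l, err)
	}
}
```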

Reference: SVI/netbird#1555