netbird up with setup-key does not work, always getting strange error message when connecting to api.netbird.io #1910

Closed
opened 2025-11-20 06:09:04 -05:00 by saavagebueno · 4 comments
Owner

Originally created by @seehma on GitHub (May 21, 2025).

Netbird client was working well for a few months, it even survived an update to newest Ubuntu LTS on our VHoster. Suddenly yesterday the connection (it was monitored) was gone and when i tried to reconnect it did not work.

To Reproduce

Steps to reproduce the behavior:

  1. First i tried to do netbird status but got the error
    Error: status failed: failed while getting Management Service public key: failed while getting Management Service public key
  2. Next i stopped service via sudo systemctl stop netbird and moved config.json file to config.json.old and restarted service.
  3. now when i do netbird status -d i get
Daemon status: NeedsLogin

Run UP command to log in with SSO (interactive login):

 netbird up

If you are running a self-hosted version and no SSO provider has been configured in your Management Server,
you can use a setup-key:

 netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>

More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys
  1. when i want to establish the connection via netbird up --setup-key it always says
    2025-05-21T19:10:12Z WARN client/cmd/root.go:260: retrying Login to the Management service in 1.357225517s due to error rpc error: code = Unknown desc = failed while getting Management Service public key
    about 6 times and then finally i get the message
    Error: login backoff cycle failed: rpc error: code = Unknown desc = failed while getting Management Service public key

  2. i tried to connect via curl to api.netbird.io and i get the following error

curl -v https://api.netbird.io
* Host api.netbird.io:443 was resolved.
* IPv6: 2600:1901:0:adb3::
* IPv4: 35.186.199.111
*   Trying [2600:1901:0:adb3::]:443...
* Connected to api.netbird.io (2600:1901:0:adb3::) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=api.netbird.io
*  start date: May  5 19:20:39 2025 GMT
*  expire date: Aug  3 19:20:38 2025 GMT
*  subjectAltName: host "api.netbird.io" matched cert's "api.netbird.io"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://api.netbird.io/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: api.netbird.io]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: api.netbird.io
> User-Agent: curl/8.5.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 403
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 295
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/</code> from this server.</h2>
<h2></h2>
</body></html>
* Connection #0 to host api.netbird.io left intact

Iam using netbird cloud and i tried 0.43.3 and also 0.45.0
There is no any other vpn installed.
netbird status -dA always says LoginFailed but all other clients are working well.

Daemon status: LoginFailed

Run UP command to log in with SSO (interactive login):

 netbird up

If you are running a self-hosted version and no SSO provider has been configured in your Management Server,
you can use a setup-key:

 netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>

More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys

Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings and did not change it for some months or so
Originally created by @seehma on GitHub (May 21, 2025). Netbird client was working well for a few months, it even survived an update to newest Ubuntu LTS on our VHoster. Suddenly yesterday the connection (it was monitored) was gone and when i tried to reconnect it did not work. **To Reproduce** Steps to reproduce the behavior: 1. First i tried to do netbird status but got the error Error: status failed: failed while getting Management Service public key: failed while getting Management Service public key 2. Next i stopped service via sudo systemctl stop netbird and moved config.json file to config.json.old and restarted service. 3. now when i do netbird status -d i get ``` Daemon status: NeedsLogin Run UP command to log in with SSO (interactive login): netbird up If you are running a self-hosted version and no SSO provider has been configured in your Management Server, you can use a setup-key: netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY> More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys ``` 4. when i want to establish the connection via netbird up --setup-key <myfreshkey> it always says 2025-05-21T19:10:12Z WARN client/cmd/root.go:260: retrying Login to the Management service in 1.357225517s due to error rpc error: code = Unknown desc = failed while getting Management Service public key about 6 times and then finally i get the message Error: login backoff cycle failed: rpc error: code = Unknown desc = failed while getting Management Service public key 6. i tried to connect via curl to api.netbird.io and i get the following error ``` curl -v https://api.netbird.io * Host api.netbird.io:443 was resolved. * IPv6: 2600:1901:0:adb3:: * IPv4: 35.186.199.111 * Trying [2600:1901:0:adb3::]:443... * Connected to api.netbird.io (2600:1901:0:adb3::) port 443 * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS * ALPN: server accepted h2 * Server certificate: * subject: CN=api.netbird.io * start date: May 5 19:20:39 2025 GMT * expire date: Aug 3 19:20:38 2025 GMT * subjectAltName: host "api.netbird.io" matched cert's "api.netbird.io" * issuer: C=US; O=Let's Encrypt; CN=R10 * SSL certificate verify ok. * Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption * Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption * Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption * using HTTP/2 * [HTTP/2] [1] OPENED stream for https://api.netbird.io/ * [HTTP/2] [1] [:method: GET] * [HTTP/2] [1] [:scheme: https] * [HTTP/2] [1] [:authority: api.netbird.io] * [HTTP/2] [1] [:path: /] * [HTTP/2] [1] [user-agent: curl/8.5.0] * [HTTP/2] [1] [accept: */*] > GET / HTTP/2 > Host: api.netbird.io > User-Agent: curl/8.5.0 > Accept: */* > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing < HTTP/2 403 < content-type: text/html; charset=UTF-8 < referrer-policy: no-referrer < content-length: 295 < alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 < <html><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <title>403 Forbidden</title> </head> <body text=#000000 bgcolor=#ffffff> <h1>Error: Forbidden</h1> <h2>Your client does not have permission to get URL <code>/</code> from this server.</h2> <h2></h2> </body></html> * Connection #0 to host api.netbird.io left intact ``` Iam using netbird cloud and i tried 0.43.3 and also 0.45.0 There is no any other vpn installed. netbird status -dA always says LoginFailed but all other clients are working well. ``` Daemon status: LoginFailed Run UP command to log in with SSO (interactive login): netbird up If you are running a self-hosted version and no SSO provider has been configured in your Management Server, you can use a setup-key: netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY> More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys ``` **Have you tried these troubleshooting steps?** - [x] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable) - [x] Checked for newer NetBird versions - [x] Searched for similar issues on GitHub (including closed ones) - [x] Restarted the NetBird client - [x] Disabled other VPN software - [x] Checked firewall settings and did not change it for some months or so
saavagebueno added the waiting-feedbacktriage-needed labels 2025-11-20 06:09:04 -05:00
Author
Owner

@nazarewk commented on GitHub (Jun 5, 2025):

@seehma is this still an issue for you?

If it's still the case, could you upload the debug bundle and submit the resulting key here?

@nazarewk commented on GitHub (Jun 5, 2025): @seehma is this still an issue for you? If it's still the case, could you [upload the debug bundle](https://docs.netbird.io/how-to/troubleshooting-client#debug-bundle-uploads) and submit the resulting key here?
Author
Owner

@seehma commented on GitHub (Jun 5, 2025):

Hi, could not fix it, had to change my server to a different hoster. Someone on Slack said that google might have blocked the IP of my previous server and this was the reason for this strange behavior.
Regards

@seehma commented on GitHub (Jun 5, 2025): Hi, could not fix it, had to change my server to a different hoster. Someone on Slack said that google might have blocked the IP of my previous server and this was the reason for this strange behavior. Regards
Author
Owner

@SuperKali commented on GitHub (Nov 19, 2025):

@nazarewk Hi, actually i have the same issue in a VPS:

Upload file key:
f79e391890ab27fb37c88b3b4be7011e22aa2e5ca6f38ffa9c4481884941f726/f3a731db-ff41-43dd-a529-c89ae3c8da85

@SuperKali commented on GitHub (Nov 19, 2025): @nazarewk Hi, actually i have the same issue in a VPS: Upload file key: f79e391890ab27fb37c88b3b4be7011e22aa2e5ca6f38ffa9c4481884941f726/f3a731db-ff41-43dd-a529-c89ae3c8da85
Author
Owner

@SuperKali commented on GitHub (Nov 19, 2025):

nevermind, ipv6 issue, asked to provider to check

@SuperKali commented on GitHub (Nov 19, 2025): nevermind, ipv6 issue, asked to provider to check
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#1910