Connection from AMP-Target to AMP-Controller Error: Unable to validate controller

  • Last Post 10 March 2021
Pedi posted this 06 March 2021

OS Name/Version: Debian 10 64-bit(amd64) fresh install (05.03.2021) with all updates and upgrades

Product Name/Version: AMP Network Standard

Problem Description:

  • We want an AMP-Controller-instance on the first LXC.
  • We want an AMP-Target-instance on the second LXC.

Steps to reproduce:

  1. Install two fresh LXC with debian-10-standard10.5-1amd64
  2. As root or as a sudo user, update your system: apt update && apt full-upgrade
  3. Set the locales with dpkg-reconfigure locales && locale-gen
    • de_DE.UTF-8 UTF-8 -> OK
    • de_DE.UTF-8 -> OK
  4. Install with Quick install AMP
  5. Answer everything with yes
  6. Domain: amp.test.io and E-Mail: ampmail@test.email
  7. Follow Browsersetup 1x AMP-Controller and 1x AMP-Target
  8. AMP-Controller setup successfully completed.
  9. AMP-Target Error Step 3 (Name, AMP-Controller-User-information, domain) picture

AMP-Controller-Instance: picture

Actions taken to resolve so far:

  • Reinstall AMP Controller-Instance and AMP Target-Instance many times
  • Reinstall both LXC with fresh debian-10 System many times
  • Change inside AMP-Controller-instance every setting with domain.tld to amp.test.io
  • Change Auth-Server URL (AMP-Controller settings) between https://amp.test.io, http://amp.test.io:8080/, http://localhost:8080
  • Add new Superuser for some tries
  • Searched every log I found on both systems for information, but I found nothing

Info:

  1. SSL/TLS Inside Browser Green/OK
  2. https://amp.test.io working
  3. http://amp.test.io:8080 working
  4. https://amp.test.io:8080 Not working

Thank you for your help and stay healthy

Mike posted this 06 March 2021

Check the logs for the target just after trying to add it to the controller.

Pedi posted this 07 March 2021

Hi, thank you very much for your fast answer.

Inside ALL uploaded logs, I changed only

  • AMP Instance ID .....
  • Generated new keypair with fingerprint .....
  • Using keypair with fingerprint .....

for upload, nothing else.

Logpath: /home/amp/.ampdata/instances/ADS01/AMP_Logs

AMP-Controller:

AMP-Target:

During CLI: "[....]Go to browser with https://target-amp.test.io [....]" I pressed ctrl+c [after "Unable to validate controller" (Browsersetup)] and went for the logfiles

Time difference between Target-Log1 and Target-Log2 only two seconds.

Thank you :-)

Mike posted this 07 March 2021

What certificate provider are you using for the controller domain? Also is 2FA enabled?

Pedi posted this 08 March 2021

Hi,

I tried with and without. Uploaded logfiles are without 2FA enabled. USER: The first admin-account (admin)

Main Domain: test.io -> no certificate at the moment

For Subdomain-AMP-Controller(amp.test.io) and Subdomain-AMP-Target (target-amp.test.io) with the webbrowser

  • I pressed yes within the AMP-installation script for HTTPS/Let's Encrypt. It works, no SSL/TLS error in Qualys SSL-Checker on both.

My domains redirect directly with A-records to the server ( picture )

Thank you

Mike posted this 08 March 2021

Is test.io the actual domain you own or are you using that as an example?

Pedi posted this 09 March 2021

Hi,

It was an example.

Here, fresh-install:

Thank you

Mike posted this 09 March 2021

Edit the AMPConfig.conf files for both targets so that Monitoring.LogLevel=0 - this will enable debug logging.

Start them up again using su -l amp -c "ampinstmgr startall" and they'll start running through the setup process again.

Immediately before using the option to register the target with the controller, delete the log files so that the new log files only have the section where it's trying to register itself, then (attempt to) perform the registration.

Pedi posted this 09 March 2021

Hi,

AMP-Controller: No Logfile

AMP-Target: Only one line

  • [13:00:20] [ADS:admin Debug] : Testing ADS login details against https://ampt.dontfuckmybusiness.com

Controller Details - picture

Mike posted this 09 March 2021

My assessment then is that the target is failing to communicate with the controller at all as there is no authentication attempt logged. Can you wget the controller URL from the target?

Pedi posted this 09 March 2021

Hi,

Sorry, my output is in German.

Use DeepL to translate, if needed.

Link-wget

Mike posted this 09 March 2021

Ah well that'd be why it's not working then - the certificate is wrong/isn't trusted and doesn't match the hostname, so AMP is rejecting it.

Pedi posted this 10 March 2021

Hi,

Example:

  • Server-Domain: system1.domain.tld
  • LXC-Hostname: ampcontroller.system1.domain.tld
  • AMP-SubDomain: ampcontroller.domain.tld

ampcontroller.domain.tld -> CNAME: ampcontroller.system1.domain.tld -> A: LXC-IP

or

ampcontroller.domain.tld -> A: LXC-IP

Inside the installation script, part "Let's Encrypt Domain": ampcontroller.domain.tld to get a certificate from Let's Encrypt.

Question: To be sure, is this not valid for AMP?
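Mike's diagnosis above names two separate conditions: the certificate is not trusted, and it does not match the hostname. The following is an added example, not part of the thread and not AMP's own code, showing how to test each condition with openssl from the target. The function names are hypothetical, the certificate is a constructed self-signed sample, and the hostnames are the example names from the post above.

```bash
# Live check, run on the target: succeeds only if the controller's certificate
# chains to a trusted CA AND covers the name used in the controller URL.
check_controller_tls() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -verify_hostname "$host" -verify_return_error </dev/null >/dev/null 2>&1
}

# Offline check: does the PEM certificate cover this hostname (SAN, else CN)?
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# Offline check: does the certificate chain to a CA in the system trust store?
cert_is_trusted() {
    openssl verify "$1" >/dev/null 2>&1
}

# Report both conditions on one line so they can be told apart.
diagnose_cert() {
    local pem="$1" host="$2" trusted=no match=no
    cert_is_trusted "$pem" && trusted=yes
    cert_matches_host "$pem" "$host" && match=yes
    echo "trusted=${trusted} hostname_match=${match}"
}

# Constructed sample: a self-signed certificate issued for a single name.
make_sample_cert() {
    local dir="$1" name="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=${name}" -addext "subjectAltName=DNS:${name}" \
        -keyout "${dir}/key.pem" -out "${dir}/cert.pem" >/dev/null 2>&1
}

# Demo: a certificate for the LXC hostname, checked against both names.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" ampcontroller.system1.domain.tld
diagnose_cert "$demo_dir/cert.pem" ampcontroller.system1.domain.tld
diagnose_cert "$demo_dir/cert.pem" ampcontroller.domain.tld
rm -rf "$demo_dir"
```

On a real setup, run check_controller_tls with the exact hostname entered as the controller URL. A non-zero exit means a client that validates certificates will refuse the connection.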
