Error looking up DNS TXT records for host 'localhost': queryTxt ENOTFOUND


ash...@asheesh.org

Aug 5, 2014, 12:08:27 AM8/5/14
to sandst...@googlegroups.com
Hi Sandstorm folks,

Sorry to be asking a user support question here. I didn't see a non-dev email list. If we should close the thread, just let me know.


I just attempted to do a sandstorm install, in a semi-unusual configuration: I want to have sandstorm bound to localhost, but then use Apache ProxyPass in front to expose it to the world.

When I surf to http://sandstorm.openhatch.org/ I am greeted with:

"Error looking up DNS TXT records for host 'localhost': queryTxt ENOTFOUND"

I couldn't find any info in the log files that would help me get past this.


Links to text files with further detail:

http://linode.openhatch.org/~paulproteus/tmp/sandstorm/

Thanks,

Asheesh.

Kenton Varda

Aug 5, 2014, 12:21:41 AM8/5/14
to Asheesh Laroia, sandst...@googlegroups.com
On Mon, Aug 4, 2014 at 9:08 PM, <ash...@asheesh.org> wrote:
> Hi Sandstorm folks,
>
> Sorry to be asking a user support question here. I didn't see a non-dev email list. If we should close the thread, just let me know.

Nope, this is fine.
 
> I just attempted to do a sandstorm install, in a semi-unusual configuration: I want to have sandstorm bound to localhost, but then use Apache ProxyPass in front to expose it to the world.
>
> When I surf to http://sandstorm.openhatch.org/ I am greeted with:
>
> "Error looking up DNS TXT records for host 'localhost': queryTxt ENOTFOUND"
>
> I couldn't find any info in the log files that would help me get past this.

It looks like you set BASE_URL correctly. Make sure that Apache is actually proxying the Host header, rather than setting it to "localhost:6080". I know that nginx does not proxy the host header by default, so perhaps Apache doesn't either (even though this is clearly the wrong default).

-Kenton

ash...@asheesh.org

Aug 5, 2014, 12:40:13 AM8/5/14
to sandst...@googlegroups.com, ash...@asheesh.org
On Monday, August 4, 2014 9:21:41 PM UTC-7, Kenton Varda wrote:
> Nope, this is fine.

Great, thank you!

> It looks like you set BASE_URL correctly. Make sure that Apache is actually proxying the Host header, rather than setting it to "localhost:6080". I know that nginx does not proxy the host header by default, so perhaps Apache doesn't either (even though this is clearly the wrong default).

Ah hah. I needed:

ProxyPreserveHost On


An install remark: you ask me to change the oauth2callback URL on the Google end. Why? Can't Sandstorm support the default URLs, so that my life is easier?


Now that I have that, I am trying to install MediaGoblin. I run into Sandstorm trying to make a MediaGoblin frame on sandstorm-7000.openhatch.org. But it should be on sandstorm-7000.sandstorm.openhatch.org, based on my config entries:

SERVER_USER=sandstorm
PORT=6080
MONGO_PORT=6081
BIND_IP=127.0.0.1
BASE_URL=https://sandstorm.openhatch.org
WILDCARD_PARENT_URL=https://sandstorm.openhatch.org
MAIL_URL=smtp://localhost:25
UPDATE_CHANNEL=dev


At least, that's what I meant to configure with WILDCARD_PARENT_URL.

Should I have specified something else?

Also, a "lint" (sanity-check) tool in the Sandstorm dashboard would make a world of difference with this.

Regardless, huge thanks for the software and for the unbelievable helpfulness!

-- Asheesh.

Kenton Varda

Aug 5, 2014, 1:22:33 AM8/5/14
to Asheesh Laroia, sandst...@googlegroups.com
On Mon, Aug 4, 2014 at 9:40 PM, <ash...@asheesh.org> wrote:
> An install remark: you ask me to change the oauth2callback URL on the Google end. Why? Can't Sandstorm support the default URLs, so that my life is easier?

Sorry, that's not me, that's Meteor -- we just use their (very good) auth implementation. But I imagine the reasoning for not using the default is that they support half a dozen identity providers with the same code and I bet those providers do not agree on what the default ought to be. Because no one agrees on anything when it comes to OAuth.

Honestly, forcing users to get their own API key is kind of questionable in itself, though I'm not sure if there is a good alternative.
 
> Now that I have that, I am trying to install MediaGoblin. I run into Sandstorm trying to make a MediaGoblin frame on sandstorm-7000.openhatch.org. But it should be on sandstorm-7000.sandstorm.openhatch.org, based on my config entries:

Sorry, this part is in flux. WILDCARD_PARENT_URL was introduced fairly recently, and there's a PR in-flight to switch over to having apps use it. The old method was to add "-7xxx" to the first component of the domain name.

Main thing that is holding up the PR is that I have to obtain proper certificates for *.demo.sandstorm.io and *.alpha.sandstorm.io before I can push a release with the change... and I probably won't have time for that until Thursday as I have a talk to give on Wednesday that I haven't even started writing yet! :/

-Kenton

Asheesh Laroia

Aug 5, 2014, 2:19:12 AM8/5/14
to Kenton Varda, sandst...@googlegroups.com
On Mon, Aug 4, 2014 at 10:22 PM, Kenton Varda <ken...@sandstorm.io> wrote:
> On Mon, Aug 4, 2014 at 9:40 PM, <ash...@asheesh.org> wrote:
> > An install remark: you ask me to change the oauth2callback URL on the Google end. Why? Can't Sandstorm support the default URLs, so that my life is easier?
>
> Sorry, that's not me, that's Meteor -- we just use their (very good) auth implementation. But I imagine the reasoning for not using the default is that they support half a dozen identity providers with the same code and I bet those providers do not agree on what the default ought to be. Because no one agrees on anything when it comes to OAuth.

I see. Maybe I can file a bug in the corresponding Meteor package, in the fullness of time.
 

> Honestly, forcing users to get their own API key is kind of questionable in itself, though I'm not sure if there is a good alternative.
 

Yeah, I think it's about the best you can do. You could temporarily take their Google account password and set this up as part of the Sandstorm app... a little crazy, but hey. git-annex does a similar trick where it asks you for an SSH password to SSH to a remote site, and then sets up limited key auth for itself afterward, and intentionally forgets the password.
 
> > Now that I have that, I am trying to install MediaGoblin. I run into Sandstorm trying to make a MediaGoblin frame on sandstorm-7000.openhatch.org. But it should be on sandstorm-7000.sandstorm.openhatch.org, based on my config entries:
>
> Sorry, this part is in flux. WILDCARD_PARENT_URL was introduced fairly recently, and there's a PR in-flight to switch over to having apps use it. The old method was to add "-7xxx" to the first component of the domain name.

Interesting, okay! Good to know. Always 7000-7999? I could just set up that list to be 1000 CNAME records!
 

> Main thing that is holding up the PR is that I have to obtain proper certificates for *.demo.sandstorm.io and *.alpha.sandstorm.io before I can push a release with the change... and I probably won't have time for that until Thursday as I have a talk to give on Wednesday that I haven't even started writing yet! :/

Are you sure you *need* the proper wildcard certs? I just have CloudFlare terminate my HTTPS, which it then sends on to me. It does insist on sending the request on to me over HTTPS, not HTTP.

When the request arrives at my server, CloudFlare finds my server's self-signed HTTPS lulz. CloudFlare doesn't seem to mind.

"Ta da, a properly set up wildcard cert."


Again, thanks for the quick and very informative reply!

-- Asheesh. 


Kenton Varda

Aug 5, 2014, 4:51:38 AM8/5/14
to Asheesh Laroia, sandst...@googlegroups.com
On Mon, Aug 4, 2014 at 11:19 PM, Asheesh Laroia <ash...@asheesh.org> wrote:
> Interesting, okay! Good to know. Always 7000-7999? I could just set up that list to be 1000 CNAME records!

Yes, in fact, it will only use as many ports as there are apps open at one time. So if you never use more than 10 app instances at once, it will only use 7000-7009.

You actually need to set up your reverse-proxy to map these hostnames to localhost ports. See the nginx example in github.

This will all get a lot easier once we get WILDCARD_PARENT_URL working. (It won't use ports.)
 
> Are you sure you *need* the proper wildcard certs? I just have CloudFlare terminate my HTTPS, which it then sends on to me. It does insist on sending the request on to me over HTTPS, not HTTP.
>
> When the request arrives at my server, CloudFlare finds my server's self-signed HTTPS lulz. CloudFlare doesn't seem to mind.
>
> "Ta da, a properly set up wildcard cert."

Doesn't quite work, for two reasons:
- CloudFlare refuses to proxy wildcards. They'll set up wildcard DNS entries but won't let you enable CDN on them.
- CloudFlare can't proxy WebSockets. A lot of our apps use WebSockets, so they can't run behind a CDN. Sandstorm's frontend also uses a WebSocket, though if you are tricky you can serve the socket off a different hostname from the code and assets, and still CDN the latter.

-Kenton
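The Apache side of the two points raised in this thread (preserving the Host header so Sandstorm sees the real hostname rather than "localhost", and mapping the old sandstorm-7xxx app hostnames to their localhost ports), as an added example that is not from the thread or the Sandstorm repository. It assumes Asheesh's BASE_URL of https://sandstorm.openhatch.org and Sandstorm listening on 127.0.0.1:6080; TLS certificate directives are left out.

```apache
# Added example (not from the thread or the Sandstorm project): an Apache
# 2.4 vhost in front of a Sandstorm bound to 127.0.0.1. Assumes
# BASE_URL=https://sandstorm.openhatch.org, PORT=6080 and the old "-7xxx"
# per-app hostname scheme. Needs mod_proxy, mod_proxy_http,
# mod_proxy_wstunnel and mod_rewrite.
<VirtualHost *:443>
    ServerName sandstorm.openhatch.org
    # The per-app hostnames (sandstorm-7000.openhatch.org, ...) must also
    # reach this vhost, otherwise Apache serves them from the default one.
    ServerAlias sandstorm-7*.openhatch.org

    # Without this, mod_proxy replaces Host with "127.0.0.1:6080" and the
    # backend ends up doing the failing TXT lookup on "localhost" from the
    # first post. With it, the backend is handed the client's Host header
    # verbatim, which is why the ServerName/ServerAlias above are strict.
    ProxyPreserveHost On
    # Never act as an open forward proxy; only the explicit mappings below.
    ProxyRequests Off

    RewriteEngine On
    # Old scheme: sandstorm-7xxx.<domain> -> 127.0.0.1:7xxx. The port is
    # captured from the Host header as %1 and restricted to 7000-7999, so
    # a crafted Host cannot steer the proxy at an arbitrary local port.
    RewriteCond %{HTTP_HOST} ^sandstorm-(7[0-9]{3})\.openhatch\.org(:[0-9]+)?$ [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:%1/$1 [P,L]

    # The Sandstorm front end uses a WebSocket; upgrade requests must be
    # tunnelled rather than proxied as plain HTTP.
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:6080/$1 [P,L]

    # Everything else (the main UI) goes to the Sandstorm front end.
    ProxyPass        / http://127.0.0.1:6080/
    ProxyPassReverse / http://127.0.0.1:6080/
</VirtualHost>
```

Once WILDCARD_PARENT_URL is in use the port-mapping rewrite block becomes unnecessary, since apps are then addressed by subdomain rather than by port.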