Roots Discourse

"External IP resolution failed" Problem

Hi,

When I try to provision a remote server I get an external IP resolution failed error. I set this aside for a while because adding ssh_client_ip_lookup: false to my …/all.main.yml file “fixes” it, but my coworkers do not need that addition. Why do I seem to need ssh_client_ip_lookup: false? Also, if I try api.ipify.org via curl, the response is fast, so it doesn’t seem to be an ipify.org timeout.

I see that this poster wondered if it was a Catalina related problem because it went away for him after changing macOS versions. It so happens that I am on Catalina and my coworkers are not.

Any insights are greatly appreciated!

Thanks,

Dan

Here’s a related issue: [SOLUTION] Failed to connect to api.ipify.org at port 443: [Errno 61] Connection refused · Issue #949 · roots/trellis · GitHub

My hunch: there’s some issue/difference with Python’s HTTP library making this request which is why it works fine with curl.

Can you provide the full output you get? There should be error output before our “External IP resolution failed…” message?

The ipify_facts module also takes a validate_certs param. So one quick thing you can try is to set that to false on the task and see if it changes anything.
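To tell a certificate-validation failure apart from a timeout, refused connection or DNS error in Python's own HTTP stack before settling on validate_certs: no, this added diagnostic (not part of the thread or of Trellis) repeats the ipify request with validation on and off. The helper names classify, probe and diagnose and the result labels are assumptions made for this example.

```python
import socket
import ssl
import urllib.error
import urllib.request

URL = "https://api.ipify.org/"  # endpoint from the error output in this thread
CAUSES = (  # exception type -> label (assumed names); first match wins
    (ssl.SSLCertVerificationError, "cert_verification"),
    ((socket.timeout, TimeoutError), "timeout"),
    (ConnectionRefusedError, "refused"),
    (socket.gaierror, "dns"),
)


def classify(exc):
    """Reduce an exception raised by urlopen() to a coarse cause."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    for types, label in CAUSES:
        if isinstance(reason, types):
            return label
    return "other"


def probe(url=URL, verify=True, timeout=10):
    """Fetch url with or without certificate validation; return (cause, detail)."""
    ctx = ssl.create_default_context()
    if not verify:  # diagnostic only: mirrors validate_certs: no
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return "ok", resp.read().decode().strip()
    except Exception as exc:
        return classify(exc), repr(exc)


def diagnose(verified, unverified):
    """Combine the causes of both probes into a pointer for where to look."""
    if verified == "ok":
        return "python_ok"
    if unverified != "ok":
        return "network_path"  # fails either way: DNS, routing, filtering
    return ("trust_store_or_interception" if verified == "cert_verification"
            else "fails_only_with_verification")


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, ssl.get_default_verify_paths())
    v, u = probe(verify=True), probe(verify=False)
    print("verified:", v, "unverified:", u, "->", diagnose(v[0], u[0]))
```

Run it with the same Python interpreter that runs Ansible, since that is the HTTP stack the hunch above is about; the printed CA paths show which trust store that interpreter validates against.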

Hi Scott,

Thanks for the reply! First, adding a parameter to ipify_facts like

ipify_facts:
  validate_certs: no

does prevent the problem, so it seems that validating the cert is an issue, but I do not know why.

Also, I am not running DNSCrypt. There is another error before the “External IP resolution failed”. The full text of both errors is below.

Any ideas on correcting the cert validation?

Thanks!

Dan

Error Output======================

No valid or no response from url https://api.ipify.org/ within 10 seconds

(timeout)

fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": false}

TASK [common : Fail when unable to retrieve SSH client IP] *************************************************************

System info:

Ansible 2.9.10; Darwin

Trellis version (per changelog): “Fix #1277 - Disable PHP CLI memory limit”


External IP resolution failed. Check that your DNS servers are working. Try

to disable DNSCrypt if you are using it.

fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": false}

That output makes sense. The task fails and outputs the error, then Trellis provides a (hopefully) more friendly error message.

I only have two suggestions/questions:

  1. do you have anything different about your networking setup? proxies, VPNs, firewalls, etc. Some of these things could cause that issue.
  2. what Python version? If you aren’t on a newer version like 3.9, maybe try that

Ultimately there’s only so much we can do in Trellis itself. You can get around this problem permanently by setting ssh_client_ip_lookup: false and replacing the last item in this list with your static IP: trellis/security.yml at 45d88096dc92c2b1eeb7e6b898a0c82e9180ffca · roots/trellis · GitHub

ip_whitelist:
  - 127.0.0.0/8
  - 1.2.3.4

Hi Scott,

Thanks again!

I have been wondering about network differences. I have previously turned off the firewall and I am not using a proxy or VPN. I do appreciate your comments on those. I thought they were promising as well.

My Python version is 3.9.5. It wasn’t always and it was something I updated during this process.

Interestingly, ssh_client_ip_lookup: false alone, without white-listing my IP avoids the errors. I had previously done both, but a recent test showed that my IP wasn’t necessary in whatever case I am experiencing.

I may upgrade my OS (because I should anyway) and if that doesn’t help I will discuss turning off cert validation or ssh_client_ip_lookup with my team. We are trying to have a consistent deployment routine for all.

Thanks for your help!

Dan


I literally had the exact same problem, but it only occurred on the (wifi) network at my work, so it must be network/firewall related. We didn’t have any firewalls installed, but maybe something on the router was blocking it?

Anyway, we also fixed it by adding this line to my group_vars/all/main.yml:

ssh_client_ip_lookup: false

But now with new projects we don’t need that fix anymore, so it might have also been related to our macOS or Python version at that time, who knows!

Hi Twansparant,

Thanks for that information! I am on a wireless network as well. I have tried to see a solution in my router configuration, but no luck. The ssh_client_ip_lookup: false does work for me too, but perhaps like your experience, my coworkers don’t need it.

Dan