Connect client to repository server

Hey everyone,

I'm actually taking my first steps with Kopia and trying to figure out what I'm doing wrong when connecting my first client to the repository server.

My way to go was:

  1. install the repository server with the linux debian way:
    docs/installation/#linux-installation-using-apt-debian-ubuntu

  2. starting the server the first time:

/usr/bin/kopia server start --tls-generate-cert --tls-cert-file /etc/ssl/certs/kopia.cert --tls-key-file /etc/ssl/certs/kopia.key --address 0.0.0.0:51515 --server-username=kopia --server-password='my_secret_$assword' --enable-actions
  3. stopping and starting with my prepared systemd.service:
[Unit]
Description=Kopia Repository Backup Server
After=syslog.target
After=network.target

[Service]
User=root
Type=simple
ExecStart=/usr/bin/kopia server start --tls-cert-file /etc/ssl/certs/kopia.cert --tls-key-file /etc/ssl/certs/kopia.key --address 0.0.0.0:51515 --server-username=kopia --server-password='my_secret_$assword' --enable-actions
ExecStop=/usr/bin/kopia server shutdown
RemainAfterExit=true
StandardOutput=journal
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
  4. creating an nginx reverse proxy for https://kopia.domain.tld -> https://my.kopia.srv.ip:51515 with Let's Encrypt certificate

  5. creating a repository: (the path is a mounted storage pool)

kopia repository create filesystem --path=/opt/kopia/repository
  6. checking the UI with the user from the start command:
    works

  7. creating a new user for the client:

kopia server user add root@testclient --user-password='my_super_secret_client_$assword'
  8. trying to connect the user to the repository server:
kopia repository connect server --url=https://kopia.domain.tld

Connecting to server 'https://kopia.domain.tld' as 'root@testclient'...
Enter password to open repository: 

ERROR failed to open repository: unable to establish session for purpose=: error establishing session: Session(): failed to exit idle mode: dns resolver: missing port after port-separator colon
ERROR error connecting to API server: unable to establish session for purpose=: error establishing session: Session(): failed to exit idle mode: dns resolver: missing port after port-separator colon

(That's not nice - why use a port when using a reverse proxy?)

  9. trying again to connect the client with a port:
kopia repository connect server --url=https://kopia.domain.tld:443

Connecting to server 'https://kopia.domain.tld:443' as 'root@testclient'...
Enter password to open repository:

ERROR failed to open repository: unable to establish session for purpose=: error establishing session: unable to initialize session: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR: EOF
ERROR error connecting to API server: unable to establish session for purpose=: error establishing session: unable to initialize session: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR: EOF

It loads for a long time (about 1-2 minutes?) and then the error comes up. Furthermore, it's not that nice that I need to input the password interactively, because we would like to automate this with Ansible as soon as we have a working way.

Is there someone who would like to give me a hint about what I'm facing here?

Best regards

So I have now tested giving the self-signed certificate for gRPC the kopia.domain.tld name while generating it and checked it with openssl x509 -noout -text -in /etc/ssl/certs/kopia.cert, and the name was added correctly. Then I tried to connect again, but unfortunately I'm now facing failed to verify certificate: x509: certificate signed by unknown authority

Welcome :waving_hand:

Some general notes from me:

Running your service as root is a really bad habit. There is no need for it when using an unprivileged port.

This command won’t do anything as it requires authentication. You can add authentication by using environment variables in your systemd service:

Environment="KOPIA_PASSWORD=repositoryPASSWORD"
Environment="KOPIA_SERVER_ADDRESS=https://[::]:51515"
Environment="KOPIA_SERVER_CERT_FINGERPRINT=yourCERTfingerprint"
Environment="KOPIA_SERVER_CONTROL_PASSWORD=adminPASSWORD"
Environment="KOPIA_SERVER_CONTROL_USER=admin"
Environment="KOPIA_SERVER_PASSWORD=adminPASSWORD"
Environment="KOPIA_SERVER_USERNAME=admin"
ExecStart=kopia server start --address :51515 --tls-cert-file /etc/ssl/certs/kopia.cert --tls-key-file /etc/ssl/certs/kopia.key
ExecReload=kopia server refresh
ExecStop=kopia server shutdown

So the kopia server is working. Great!

Can you connect to the server directly without reverse proxy?

kopia repository connect server --url=https://my.kopia.srv.ip:51515 

You can use the KOPIA_PASSWORD environment variable.

Unfortunately I’ve never used Kopia with a reverse proxy so can’t help you with that. But this issue indicates that it is possible:

Thanks for that, it helped a lot to get the start/stop command smaller and working.

Yep, that worked after I used the fingerprint; before, it reported that it is an unknown authority.

As we discussed internally, we will stay with that, because we will use the reverse proxy just for access from our roadwarrior VPN clients to the UI - we will use the internal address (my.kopia.srv.ip:51515) for the clients to connect, so we don't need to rely on a working DNS.

So I actually had a successful run creating a snapshot from the client with:

kopia repository connect server --url=https://my.kopia.srv.ip:51515 --server-cert-fingerprint MYWONDERFULFINGERPRINT

Glad you got it working! :slightly_smiling_face:

Unfortunately I didn't… I thought I got it, so I started to test my first playbook (yeah, it's dirty, the first version is just to get the right steps in the right order).

---
- name: Install Kopia and configure server
  hosts: all
  become: true
  tasks:

    - name: Add Kopia GPG key
      ansible.builtin.shell: |
        curl -s https://kopia.io/signing-key | sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/kopia-keyring.gpg

    - name: Add Kopia sources
      ansible.builtin.template:
        src: kopia.sources.j2
        dest: /etc/apt/sources.list.d/kopia.list
        mode: '0644'
      tags:
        - kopia

    - name: Update apt package list
      ansible.builtin.apt:
        update_cache: yes
        cache_valid_time: 10
      tags:
        - kopia

    - name: Install Kopia
      ansible.builtin.apt:
        name: kopia
        state: present
      tags:
        - kopia

    - name: Get client hostname
      ansible.builtin.set_fact:
        client_hostname: "{{ ansible_hostname }}"

    - name: Delegate to the Kopia server to add user
      delegate_to: "{{ kopia_server }}"
      ansible.builtin.command:
        cmd: "kopia server user add root@{{ client_hostname }} --user-password='lalala123'"
      tags:
        - kopia


    - name: Refresh users
      delegate_to: "{{ kopia_server }}"
      ansible.builtin.shell: |
        kopia server refresh --address=https://kopia.domain.lan:51515 --server-cert-fingerprint 8997392FAE6A276F1169D920178D23BD3F6CB38D54BDE313B5FF5C9A23C4ED65 --server-control-username=kopia --server-control-password='lalala123'


    - name: Connect to Kopia repository
      ansible.builtin.shell: |
        export KOPIA_PASSWORD='lalala123'
        kopia repository connect server --url=https://kopia.domain.lan:51515 --server-cert-fingerprint MYWONDERFULFINGERPRINT
      tags:
        - kopia

The connection of the client fails with:

ERROR failed to open repository: unable to establish session for purpose=: 
error establishing session: unable to initialize session: 
rpc error: code = PermissionDenied desc = access denied for root@dev: EOF

ERROR error connecting to API server: unable to establish session for purpose=: 
error establishing session: unable to initialize session: 
rpc error: code = PermissionDenied desc = access denied for root@dev: EOF

Can you see any issue in the order of the commands?

And yeah… I will change it to another user soon^^ …

Can’t spot any obvious mistakes but you should make sure you are using the same user on the server and the client. Replace root@{{ client_hostname }} with a static value and use the same value on the host. You can use --override-username=root --override-hostname=dev to override settings when connecting to the client.

Edit: Make sure to lowercase username@hostname and remove any domain parts.
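
The advice in this reply as a single play, as an added example that is not part of any post in the thread: the client identity and the client password are each defined once and reused on the server and on the client, and the client receives the password through KOPIA_PASSWORD instead of an inline export. The variables kopia_server_url, kopia_cert_fingerprint, vault_kopia_client_password and vault_kopia_control_password are assumptions; the flags and environment variable names are the ones already used in the thread.

```yaml
# Added example, not from the thread. Assumed variables: kopia_server,
# kopia_server_url, kopia_cert_fingerprint, and the Ansible Vault values
# vault_kopia_client_password and vault_kopia_control_password.
- name: Register and connect a Kopia client
  hosts: all
  become: true
  vars:
    # Defined once and reused on both sides: lowercase, no domain part.
    kopia_user: root
    kopia_host: "{{ ansible_hostname | lower }}"
  tasks:
    - name: Add the client user on the repository server
      delegate_to: "{{ kopia_server }}"
      ansible.builtin.command:
        argv:
          - kopia
          - server
          - user
          - add
          - "{{ kopia_user }}@{{ kopia_host }}"
          - "--user-password={{ vault_kopia_client_password }}"
      no_log: true  # keep the password out of Ansible output

    - name: Make the running server reload its user list
      delegate_to: "{{ kopia_server }}"
      ansible.builtin.command:
        argv: [kopia, server, refresh]
      environment:  # variable names as given in the reply earlier in the thread
        KOPIA_SERVER_ADDRESS: "{{ kopia_server_url }}"
        KOPIA_SERVER_CERT_FINGERPRINT: "{{ kopia_cert_fingerprint }}"
        KOPIA_SERVER_CONTROL_USER: kopia
        KOPIA_SERVER_CONTROL_PASSWORD: "{{ vault_kopia_control_password }}"
      no_log: true

    - name: Connect the client with the same identity and password
      ansible.builtin.command:
        argv:
          - kopia
          - repository
          - connect
          - server
          - "--url={{ kopia_server_url }}"
          - "--server-cert-fingerprint={{ kopia_cert_fingerprint }}"
          - "--override-username={{ kopia_user }}"
          - "--override-hostname={{ kopia_host }}"
      environment:
        KOPIA_PASSWORD: "{{ vault_kopia_client_password }}"
      no_log: true
```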

So in the current case I'm creating a new user for that new client on the repository server, which in this case results in root@dev (yeah, lowercase, no TLD part) - I've checked that the user exists. Then I refresh the server so the users get loaded, because I have read somewhere that otherwise this can take up to 5 minutes. After that I try to connect to the repository from the client, where the access denied issue appears.

I've tested again this morning, after this user has now existed for nearly 16 hours. Still the same…

//edit…seems like it was a typo in the password…

Happens to the best. I’ve already wasted days or weeks of my lifetime because of typos and oversights! :joy: