Pomerium is not working in Docker, Windows 11

What happened?

New Pomerium user, so I’m using the quickstart guide to try out the product. The guide is simple enough, but it is still not working after 2 days of trying. It always returns “DNS_PROBE_FINISHED_NXDOMAIN” when accessing https://verify.localhost.pomerium.io/.

What did you expect to happen?

Successfully access Pomerium to explore the product.

How’d it happen?

Following the quick start guide, no luck.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): 0.22.2
  • Server Operating System/Architecture/Cloud: Windows 11 22631.1825

What’s your config.yaml?

# Paste your configs here
# Be sure to scrub any sensitive values

authenticate_service_url: https://authenticate.localhost.pomerium.io
autocert: true
idp_provider: google
idp_client_id: <censored>
idp_client_secret: <censored>
shared_secret: <random key>
cookie_secret: <random key>

routes:
  - from: https://verify.localhost.pomerium.io
    to: http://localhost:3000
    policy:
      - allow:
          or:
            - email:
                is: <censored>
    pass_identity_headers: true

What did you see in the logs?

# Paste your logs here.
# Be sure to scrub any sensitive values

2023-06-01 11:18:15 proxy-verify-1    | {"level":"info","project-id":"*detect-project-id*","time":"2023-06-01T18:18:15Z","message":"connecting to firestore"}
2023-06-01 11:18:15 proxy-verify-1    | {"level":"error","error":"fetching creds: google: could not find default credentials. See https://cloud.google.com/docs/authentication/external/set-up-adc for more information","time":"2023-06-01T18:18:15Z","message":"failed to create firestore client, falling back to in-memory storage"}
2023-06-01 11:18:15 proxy-verify-1    | {"level":"info","bind-addr":":8000","time":"2023-06-01T18:18:15Z","message":"starting http server"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","service":"all","config":"local","checksum":"fdf067a4e6ce0958","time":"2023-06-01T18:18:15Z","message":"config: updated config"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"envoy_version":"1.25.5+b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f","version":"0.22.2-1685134689+6efd1d6b","time":"2023-06-01T18:18:15Z","message":"cmd/pomerium"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","address":"127.0.0.1:36887","time":"2023-06-01T18:18:15Z","message":"grpc: dialing"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","outbound_port":"36887","databroker_urls":["http://127.0.0.1:5443"],"time":"2023-06-01T18:18:15Z","message":"config: starting databroker config source syncer"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"service":"all","config":"databroker","checksum":"fdf067a4e6ce0958","time":"2023-06-01T18:18:15Z","message":"config: updated config"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","service":"autocert-manager","domain":"authenticate.localhost.pomerium.io","time":"2023-06-01T18:18:15Z","message":"obtaining certificate"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","logger":"maintenance","msg":"started background certificate maintenance","service":"autocert","cache":"0xc0003f0230"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","logger":"obtain","msg":"acquiring lock","service":"autocert","identifier":"authenticate.localhost.pomerium.io"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","logger":"obtain","msg":"lock acquired","service":"autocert","identifier":"authenticate.localhost.pomerium.io"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","logger":"obtain","msg":"obtaining certificate","service":"autocert","identifier":"authenticate.localhost.pomerium.io"}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","msg":"waiting on internal rate limiter","service":"autocert","identifiers":["authenticate.localhost.pomerium.io"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","msg":"done waiting on internal rate limiter","service":"autocert","identifiers":["authenticate.localhost.pomerium.io"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
2023-06-01 11:18:15 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:15Z","logger":"acme_client","msg":"trying to solve challenge","service":"autocert","identifier":"authenticate.localhost.pomerium.io","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-06-01 11:18:16 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:16Z","logger":"acme_client","msg":"challenge failed","service":"autocert","identifier":"authenticate.localhost.pomerium.io","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for authenticate.localhost.pomerium.io; no valid AAAA records found for authenticate.localhost.pomerium.io","instance":"","subproblems":[]}}
2023-06-01 11:18:16 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:16Z","logger":"acme_client","msg":"validating authorization","service":"autocert","identifier":"authenticate.localhost.pomerium.io","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for authenticate.localhost.pomerium.io; no valid AAAA records found for authenticate.localhost.pomerium.io","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1138446257/185923513167","attempt":1,"max_attempts":3}
2023-06-01 11:18:17 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:17Z","logger":"acme_client","msg":"trying to solve challenge","service":"autocert","identifier":"authenticate.localhost.pomerium.io","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:18Z","logger":"acme_client","msg":"challenge failed","service":"autocert","identifier":"authenticate.localhost.pomerium.io","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for authenticate.localhost.pomerium.io; no valid AAAA records found for authenticate.localhost.pomerium.io","instance":"","subproblems":[]}}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:18Z","logger":"acme_client","msg":"validating authorization","service":"autocert","identifier":"authenticate.localhost.pomerium.io","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for authenticate.localhost.pomerium.io; no valid AAAA records found for authenticate.localhost.pomerium.io","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1138446257/185923516387","attempt":2,"max_attempts":3}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:18Z","logger":"obtain","msg":"could not get certificate from issuer","service":"autocert","identifier":"authenticate.localhost.pomerium.io","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for authenticate.localhost.pomerium.io; no valid AAAA records found for authenticate.localhost.pomerium.io"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","logger":"obtain","msg":"releasing lock","service":"autocert","identifier":"authenticate.localhost.pomerium.io"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","service":"autocert-manager","error":"[authenticate.localhost.pomerium.io] Obtain: [authenticate.localhost.pomerium.io] solving challenge: authenticate.localhost.pomerium.io: [authenticate.localhost.pomerium.io] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for authenticate.localhost.pomerium.io; no valid AAAA records found for authenticate.localhost.pomerium.io (ca=https://acme-v02.api.letsencrypt.org/directory)","time":"2023-06-01T18:18:18Z","message":"autocert failed to obtain client certificate"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","service":"autocert-manager","error":"obtain cert failed","time":"2023-06-01T18:18:18Z","message":"autocert: failed to obtain client certificate"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","service":"autocert-manager","domain":"verify.localhost.pomerium.io","time":"2023-06-01T18:18:18Z","message":"obtaining certificate"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","logger":"obtain","msg":"acquiring lock","service":"autocert","identifier":"verify.localhost.pomerium.io"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","logger":"obtain","msg":"lock acquired","service":"autocert","identifier":"verify.localhost.pomerium.io"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","logger":"obtain","msg":"obtaining certificate","service":"autocert","identifier":"verify.localhost.pomerium.io"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","msg":"waiting on internal rate limiter","service":"autocert","identifiers":["verify.localhost.pomerium.io"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","msg":"done waiting on internal rate limiter","service":"autocert","identifiers":["verify.localhost.pomerium.io"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:18Z","logger":"acme_client","msg":"trying to solve challenge","service":"autocert","identifier":"verify.localhost.pomerium.io","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:18Z","logger":"acme_client","msg":"challenge failed","service":"autocert","identifier":"verify.localhost.pomerium.io","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for verify.localhost.pomerium.io; no valid AAAA records found for verify.localhost.pomerium.io","instance":"","subproblems":[]}}
2023-06-01 11:18:18 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:18Z","logger":"acme_client","msg":"validating authorization","service":"autocert","identifier":"verify.localhost.pomerium.io","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for verify.localhost.pomerium.io; no valid AAAA records found for verify.localhost.pomerium.io","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1138446257/185923518597","attempt":1,"max_attempts":3}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:20Z","logger":"acme_client","msg":"trying to solve challenge","service":"autocert","identifier":"verify.localhost.pomerium.io","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:20Z","logger":"acme_client","msg":"challenge failed","service":"autocert","identifier":"verify.localhost.pomerium.io","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for verify.localhost.pomerium.io; no valid AAAA records found for verify.localhost.pomerium.io","instance":"","subproblems":[]}}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:20Z","logger":"acme_client","msg":"validating authorization","service":"autocert","identifier":"verify.localhost.pomerium.io","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for verify.localhost.pomerium.io; no valid AAAA records found for verify.localhost.pomerium.io","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1138446257/185923521697","attempt":2,"max_attempts":3}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"error","time":"2023-06-01T18:18:20Z","logger":"obtain","msg":"could not get certificate from issuer","service":"autocert","identifier":"verify.localhost.pomerium.io","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for verify.localhost.pomerium.io; no valid AAAA records found for verify.localhost.pomerium.io"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T18:18:20Z","logger":"obtain","msg":"releasing lock","service":"autocert","identifier":"verify.localhost.pomerium.io"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"error","service":"autocert-manager","error":"[verify.localhost.pomerium.io] Obtain: [verify.localhost.pomerium.io] solving challenge: verify.localhost.pomerium.io: [verify.localhost.pomerium.io] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for verify.localhost.pomerium.io; no valid AAAA records found for verify.localhost.pomerium.io (ca=https://acme-v02.api.letsencrypt.org/directory)","time":"2023-06-01T18:18:20Z","message":"autocert failed to obtain client certificate"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"error","service":"autocert-manager","error":"obtain cert failed","time":"2023-06-01T18:18:20Z","message":"autocert: failed to obtain client certificate"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"service":"metrics_manager","time":"2023-06-01T18:18:20Z","message":"metrics: http server disabled"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"grpc-port":"43883","http-port":"45657","outbound-port":"36887","metrics-port":"37535","debug-port":"41391","acme-tls-alpn-port":"35345","time":"2023-06-01T18:18:20Z","message":"server started"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2023-06-01T18:18:20Z","message":"envoy: starting envoy process"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"path":"/tmp/pomerium-envoy3378197710/envoy","checksum":"b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f","time":"2023-06-01T18:18:20Z","message":"running envoy"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","pid":18,"time":"2023-06-01T18:18:20Z","message":"envoy: start monitoring subprocess"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2023-06-01T18:18:20Z","message":"enabled authenticate service"}
2023-06-01 11:18:20 proxy-pomerium-1  | {"level":"info","Algorithm":"ES256","KeyID":"9cd53335ecac5505be7ebe84b2e9b37517a9414e64fe35bb0939e514b5a0054c","Public Key":{"use":"sig","kty":"EC","kid":"9cd53335ecac5505be7ebe84b2e9b37517a9414e64fe35bb0939e514b5a0054c","crv":"P-256","alg":"ES256","x":"iedFCcIvFQ-UNdXsEYihH4tY3T8PmPKK7BfEy9z_Dhc","y":"wpru_ZNXM2KnDUFoA4eAMXZmcwO4ckRu-onOc1Qpoig"},"time":"2023-06-01T18:18:20Z","message":"authorize: signing key"}
2023-06-01 11:18:21 proxy-pomerium-1  | {"level":"info","address":"127.0.0.1:36887","time":"2023-06-01T18:18:20Z","message":"grpc: dialing"}
2023-06-01 11:18:21 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2023-06-01T18:18:21Z","message":"enabled authorize service"}
2023-06-01 11:18:21 proxy-pomerium-1  | {"level":"info","Algorithm":"ES256","KeyID":"e568ac4e9c080a94ef718b620ce96490b0df2378a8f3bcea21f074a46f100cc6","Public Key":{"use":"sig","kty":"EC","kid":"e568ac4e9c080a94ef718b620ce96490b0df2378a8f3bcea21f074a46f100cc6","crv":"P-256","alg":"ES256","x":"QHRc1MsnP7Wb3i30kQbKyYHA8gNmsJG_EyAaFcodhqc","y":"90qfG0bM5j96Et_dPJyaGOOgiWpb2ON6Tp_ufjRhP8M"},"time":"2023-06-01T18:18:21Z","message":"authorize: signing key"}
2023-06-01 11:18:21 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T18:18:21Z","message":"initializing epoch 0 (base id=172660520, hot restart version=11.104)"}

Additional context

Looking at the autocert and google_cred error message, I think it has something to do with DNS configs. Any tips to troubleshoot this are appreciated!

Thank you for your message. Upon reviewing your configuration, we have noticed a couple of areas that may need your attention.

Firstly, it appears that Autocert is unable to generate certificates for localhost.pomerium.io, as it only supports certificate generation for publicly accessible domains.
Secondly, your current setup doesn’t seem to match our Quickstart configuration. Can I ask you to run Pomerium with the Quickstart guide (Run Pomerium Core With Docker | Pomerium)? It is an excellent starting point and we highly recommend it, as it uses a hosted authentication model which could simplify your setup process.

Finally, if you are using Docker Compose, your route to: should be http://verify:8000 as described in our Quickstart guide.

Thank you for your quick response. Based on your feedback, I reverted to the original settings and it is still the same.

#config.yaml

# See detailed configuration settings: https://www.pomerium.com/docs/reference/

#####################################################################
# If self-hosting, use the localhost authenticate service URL below #
# and remove the hosted URL.                                        #
#####################################################################
authenticate_service_url: https://authenticate.localhost.pomerium.io

# In case it helps, I know this SSO operates fine 
# because I'm using that in another application testing environment too.
idp_provider: "google"
idp_client_id: <censored>
idp_client_secret: <censored>


####################################################################################
# If self-hosting, you must configure an identity provider.                        #
# See identity provider settings: https://www.pomerium.com/docs/identity-providers/#
####################################################################################

# https://pomerium.com/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: <censored>
    pass_identity_headers: true

#docker-compose.yml
version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      ## Mount your config file: https://www.pomerium.com/docs/reference/
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443
  ## https://verify.localhost.pomerium.io --> Pomerium --> http://verify
  verify:
    image: pomerium/verify:latest
    expose:
      - 8000

# docker log
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"warn","time":"2023-06-01T21:21:09Z","message":"neither `autocert`, `insecure_server` or manually provided certificates were provided, server will be using a self-signed certificate"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","service":"all","config":"local","checksum":"2e93b3e178c38cc3","time":"2023-06-01T21:21:09Z","message":"config: updated config"}
2023-06-01 14:21:09 proxy-verify-1    | {"level":"info","project-id":"*detect-project-id*","time":"2023-06-01T21:21:09Z","message":"connecting to firestore"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"envoy_version":"1.25.5+b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f","version":"0.22.2-1685134689+6efd1d6b","time":"2023-06-01T21:21:09Z","message":"cmd/pomerium"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","address":"127.0.0.1:40359","time":"2023-06-01T21:21:09Z","message":"grpc: dialing"}
2023-06-01 14:21:09 proxy-verify-1    | {"level":"error","error":"fetching creds: google: could not find default credentials. See https://cloud.google.com/docs/authentication/external/set-up-adc for more information","time":"2023-06-01T21:21:09Z","message":"failed to create firestore client, falling back to in-memory storage"}
2023-06-01 14:21:09 proxy-verify-1    | {"level":"info","bind-addr":":8000","time":"2023-06-01T21:21:09Z","message":"starting http server"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","outbound_port":"40359","databroker_urls":["http://127.0.0.1:5443"],"time":"2023-06-01T21:21:09Z","message":"config: starting databroker config source syncer"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"service":"all","config":"databroker","checksum":"2e93b3e178c38cc3","time":"2023-06-01T21:21:09Z","message":"config: updated config"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","time":"2023-06-01T21:21:09Z","logger":"maintenance","msg":"started background certificate maintenance","service":"autocert","cache":"0xc0004760e0"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"service":"metrics_manager","time":"2023-06-01T21:21:09Z","message":"metrics: http server disabled"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"grpc-port":"39143","http-port":"41047","outbound-port":"40359","metrics-port":"43769","debug-port":"45545","acme-tls-alpn-port":"35157","time":"2023-06-01T21:21:09Z","message":"server started"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2023-06-01T21:21:09Z","message":"envoy: starting envoy process"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"path":"/tmp/pomerium-envoy2695801432/envoy","checksum":"b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f","time":"2023-06-01T21:21:09Z","message":"running envoy"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","pid":20,"time":"2023-06-01T21:21:09Z","message":"envoy: start monitoring subprocess"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2023-06-01T21:21:09Z","message":"enabled authenticate service"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","Algorithm":"ES256","KeyID":"a55a2b6dc5f0725d6560405ba63b46de581d151c984c97314aa9cf3ada2cb09f","Public Key":{"use":"sig","kty":"EC","kid":"a55a2b6dc5f0725d6560405ba63b46de581d151c984c97314aa9cf3ada2cb09f","crv":"P-256","alg":"ES256","x":"ccAfwopViBmjIKeIhKL2haYR-G8-0Wn6L_c9k6aAJKc","y":"4xxHcxiyVIY4gHMDdMGR7G4TxpuVxZmtmqbT6qkGTjQ"},"time":"2023-06-01T21:21:09Z","message":"authorize: signing key"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","address":"127.0.0.1:40359","time":"2023-06-01T21:21:09Z","message":"grpc: dialing"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2023-06-01T21:21:09Z","message":"enabled authorize service"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","Algorithm":"ES256","KeyID":"01e0b1ca3c96c39af2afed862526d0c2923c7b474584f21108b07058cb1bc7c1","Public Key":{"use":"sig","kty":"EC","kid":"01e0b1ca3c96c39af2afed862526d0c2923c7b474584f21108b07058cb1bc7c1","crv":"P-256","alg":"ES256","x":"yGGnHLW6DtdR35xMRBc2QDnjMkJI2qw-CInLYt8pOzA","y":"KSxwH-HP3-a287Cp97tiQ9NCy0a3MECH4xApf7etFv8"},"time":"2023-06-01T21:21:09Z","message":"authorize: signing key"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"initializing epoch 0 (base id=94620098, hot restart version=11.104)"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"statically linked extensions:"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.upstreams: envoy.filters.connection_pools.tcp.generic"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.path.rewrite: envoy.path.rewrite.uri_template.uri_template_rewriter"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.transport_sockets.downstream: envoy.transport_sockets.alts, envoy.transport_sockets.quic, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.starttls, envoy.transport_sockets.tap, envoy.transport_sockets.tcp_stats, envoy.transport_sockets.tls, raw_buffer, starttls, tls"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.internal_redirect_predicates: envoy.internal_redirect_predicates.allow_listed_routes, envoy.internal_redirect_predicates.previous_routes, envoy.internal_redirect_predicates.safe_cross_scheme"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.http.original_ip_detection: envoy.http.original_ip_detection.custom_header, envoy.http.original_ip_detection.xff"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.matching.input_matchers: envoy.matching.matchers.consistent_hashing, envoy.matching.matchers.ip"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.request_id: envoy.request_id.uuid"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.wasm.runtime: envoy.wasm.runtime.null, envoy.wasm.runtime.v8"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.http.cache: envoy.extensions.http.cache.file_system_http_cache, envoy.extensions.http.cache.simple"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.filters.udp_listener: envoy.filters.udp.dns_filter, envoy.filters.udp_listener.udp_proxy"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.thrift_proxy.transports: auto, framed, header, unframed"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.http.stateful_header_formatters: envoy.http.stateful_header_formatters.preserve_case, preserve_case"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.common.key_value: envoy.key_value.file_based"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.quic.connection_id_generator: envoy.quic.deterministic_connection_id_generator"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.matching.network.input: envoy.matching.inputs.application_protocol, envoy.matching.inputs.destination_ip, envoy.matching.inputs.destination_port, envoy.matching.inputs.direct_source_ip, envoy.matching.inputs.dns_san, envoy.matching.inputs.server_name, envoy.matching.inputs.source_ip, envoy.matching.inputs.source_port, envoy.matching.inputs.source_type, envoy.matching.inputs.subject, envoy.matching.inputs.transport_protocol, envoy.matching.inputs.uri_san"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.rbac.matchers: envoy.rbac.matchers.upstream_ip_port"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.bootstrap: envoy.bootstrap.internal_listener, envoy.bootstrap.wasm, envoy.extensions.network.socket_interface.default_socket_interface"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.matching.action: envoy.matching.actions.format_string, filter-chain-name"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.health_checkers: envoy.health_checkers.redis, envoy.health_checkers.thrift"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.matching.common_inputs: envoy.matching.common_inputs.environment_variable"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.guarddog_actions: envoy.watchdog.abort_action, envoy.watchdog.profile_action"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.quic.proof_source: envoy.quic.proof_source.filter_chain"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.filters.network: envoy.echo, envoy.ext_authz, envoy.filters.network.connection_limit, envoy.filters.network.direct_response, envoy.filters.network.dubbo_proxy, envoy.filters.network.echo, envoy.filters.network.ext_authz, envoy.filters.network.http_connection_manager, envoy.filters.network.local_ratelimit, envoy.filters.network.mongo_proxy, envoy.filters.network.ratelimit, envoy.filters.network.rbac, envoy.filters.network.redis_proxy, envoy.filters.network.sni_cluster, envoy.filters.network.sni_dynamic_forward_proxy, envoy.filters.network.tcp_proxy, envoy.filters.network.thrift_proxy, envoy.filters.network.wasm, envoy.filters.network.zookeeper_proxy, envoy.http_connection_manager, envoy.mongo_proxy, envoy.ratelimit, envoy.redis_proxy, envoy.tcp_proxy"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.listener_manager_impl: envoy.listener_manager_impl.default"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.filters.listener: envoy.filters.listener.http_inspector, envoy.filters.listener.original_dst, envoy.filters.listener.original_src, envoy.filters.listener.proxy_protocol, envoy.filters.listener.tls_inspector, envoy.listener.http_inspector, envoy.listener.original_dst, envoy.listener.original_src, envoy.listener.proxy_protocol, envoy.listener.tls_inspector"}
2023-06-01 14:21:09 proxy-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2023-06-01T21:21:09Z","message":"  envoy.access_loggers.extension_filters: envoy.access_loggers.extension_filters.cel"}

DNS_PROBE_FINISHED_NXDOMAIN means the hostname (verify.localhost.pomerium.io) cannot be resolved.

Both your browser and pomerium seem to have that same problem.

You may open a command shell and try ping or nslookup to see what is going on with your DNS.

Given it is Windows, it is also possible some kind of security software on your machine does not like the fact that *.localhost.pomerium.com resolves to 127.0.0.1 as it may think it’s suspicious and reject such DNS queries.

Try obtaining your local machine IP address with ifconfig (or maybe it’s called ipconfig on Windows), and make a DNS entry with it instead.
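
As an added example (not part of the thread and not Pomerium's own code), this Python script runs the resolution check suggested above against exactly the hostnames found in config.yaml, using the operating system's resolver, which is the same path the browser takes. The function names and the embedded sample config are constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed sample mirroring the config.yaml posted in the thread.
SAMPLE_CONFIG = """\
authenticate_service_url: https://authenticate.localhost.pomerium.io
routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
"""

def external_hosts(config_text):
    """Hostnames the browser must resolve: authenticate_service_url and each route 'from'."""
    pattern = r"^\s*(?:-\s*)?(?:authenticate_service_url|from):\s*(\S+)"
    hosts = set()
    for value in re.findall(pattern, config_text, re.M):
        host = urlsplit(value.strip("\"'")).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)

def system_resolver(host):
    """Resolve through the OS resolver; raises socket.gaierror when the name does not resolve."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(host, resolver=system_resolver):
    """Return (status, addresses).

    unresolved   - the browser would report DNS_PROBE_FINISHED_NXDOMAIN
    loopback     - every answer is a loopback address such as 127.0.0.1
    non-loopback - the name points elsewhere, e.g. a manual entry for the LAN IP
    """
    try:
        addrs = resolver(host)
    except socket.gaierror:
        return ("unresolved", [])
    # Drop any IPv6 scope id (fe80::1%eth0) before parsing the address.
    if all(ipaddress.ip_address(a.split("%")[0]).is_loopback for a in addrs):
        return ("loopback", addrs)
    return ("non-loopback", addrs)

def check_config(config_text, resolver=system_resolver):
    """Classify every externally visible hostname in the config."""
    return {host: classify(host, resolver) for host in external_hosts(config_text)}

if __name__ == "__main__":
    for host, (status, addrs) in check_config(SAMPLE_CONFIG).items():
        print(f"{host:45} {status:13} {', '.join(addrs)}")
```

To check a real deployment, pass the contents of the mounted config.yaml to `check_config` instead of `SAMPLE_CONFIG`.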

It seems my (long) responses keep being marked as spam for some reason, so I cannot post the detailed config up here. I did try with the original config on the quickstart but it is still the same.

I cannot ping, and tracert and nslookup do not return any informative result. I’m using pfSense with segmented VLAN, and also could not trace anything in there, so I suppose this has something to do with my Windows device only.

nslookup

Server:  UnKnown
Address:  <censored>

*** UnKnown can't find verify.localhost.pomerium.com: Non-existent domain