Configurator - Policy Not Fulfilled

matthewjgordon · January 19, 2018, 3:08am

Hello,

I apologize if this has been answered else where. I did search, so please feel free to link me if that is the case. Also, full disclosure, I’m a bit of a n00b. Or at least I feel like one because I’m stuck on step 2 of the beginner friendly guide.

I’ve installed the add-on “Configurator”. I “open web ui”, enter my credentials, and get the error “Policy Not Fulfilled”. I believe that I have things properly setup, but would appreciate a second opinion.

Here are how my options are setup

    {
   "username": "admin",
   "password": "password",
   "certfile": "fullchain.pem",
   "keyfile": "privkey.pem",
   "ssl": false,
   "allowed_networks": [
     "10.0.1.57"
   ],
   "banned_ips": [
     "8.8.8.8"
   ],
   "banlimit": 0,
   "ignore_pattern": [
     "__pycache__"
   ],
   "dirsfirst": false
 }

DavidFW1960 · January 19, 2018, 3:09am

try 10.0.1.57/24

matthewjgordon · January 19, 2018, 3:17am

Thank you for the quick response. Unfortunately, that did not work.

DavidFW1960 · January 19, 2018, 3:19am

crap. I meant 10.0.1.0/24 doh!

matthewjgordon · January 19, 2018, 3:33am

Still no dice.

{
  "username": "admin",
  "password": "password",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "ssl": false,
  "allowed_networks": [
    "10.0.1.0/24"
  ],
  "banned_ips": [
    "8.8.8.8"
  ],
  "banlimit": 0,
  "ignore_pattern": [
    "__pycache__"
  ],
  "dirsfirst": false
}

anon43302295 · January 19, 2018, 3:53am

Just a guess as I don’t use it, but you have two false in there without quotes round them. Presuming this is JSON it isn’t valid without quotes round the keypairs iirc.

matthewjgordon · January 19, 2018, 4:07am

It won’t let me save changes if I try to put them in quotes. FWIW, that’s how the file comes out of the box.

DavidFW1960 · January 19, 2018, 4:12am

I’m assuming you are restarting the addon after you edit the options?

Also the home assistant instance is on the 10.0.1.0 subnet (along with your PC)?

Also can try allowed as 0.0.0.0/0 but don’t leave it like that as anyone can connect. Only use that setting for testing.

anon43302295 · January 19, 2018, 4:18am

OK.

I would delete all the optional lines, get it running and then add the ones you need back in one at a time to identify what’s wrong…

{
  "username": "admin",
  "password": "secret",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

… If I’ve read the docs right.

DavidFW1960 · January 19, 2018, 4:21am

NVM - I was thinking something else…

matthewjgordon · January 20, 2018, 9:14pm

Here is some additional trouble shooting info:

Connecting on a MacBook. IP address is 10.0.1.57
RaspberryPi running HASSIO is at IP address 10.0.1.104
Tried setting “allowed_networks” to 0.0.0.0/0 and it worked. this is the only thing that I’ve gotten to work.

Does anyone have any thoughts as to why it won’t work

DavidFW1960 · January 20, 2018, 10:38pm

well 10.0.1.0/24 should work as well.

I might try playing with mine - but if you set the banlimit it’s not like it’s going to be easy to crack and of course use a strong password and non-obvious username.

DavidFW1960 · January 20, 2018, 10:42pm

ok that doesn’t work and I know why. Helps when you read the logs eh!

It’s trying to connect from my external IP address (same one that duckdns is pointing to) So it’s useless trying to specify local network if you’re connecting via ssl

DavidFW1960 · January 20, 2018, 10:51pm

tried changing allowed IP to duckdns and I get a message saying duckdns didn’t send any data.

If you want to use a specific IP address (and you’re not using SSL) you will find that 10.0.1.57/32 will work and you will only connect from that one IP address.

matthewjgordon · January 20, 2018, 11:00pm

10.0.1.57/32 doesn’t work either.

{
  "username": "admin",
  "password": "password",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "ssl": false,
  "allowed_networks": [
    "10.0.1.57/32"
  ],
  "banned_ips": [
    "8.8.8.8"
  ],
  "banlimit": 0,
  "ignore_pattern": [
    "__pycache__"
  ],
  "dirsfirst": false
}

Also, here are my logs, if that is helpful.

starting version 3.2.4
INFO:2018-01-20 16:56:36,532:__main__:Starting server
INFO:2018-01-20 16:56:36,534:__main__:Listening on: http://0.0.0.0:3218
INFO:2018-01-20 16:56:37,537:__main__:Requesting authorization
INFO:2018-01-20 16:56:37,539:__main__:172.30.32.1 - "GET / HTTP/1.1" 401 -
INFO:2018-01-20 16:56:40,680:__main__:172.30.32.1 - "GET / HTTP/1.1" 420 -
INFO:2018-01-20 16:56:40,737:__main__:Requesting authorization
INFO:2018-01-20 16:56:40,738:__main__:172.30.32.1 - "GET /favicon.ico HTTP/1.1" 401 -
INFO:2018-01-20 16:56:40,758:__main__:Requesting authorization
INFO:2018-01-20 16:56:40,759:__main__:172.30.32.1 - "GET /favicon.ico HTTP/1.1" 401 -
INFO:2018-01-20 16:57:05,418:__main__:Requesting authorization
INFO:2018-01-20 16:57:05,419:__main__:172.30.32.1 - "GET / HTTP/1.1" 401 -
INFO:2018-01-20 16:57:08,127:__main__:172.30.32.1 - "GET / HTTP/1.1" 420 -
INFO:2018-01-20 16:57:08,374:__main__:172.30.32.1 - "GET /favicon.ico HTTP/1.1" 420 -

DavidFW1960 · January 20, 2018, 11:10pm

That is helpful - Like I said, it is trying to connect from 172.30.32.1 which (like me) is your duckdns address. If you try 172.30.32.1/32 it will work. So if you’re using SSL you’re screwed and must use 0.0.0.0/0

AND SET A BAN LIMIT AND USE A DIFFERENT STRONG USERNAME AND PASSWORD!!!

matthewjgordon · January 21, 2018, 6:37am

This worked. Thank you so much!

DavidFW1960 · January 21, 2018, 8:34am

Glad we got there.

scooterMac · January 31, 2018, 2:19pm

I am in the same situation. So did this fix you?

So the 0.0.0.0/0, strong username and password was the fix?

matthewjgordon · February 4, 2018, 8:47pm

Hi, scooter.

For me it was this…

Whitelisting “172.30.32.1/32” did the trick.

Also, make sure you save the changes to the options, then restart the Configurator, and then try to open the web UI. Cheers!