transfersite failure: dns: failed to decode string

Attempting to transfer a site to a fresh ApisCP install fails on service dns: “failed to decode string”

Description

I want to move a site to a new server. I’ve configured the new server to use the same dns provider as the old (Cloudflare) and I’ve verified that both the old and new are working independently with the Cloudflare API. The transfersite script fails rather quickly when it tries to AddDomain on the new server. It looks like the script is trying to copy the Cloudflare API token from the old server to the new server. Even though both are using the same token, my guess is that they are encoded differently with keyring, so the same keyring reference is not available on both servers. I would expect that the script would instead use the default dns settings on the new server.

Steps to Reproduce

  • installed ApisCP on a new server
  • configured default dns to use a valid Cloudflare API token
  • apnscp_php /usr/local/apnscp/bin/scripts/transfersite.php -s newserver.mydomain.com site11

Expected Behavior

Site transfers successfully.

Actual Behavior

# apnscp_php /usr/local/apnscp/bin/scripts/transfersite.php -s newserver.mydomain.com site11
beginning migration: redacted.com (stage 0)
creating site on newserver.mydomain.com
  + unsetting ssh port index
WARN: /usr/local/sbin/AddDomain --'output'='json' --'fd'='10' -c 'aliases,aliases'='[]' -c 'aliases,enabled'='0' -c 'aliases,max'='None' -c 'aliases,version'='3.2' -c 'apache,enabled'='1' -c 'apache,jail'='1' -c 'apache,subnum'='None' -c 'apache,version'='3.2' -c 'apache,webserver'='www.redacted.com' -c 'apache,webuser'='apache' -c 'auth,cpasswd'='None' -c 'auth,enabled'='1' -c 'auth,iprestrict'='50' -c 'auth,passwd'='None' -c 'auth,tpasswd'='None' -c 'auth,version'='3.2' -c 'bandwidth,enabled'='1' -c 'bandwidth,threshold'='50' -c 'bandwidth,units'='GB' -c 'bandwidth,version'='3.2' -c 'billing,addons'='None' -c 'billing,ctime'='1727353223' -c 'billing,enabled'='1' -c 'billing,invoice'='apnscp-KCYDJNQZ' -c 'billing,parent_invoice'='None' -c 'billing,version'='3.2' -c 'cgroup,cpu'='10000' -c 'cgroup,cpupin'='None' -c 'cgroup,cpuweight'='100' -c 'cgroup,delegator'='None' -c 'cgroup,enabled'='1' -c 'cgroup,io'='None' -c 'cgroup,ioweight'='100' -c 'cgroup,memory'='512' -c 'cgroup,proclimit'='100' -c 'cgroup,readbw'='100' -c 'cgroup,readiops'='None' -c 'cgroup,version'='3.2' -c 'cgroup,writebw'='100' -c 'cgroup,writeiops'='None' -c 'crontab,enabled'='0' -c 'crontab,permit'='0' -c 'crontab,version'='3.2' -c 'diskquota,amnesty'='None' -c 'diskquota,enabled'='1' -c 'diskquota,fquota'='None' -c 'diskquota,group'='None' -c 'diskquota,quota'='4000' -c 'diskquota,units'='MB' -c 'diskquota,version'='3.2' -c 'dns,enabled'='1' -c 'dns,key'='keyring:encodedstring' -c 'dns,provider'='cloudflare' -c 'dns,version'='3.2' -c 'files,enabled'='1' -c 'files,fsopt'='None' -c 'files,mounts'='[]' -c 'files,version'='3.2' -c 'ftp,enabled'='0' -c 'ftp,ftpserver'='None' -c 'ftp,version'='3.2' -c 'ipinfo,enabled'='1' -c 'ipinfo,ipaddrs'='[]' -c 'ipinfo,namebased'='1' -c 'ipinfo,version'='3.2' -c 'ipinfo6,enabled'='0' -c 'ipinfo6,ipaddrs'='[]' -c 'ipinfo6,namebased'='1' -c 'ipinfo6,version'='3.2' -c 'logrotate,enabled'='1' -c 'logrotate,version'='3.2' -c 'logs,enabled'='1' -c 'logs,version'='3.2' 
-c 'mail,catchallfwd'='None' -c 'mail,enabled'='1' -c 'mail,extfwd'='None' -c 'mail,key'='None' -c 'mail,mailserver'='mail.redacted.com' -c 'mail,preference'='10' -c 'mail,provider'='builtin' -c 'mail,smtpserver'='mail.redacted.com' -c 'mail,version'='3.2' -c 'mail,webmail'='[]' -c 'metrics,enabled'='1' -c 'metrics,version'='3.2' -c 'mlist,enabled'='1' -c 'mlist,max'='None' -c 'mlist,provider'='majordomo' -c 'mlist,version'='3.2' -c 'mysql,dbaseadmin'='sitename' -c 'mysql,dbasenum'='None' -c 'mysql,dbaseprefix'='cjrl_' -c 'mysql,enabled'='1' -c 'mysql,passwd'='None' -c 'mysql,version'='3.2' -c 'pgsql,dbaseadmin'='None' -c 'pgsql,dbasenum'='None' -c 'pgsql,dbaseprefix'='None' -c 'pgsql,enabled'='0' -c 'pgsql,passwd'='None' -c 'pgsql,tablespace'='None' -c 'pgsql,version'='3.2' -c 'rampart,enabled'='1' -c 'rampart,max'='0' -c 'rampart,version'='3.2' -c 'rampart,whitelist'='[]' -c 'reseller,enabled'='1' -c 'reseller,id'='0' -c 'reseller,parent_id'='None' -c 'reseller,version'='3.2' -c 'siteinfo,admin'='admin11' -c 'siteinfo,admin_user'='sitename' -c 'siteinfo,domain'='redacted.com' -c 'siteinfo,email'='myemail@myemail.com' -c 'siteinfo,enabled'='1' -c 'siteinfo,notes'='[]' -c 'siteinfo,plan'='basic' -c 'siteinfo,version'='3.2' -c 'spamfilter,enabled'='1' -c 'spamfilter,provider'='rspamd' -c 'spamfilter,version'='3.2' -c 'ssh,enabled'='1' -c 'ssh,jail'='1' -c 'ssh,version'='3.2' -c 'ssl,enabled'='1' -c 'ssl,version'='3.2' -c 'tomcat,enabled'='0' -c 'tomcat,permit'='0' -c 'tomcat,version'='3.2' -c 'users,enabled'='1' -c 'users,max'='5' -c 'users,version'='3.2' -c 'vacation,enabled'='0' -c 'vacation,version'='3.2': NON-ZERO RETURN: 255
output:
[{"message":"Opcenter\\Account\\Create::installServices(): failed verification on service `dns': nerror(): Failed to decode stri...
stderr:
ERROR  : Opcenter\Account\Create::installServices(): failed verification on service `dns': nerror(): Failed to decode string
   ...
ERROR  : CLI_Transfer::process(): Opcenter\Account\Create::installServices(): failed verification on service `dns': nerror(): Failed to decode string
         0. Error_Reporter::merge_buffer([[message:"Opcenter\Account\Create::installServices(): failed verification on service `dns': nerror(): Failed to decode string", severity:16, caller:"Opcenter\Account\Create::installServices", bt:"         0. Error_Reporter::add_error("Failed to decode string", )            [/usr/local/apnscp/lib/log_wrapper.php:72]         1. error("Failed to decode string")            [/usr/local/apnscp/lib/log_wrapper.php:81]         2. nerror("Failed to decode string")            [/usr/local/apnscp/lib/Opcenter/Crypto/Keyring.php:90]         3. Opcenter\Crypto\Keyring::decode(null)            [/usr/local/apnscp/lib/Opcenter/Crypto/KeyringTrait.php:31]         4. Opcenter\Service\Validators\Dns\Key->readKeyringValue("keyring:encodedstring")            [/usr/local/apnscp/lib/Opcenter/Service/Validators/Dns/Key.php:44]         5. Opcenter\Service\Validators\Dns\Key->valid(null)            [/usr/local/apnscp/lib/Opcenter/Service/ConfigurationContext.php:568]         6. Opcenter\Service\ConfigurationContext->check("key", "keyring:encodedstring")            [/usr/local/apnscp/lib/Opcenter/Service/ConfigurationContext.php:165]         7. Opcenter\Service\ConfigurationContext->preflight()            [/usr/local/apnscp/lib/Opcenter/SiteConfiguration.php:736]         8. Opcenter\SiteConfiguration->verify("dns", Opcenter\Service\ConfigurationContext)            [/usr/local/apnscp/lib/Opcenter/SiteConfiguration.php:655]         9. Opcenter\SiteConfiguration->verifyAll()            [/usr/local/apnscp/lib/Opcenter/Account/Create.php:183]        10. Opcenter\Account\Create->installServices("FILESYSTEM.created", Opcenter\Filesystem)            [/usr/local/apnscp/lib/Event/Cardinal.php:143]        11. Event\Contracts\Subscriber@anonymous/usr/local/apnscp/lib/Event/Cardinal.php:132$9e->update("FILESYSTEM.created", Opcenter\Filesystem)            [/usr/local/apnscp/lib/Event/Manager.php:187]        12. 
Event\Manager->fire("FILESYSTEM.created", Opcenter\Filesystem)            [/usr/local/apnscp/lib/Event/Cardinal.php:172]        13. Event\Cardinal::fire(["FILESYSTEM", "created"], Opcenter\Filesystem)            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:79]        14. Opcenter\Filesystem->populate()            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:47]        15. Opcenter\Filesystem::create("site2", null)            [/usr/local/apnscp/lib/Opcenter/Account/Create.php:154]        16. Opcenter\Account\Create->exec()            [/usr/local/apnscp/bin/AddDomain:36]"], [[message:"fatal(): failed to create account", severity:64, caller:"Opcenter\Filesystem::populate", bt:"         0. Error_Reporter::trigger_fatal("failed to create account", )            [/usr/local/apnscp/lib/log_wrapper.php:50]         1. fatal("failed to create account")            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:80]         2. Opcenter\Filesystem->populate()            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:47]         3. Opcenter\Filesystem::create("site2", null)            [/usr/local/apnscp/lib/Opcenter/Account/Create.php:154]         4. Opcenter\Account\Create->exec()            [/usr/local/apnscp/bin/AddDomain:36]"]]])
            [/usr/local/apnscp/lib/CLI/Transfer.php:397]
         1. CLI_Transfer->_create_site()
            [/usr/local/apnscp/lib/CLI/Transfer.php:142]
         2. CLI_Transfer->process()
            [/usr/local/apnscp/bin/scripts/transfersite.php:233]
FATAL  : fatal(): failed to create account
         0. Error_Reporter::merge_buffer([[message:"Opcenter\Account\Create::installServices(): failed verification on service `dns': nerror(): Failed to decode string", severity:16, caller:"Opcenter\Account\Create::installServices", bt:"         0. Error_Reporter::add_error("Failed to decode string", )            [/usr/local/apnscp/lib/log_wrapper.php:72]         1. error("Failed to decode string")            [/usr/local/apnscp/lib/log_wrapper.php:81]         2. nerror("Failed to decode string")            [/usr/local/apnscp/lib/Opcenter/Crypto/Keyring.php:90]         3. Opcenter\Crypto\Keyring::decode(null)            [/usr/local/apnscp/lib/Opcenter/Crypto/KeyringTrait.php:31]         4. Opcenter\Service\Validators\Dns\Key->readKeyringValue("keyring:encodedstring")            [/usr/local/apnscp/lib/Opcenter/Service/Validators/Dns/Key.php:44]         5. Opcenter\Service\Validators\Dns\Key->valid(null)            [/usr/local/apnscp/lib/Opcenter/Service/ConfigurationContext.php:568]         6. Opcenter\Service\ConfigurationContext->check("key", "keyring:encodedstring")            [/usr/local/apnscp/lib/Opcenter/Service/ConfigurationContext.php:165]         7. Opcenter\Service\ConfigurationContext->preflight()            [/usr/local/apnscp/lib/Opcenter/SiteConfiguration.php:736]         8. Opcenter\SiteConfiguration->verify("dns", Opcenter\Service\ConfigurationContext)            [/usr/local/apnscp/lib/Opcenter/SiteConfiguration.php:655]         9. Opcenter\SiteConfiguration->verifyAll()            [/usr/local/apnscp/lib/Opcenter/Account/Create.php:183]        10. Opcenter\Account\Create->installServices("FILESYSTEM.created", Opcenter\Filesystem)            [/usr/local/apnscp/lib/Event/Cardinal.php:143]        11. Event\Contracts\Subscriber@anonymous/usr/local/apnscp/lib/Event/Cardinal.php:132$9e->update("FILESYSTEM.created", Opcenter\Filesystem)            [/usr/local/apnscp/lib/Event/Manager.php:187]        12. 
Event\Manager->fire("FILESYSTEM.created", Opcenter\Filesystem)            [/usr/local/apnscp/lib/Event/Cardinal.php:172]        13. Event\Cardinal::fire(["FILESYSTEM", "created"], Opcenter\Filesystem)            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:79]        14. Opcenter\Filesystem->populate()            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:47]        15. Opcenter\Filesystem::create("site2", null)            [/usr/local/apnscp/lib/Opcenter/Account/Create.php:154]        16. Opcenter\Account\Create->exec()            [/usr/local/apnscp/bin/AddDomain:36]"], [[message:"fatal(): failed to create account", severity:64, caller:"Opcenter\Filesystem::populate", bt:"         0. Error_Reporter::trigger_fatal("failed to create account", )            [/usr/local/apnscp/lib/log_wrapper.php:50]         1. fatal("failed to create account")            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:80]         2. Opcenter\Filesystem->populate()            [/usr/local/apnscp/lib/Opcenter/Filesystem.php:47]         3. Opcenter\Filesystem::create("site2", null)            [/usr/local/apnscp/lib/Opcenter/Account/Create.php:154]         4. Opcenter\Account\Create->exec()            [/usr/local/apnscp/bin/AddDomain:36]"]]])
            [/usr/local/apnscp/lib/CLI/Transfer.php:397]
         1. CLI_Transfer->_create_site()
            [/usr/local/apnscp/lib/CLI/Transfer.php:142]
         2. CLI_Transfer->process()
            [/usr/local/apnscp/bin/scripts/transfersite.php:233]
ERROR  : CLI_Transfer::_create_site(): unable to add site, aborting!
         0. Error_Reporter::add_error("unable to add site, aborting!", )
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1. error("unable to add site, aborting!")
            [/usr/local/apnscp/lib/CLI/Transfer.php:403]
         2. CLI_Transfer->_create_site()
            [/usr/local/apnscp/lib/CLI/Transfer.php:142]
         3. CLI_Transfer->process()
            [/usr/local/apnscp/bin/scripts/transfersite.php:233]
CLI_Transfer::process(): Opcenter\Account\Create::installServices(): failed verification on service `dns': nerror(): Failed to decode string
fatal(): failed to create account
CLI_Transfer::_create_site(): unable to add site, aborting!
FATAL: fatal(): failed to create account

Environment

ApisCP version: both running 3.2.46
Operating System: old 4.18.0-553.46.1.el8_10.x86_64; new 4.18.0-553.45.1.el8_10.x86_64


To add, keyring values are sensitive parameters unique to the server. Unless the keyring secret is the same, this will fail. The protection is intentional as future expansion could allow a user to indiscriminately leak a sensitive value, e.g. user requesting backup, which copies a decoded keyring value.

Migrations are 1:1. It will copy all values, all files, and all permissions - including extended attributes. If you don’t have access to the keyring secret on the new server, the value may be overridden by adding -c dns,key=None to your transfersite.php command.
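A pre-transfer check for the situation described above, as an added example that is not part of the original thread or of ApisCP: it scans AddDomain-style argument text (such as the WARN line transfersite.php prints) for values that are keyring references and builds the transfersite.php command with a None override for each. The function names and sample input are constructed, and applying the override to parameters other than dns,key assumes -c accepts the same service,param=None form for them.

```shell
#!/bin/sh
# Added example, not ApisCP code. Function names are hypothetical.

# Read AddDomain-style arguments on stdin and print each service,param
# whose value is a keyring reference (bound to the source server's secret).
keyring_params() {
    grep -oE "'[a-z0-9_]+,[a-z0-9_]+'='keyring:[^']*'" |
        sed -E "s/^'([^']+)'.*/\1/" |
        sort -u
}

# Build the transfersite.php command for target host $1 and site $2,
# adding "-c service,param=None" for every keyring-bound parameter found
# on stdin so the encoded value is not copied to the new server.
transfer_command() {
    target=$1
    site=$2
    cmd="apnscp_php /usr/local/apnscp/bin/scripts/transfersite.php -s $target"
    for param in $(keyring_params); do
        cmd="$cmd -c $param=None"
    done
    printf '%s\n' "$cmd $site"
}

# Constructed sample: a shortened form of the AddDomain arguments in the
# log above, keeping the placeholder value shown there.
sample_args() {
    cat <<'EOF'
-c 'dns,enabled'='1' -c 'dns,key'='keyring:encodedstring' -c 'dns,provider'='cloudflare' -c 'mail,key'='None'
EOF
}

sample_args | transfer_command newserver.mydomain.com site11
```

The printed command is only assembled, not executed; review it before running it on the source server.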

Thank you for the information. It sounds like in my case, it is probably best to set the auth secret the same on the new server as the old, so that it can “re-use” the same encoded data. The other option you suggest–overriding the dns,key parameter to force it to use the default on the new server–sounds more useful in general, if for some reason I don’t want to use the same auth secret or if I’m using a different Cloudflare token.

This makes a lot of sense in hindsight, but I wonder if it would be helpful to mention the Authentication documentation that @anatoli suggested on the Server transfers documentation page. I read through both before posting this support request, and the relationship between them didn’t click for me.

Updated docs :+1:
