
Add the ability to define the tunnel URL for Edge Agent deployments #6251

Closed
jamescarppe opened this issue Dec 10, 2021 · 19 comments
Labels
area/edge-agent kind/enhancement Applied to Feature Requests

Comments

@jamescarppe
Member

jamescarppe commented Dec 10, 2021

Is your feature request related to a problem? Please describe.
When deploying an Edge Agent that is to communicate with a Portainer Server instance behind a reverse proxy (such as Traefik), the tunnel URL may need to be customized in order for the agent to correctly communicate with the server.

Consider the scenario where Portainer Server is running behind Traefik, with the following configuration (taken from our documentation):

    labels:
      # Frontend
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)"
      - "traefik.http.routers.frontend.entrypoints=websecure"
      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
      - "traefik.http.routers.frontend.service=frontend"
      - "traefik.http.routers.frontend.tls.certresolver=leresolver"

      # Edge
      - "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
      - "traefik.http.routers.edge.entrypoints=websecure"
      - "traefik.http.services.edge.loadbalancer.server.port=8000"
      - "traefik.http.routers.edge.service=edge"
      - "traefik.http.routers.edge.tls.certresolver=leresolver"

In this instance, the Portainer Server is available at https://portainer.yourdomain.com whereas the Edge tunnel interface is at https://edge.yourdomain.com. At present, the tunnel URL is generated from the provided Portainer server URL, but without the protocol and with :8000 added to the end. This is provided to the Edge Agent via the base64 encoded join token. This with the above configuration fails to work, as port 8000 is not available via Traefik.

Currently, to make this work, a user would need to:

  1. Create their Edge Agent in Portainer Server using the Portainer URL but not deploy it
  2. Decode the base64 encoded join token (EDGE_KEY):
    https://portainer.yourdomain.com|portainer.yourdomain.com:8000|aa:bb:cc:dd:ee:ff:00:00:00:01:00:00:00:00:00:00|3
  3. Modify the second value to the correct URL:
    https://portainer.yourdomain.com|https://edge.yourdomain.com|aa:bb:cc:dd:ee:ff:00:00:00:01:00:00:00:00:00:00|3
  4. Re-encode the modified token to URL-friendly base64
  5. Deploy the Edge Agent with the new join token in place of the one provided

Describe the solution you'd like
An additional (optional) field in the Edge Agent creation screen to provide an alternative tunnel URL for those that are required to do so with their configuration. When defined, this overrides the generated tunnel URL with the one provided.

Additional information
Thanks to portainer/portainer-compose#24 (comment) for helping to point me in the right direction for discovering this workaround.

@jamescarppe jamescarppe added kind/enhancement Applied to Feature Requests area/edge-agent labels Dec 10, 2021
@SvenDowideit
Contributor

TBH, I'd like to separate the URL out from the connection key - because it can change - the original join token (containing the URL) should (imo) be ephemeral, and only relevant to bootstrapping the initial connection.

but you're right, we should manage to default that value all the time - but if there's a proxy setup, that default needs to be an editable setting. (I want to see it in the eng cfg screen for debug reasons, and to be able to edit it for IP change reasons)

@huib-portainer
Contributor

Also note the duplicate: #4683

@pablosed

Identical issue and also would like to see this implemented...

@yfhyou

yfhyou commented Apr 19, 2022

Any tips for doing this in the meantime? Seems simple, but after decode, reencode I still get a lot of 2022/04/19 20:19:09 [ERROR] [internal,edge,poll] [message: an error occured during short poll] [error: short poll request failed] errors.

Currently, to make this work, a user would need to:

  1. Create their Edge Agent in Portainer Server using the Portainer URL but not deploy it
  2. Decode the base64 encoded join token:
    https://portainer.yourdomain.com|portainer.yourdomain.com:8000|aa:bb:cc:dd:ee:ff:00:00:00:01:00:00:00:00:00:00|3
  3. Modify the second value to the correct URL:
    https://portainer.yourdomain.com|https://edge.yourdomain.com|aa:bb:cc:dd:ee:ff:00:00:00:01:00:00:00:00:00:00|3
  4. Re-encode the modified token to URL-friendly base64
  5. Deploy the Edge Agent with the new join token in place of the one provided

Nevermind. I forgot to allow the request past Authelia :) Working now!

@simonlock

I too would like to see the explicit naming of the edge tunnel URL to be made possible; as I have also never got the edge agent to work using the method of base64 Decode/Encode when attempting to communicate with my
{{subdomain}}.{{domain}}.co.uk domain aka 4 level domain.

I've tried installing the edge agent on amd64, arm64, and arm32 architectures.

with url-safe encoding
2022/05/30 18:47:32 [INFO] [edge,registry] [message: Starting registry credential server]
2022/05/30 18:47:32 [INFO] [http] [server_addr: 172.17.0.2] [server_port: 9001] [secured: false] [api_version: 2.13.1] [message: Starting Agent API server]
2022/05/30 18:47:37 [ERROR] [edge] [message: an error occured during short poll] [error: short poll request failed]
2022/05/30 18:47:42 [ERROR] [edge] [message: an error occured during short poll] [error: short poll request failed]

without url-safe encoding
[ERROR] [main] [message: Unable to associate Edge key] [error: illegal base64 data at input byte 151

@huib-portainer
Contributor

The edge key contains the following info encoded as base64:
portainer_instance_url|tunnel_server_addr|tunnel_server_fingerprint|endpoint_ID
e.g. https://portainer.yourdomain.co.uk|portainer.yourdomain.co.uk:8000|52:3f:78:a3:dd:67:4a:b3:9e:34:1a:87:6b:28:2b:dc|2
So I would expect that to work.
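The decode/edit/re-encode workaround from the opening post, applied to the four-field key layout huib-portainer describes above, as an added example (not Portainer's own code). It assumes the token uses the URL-safe base64 alphabet, as the thread states, and treats the presence of '=' padding as unknown, so decoding accepts either; the sample key is constructed from the decoded token quoted in the issue.

```python
import base64
import re

# Field layout as huib-portainer describes it in this thread:
#   portainer_instance_url|tunnel_server_addr|tunnel_server_fingerprint|endpoint_ID
FIELD_NAMES = ("portainer_url", "tunnel_addr", "fingerprint", "endpoint_id")
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
URLSAFE_RE = re.compile(r"^[A-Za-z0-9_=-]+$")

def decode_edge_key(key: str) -> dict:
    """Decode a join token (URL-safe base64, '=' padding optional) into its fields."""
    key = key.strip()
    # Python's urlsafe decoder quietly accepts '+' and '/', so enforce the alphabet
    # here: a token re-encoded with the standard alphabet is the mistake the thread
    # reports as "illegal base64 data".
    if not URLSAFE_RE.match(key):
        raise ValueError("join token is not URL-safe base64 (contains '+' or '/')")
    raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4)).decode("utf-8")
    parts = raw.split("|")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '|'-separated fields, got {len(parts)}")
    fields = dict(zip(FIELD_NAMES, parts))
    if not FINGERPRINT_RE.match(fields["fingerprint"]):
        raise ValueError("fingerprint is not 16 colon-separated hex bytes")
    if not fields["endpoint_id"].isdigit():
        raise ValueError("endpoint id is not numeric")
    return fields

def encode_edge_key(fields: dict) -> str:
    """Re-encode the fields (whether Portainer emits '=' padding is an assumption)."""
    raw = "|".join(fields[name] for name in FIELD_NAMES)
    return base64.urlsafe_b64encode(raw.encode("utf-8")).decode("ascii")

def rewrite_tunnel_addr(key: str, tunnel_addr: str) -> str:
    """The workaround from the issue: replace only the second field, keep the rest."""
    fields = decode_edge_key(key)
    fields["tunnel_addr"] = tunnel_addr
    return encode_edge_key(fields)

# Constructed sample built from the decoded token quoted in the issue (not a real key).
ORIGINAL_KEY = encode_edge_key({
    "portainer_url": "https://portainer.yourdomain.com",
    "tunnel_addr": "portainer.yourdomain.com:8000",
    "fingerprint": "aa:bb:cc:dd:ee:ff:00:00:00:01:00:00:00:00:00:00",
    "endpoint_id": "3",
})
FIXED_KEY = rewrite_tunnel_addr(ORIGINAL_KEY, "https://edge.yourdomain.com")
```

Paste the original EDGE_KEY in place of the constructed one and pass the resulting FIXED_KEY to the agent; the fingerprint and endpoint id must be left untouched, since the agent pins the tunnel server on them.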

@simonlock

I thought so too. However, swapping
https://portainer.yourdomain.co.uk|portainer.yourdomain.co.uk:8000|52:3f:78:a3:dd:67:4a:b3:9e:34:1a:87:6b:28:2b:dc|2
with
https://portainer.yourdomain.co.uk|https://edge.yourdomain.co.uk|52:3f:78:a3:dd:67:4a:b3:9e:34:1a:87:6b:28:2b:dc|2

I always get the behaviour that I explained above. Could it be because I use a cloudflared tunnel (aka argo tunnel) with this domain? I wouldn't expect this to be the cause of the issue. But maybe a factor?

@pablosed

I always get the behaviour that I explained above. Could it be because I use a cloudflared tunnel (aka argo tunnel) with this domain? I wouldn't expect this to be the cause of the issue. But maybe a factor?

I have the exact same issue as you described, with the same setup ( portainer.example.com and edge.example.com) only difference is mine is behind a Traefik proxy (which makes zero difference to the other apps/services behind it). Same error message as well “short poll”.

I spent countless hours troubleshooting but could never get it working, same as you.

@simonlock

Hi @dafinga, I am using a Traefik proxy too.

@pablosed

Cool, @simonlock - well maybe that has something to do with it. Troubleshooting this further is above my pay grade. I have since torn down the entire setup regardless (although I would love a solution to this issue to surface as it would be the way I want to utilise the edge agent). Will continue to monitor this thread, and live in hope!

@AuthorityNull

AuthorityNull commented Jul 15, 2022

Hope to see this addressed. Having to manually decode, edit and encode edge agent IDs for every new edge environment is incredibly inconvenient for an application that otherwise makes everything incredibly convenient.

This is also not documented very well and took me days of searching through threads and troubleshooting to figure out how to get edge agents behind a proxy to work.

@vflorian2000

Why not just fix this for god's sake? Zero mention in the docs about having two different addresses in the key, no field to set edge address. If not for the solution suggested here on the issue post about decoding, correcting encoding, I wouldn't have found a solution. I've literally been looking for it for 2 and a half hours straight.

@AuthorityNull

Why not just fix this for god's sake? Zero mention in the docs about having two different addresses in the key, no field to set edge address. If not for the solution suggested here on the issue post about decoding, correcting encoding, I wouldn't have found a solution. I've literally been looking for it for 2 and a half hours straight.

I feel you on this one. Took me and a colleague hours to figure out how to fix this.

@huib-portainer
Contributor

You can give it a try by using the image portainerci/portainer-ee:pr1882.
Please let us know how that's working for you.
Note that this is a development build and should not be used in a production environment.

@octdanb

octdanb commented Oct 9, 2022

@huib-portainer
I tried this on my dev box,
I have two rules with hosts, both with tls via letsencrypt
portainer.redacted.com -> portainer:9000
edge-portainer.redacted.com -> portainer:8000

Attempted to setup a new edge agent on a new ec2 instance, setting the new "Portainer tunnel server address" to https://edge-portainer.redacted.com

Used the new EDGE_ID, EDGE_KEY to configure the new edge agent.

It seems to try to connect over TCP, even if you specify an HTTPS address.
What is the expected behavior here? I'd like the option to do the tunnel through HTTPS.

@huib-portainer
Contributor

The edge connection will use TCP, yes (by using the Chisel library).

@vflorian2000

vflorian2000 commented Oct 9, 2022 via email

@acul009

acul009 commented Feb 20, 2023

I'm kind of confused, I'd be happy if someone could help me out :)

The Issue is still open, but the Documentation found at https://docs.portainer.io/admin/settings/edge already shows and mentions "Portainer tunnel server address".

Is this feature available already?
Is this a CE or EE Feature?

If it's an EE feature, having the documentation mention that would be really nice.

The documentation for compose already has an issue using such a configuration.
portainer/portainer-compose#24

@jamescarppe
Member Author

@acul009 Good catch, this is indeed a BE-only feature. I've updated the documentation to make this clearer.

In some cases we don't have automation attached to the closing of issues, and because we're human sometimes we miss closing them once a release goes out. In any case, I'll close this one now too.
