--out flag appears to be broken #14

one000mph opened this issue Oct 11, 2019 · 1 comment
one000mph commented Oct 11, 2019

Currently working on CLI Docs and encountered a problem using the --out flag for an identity file.

I try logging in normally, no problems

```
tsh login --proxy=proxy.starty.io
Enter password for Teleport user teleport:
Enter your OTP token:
XXXXXX
> Profile URL:  https://proxy.starty.io:3080
  Logged in as: teleport
  Cluster:      proxy.starty.io
  Roles:        admin*
  Logins:       teleport, root
  Valid until:  2019-10-12 03:02:12 +0300 +03 [valid for 12h0m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty


* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise
```

I try logging in with --out flag

```
DEBU [KEYSTORE]  Returning SSH certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-cert.pub" valid until "2019-10-12 03:02:12 +0300 +03", TLS certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-x509.pem" valid until "2019-10-12 00:02:12 +0000 UTC". client/keystore.go:262
INFO [CLIENT]    no host login given. defaulting to heather client/api.go:769
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.HYAeLp6aZZ/Listeners" client/api.go:1940
DEBU [KEYSTORE]  Returning SSH certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-cert.pub" valid until "2019-10-12 03:02:12 +0300 +03", TLS certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-x509.pem" valid until "2019-10-12 00:02:12 +0000 UTC". client/keystore.go:262
INFO [KEYAGENT]  Loading key for "teleport" client/keyagent.go:108
DEBU [CLIENT]    not using loopback pool for remote proxy addr: proxy.starty.io:3080 client/api.go:1901
DEBU [CLIENT]    HTTPS client init(proxyAddr=proxy.starty.io:3080, insecure=false) client/weblogin.go:252
Enter password for Teleport user teleport:
Enter your OTP token:
XXXXXX
DEBU [CLIENT]    not using loopback pool for remote proxy addr: proxy.starty.io:3080 client/api.go:1901
DEBU [CLIENT]    HTTPS client init(proxyAddr=proxy.starty.io:3080, insecure=false) client/weblogin.go:252
INFO [CLIENT]    Connecting proxy=proxy.starty.io:3023 login='teleport' method=0 client/api.go:1483
DEBU [KEYAGENT]  Validated host proxy.starty.io:3023. client/keyagent.go:280
INFO [CLIENT]    Successful auth with proxy proxy.starty.io:3023 client/api.go:1489
DEBU [CLIENT]    Client  is connecting to auth server on cluster "grav-00". client/client.go:311

ERROR REPORT:
Original Error: *trace.ConnectionProblemError x509: certificate signed by unknown authority
Stack Trace:
	/tmp/20190917T164217/src/github.com/gravitational/teleport/lib/httplib/httplib.go:110 github.com/gravitational/teleport/lib/httplib.ConvertResponse
	/tmp/20190917T164217/src/github.com/gravitational/teleport/lib/auth/clt.go:339 github.com/gravitational/teleport/lib/auth.(*Client).Get
	/tmp/20190917T164217/src/github.com/gravitational/teleport/lib/auth/clt.go:529 github.com/gravitational/teleport/lib/auth.(*Client).GetCertAuthorities
	/tmp/20190917T164217/src/github.com/gravitational/teleport/lib/client/api.go:1660 github.com/gravitational/teleport/lib/client.(*TeleportClient).GetTrustedCA
	/tmp/20190917T164217/src/github.com/gravitational/teleport/tool/tsh/tsh.go:438 main.onLogin
	/tmp/20190917T164217/src/github.com/gravitational/teleport/tool/tsh/tsh.go:324 main.Run
	/tmp/20190917T164217/src/github.com/gravitational/teleport/tool/tsh/tsh.go:174 main.main
	/usr/local/go/src/runtime/proc.go:209 runtime.main
	/usr/local/go/src/runtime/asm_amd64.s:1338 runtime.goexit
User Message: Get https://teleport.cluster.local/v2/authorities/host?load_keys=false: x509: certificate signed by unknown authority
```

From the log message it looks like it is trying to access the proxy at teleport.cluster.local which, of course, would not resolve correctly.

The behavior is the same regardless of whether the commands are run outside of the cluster or on one of the nodes.

Config File

```yaml
ssh_service:
  enabled: "yes"
auth_service:
  public_addr: 10.164.0.7:3025
  enabled: "yes"
proxy_service:
  ssh_public_addr: proxy.starty.io:3023
  public_addr: proxy.starty.io:3080
  enabled: "yes"
  https_cert_file: /etc/letsencrypt/live/proxy.starty.io/fullchain.pem
  https_key_file: /etc/letsencrypt/live/proxy.starty.io/privkey.pem
```

one000mph commented Oct 11, 2019

It looks like this default API domain teleport.cluster.local setting comes from https://github.com/andyet/teleport/blob/master/constants.go#L459
