andyet / teleport

Fork for the purpose of a consulting project October 2019. Privileged access management for elastic infrastructure.
https://gravitational.com/teleport
Apache License 2.0

`--out` flag appears to be broken #14

Open one000mph opened 5 years ago

one000mph commented 5 years ago

Currently working on CLI docs and encountered a problem using the `--out` flag for the identity file.

I try logging in normally, no problems:

```
tsh login --proxy=proxy.starty.io
Enter password for Teleport user teleport:
Enter your OTP token:
XXXXXX
> Profile URL:  https://proxy.starty.io:3080
  Logged in as: teleport
  Cluster:      proxy.starty.io
  Roles:        admin*
  Logins:       teleport, root
  Valid until:  2019-10-12 03:02:12 +0300 +03 [valid for 12h0m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty

* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise
```

I try logging in with the `--out` flag:

```
DEBU [KEYSTORE]  Returning SSH certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-cert.pub" valid until "2019-10-12 03:02:12 +0300 +03", TLS certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-x509.pem" valid until "2019-10-12 00:02:12 +0000 UTC". client/keystore.go:262
INFO [CLIENT]    no host login given. defaulting to heather client/api.go:769
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.HYAeLp6aZZ/Listeners" client/api.go:1940
DEBU [KEYSTORE]  Returning SSH certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-cert.pub" valid until "2019-10-12 03:02:12 +0300 +03", TLS certificate "/Users/heather/.tsh/keys/proxy.starty.io/teleport-x509.pem" valid until "2019-10-12 00:02:12 +0000 UTC". client/keystore.go:262
INFO [KEYAGENT]  Loading key for "teleport" client/keyagent.go:108
DEBU [CLIENT]    not using loopback pool for remote proxy addr: proxy.starty.io:3080 client/api.go:1901
DEBU [CLIENT]    HTTPS client init(proxyAddr=proxy.starty.io:3080, insecure=false) client/weblogin.go:252
Enter password for Teleport user teleport:
Enter your OTP token:
XXXXXX
DEBU [CLIENT]    not using loopback pool for remote proxy addr: proxy.starty.io:3080 client/api.go:1901
DEBU [CLIENT]    HTTPS client init(proxyAddr=proxy.starty.io:3080, insecure=false) client/weblogin.go:252
INFO [CLIENT]    Connecting proxy=proxy.starty.io:3023 login='teleport' method=0 client/api.go:1483
DEBU [KEYAGENT]  Validated host proxy.starty.io:3023. client/keyagent.go:280
INFO [CLIENT]    Successful auth with proxy proxy.starty.io:3023 client/api.go:1489
DEBU [CLIENT]    Client  is connecting to auth server on cluster "grav-00". client/client.go:311

ERROR REPORT:
Original Error: *trace.ConnectionProblemError x509: certificate signed by unknown authority
Stack Trace:
    /tmp/20190917T164217/src/github.com/gravitational/teleport/lib/httplib/httplib.go:110 github.com/gravitational/teleport/lib/httplib.ConvertResponse
    /tmp/20190917T164217/src/github.com/gravitational/teleport/lib/auth/clt.go:339 github.com/gravitational/teleport/lib/auth.(*Client).Get
    /tmp/20190917T164217/src/github.com/gravitational/teleport/lib/auth/clt.go:529 github.com/gravitational/teleport/lib/auth.(*Client).GetCertAuthorities
    /tmp/20190917T164217/src/github.com/gravitational/teleport/lib/client/api.go:1660 github.com/gravitational/teleport/lib/client.(*TeleportClient).GetTrustedCA
    /tmp/20190917T164217/src/github.com/gravitational/teleport/tool/tsh/tsh.go:438 main.onLogin
    /tmp/20190917T164217/src/github.com/gravitational/teleport/tool/tsh/tsh.go:324 main.Run
    /tmp/20190917T164217/src/github.com/gravitational/teleport/tool/tsh/tsh.go:174 main.main
    /usr/local/go/src/runtime/proc.go:209 runtime.main
    /usr/local/go/src/runtime/asm_amd64.s:1338 runtime.goexit
User Message: Get https://teleport.cluster.local/v2/authorities/host?load_keys=false: x509: certificate signed by unknown authority
```

From the log message it looks like it is trying to access the proxy at `teleport.cluster.local`, which, of course, would not resolve correctly.

The behavior is the same regardless of whether the commands are run outside of the cluster or on one of the nodes.

Config file:

```yaml
ssh_service:
  enabled: "yes"
auth_service:
  public_addr: 10.164.0.7:3025
  enabled: "yes"
proxy_service:
  ssh_public_addr: proxy.starty.io:3023
  public_addr: proxy.starty.io:3080
  enabled: "yes"
  https_cert_file: /etc/letsencrypt/live/proxy.starty.io/fullchain.pem
  https_key_file: /etc/letsencrypt/live/proxy.starty.io/privkey.pem
```

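
The string `x509: certificate signed by unknown authority` is what Go's certificate verifier reports when it cannot chain the server's certificate to any CA in the client's trusted pool, which is a different failure from a hostname mismatch or a DNS lookup error. As an added example that is not part of this issue or of Teleport's code, the Go program below reproduces that class of error with a constructed cluster CA and a leaf certificate for `teleport.cluster.local`, and contrasts it with the hostname-mismatch error the same verifier gives when the CA is trusted but the expected name is wrong; the CA name and `proxy.example.invalid` are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert returns a self-signed CA when parent is nil, otherwise a server leaf signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // no issuer given: sign the template with its own key
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// Classify runs the chain check a TLS client performs (trusted roots + expected name) and names the failure mode.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, serverName string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown-authority" // the issue's error: the trusted pool does not contain the issuing CA
	case x509.HostnameError:
		return "hostname-mismatch" // a different failure: right CA, but the expected name is not in the cert
	}
	return "other"
}

// Demo builds a constructed cluster CA and a leaf for the API domain seen in the log, then checks it three ways.
func Demo() (okCase, unknownCA, wrongName string) {
	const apiDomain = "teleport.cluster.local" // name taken from the page's error message
	ca, caKey := newCert("constructed-cluster-ca", nil, nil)
	leaf, _ := newCert(apiDomain, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return Classify(leaf, trusted, apiDomain), Classify(leaf, x509.NewCertPool(), apiDomain),
		Classify(leaf, trusted, "proxy.example.invalid") // constructed wrong name
}
```

The second result is the error class seen in the stack trace above, so when triaging this kind of report the first thing to check is which CA pool the client loaded, not whether the API domain resolves.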
one000mph commented 5 years ago

It looks like this default API domain `teleport.cluster.local` setting comes from https://github.com/andyet/teleport/blob/master/constants.go#L459