Open plittlefield opened 3 months ago
Hi, @plittlefield, thanks for opening an issue!
Sorry, the error is pretty obscure and the README doesn't tell enough: the 401 is not coming from AWS but from Tailscale.
The init command works by supplying a Tailscale API key and your tailnet name. Don't hesitate to check the command's flags with tailout init --help.
Check out the configuration section of the README to see how you can supply it.
EDIT: I have updated the README to add clearer setup instructions, don't hesitate to check it out.
Thanks, I will redo it all and read the new setup instructions and try again :)
OK, so I have tried again and get to the same point after reading your new setup instructions.
I have connected my laptop to my tailnet, can tailnet ip and tailnet ping to check that part works.
I have an AWS account, have the AWS cli installed and can list my other running instances to check that part works.
I have installed tailout.
I have created a tailout config file, my headscale server has created an API which I have added to check that part works.
However ...
If I run tailout init, I get this error ...
$ (paully-laptop) tailout init
Error: failed to get policy: failed to get OK status code: 401 Unauthorized
If I run tailout create, this is the (sanitised) output ...
$ (paully-laptop) tailout create
Creating tailout node in AWS with the following parameters:
- AWS Account ID: xxxxxxxxxxxxx
- AMI ID: ami-09edbb170cde0ca31
- Instance Type: t3a.micro
- Region: eu-west-3
- Auto shutdown after: 15m
- Connect after instance up: false
- Network: default VPC / Subnet / Security group of the region
✔ Yes
EC2 instance created successfully: i-09850098xxxxxxxx
Instance will be named tailout-eu-west-3-i-0985009xxxxxxxx
Waiting for instance to be running...
OK.
Waiting for instance to join tailnet...
Error: failed to get nodes: failed to get OK status code: 401 Unauthorized
What am I doing wrong?
Are there any verbose logs I can check?
Thanks.
Thanks for giving it time. I think the problem comes from using Headscale. Tailout only queries the Tailscale API and I haven't tested it with Headscale. I'm working on #33 to add the option to define an API URL so that you'd be able to set your Headscale URL.
Nice!
Thanks and keep up the great work.
I just pushed the feature, you can try by updating to v0.3.2: go install github.com/cterence/tailout@v0.3.2 whenever you feel like it!
There is a new --tailscale-base-url flag that you can customize.
Thanks!
I’ll try tomorrow and report back!
Hi,
Well, a bit further I think ...
$ tailout --tailscale-base-url https://headscale.mydomain.uk init
Error: unexpected end of JSON input
Here is my (sanitised) config ...
$ cat .tailout/config.yml
tailscale:
  api_key: tskey-api-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  auth_key: tskey-auth-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  tailnet: name.tailscale.mydomain.uk
region: eu-west-3
create:
  shutdown: 15m
Happy to try some beta version to fix this.
Here is the page on my Wiki for Headscale ...
https://wiki.indie-it.com/wiki/Tailscale
Thanks.
Hey, thanks for reporting back. I've been able to reproduce your issue using a Headscale instance I just set up. The API call that the Tailscale Go client makes when running the init command returns 404 on a Headscale instance:
"GET /api/v2/tailnet/xxx/acl HTTP/2.0" 404
I'll try to find a workaround!
Reporting back, it appears that the Tailscale client SDK hardcodes all the routes it uses for the calls, see the faulty call for example: https://github.com/tailscale/tailscale-client-go/blob/main/tailscale/client.go#L501.
That makes it de facto incompatible with Headscale, since it does not implement these routes...
I tried going further by running the create command, but I got the same error with this call: https://github.com/tailscale/tailscale-client-go/blob/main/tailscale/client.go#L731.
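Added example, not part of the thread and not tailout's or the Tailscale client's own code: a Go probe for the ACL route quoted above that separates a rejected API key (401) from a control server that does not implement the route (404). The function names, the `example.com` tailnet, the placeholder key and the local stand-in server are assumptions, as is sending the API key as the basic-auth username.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// diagnose classifies the response to the policy (ACL) call that init makes.
func diagnose(status int, body []byte) string {
	switch status {
	case http.StatusUnauthorized: // key rejected by the control server, not by AWS
		return "auth-rejected"
	case http.StatusNotFound: // route not implemented, as seen on Headscale
		return "route-missing"
	case http.StatusOK:
		if json.Valid(body) {
			return "ok"
		}
		return "bad-json" // an empty body decodes as "unexpected end of JSON input"
	}
	return "unexpected-status"
}

// probeACL requests <baseURL>/api/v2/tailnet/<tailnet>/acl and classifies the reply.
func probeACL(c *http.Client, baseURL, tailnet, apiKey string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/v2/tailnet/"+tailnet+"/acl", nil)
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(apiKey, "") // assumption: API key as username, empty password
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the bytes read
	return diagnose(resp.StatusCode, body), err
}

func main() {
	// Constructed stand-in for a control server that lacks the ACL route.
	srv := httptest.NewServer(http.NotFoundHandler())
	defer srv.Close()
	fmt.Println(probeACL(srv.Client(), srv.URL, "example.com", "tskey-api-PLACEHOLDER"))
}
```

Pointing `probeACL` at the base URL you pass to `--tailscale-base-url` shows which of the two failures you are hitting before any EC2 instance is created.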
Oh, so … for the time being it’s a non-starter for me.
Is there anything the developer of Headscale can do to help?
I’ve opened a feature request issue :)
Awesome, thanks for pushing for this!
I'm sure I have missed something in your instructions.
When I run
tailout init
I get the error:-
Error: failed to get policy: failed to get OK status code: 401 Unauthorized
I have an AWS_PROFILE environment variable set with correct permissions for EC2.