Closed scottbessler closed 6 years ago
Scott, sorry for the slow response. We need to dig into the code path to understand why it happens as it's not clear right away.
@scottbessler have you always had cluster_name in there? It's a strange name to pick (a GUID) which I suspect you pulled from one of the node IDs. If you comment out cluster_name it should stop complaining. (The docs mention that this setting cannot be changed after a cluster is created.)
yeah, @kontsevoy sorry i should have included that. without the cluster_name i get:
root@teleport:/home/ubuntu/teleport-235# ./teleport start --config ./teleport.yaml
[AUTH] Auth service is starting on 0.0.0.0:4025
WARN advertise_ip is not set for this auth server. Trying to guess the IP this server can be reached at: 172.31.101.203:4025 file="service/service.go:443" func="service.(*TeleportProcess).initAuthService.func3"
WARN conn(127.0.0.1:55898->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55896->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55900->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55902->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55906->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55904->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55908->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55910->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55912->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55914->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55916->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55918->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55920->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55922->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55924->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55926->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55928->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55930->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
WARN conn(127.0.0.1:55932->127.0.0.1:4025, user=cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7) ERROR: failed auth user cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7, err: ssh: certificate signed by unrecognized authority file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"
access denied to 'cfe5152a-5494-45f4-8ade-fb531de0c4f7.cfe5152a-5494-45f4-8ade-fb531de0c4f7': bad username or credentials
(i changed the ports so i could run it alongside my working teleport 2.2 instance)
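A triage sketch for output like the log above, added here as an example and not code from the thread or from the Teleport project: it collapses the repeated `failed auth user` warnings into one row per identity and error, and flags identities whose cluster part is a GUID or repeats the host ID. It assumes the `user=` field has the form `<host-id>.<cluster-name>` split at the first dot; the sample lines and the names `summarize`, `LINE_RE` and `SAMPLE_LOG` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the log above (not real data).
_ID = "11111111-2222-3333-4444-555555555555"
_FMT = ('WARN conn(127.0.0.1:{port}->127.0.0.1:4025, user={user}) ERROR: failed auth '
        'user {user}, err: ssh: certificate signed by unrecognized authority '
        'file="auth/tun.go:429" func="auth.(*AuthTunnel).keyAuth"')
SAMPLE_LOG = "\n".join(
    ["[AUTH] Auth service is starting on 0.0.0.0:4025"]
    + [_FMT.format(port=p, user=f"{_ID}.{_ID}") for p in (50001, 50003, 50005)]
    + [_FMT.format(port=50007, user=f"{_ID}.teleport.example.test")]
)

# Fields taken from the warning format shown in the thread.
LINE_RE = re.compile(
    r'conn\((?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+), user=(?P<user>[^)]+)\) '
    r'ERROR: failed auth user \S+, err: (?P<err>.+?) file="(?P<file>[^"]+)"'
)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def summarize(log_text):
    """Group auth failures by (identity, error, source line), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # non-matching lines (startup banners etc.) are skipped
            counts[(m.group("user"), m.group("err"), m.group("file"))] += 1

    findings = []
    for (user, err, source), n in counts.most_common():
        # Assumption: identity is "<host-id>.<cluster-name>", split at the first dot.
        host_id, _, cluster = user.partition(".")
        findings.append({
            "user": user, "error": err, "source": source, "count": n,
            "cluster_is_guid": bool(GUID_RE.fullmatch(cluster)),
            "cluster_equals_host_id": bool(cluster) and cluster == host_id,
        })
    return findings


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG):
        print(f["count"], f["user"], "|", f["error"], "|", f["source"],
              "| guid-cluster" if f["cluster_is_guid"] else "")
```
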
@scottbessler would you be comfortable sharing data from /var/lib/teleport with our engineers? I feel like this would be the fastest way to troubleshoot.
@kontsevoy i'd rather not share all of it, but are there specific things you want to see? perhaps a screen share debug session or something?
we can do that also. can you send me a few time slots that work for you? email would be best: ev@gravitational.com
@scottbessler Can you update the configuration of the Auth Server to the following (replacing teleport.hostname.fake with the real cluster name) and try upgrading to Teleport 2.3?
auth_service:
  cluster_name: teleport.hostname.fake
We changed how we handle configuration substantially in Teleport 2.3, and I think you are seeing some side effects of that: properties that were (sometimes) ignored in Teleport 2.2 became mandatory in Teleport 2.3 so Teleport would always start up in a consistent manner.
I'm going to close this issue for now and remove it from the 2.4.2 release. If it's still occurring we can investigate in the 2.5.1 release.
I currently have a 2.2.7 cluster running just fine with this config:
(redacted secrets and replaced the current auth server hostname with teleport.hostname.fake for purposes of this issue)
when i try and upgrade by stopping the 2.2.7 server and swapping in the 2.3.5 binaries (using same config and data dir) I get this error on startup: