gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

2.6.1 missing certificate error when migrating identities from v2.2.4 #1991

Closed james-lawrence closed 6 years ago

james-lawrence commented 6 years ago

what happened

teleport start --roles=auth --config=/etc/teleport/auth.yml
INFO [AUTH]      Auth server is running periodic operations. auth/auth.go:109
INFO [AUTH]      Updating cluster configuration: StaticTokens([ProvisionToken(Token=...,Roles=Proxy,Node,Expires=never)]). auth/init.go:221
INFO [AUTH]      Updating cluster configuration: AuthPreference(Type="local",SecondFactor="off"). auth/init.go:230
INFO [AUTH]      Created namespace: "default". auth/init.go:237
error: missing parameter TLSCert, initialization failed

What you expected to happen: expected the auth server process to start up.

sample configuration makes no mention of TLS in the auth_service section.

teleport configure
#
# Sample Teleport configuration file.
#
teleport:
  nodename: bastion.talla.com
  data_dir: /var/lib/teleport
  pid_file: /var/run/teleport.pid
  auth_token: cluster-join-token
  auth_servers:
  - 0.0.0.0:3025
  connection_limits:
    max_connections: 1000
    max_users: 250
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  tokens:
  - proxy,node:cluster-join-token
  session_recording: ""
ssh_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3022
  labels:
    db_role: master
    db_type: postgres
  commands:
  - name: hostname
    command: [/usr/bin/hostname]
    period: 1m0s
  - name: arch
    command: [/usr/bin/uname, -p]
    period: 1h0m0s
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  https_key_file: /var/lib/teleport/webproxy_key.pem
  https_cert_file: /var/lib/teleport/webproxy_cert.pem

How to reproduce it (as minimally and precisely as possible):

Environment:

teleport version
Teleport v2.6.1 git:v2.6.1-0-g63d4968f

Relevant Debug Logs If Applicable

/gopath/src/github.com/gravitational/teleport/lib/auth/state.go:191 github.com/gravitational/teleport/lib/auth.(*IdentityV2).CheckAndSetDefaults
/gopath/src/github.com/gravitational/teleport/lib/auth/state.go:131 github.com/gravitational/teleport/lib/auth.(*ProcessStorage).WriteIdentity
/gopath/src/github.com/gravitational/teleport/lib/auth/init.go:415 github.com/gravitational/teleport/lib/auth.migrateIdentity
/gopath/src/github.com/gravitational/teleport/lib/auth/init.go:400 github.com/gravitational/teleport/lib/auth.migrateIdentities
/gopath/src/github.com/gravitational/teleport/lib/auth/init.go:387 github.com/gravitational/teleport/lib/auth.migrateLegacyResources
/gopath/src/github.com/gravitational/teleport/lib/auth/init.go:370 github.com/gravitational/teleport/lib/auth.Init

russjones commented 6 years ago

Did you upgrade from 2.2 straight to 2.6? To upgrade your cluster you would have to go from 2.2 -> 2.3 -> 2.4 -> 2.5 -> 2.6: https://gravitational.com/teleport/docs/admin-guide/#component-compatibilitiy
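
The upgrade order described in the comment above, as an added example that is not part of the original thread or Teleport's own tooling: a pre-flight check for a deploy script that parses a `teleport version` line and lists the minor releases to install in order. The function names are hypothetical, and the one-minor-at-a-time rule within a single major version is an assumption generalized from the 2.2 -> 2.6 sequence given here.

```shell
#!/bin/sh
# Added example (hypothetical helper names): plan a stepwise Teleport upgrade.
# Assumption: within one major version, every minor release must be visited in order.

# Extract "MAJOR.MINOR" from a `teleport version` line or a bare "2.2.4" / "v2.2.4".
major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^\(Teleport \)\{0,1\}v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2.\3/p'
}

# Print the minor releases to install, one per line, ending at the target.
# Returns 0 on success, 2 = unparsable version, 3 = downgrade, 4 = different major.
upgrade_path() {
    from=$(major_minor "$1")
    to=$(major_minor "$2")
    if [ -z "$from" ] || [ -z "$to" ]; then
        echo "cannot parse version: '$1' / '$2'" >&2; return 2
    fi
    from_major=${from%%.*}; from_minor=${from#*.}
    to_major=${to%%.*};     to_minor=${to#*.}
    if [ "$from_major" -ne "$to_major" ]; then
        echo "major version change, check the compatibility docs first" >&2; return 4
    fi
    if [ "$to_minor" -lt "$from_minor" ]; then
        echo "target $to is older than installed $from" >&2; return 3
    fi
    step=$((from_minor + 1))
    while [ "$step" -le "$to_minor" ]; do
        echo "$to_major.$step"
        step=$((step + 1))
    done
}

# Succeed only when the target is at most one minor release ahead.
check_direct_upgrade() {
    plan=$(upgrade_path "$1" "$2") || return $?
    set -- $plan                     # one positional parameter per required hop
    if [ "$#" -le 1 ]; then
        return 0
    fi
    echo "refusing direct upgrade, install in order: $*" >&2
    return 1
}

# Demo with the versions from this issue (old data dir from 2.2.4, new binary 2.6.1).
upgrade_path "2.2.4" "Teleport v2.6.1 git:v2.6.1-0-g63d4968f"
```

In a deploy script, calling `check_direct_upgrade` with the installed and target versions before swapping binaries stops the run before the auth server attempts the identity migration.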

james-lawrence commented 6 years ago

aww that makes me sad k. will try it out and see what happens.

james-lawrence commented 6 years ago

closing; this resolved the issue.

klizhentas commented 6 years ago

glad it worked for you. going forward we are trying to make less disruptive changes, but here is our guarantee so far:

https://gravitational.com/teleport/docs/admin-guide/#component-compatibilitiy

james-lawrence commented 6 years ago

not terribly concerned about disruptive changes, in all fairness the upgrade was smooth enough. biggest gain would be having prebuilt packages for the major package managers so I don't have to manually fetch and unpack the binaries =)