gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

CLI Login not working with custom proxy port after upgrade to 3.1.1 #2458

Open kajogo777 opened 5 years ago

kajogo777 commented 5 years ago

What happened:

tsh login --proxy=domain:443

error timeout trying to connect to port 3080 instead of 443

What you expected to happen:

be able to login

How to reproduce it (as minimally and precisely as possible):

tsh login --proxy=domain:443

Environment:

Relevant Debug Logs If Applicable

INFO [CLIENT] no host login given. defaulting to client/api.go:700
INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/run/user/1000/keyring/ssh" client/api.go:1907
DEBU [CLIENT] not using loopback pool for remote proxy addr: domain:443 client/api.go:1868
DEBU [CLIENT] HTTPS client init(proxyAddr=domain:443, insecure=false) client/weblogin.go:531
DEBU [CLIENT] not using loopback pool for remote proxy addr: domain:3080 client/api.go:1868

Enter password for Teleport user user_name: Enter your OTP token:

DEBU [CLIENT] HTTPS client init(proxyAddr=domain:3080, insecure=false) client/weblogin.go:531

ERROR REPORT: Original Error: *trace.ConnectionProblemError dial tcp ip:3080: i/o timeout

kajogo777 commented 5 years ago

same for versions 3.0.2 & 3.0.0

klizhentas commented 5 years ago

What is :3080 supposed to mean? --proxy accepts a host:port address; we should probably prohibit the form you are passing.

kajogo777 commented 5 years ago

I am using --proxy=domain:443; what wrong form am I passing? I am not using 3080.

The included logs show that after I type in my password and second-factor OTP, the clients try to authenticate by connecting to 3080 instead of 443, which I specified via host:port.

kajogo777 commented 5 years ago

I substituted my domain name with "domain" in the log snippets I included, and the IP with "ip".

klizhentas commented 5 years ago

That's probably because port 3080 is specified in your configuration file, can you post it here without secrets?

kajogo777 commented 5 years ago

443 is specified in my proxy configuration file as well. This worked perfectly well with 2.6.7, and the web interface on 3.1.1 also works (I am able to log in and ssh).

...
proxy_service:
  enabled: yes
  listen_addr: ip:3023
  tunnel_listen_addr: 127.0.0.1:3024
  web_listen_addr: ip:443
  public_addr: domain
...

which configuration file are you referring to?

toby1991 commented 5 years ago

same issue +1

Teleport v3.2.2 git: go1.12.5

toby1991 commented 5 years ago

I fixed it by putting teleport behind Traefik,

and reverse-proxying the traffic: traefik:443 -> teleport:3080, traefik:3080 -> teleport:3080

@kajogo777

I think this is a bug
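The Traefik workaround described in the comment above, written out as an added example in Traefik v2 file-provider syntax (illustrative configuration, not from the original post or from the Teleport project; `domain` and `teleport` are placeholders for the proxy's public hostname and the Teleport host). Both 443 and 3080 are forwarded as raw TLS to Teleport's web listener, so Teleport keeps terminating TLS with its own certificate rather than Traefik re-terminating it.

```yaml
# traefik.yml (static configuration, constructed example)
entryPoints:
  websecure:
    address: ":443"     # port given to tsh --proxy and used by the browser
  teleport:
    address: ":3080"    # port the client falls back to after login, per the thread
providers:
  file:
    filename: /etc/traefik/dynamic.yml

---
# dynamic.yml (file provider, constructed example)
tcp:
  routers:
    teleport-web:
      entryPoints:
        - websecure
        - teleport
      # Route on the TLS SNI only; the session is not decrypted here.
      rule: "HostSNI(`domain`)"
      service: teleport-web
      tls:
        passthrough: true
  services:
    teleport-web:
      loadBalancer:
        servers:
          - address: "teleport:3080"   # Teleport's web_listen_addr
```

Because the TLS session passes through untouched, the certificate presented to tsh and the browser is the one configured on the Teleport proxy, which avoids a second certificate to manage at the load balancer.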

janlauber commented 2 years ago

Got a similar problem: installed teleport cluster helm chart (Version: 8.3.4) with the following values:

clusterName: "teleport.example.com"
kubeClusterName: prod-rke-cluster
authenticationType: local
labels:
  environment: prod
  type: k8s
  tenant: admin
acme: false
highAvailability:
  certManager:
    addCommonName: true
    enabled: true
    issuerName: letsencrypt-<issuername>
    issuerKind: ClusterIssuer

Exposed the HTTPS service via a LoadBalancer service of our Citrix NetScaler on port 3080.

Now when I try to login via tsh the following error occurs:

$ tsh --proxy=teleport.example.com:3080 --auth github login
ERROR: Post "https://teleport.example.com:443/v1/webapi/github/login/console": remote error: tls: unrecognized name

Why does it try on port 443??

Now when I try another port, the correct port for the POST request is chosen:

$ tsh --proxy=teleport.example.com:3081 --auth github login
ERROR: Get "https://teleport.example.com:3081/webapi/ping/github": context canceled

Probably a CLI bug imo

Aur0nd commented 1 year ago

Such a shame this is still an issue after all these years... Essentially the only way we can make this work is by deploying it behind a load balancer (AWS, Traefik, nginx, etc.), which creates a bunch of other unsolved TLS issues.

camorobot commented 1 year ago

+1, same problem on Teleport v11.1.1