search

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.41k stars 1.74k forks source link

`--insecure` mode not being respected #38372

Open ibeckermayer opened 7 months ago

ibeckermayer commented 7 months ago

Expected behavior:

I have a proxy service configured like

proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:3080
  public_addr: proxy.127.0.0.1.nip.io:3080
  https_keypairs:
    - key_file: /Users/ibeckermayer/teleport-config/proxy.127.0.0.1.nip.io+4-key.pem
      cert_file: /Users/ibeckermayer/teleport-config/proxy.127.0.0.1.nip.io+4.pem

where /Users/ibeckermayer/teleport-config/proxy.127.0.0.1.nip.io+4.pem is not trusted by my system keychain.

I would expect that adding the --insecure flag to teleport start --insecure would make this lack of trust irrelevant based on the documentation for that flag

"Insecure mode disables certificate validation"

Current behavior:

Instead, despite include --insecure, I still end up with a crash on startup:

Crash logs ``` ERROR REPORT: Original Error: *trace.BadParameterError unable to verify HTTPS certificate chain in : ERROR REPORT: Original Error: *errors.errorString x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted Stack Trace: github.com/gravitational/teleport/lib/utils/certs.go:193 github.com/gravitational/teleport/lib/utils.VerifyCertificateChain github.com/gravitational/teleport/lib/config/configuration.go:1201 github.com/gravitational/teleport/lib/config.applyProxyConfig github.com/gravitational/teleport/lib/config/configuration.go:535 github.com/gravitational/teleport/lib/config.ApplyFileConfig github.com/gravitational/teleport/lib/config/configuration.go:2393 github.com/gravitational/teleport/lib/config.Configure github.com/gravitational/teleport/tool/teleport/common/teleport.go:548 github.com/gravitational/teleport/tool/teleport/common.Run github.com/gravitational/teleport/tool/teleport/main.go:33 main.main runtime/proc.go:271 runtime.main runtime/asm_arm64.s:1222 runtime.goexit User Message: x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted Stack Trace: github.com/gravitational/teleport/lib/config/configuration.go:1202 github.com/gravitational/teleport/lib/config.applyProxyConfig github.com/gravitational/teleport/lib/config/configuration.go:535 github.com/gravitational/teleport/lib/config.ApplyFileConfig github.com/gravitational/teleport/lib/config/configuration.go:2393 github.com/gravitational/teleport/lib/config.Configure github.com/gravitational/teleport/tool/teleport/common/teleport.go:548 github.com/gravitational/teleport/tool/teleport/common.Run github.com/gravitational/teleport/tool/teleport/main.go:33 main.main runtime/proc.go:271 runtime.main runtime/asm_arm64.s:1222 runtime.goexit User Message: unable to verify HTTPS certificate chain in : ERROR REPORT: Original Error: *errors.errorString x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted Stack Trace: github.com/gravitational/teleport/lib/utils/certs.go:193 github.com/gravitational/teleport/lib/utils.VerifyCertificateChain github.com/gravitational/teleport/lib/config/configuration.go:1201 github.com/gravitational/teleport/lib/config.applyProxyConfig github.com/gravitational/teleport/lib/config/configuration.go:535 github.com/gravitational/teleport/lib/config.ApplyFileConfig github.com/gravitational/teleport/lib/config/configuration.go:2393 github.com/gravitational/teleport/lib/config.Configure github.com/gravitational/teleport/tool/teleport/common/teleport.go:548 github.com/gravitational/teleport/tool/teleport/common.Run github.com/gravitational/teleport/tool/teleport/main.go:33 main.main runtime/proc.go:271 runtime.main runtime/asm_arm64.s:1222 runtime.goexit User Message: x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted ```

Instructing my keychain to trust this certificate fixes this.

Bug details:

zmb3 commented 7 months ago

Doesn't look like a regression, I think it's always worked this way.

There's some special handling to detect if the certificate is self-signed, but based on the name of the cert I suspect you are using certs generated by mkcert, which are not self-signed.

ibeckermayer commented 7 months ago

True, I don't think it's a regression, at least it reproduces back in v12. Regardless, our documentation for the flag is

--[no-]insecure            Insecure mode disables certificate validation

for which the most straightforward interpretation is that certificate verification is skipped entirely, not just that self signed certificates are allowed.