Open ibeckermayer opened 7 months ago
Doesn't look like a regression, I think it's always worked this way.
There's some special handling to detect if the certificate is self-signed, but based on the name of the cert I suspect you are using certs generated by mkcert, which are not self-signed.
True, I don't think it's a regression, at least it reproduces back in v12. Regardless, our documentation for the flag is
--[no-]insecure Insecure mode disables certificate validation
for which the most straightforward interpretation is that certificate verification is skipped entirely, not just that self-signed certificates are allowed.
Expected behavior:
I have a proxy service configured like
where `/Users/ibeckermayer/teleport-config/proxy.127.0.0.1.nip.io+4.pem` is not trusted by my system keychain. I would expect that adding the `--insecure` flag to `teleport start --insecure` would make this lack of trust irrelevant based on the documentation for that flag.
Current behavior:
Instead, despite including `--insecure`, I still end up with a crash on startup:
Crash logs
```
ERROR REPORT:
Original Error: *trace.BadParameterError unable to verify HTTPS certificate chain in :
ERROR REPORT:
Original Error: *errors.errorString x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted
Stack Trace:
	github.com/gravitational/teleport/lib/utils/certs.go:193 github.com/gravitational/teleport/lib/utils.VerifyCertificateChain
	github.com/gravitational/teleport/lib/config/configuration.go:1201 github.com/gravitational/teleport/lib/config.applyProxyConfig
	github.com/gravitational/teleport/lib/config/configuration.go:535 github.com/gravitational/teleport/lib/config.ApplyFileConfig
	github.com/gravitational/teleport/lib/config/configuration.go:2393 github.com/gravitational/teleport/lib/config.Configure
	github.com/gravitational/teleport/tool/teleport/common/teleport.go:548 github.com/gravitational/teleport/tool/teleport/common.Run
	github.com/gravitational/teleport/tool/teleport/main.go:33 main.main
	runtime/proc.go:271 runtime.main
	runtime/asm_arm64.s:1222 runtime.goexit
User Message: x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted
Stack Trace:
	github.com/gravitational/teleport/lib/config/configuration.go:1202 github.com/gravitational/teleport/lib/config.applyProxyConfig
	github.com/gravitational/teleport/lib/config/configuration.go:535 github.com/gravitational/teleport/lib/config.ApplyFileConfig
	github.com/gravitational/teleport/lib/config/configuration.go:2393 github.com/gravitational/teleport/lib/config.Configure
	github.com/gravitational/teleport/tool/teleport/common/teleport.go:548 github.com/gravitational/teleport/tool/teleport/common.Run
	github.com/gravitational/teleport/tool/teleport/main.go:33 main.main
	runtime/proc.go:271 runtime.main
	runtime/asm_arm64.s:1222 runtime.goexit
User Message: unable to verify HTTPS certificate chain in :
ERROR REPORT:
Original Error: *errors.errorString x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted
Stack Trace:
	github.com/gravitational/teleport/lib/utils/certs.go:193 github.com/gravitational/teleport/lib/utils.VerifyCertificateChain
	github.com/gravitational/teleport/lib/config/configuration.go:1201 github.com/gravitational/teleport/lib/config.applyProxyConfig
	github.com/gravitational/teleport/lib/config/configuration.go:535 github.com/gravitational/teleport/lib/config.ApplyFileConfig
	github.com/gravitational/teleport/lib/config/configuration.go:2393 github.com/gravitational/teleport/lib/config.Configure
	github.com/gravitational/teleport/tool/teleport/common/teleport.go:548 github.com/gravitational/teleport/tool/teleport/common.Run
	github.com/gravitational/teleport/tool/teleport/main.go:33 main.main
	runtime/proc.go:271 runtime.main
	runtime/asm_arm64.s:1222 runtime.goexit
User Message: x509: “ibeckermayer@Isaiahs-MacBook-Pro.local (Isaiah Becker-Mayer)” certificate is not trusted
```
Instructing my keychain to trust this certificate fixes this.
Bug details:
Teleport v16.0.0-dev git:api/v13.4.16-48-ga33d88e649 go1.22.0
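An added example, not Teleport's code and not part of the original thread, of the distinction the comments draw: a startup check that exempts only self-signed certificates still rejects a leaf issued by an untrusted local CA (as mkcert produces) unless the CA is trusted or the insecure flag skips validation. The names `issue` and `checkLeaf`, the certificate subjects, and the explicit `roots` pool standing in for the system keychain are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a constructed test certificate; a nil parent yields a self-signed root.
func issue(cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// checkLeaf is hypothetical, not Teleport's code; roots stands in for the system keychain.
func checkLeaf(c *x509.Certificate, roots *x509.CertPool, insecure bool) error {
	if insecure || c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		return nil // skipped: flag set, or the cert is signed by its own key (self-signed)
	}
	_, err := c.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	ca, caKey := issue("constructed dev CA", nil, nil) // plays the role of a mkcert root
	leaf, _ := issue("proxy.example", ca, caKey)       // CA-issued, so not self-signed
	none, trusted := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca)
	// Cases: self-signed; leaf with CA untrusted; leaf with CA trusted; untrusted + insecure.
	fmt.Println(checkLeaf(ca, none, false), checkLeaf(leaf, none, false),
		checkLeaf(leaf, trusted, false), checkLeaf(leaf, none, true))
}
```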