`tsh login` times out if proxy presents invalid certificate

[r0mant]

Description

What happened:

If Teleport proxy presents an invalid certificate (in my case I was using ACME with LetsEncrypt staging environment), tsh login hangs for a while and eventually fails with a timeout error (I'm guessing because the default port 3080 is not open). Only when launched with -d flag it shows the actual x509 error. See the logs below.

It works ok when --insecure flag is provided. Looks like it may be related to proxy auto-selection logic?

What you expected to happen:

When getting a permanent error, tsh login should fail quicker and return the actual error.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

1. Setup a Teleport proxy with an invalid certificate.
2. tsh login into it.

Server Details

• Teleport version (run teleport version): 7.0.0-beta.3

Client Details

• Tsh version (tsh version): 7.0.0-beta.3

Debug Logs

➜  chart git:(branch/v7) tsh -d login --proxy=r0mant.authops.com --user=test
DEBU [CLIENT]    open /Users/r0mant/.tsh/r0mant.authops.com.yaml: no such file or directory client/api.go:710
DEBU [TSH]       Web proxy port was not set. Attempting to detect port number to use. tsh/tsh.go:1858
DEBU [TSH]       Resolving default proxy port (insecure: false) tsh/resolve_default_addr.go:121
DEBU [TSH]       Trying r0mant.authops.com:3080... tsh/resolve_default_addr.go:109
DEBU [TSH]       Trying r0mant.authops.com:443... tsh/resolve_default_addr.go:109
DEBU [TSH]       Race request failed error:[Get "https://r0mant.authops.com:443/webapi/ping": x509: certificate signed by unknown authority] tsh/resolve_default_addr.go:83
DEBU [TSH]       Race request failed error:[Get "https://r0mant.authops.com:3080/webapi/ping": context deadline exceeded] tsh/resolve_default_addr.go:83
DEBU [TSH]       Waiting for all in-flight racers to finish tsh/resolve_default_addr.go:144
DEBU [TSH]       Proxy port resolution failed, falling back to legacy default. error:[context deadline exceeded] tsh/tsh.go:1867
INFO [CLIENT]    no host login given. defaulting to r0mant client/api.go:1033
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.DsyMJMS9mh/Listeners" client/api.go:2779
DEBU [CLIENT]    not using loopback pool for remote proxy addr: r0mant.authops.com:3080 client/api.go:2740

ERROR REPORT:
Original Error: *url.Error Get "https://r0mant.authops.com:3080/webapi/ping": dial tcp 35.184.86.230:3080: connect: operation timed out
Stack Trace:
    /Users/r0mant/code/go/src/github.com/gravitational/teleport/vendor/github.com/gravitational/teleport/api/client/webclient/webclient.go:81 github.com/gravitational/teleport/api/client/webclient.Ping
    /Users/r0mant/code/go/src/github.com/gravitational/teleport/lib/client/api.go:2342 github.com/gravitational/teleport/lib/client.(*TeleportClient).Ping
    /Users/r0mant/code/go/src/github.com/gravitational/teleport/lib/client/api.go:2196 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
    /Users/r0mant/code/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:793 main.onLogin
    /Users/r0mant/code/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:583 main.Run
    /Users/r0mant/code/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:261 main.main
    /usr/local/Cellar/go/1.16.3/libexec/src/runtime/proc.go:225 runtime.main
    /usr/local/Cellar/go/1.16.3/libexec/src/runtime/asm_amd64.s:1371 runtime.goexit
User Message: Get "https://r0mant.authops.com:3080/webapi/ping": dial tcp 35.184.86.230:3080: connect: operation timed out

[r0mant]

@tcsc Looks like this may be related to proxy auto-detection, could you take a look when you get a chance?

[benarent]

@tcsc Looks like this may be related to proxy auto-detection, could you take a look when you get a chance?

Also see this https://github.com/gravitational/teleport/issues/7634