Open programmerq opened 2 years ago
Same general problem with running FIPS Teleport binaries with etcd. If the ETCD certs are invalid for FIPS, this was the only error produced in Teleport:
sudo teleport start
2022-03-15T07:26:26-06:00 INFO Using license from /var/lib/teleport/license.pem expires at 2122-01-03 17:59:53.371934139 +0000 UTC,supports application access. process/process.go:64
2022-03-15T07:26:26-06:00 DEBU [SQLITE] Connected to: file:/var/lib/teleport/proc/sqlite.db?_busy_timeout=10000&_sync=OFF, poll stream period: 1s lite/lite.go:172
2022-03-15T07:26:26-06:00 DEBU [SQLITE] Synchronous: 0, busy timeout: 10000 lite/lite.go:217
2022-03-15T07:26:26-06:00 DEBU [KEYGEN] SSH cert authority is going to pre-compute 25 keys. native/native.go:102
2022-03-15T07:26:26-06:00 DEBU [PROC:1] Using etcd backend. service/service.go:3731
ERROR REPORT:
Original Error: context.deadlineExceededError context deadline exceeded
Stack Trace:
/go/src/github.com/gravitational/teleport/lib/backend/etcdbk/etcd.go:359 github.com/gravitational/teleport/lib/backend/etcdbk.(*EtcdBackend).reconnect
/go/src/github.com/gravitational/teleport/lib/backend/etcdbk/etcd.go:227 github.com/gravitational/teleport/lib/backend/etcdbk.New
/go/src/github.com/gravitational/teleport/lib/service/service.go:3744 github.com/gravitational/teleport/lib/service.(*TeleportProcess).initAuthStorage
/go/src/github.com/gravitational/teleport/lib/service/service.go:1108 github.com/gravitational/teleport/lib/service.(*TeleportProcess).initAuthService
/go/src/github.com/gravitational/teleport/lib/service/service.go:779 github.com/gravitational/teleport/lib/service.NewTeleport
/go/src/github.com/gravitational/teleport/e/tool/teleport/process/process.go:67 github.com/gravitational/teleport/e/tool/teleport/process.NewTeleport
/go/src/github.com/gravitational/teleport/lib/service/service.go:503 github.com/gravitational/teleport/lib/service.Run
/go/src/github.com/gravitational/teleport/e/tool/teleport/main.go:23 main.main
/opt/go/src/runtime/proc.go:255 runtime.main
/opt/go/src/runtime/asm_amd64.s:1581 runtime.goexit
User Message: initialization failed
context deadline exceeded
And on the etcd side:
Caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"<redacted>","server-name":"","error":"remote error: tls: bad certificate"}
This can lead to a lot of troubleshooting around how the TLS certificates and networking are set up between Teleport and etcd instead of focusing on a FIPS compliance failure in Teleport.
For those interested, the root of the above issue was: https://github.com/gravitational/teleport/issues/3519
Description
What happened:
When attempting a login via OIDC, the auth server logs an error including this stacktrace:
The keycloak instance has a well trusted certificate and is up and running.
This is a teleport-fips binary. A network stacktrace showed that the TLS-level error was that teleport was disconnecting because it did not trust the 4096 bit certificate since it was using a cipher not allowed by fips.
What you expected to happen:
At the very least, the fips connection failure reason should be made clear in the logs. The "is not valid or not accessible" is too general and is confusing in conjunction with the endpoint referenced being up and running, accepting other requests, and working with other tools on the system such as curl. Additionally, it may be appropriate to relax the stringent fips requirements when communicating with upstream services, especially since the teleport admin may not have control over those.
Reproduction Steps
With a teleport fips binary, create an oidc connector that will cause teleport to try to make a TLS connection. Use a 4096 bit cert on that oidc server.
Server Details
teleport version: teleport fips 6.x
/etc/os-release: N/A
Client Details
tsh version: N/A
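The report above asks for the TLS failure reason to be surfaced instead of a bare "context deadline exceeded" or "is not valid or not accessible". As an added example that is not Teleport's code, here is a small Go probe that performs one handshake under a deadline and labels the outcome so that a certificate the client itself rejected, a TLS alert the peer sent (the etcd-side "bad certificate"), and a plain timeout with no TLS verdict at all are distinguishable in a log line; the function names and label strings are my own.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net"
	"strings"
	"time"
)

// Classify maps a dial/handshake error onto an operator-facing label, so that a
// certificate rejection is never reported as a bare "context deadline exceeded".
func Classify(err error) string {
	var ne net.Error
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua) || errors.As(err, &ci):
		return "local-verify-failed" // we rejected the peer's certificate chain
	case strings.Contains(err.Error(), "remote error: tls:"):
		return "peer-rejected" // the peer sent a TLS alert such as "bad certificate"
	case errors.Is(err, context.DeadlineExceeded) || (errors.As(err, &ne) && ne.Timeout()):
		return "timeout" // no TLS verdict at all: peer unreachable or unresponsive
	}
	return "other" // e.g. connection refused; log err.Error() alongside the label
}

// ProbeTLS performs exactly one TLS handshake to addr within timeout and returns
// the label plus the raw error; a log line should carry both together.
func ProbeTLS(addr string, cfg *tls.Config, timeout time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	conn, err := (&tls.Dialer{Config: cfg}).DialContext(ctx, "tcp", addr)
	if err == nil {
		conn.Close() // handshake completed; the connection itself is not needed
	}
	return Classify(err), err
}
```

Pointing ProbeTLS at the OIDC endpoint or the etcd peer with the same tls.Config the server uses reproduces the handshake in isolation, which separates a trust or key-type rejection from networking problems.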