Open d9705996 opened 2 years ago
Not sure if this is related but I am seeing the following from our agents trying to connect to the auth server upon upgrading to 8.0.5:
App failed to establish connection to cluster: special characters are not allowed in resource names, please use name composed only from characters, hyphens, dots, and plus signs: "/tokens/<redacted>", invalid character '<' looking for beginning of value. service/connect.go:68
Same issue after upgrading client and server to 8.0.6
tsh version
Teleport v8.0.6 git:v8.0.6-0-g807c6d662 go1.17.3
teleport version
Teleport v8.0.6 git:v8.0.6-0-g807c6d6 go1.17.3
FWIW we were seeing the same issues with 8.0.3 and 8.0.5 and have had to downgrade to 7.3.5 to get everything up and running again in our environment.
Same issue here, downgrading tsh to 8.0.0 fixed it for me
So after some time of working fine with 7.3.5 this issue reared its head again and after some digging the fix that worked for us was to generate new static tokens with no special characters.
This did the trick and we were also able to upgrade to 8.x successfully, not sure if this is your issue too @RiwanBodereau @d9705996 but worth looking at. The odd part was we have been using these tokens for a long time with 7.x with no issue then after a reboot the other day we began seeing them.
I've reproduced this issue when attempting to log in with --proxy set to an address that is different to the one configured in proxy_service.public_addr, but where that name does route to the proxy and the proxy does have a valid certificate for that name. It appears this is caused by the Proxy HTTP API detecting that the host is not the host configured and attempting to redirect to /web/launch/$CONFIGURED_PROXY_ADDRESS.
Partially related to #13012.
For some further detail, this error also appears in tbot during the join process when a proxy address is specified, but connecting via proxy fails and then the client falls back to trying to connect to it as an auth server.
You can see this within the aggregate error returned, which includes the real error and then this misleading red-herring:
ERROR: user "bot-bot1" has already been issued a renewable certificate and cannot be issued another; consider deleting and recreating the bot, invalid character '<' looking for beginning of value
We should better detect when this response comes from the proxy, rather than the auth server, and omit this error and output one suggesting that it has tried to connect to a proxy as if it were an auth server.
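An added example, not part of the thread and not Teleport's code, showing why an HTML answer from the proxy surfaces as `invalid character '<' looking for beginning of value` and one way a client could detect it before decoding. The names `ErrNotJSONAPI`, `decodeJSONResponse`, `probe` and `naiveErr` are hypothetical, and the HTML body is a constructed sample.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
)

// ErrNotJSONAPI (hypothetical) marks a reply that is markup, not JSON, e.g. a
// proxy web page or redirect body received while expecting the auth API.
var ErrNotJSONAPI = errors.New("non-JSON reply: address may be a proxy, not an auth server")

// decodeJSONResponse inspects Content-Type and the first byte before decoding,
// so an HTML page gives an actionable error instead of a JSON syntax error.
func decodeJSONResponse(resp *http.Response, out interface{}) error {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer
	if err != nil {
		return err
	}
	mediaType, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if mediaType == "text/html" || bytes.HasPrefix(bytes.TrimSpace(body), []byte("<")) {
		return fmt.Errorf("%w (status %d, content-type %q)", ErrNotJSONAPI, resp.StatusCode, mediaType)
	}
	return json.Unmarshal(body, out)
}

// probe builds an in-memory response (no network) and runs the checked decoder.
func probe(contentType, body string) error {
	rec := httptest.NewRecorder()
	rec.Header().Set("Content-Type", contentType)
	rec.WriteString(body)
	return decodeJSONResponse(rec.Result(), &map[string]interface{}{})
}

// naiveErr decodes without any check, reproducing the misleading error text.
func naiveErr(body string) error {
	return json.Unmarshal([]byte(body), &map[string]interface{}{})
}

func main() {
	html := `<a href="/web/launch/proxy.example.com">Found</a>` // constructed sample
	fmt.Println("naive:  ", naiveErr(html))
	fmt.Println("checked:", probe("text/html; charset=utf-8", html))
	fmt.Println("json:   ", probe("application/json", `{"ok":true}`))
}
```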
Description
What happened:
What you expected to happen:
tsh to successfully connect to the cluster
Reproduction Steps
As minimally and precisely as possible, describe step-by-step how to reproduce the problem.
/usr/local/bin/tctl users add dwalker --roles=editor,auditor,access
Server Details
teleport version: Teleport v8.0.5 git:v8.0.5-0-g0e304c3 go1.17.3
/etc/os-release: CentOS Linux release 7.9.2009 (Core)
Dedicated Hardware
teleport.example.com:443 to the teleport service unmolested.
Client Details
tsh version: Teleport v8.0.1 git:v8.0.1-0-gb95fb530b go1.17.3
Windows
website download
Debug Logs
Please include or attach debug logs, when appropriate. Obfuscate sensitive information!
teleport --debug
tsh --debug
Manually querying the URI on the same client returns a valid JSON response