fixup untrusted cert errors (#16127)

* Add util helpers for untrusted cert errors * Remove superfluous error checking * Add helpful message on first time node join * Cleanup cert error messages when connecting to auth service * Add helpful certs message for tctl * Fix flaky TestHandlerConnectionUpgrade * Change long line back to the way it was before Co-authored-by: STeve Huang <xin.huang@goteleport.com>
2024-10-20 17:23:22 +00:00 · 2022-09-07 15:49:20 -07:00 · 2022-09-07 15:49:20 -07:00 · 4a3f241e2a
parent a707e88b84
commit 4a3f241e2a
4 changed files with 28 additions and 15 deletions
--- a/lib/reversetunnel/transport.go
+++ b/lib/reversetunnel/transport.go
@ -23,7 +23,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"strings"
 	"time"

 	"golang.org/x/crypto/ssh"
@ -88,12 +87,6 @@ func (t *TunnelAuthDialer) DialContext(ctx context.Context, _, _ string) (net.Co

 	addr, err := t.Resolver(ctx)
 	if err != nil {
-		if strings.Contains(err.Error(), "certificate is not trusted") {
-			err = trace.Wrap(
-				err,
-				"Your proxy certificate is not trusted or expired. Please update the certificate or follow this guide for self-signed certs: https://goteleport.com/docs/setup/admin/self-signed-certs",
-			)
-		}
 		t.Log.Errorf("Failed to resolve tunnel address: %v", err)
 		return nil, trace.Wrap(err)
 	}
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
@ -607,6 +607,9 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
 			CircuitBreakerConfig: process.Config.CircuitBreakerConfig,
 		})
 		if err != nil {
+			if utils.IsUntrustedCertErr(err) {
+				return nil, trace.WrapWithMessage(err, utils.SelfSignedCertsMsg)
+			}
 			return nil, trace.Wrap(err)
 		}

@ -1071,19 +1074,17 @@ func (process *TeleportProcess) newClient(authServers []utils.NetAddr, identity
 	tunnelClient, err := process.newClientThroughTunnel(authServers, tlsConfig, sshClientConfig)
 	if err != nil {
 		process.log.Errorf("Node failed to establish connection to Teleport Proxy. We have tried the following endpoints:")
-		// Can't errors.As directErr in the "x509: certificate is valid for x but not y" error case, as only message field is set
-		if trace.IsConnectionProblem(directErr) && strings.Contains(directErr.Error(), "x509: certificate is valid for") {
-			directErr = trace.Wrap(directErr, "Your proxy certificate is not trusted or expired."+
-				" Please update the certificate or follow this guide for self-signed certs: https://goteleport.com/docs/setup/admin/self-signed-certs")
-		}
 		process.log.Errorf("- connecting to auth server directly: %v", directErr)
 		if trace.IsConnectionProblem(err) && strings.Contains(err.Error(), "connection refused") {
 			err = trace.Wrap(err, "This is the alternative port we tried and it's not configured.")
 		}
 		process.log.Errorf("- connecting to auth server through tunnel: %v", err)
-		return nil, trace.WrapWithMessage(
-			trace.NewAggregate(directErr, err),
-			trace.Errorf("Failed to connect to Auth Server directly or over tunnel, no methods remaining."))
+		collectedErrs := trace.NewAggregate(directErr, err)
+		if utils.IsUntrustedCertErr(collectedErrs) {
+			collectedErrs = trace.WrapWithMessage(collectedErrs, utils.SelfSignedCertsMsg)
+		}
+		return nil, trace.WrapWithMessage(collectedErrs,
+			"Failed to connect to Auth Server directly or over tunnel, no methods remaining.")
 	}

 	logger.Debug("Connected to Auth Server through tunnel.")
--- a/lib/utils/errors.go
+++ b/lib/utils/errors.go
@ -75,3 +75,19 @@ func IsConnectionRefused(err error) bool {
 func IsExpiredCredentialError(err error) bool {
 	return IsHandshakeFailedError(err) || IsCertExpiredError(err) || trace.IsBadParameter(err) || trace.IsTrustError(err)
 }
+
+// IsUntrustedCertErr checks if an error is an untrusted cert error.
+func IsUntrustedCertErr(err error) bool {
+	if err == nil {
+		return false
+	}
+	errMsg := err.Error()
+	return strings.Contains(errMsg, "x509: certificate is valid for") ||
+		strings.Contains(errMsg, "certificate is not trusted")
+}
+
+const (
+	// SelfSignedCertsMsg is a helper message to point users towards helpful documentation.
+	SelfSignedCertsMsg = "Your proxy certificate is not trusted or expired. " +
+		"Please update the certificate or follow this guide for self-signed certs: https://goteleport.com/docs/setup/admin/self-signed-certs/"
+)
--- a/tool/tctl/common/tctl.go
+++ b/tool/tctl/common/tctl.go
@ -174,6 +174,9 @@ func Run(commands []CLICommand) {

 	client, err := authclient.Connect(ctx, clientConfig)
 	if err != nil {
+		if utils.IsUntrustedCertErr(err) {
+			err = trace.WrapWithMessage(err, utils.SelfSignedCertsMsg)
+		}
 		utils.Consolef(os.Stderr, log.WithField(trace.Component, teleport.ComponentClient), teleport.ComponentClient,
 			"Cannot connect to the auth server: %v.\nIs the auth server running on %q?",
 			err, cfg.AuthServers[0].Addr)