fixup untrusted cert errors (#16127)
* Add util helpers for untrusted cert errors * Remove superfluous error checking * Add helpful message on first time node join * Cleanup cert error messages when connecting to auth service * Add helpful certs message for tctl * Fix flaky TestHandlerConnectionUpgrade * Change long line back to the way it was before Co-authored-by: STeve Huang <xin.huang@goteleport.com>
parent
a707e88b84
commit
4a3f241e2a
|
@ -23,7 +23,6 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/ssh"
|
||||
|
@ -88,12 +87,6 @@ func (t *TunnelAuthDialer) DialContext(ctx context.Context, _, _ string) (net.Co
|
|||
|
||||
addr, err := t.Resolver(ctx)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "certificate is not trusted") {
|
||||
err = trace.Wrap(
|
||||
err,
|
||||
"Your proxy certificate is not trusted or expired. Please update the certificate or follow this guide for self-signed certs: https://goteleport.com/docs/setup/admin/self-signed-certs",
|
||||
)
|
||||
}
|
||||
t.Log.Errorf("Failed to resolve tunnel address: %v", err)
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
|
|
@ -607,6 +607,9 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
|
|||
CircuitBreakerConfig: process.Config.CircuitBreakerConfig,
|
||||
})
|
||||
if err != nil {
|
||||
if utils.IsUntrustedCertErr(err) {
|
||||
return nil, trace.WrapWithMessage(err, utils.SelfSignedCertsMsg)
|
||||
}
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
||||
|
@ -1071,19 +1074,17 @@ func (process *TeleportProcess) newClient(authServers []utils.NetAddr, identity
|
|||
tunnelClient, err := process.newClientThroughTunnel(authServers, tlsConfig, sshClientConfig)
|
||||
if err != nil {
|
||||
process.log.Errorf("Node failed to establish connection to Teleport Proxy. We have tried the following endpoints:")
|
||||
// Can't errors.As directErr in the "x509: certificate is valid for x but not y" error case, as only message field is set
|
||||
if trace.IsConnectionProblem(directErr) && strings.Contains(directErr.Error(), "x509: certificate is valid for") {
|
||||
directErr = trace.Wrap(directErr, "Your proxy certificate is not trusted or expired."+
|
||||
" Please update the certificate or follow this guide for self-signed certs: https://goteleport.com/docs/setup/admin/self-signed-certs")
|
||||
}
|
||||
process.log.Errorf("- connecting to auth server directly: %v", directErr)
|
||||
if trace.IsConnectionProblem(err) && strings.Contains(err.Error(), "connection refused") {
|
||||
err = trace.Wrap(err, "This is the alternative port we tried and it's not configured.")
|
||||
}
|
||||
process.log.Errorf("- connecting to auth server through tunnel: %v", err)
|
||||
return nil, trace.WrapWithMessage(
|
||||
trace.NewAggregate(directErr, err),
|
||||
trace.Errorf("Failed to connect to Auth Server directly or over tunnel, no methods remaining."))
|
||||
collectedErrs := trace.NewAggregate(directErr, err)
|
||||
if utils.IsUntrustedCertErr(collectedErrs) {
|
||||
collectedErrs = trace.WrapWithMessage(collectedErrs, utils.SelfSignedCertsMsg)
|
||||
}
|
||||
return nil, trace.WrapWithMessage(collectedErrs,
|
||||
"Failed to connect to Auth Server directly or over tunnel, no methods remaining.")
|
||||
}
|
||||
|
||||
logger.Debug("Connected to Auth Server through tunnel.")
|
||||
|
|
|
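Review bot: The direct-connection failure is now logged at `process.log.Errorf("- connecting to auth server directly: %v", directErr)` before any untrusted-cert hint is attached, so SelfSignedCertsMsg only reaches the returned aggregate and never the process log; in the removed lines the hint was wrapped onto directErr ahead of that log line. If the log is where operators look during a node join, it would help to also emit the hint when `utils.IsUntrustedCertErr(collectedErrs)` is true, e.g. `process.log.Error(utils.SelfSignedCertsMsg)` inside that branch. Note that matching on the aggregate means the hint fires if either the direct or the tunnel error carries the substring, which seems acceptable but is worth a one-line comment. newClient's body starts and ends outside the hunk.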
@ -75,3 +75,19 @@ func IsConnectionRefused(err error) bool {
|
|||
func IsExpiredCredentialError(err error) bool {
|
||||
return IsHandshakeFailedError(err) || IsCertExpiredError(err) || trace.IsBadParameter(err) || trace.IsTrustError(err)
|
||||
}
|
||||
|
||||
// IsUntrustedCertErr checks if an error is an untrusted cert error.
|
||||
func IsUntrustedCertErr(err error) bool {
|
||||
if err == nil {
|
||||
return false
|
||||
}
|
||||
errMsg := err.Error()
|
||||
return strings.Contains(errMsg, "x509: certificate is valid for") ||
|
||||
strings.Contains(errMsg, "certificate is not trusted")
|
||||
}
|
||||
|
||||
const (
|
||||
// SelfSignedCertsMsg is a helper message to point users towards helpful documentation.
|
||||
SelfSignedCertsMsg = "Your proxy certificate is not trusted or expired. " +
|
||||
"Please update the certificate or follow this guide for self-signed certs: https://goteleport.com/docs/setup/admin/self-signed-certs/"
|
||||
)
|
||||
|
|
|
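Review bot: IsUntrustedCertErr classifies by substrings of err.Error(), and the two it checks ("x509: certificate is valid for", the HostnameError text, and "certificate is not trusted") do not cover "x509: certificate signed by unknown authority", which is the message Go's crypto/x509 produces for a self-signed or unknown-CA certificate on platforms other than macOS as far as I recall; the callers in firstTimeConnect, newClient and tctl's Run would then not show SelfSignedCertsMsg for the most common self-signed case. Adding `strings.Contains(errMsg, "certificate signed by unknown authority")` to the return expression would close that gap. The doc comment should also state why message text is matched rather than an error type, as the removed comment in the newClient hunk explained, e.g. `// IsUntrustedCertErr reports whether err's message looks like an x509 trust or hostname failure; it matches message text because the original x509 error type is not preserved through wrapping.`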
@ -174,6 +174,9 @@ func Run(commands []CLICommand) {
|
|||
|
||||
client, err := authclient.Connect(ctx, clientConfig)
|
||||
if err != nil {
|
||||
if utils.IsUntrustedCertErr(err) {
|
||||
err = trace.WrapWithMessage(err, utils.SelfSignedCertsMsg)
|
||||
}
|
||||
utils.Consolef(os.Stderr, log.WithField(trace.Component, teleport.ComponentClient), teleport.ComponentClient,
|
||||
"Cannot connect to the auth server: %v.\nIs the auth server running on %q?",
|
||||
err, cfg.AuthServers[0].Addr)
|
||||
|
|