Type:
issue
Question/Problem:
Running `tctl` commands locally with an `--identity` flag and file throws x509 errors and suggests that Teleport is attempting to dial localhost.
Symptoms:
Teleport will log that it's failing to resolve when dialing locally and will error out.
Logs:
ERRO Failed to resolve tunnel address Get "https://127.0.0.1:3025/webapi/find": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs reversetunnel/transport.go:90
[CLIENT] Cannot connect to the auth server: failed direct dial to auth server:
Get "https://teleport.cluster.local/v2/configuration/name": x509: certificate signed by unknown authority Get "https://teleport.cluster.local/v2/configuration/name": x509: certificate signed by unknown authority, failed dial to auth server through reverse tunnel: Get "https://teleport.cluster.local/v2/configuration/name": Get "https://127.0.0.1:3025/webapi/find": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
Get "https://teleport.cluster.local/v2/configuration/name": Get "https://127.0.0.1:3025/webapi/find": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs.
Is the auth server running on "127.0.0.1:3025"?
ERRO Failed to resolve tunnel address Get "https://127.0.0.1:3025/webapi/find": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs reversetunnel/transport.go:90
Repro Steps:
- Log into Teleport with `tsh login` and generate an identity file.
- Run a `tctl` command and pass in the `--identity` flag and file, without using the `--auth-server` flag and addr.
- Observe the error shown above.
Solution:
When you pass an identity file to a `tctl` command, `tctl` defaults to localhost, which is why you see it trying to dial 127.0.0.1. If you do pass in the identity file, you also need to pass the `--auth-server` flag and address. Otherwise, you can run `tctl` commands without the `--identity` flag and file, and `tctl` will pull from your local profile, which is generated via `tsh login` once you log in.