Skip to main content

tctl commands with `--identity` flag and file throw x509 errors

Alen
  • Updated

Type:

issue

Question/Problem:

Running tctl commands locally with an --identity flag and file throws x509 errors and suggests that teleport is attempting to dial localhost.

Symptoms:

Teleport will log that it's failing to resolve when dialing locally and will error out.

Logs:

ERRO Failed to resolve tunnel address Get "<https://127.0.0.1:3025/webapi/find>": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs reversetunnel/transport.go:90 
[CLIENT] Cannot connect to the auth server: failed direct dial to auth server: 
     Get "<https://teleport.cluster.local/v2/configuration/name>": x509: certificate signed by unknown authority Get "<https://teleport.cluster.local/v2/configuration/name>": x509: certificate signed by unknown authority, failed dial to auth server through reverse tunnel: Get "<https://teleport.cluster.local/v2/configuration/name>": Get "<https://127.0.0.1:3025/webapi/find>": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs 
     Get "<https://teleport.cluster.local/v2/configuration/name>": Get "<https://127.0.0.1:3025/webapi/find>": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs. 
Is the auth server running on "127.0.0.1:3025"? 
ERRO Failed to resolve tunnel address Get "<https://127.0.0.1:3025/webapi/find>": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs reversetunnel/transport.go:90

Repro Steps:

  1. Log into teleport with tsh login and generate an identity file
  2. Run tctl command and pass in the --identity flag and file, without using the --auth-server flag and addr.
  3. Observe error shown above.

Solution:

When you pass in the identity file to a tctl command it makes tctl default to localhost which is why that is why you see it trying to dial to 127.0.0.1. If you do pass in the identity file then you also need to pass the --auth-server flag and addr. Otherwise, you can just run `tctl` commands without the --identity flag and file and it will pull from your local profile which is generated via tsh login once you log in.

Related articles

Comments

0 comments

Article is closed for comments.