Self-signed SSL certificate handling #1392

Closed
kontsevoy opened this issue Oct 12, 2017 · 1 comment · Fixed by #1396

@kontsevoy
Contributor

Teleport appears to be handling self-signed certificates differently based on how you start it (or maybe it's a user error).

Scenario 1

  1. Wipe out `/var/lib/teleport`
  2. Start `teleport start` without a config file.
  3. It will create a self-signed certificate/key pair (`/var/lib/teleport/webproxy_cert.pem` and `/var/lib/teleport/webproxy_key.pem`)
  4. It will work, i.e. `teleport start` will run.

Scenario 2

  1. The same
  2. Start `teleport start` with a config file: `teleport start -c proxy-conf.yaml`, which looks like this:

```yaml
# proxy-conf.yaml
proxy_service:
  enabled: "yes"
  https_key_file: /var/lib/teleport/webproxy_key.pem
  https_cert_file: /var/lib/teleport/webproxy_cert.pem
```

These are basically the default values, i.e. the same thing which teleport should default to when no configuration file is present.

You will get this:

```
unable to verify HTTPS certificate chain in /var/lib/teleport/webproxy_cert.pem: WARNING:

  The proxy you are connecting to has presented a certificate signed by a
  unknown authority. This is most likely due to either being presented
  with a self-signed certificate or the certificate was truly signed by an
  authority not known to the client.

  If you know the certificate is self-signed and would like to ignore this
  error use the --insecure flag.

  If you have your own certificate authority that you would like to use to
  validate the certificate chain presented by the proxy, set the
  SSL_CERT_FILE and SSL_CERT_DIR environment variables respectively and try
  again.

  If you think something malicious may be occurring, contact your Teleport
  system administrator to resolve this issue.
```

Minor issue: formatting of the error (shall we place WARNING on a new line?)
Major issue: why isn't it starting? How do I start it?

@moritzdietz

@kontsevoy Yup that's exactly what I am seeing on my system. It doesn't help trying to start teleport with the --insecure flag; I still get that error message.

```
moritz@vps:~$ sudo teleport start --insecure --config=/etc/teleport/teleport.yaml
unable to verify HTTPS certificate chain in /var/lib/teleport/webproxy_cert.pem: x509: certificate signed by unknown authority
moritz@vps:~$
```

Now I am left with a system that won't start again. If this isn't reproducible let me know :-)
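The error reported in this thread, reproduced as an added example (not Teleport's code and not the change made in #1396): Go's `crypto/x509` rejects a self-signed certificate during chain verification unless the certificate is itself in the root pool. The `newSelfSigned` and `verifyChain` helpers, the host name, and the empty pool standing in for a trust store are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a constructed, throwaway certificate signed by its own key.
func newSelfSigned(host string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain (hypothetical startup check) lets a self-signed cert act as its own root when allowed.
func verifyChain(c *x509.Certificate, roots *x509.CertPool, allowSelfSigned bool) error {
	selfSigned := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	if allowSelfSigned && selfSigned {
		roots = x509.NewCertPool()
		roots.AddCert(c) // validity dates are still checked by Verify below
	}
	_, err := c.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	c, err := newSelfSigned("proxy.example.com")
	if err != nil {
		panic(err)
	}
	empty := x509.NewCertPool() // stands in for a trust store that lacks this cert
	fmt.Println("strict:", verifyChain(c, empty, false))
	fmt.Println("self-signed allowed:", verifyChain(c, empty, true))
}
```

Pinning the certificate as its own root keeps the expiry check in place, unlike skipping verification entirely.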
