From ace34c25bcd0dad5b11a0719f1134d19801db90d Mon Sep 17 00:00:00 2001 From: STeve Huang Date: Tue, 31 Oct 2023 11:37:03 -0400 Subject: [PATCH 1/2] [docs] troubleshooting for AWS Access SSM sessions --- .../cloud-apis/aws-console.mdx | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/pages/application-access/cloud-apis/aws-console.mdx b/docs/pages/application-access/cloud-apis/aws-console.mdx index df928ba9c2a3a..8bb15b9749032 100644 --- a/docs/pages/application-access/cloud-apis/aws-console.mdx +++ b/docs/pages/application-access/cloud-apis/aws-console.mdx @@ -374,6 +374,31 @@ To log out of the AWS application and remove credentials: $ tsh apps logout awsconsole-test ``` +## Troubleshooting +### `remote error: tls: bad certificate` error during SSM sessions + +You may encounter the `remote error: tls: bad certificate` error when starting +System Session Manager (SSM) sessions using `tsh aws ssm start-session` or `tsh +aws ecs execute-command` commands. + +The issue is that `tsh` cannot properly proxy WebSocket connections sent by +SSM. + +Please upgrade to the latest version of `tsh` where workarounds have been +implemented for [`tsh aws ssm +start-session`](https://github.com/gravitational/teleport/pull/30510) and [`tsh +aws ecs +execute-command`](https://github.com/gravitational/teleport/pull/33705). + +If you are using `tsh proxy aws` or if your `tsh` version does not contain the +above fixes, add the following domain to the `NO_PROXY` environment variable +before running `tsh` commands to ensure the WebSocket connections bypass `tsh`: +```bash +export NO_PROXY=ssmmessages.us-west-1.amazonaws.com +``` + +Replace `us-west-1` with the AWS region you are accessing. + ## Next steps - Take a closer look at [role-based access controls](../controls.mdx). From 39f1b983e1be11927d9b7a48c84efc4a07fc9d83 Mon Sep 17 00:00:00 2001 
From: STeve Huang Date: Wed, 1 Nov 2023 13:24:06 -0400 Subject: [PATCH 2/2] list PRs explicitly --- .../application-access/cloud-apis/aws-console.mdx | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/pages/application-access/cloud-apis/aws-console.mdx b/docs/pages/application-access/cloud-apis/aws-console.mdx index 8bb15b9749032..928957c728560 100644 --- a/docs/pages/application-access/cloud-apis/aws-console.mdx +++ b/docs/pages/application-access/cloud-apis/aws-console.mdx @@ -378,17 +378,19 @@ $ tsh apps logout awsconsole-test ### `remote error: tls: bad certificate` error during SSM sessions You may encounter the `remote error: tls: bad certificate` error when starting -System Session Manager (SSM) sessions using `tsh aws ssm start-session` or `tsh -aws ecs execute-command` commands. +System Session Manager (SSM) sessions using the `tsh aws ssm start-session` or +`tsh aws ecs execute-command` commands. The issue is that `tsh` cannot properly proxy WebSocket connections sent by SSM. Please upgrade to the latest version of `tsh` where workarounds have been -implemented for [`tsh aws ssm -start-session`](https://github.com/gravitational/teleport/pull/30510) and [`tsh -aws ecs -execute-command`](https://github.com/gravitational/teleport/pull/33705). +implemented for `tsh aws ssm start-session` and `tsh aws ecs execute-command`. +For more information on the `tsh` workarounds, see the pull requests that +introduced them: + +- [https://github.com/gravitational/teleport/pull/30510](https://github.com/gravitational/teleport/pull/30510) +- [https://github.com/gravitational/teleport/pull/33705](https://github.com/gravitational/teleport/pull/33705) If you are using `tsh proxy aws` or if your `tsh` version does not contain the above fixes, add the following domain to the `NO_PROXY` environment variable
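Review bot: In [PATCH 1/2], the `export NO_PROXY=ssmmessages.us-west-1.amazonaws.com` line overwrites whatever `NO_PROXY` already holds, while the sentence above it tells the reader to "add the following domain" to the variable. Anyone who already has `NO_PROXY` set (corporate proxy exclusions, for example) silently loses those entries. Suggest an appending form such as `export NO_PROXY="${NO_PROXY:+$NO_PROXY,}ssmmessages.us-west-1.amazonaws.com"`, or state explicitly that the command replaces the current value. Two smaller points in the same hunk: "System Session Manager (SSM)" is not the AWS name (the feature is Session Manager, part of AWS Systems Manager), and `## Troubleshooting` is followed directly by the `###` heading with no blank line between them.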
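Review bot: In [PATCH 2/2], the new bulleted list of bare PR URLs drops the mapping that the previous wording had between each pull request and the command it fixes; a reader can no longer tell that pull/30510 is for `tsh aws ssm start-session` and pull/33705 is for `tsh aws ecs execute-command`. Suggest labelling each bullet with its command. Also, "upgrade to the latest version of `tsh`" gives no minimum version, yet the next paragraph asks readers to decide whether their `tsh` version "does not contain the above fixes"; naming the first release that includes each workaround would make that check possible without reading the PRs.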