Add debug logging to tsh when there is a SAN mismatch connecting to Auth via Proxy #61059

Merged: cthach merged 18 commits into master from cthach/improve-tsh-login-logging, Nov 10, 2025

Conversation

@cthach (Contributor) commented Nov 5, 2025

Closes #60676

Changelog: Improve error message of tsh when there is a certificate DNS SAN mismatch when connecting to Auth via Proxy.

Demo

Before

```
$ tsh login  --proxy=wrong.teleport.addr

ERROR: Cannot establish https connection to wrong.teleport.addr:
x509: certificate is valid for teleport.dev, *.teleport.dev, not wrong.teleport.addr
try a different hostname for --proxy or specify --insecure flag if you know what you're doing.
```

After

```
$ build/tsh login --proxy=somenumber.teleport.cluster.local:443

ERROR: Cannot connect to the Auth service via the Teleport Proxy.

  There might be one or more network intermediaries (like a proxy or VPN) that are modifying your connection before it
  reaches the Teleport Proxy. These intermediaries can alter how your connection is seen by the Teleport Proxy and
  routed, leading to certificate mismatches.

  To fix this, ensure that any network intermediaries are properly configured and not interfering with your connection.

DEBUG INFO:
  Host: somenumber.teleport.cluster.local

  Proxy Environment Variables:
    http_proxy: bad.proxy.example

  Server Certificate Details:
    Subject: OU=christhach@Chriss-MBP.local (Chris Thach),O=mkcert development certificate
    Issuer: CN=mkcert christhach@Chriss-MBP.local (Chris Thach),OU=christhach@Chriss-MBP.local (Chris Thach),O=mkcert development CA
    Serial Number: 12507712134221951695701778001476744009
    Not Before: 2025-08-14 17:37:06 +0000 UTC
    Not After: 2027-11-14 18:37:06 +0000 UTC
    DNS Names: [teleport.dev *.teleport.dev]
    IP Addresses: []
```

Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@cthach cthach force-pushed the cthach/improve-tsh-login-logging branch from a44b627 to 62c3257, November 5, 2025 19:41
@cthach cthach changed the title from "WIP: Add debug logging to tsh login when there is a DNS SAN mismatch" to "Add debug logging to tsh login when there is a DNS SAN mismatch", Nov 5, 2025
Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@cthach cthach marked this pull request as ready for review November 5, 2025 20:28
@github-actions github-actions bot requested review from juliaogris and zmb3 November 5, 2025 20:28
@cthach cthach marked this pull request as draft November 5, 2025 20:30
@cthach cthach changed the title from "Add debug logging to tsh login when there is a DNS SAN mismatch" to "WIP: Add debug logging to tsh login when there is a DNS SAN mismatch", Nov 5, 2025
@cthach cthach removed request for juliaogris and zmb3 November 5, 2025 20:31
Comment thread lib/utils/cli.go Outdated
Signed-off-by: Chris Thach <chris.thach@goteleport.com>
Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@cthach cthach changed the title from "WIP: Add debug logging to tsh login when there is a DNS SAN mismatch" to "Add debug logging to tsh login when there is a DNS SAN mismatch", Nov 5, 2025
@cthach cthach marked this pull request as ready for review November 5, 2025 21:12
@github-actions github-actions bot requested review from atburke and kimlisa November 5, 2025 21:13
@cthach cthach requested a review from rosstimothy November 5, 2025 21:18
Comment thread lib/utils/cli_test.go Outdated
@rosstimothy (Contributor) commented Nov 7, 2025

> > While I think this is better than what we return to users today I don't know that it 100% covers the reasoning for the error message in the linked ticket.
>
> @rosstimothy I can enumerate that as one of the potential causes in the error messages of why the client might be encountering a mismatched certificate, but it might not be the only cause for every situation. How about I suggest we go for a list approach covering more potential causes and fixes? Or would you prefer we just go with this one cause?
>
> ```
> ERROR: The certificate does not match the address "wrong.teleport.addr" you are attempting to connect to.
>
>   This usually happens for one or more of the following reasons:
>
>     - You are connecting using an address that is not present in the certificate's Subject Alternative Names (SANs).
>     - The Teleport Proxy is misconfigured and is presenting a certificate that does not include its public address in the SANs.
>     - There is some network intermediary (like a proxy or VPN) that is modifying your connection that may alter how it is seen by the Teleport Proxy and routed.
>
>   To fix this, ensure the following:
>
>     - You are using the public address as configured in Teleport.
>     - The Teleport Proxy is configured to present a certificate that includes its public address in the SANs.
>     - Any network intermediaries are properly configured and not interfering with your connection.
>
>   If you know what you are doing, you can bypass this check by using the --insecure flag.
> ```

That's better but I think it still might be confusing to people because the address they are connecting to might not be one that they are familiar with. When we dial auth we dial <hex-encoded-cluster-name>.teleport.cluster.local which I think would be rendered as the following.

```
ERROR: The certificate does not match the address "<hex-encoded-cluster-name>.teleport.cluster.local"
```

In that case I think it would be better if we can explicitly have a message indicating that we were unable to connect to Auth via the Proxy.
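An added illustration, not code from this PR or from Teleport: in Go it classifies an x509 hostname mismatch as the Auth-via-Proxy dial by the `.teleport.cluster.local` suffix discussed above, and renders the DEBUG INFO block shown in the PR description from the `x509.HostnameError` the TLS handshake surfaces. The function names, the list of proxy environment variables and the sample certificate are assumptions.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// Environment variables that can route the dial through an intermediary (assumed list).
var proxyEnvVars = []string{"HTTP_PROXY", "http_proxy", "HTTPS_PROXY", "https_proxy", "NO_PROXY", "no_proxy"}
// Suffix of the address tsh dials for Auth through the Proxy: <hex-cluster-name>.teleport.cluster.local.
const clusterLocalSuffix = ".teleport.cluster.local"

// isAuthViaProxyMismatch reports whether err is an x509 hostname mismatch on the internal cluster domain.
func isAuthViaProxyMismatch(err error) bool {
	var hostErr x509.HostnameError
	return errors.As(err, &hostErr) && strings.HasSuffix(hostErr.Host, clusterLocalSuffix)
}

// sanMismatchDebugInfo renders the DEBUG INFO block for a hostname mismatch ("" for any other error); getenv is injected instead of os.Getenv for testability.
func sanMismatchDebugInfo(err error, getenv func(string) string) string {
	var hostErr x509.HostnameError
	if !errors.As(err, &hostErr) {
		return ""
	}
	var b strings.Builder
	fmt.Fprintf(&b, "DEBUG INFO:\n  Host: %s\n\n  Proxy Environment Variables:\n", hostErr.Host)
	for _, name := range proxyEnvVars {
		if v := getenv(name); v != "" {
			fmt.Fprintf(&b, "    %s: %s\n", name, v)
		}
	}
	c := hostErr.Certificate // the leaf certificate the server presented
	fmt.Fprintf(&b, "\n  Server Certificate Details:\n    Subject: %s\n    Issuer: %s\n", c.Subject, c.Issuer)
	fmt.Fprintf(&b, "    Serial Number: %s\n    Not Before: %s\n    Not After: %s\n", c.SerialNumber, c.NotBefore, c.NotAfter)
	fmt.Fprintf(&b, "    DNS Names: %v\n    IP Addresses: %v\n", c.DNSNames, c.IPAddresses)
	return b.String()
}

// sampleMismatch checks a constructed certificate carrying the PR demo's SANs against host, yielding the x509.HostnameError tsh sees.
func sampleMismatch(host string) error {
	cert := &x509.Certificate{DNSNames: []string{"teleport.dev", "*.teleport.dev"}}
	return cert.VerifyHostname(host)
}

func main() {
	err := sampleMismatch("abc123.teleport.cluster.local")
	fmt.Println("Auth via Proxy case:", isAuthViaProxyMismatch(err), "-", err)
	fmt.Print(sanMismatchDebugInfo(err, func(k string) string { return map[string]string{"http_proxy": "bad.proxy.example"}[k] }))
}
```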

@cthach (Contributor Author) commented Nov 7, 2025

Ohhhh that makes sense. I'll push an update.

@cthach cthach marked this pull request as draft November 7, 2025 14:26
…onnecting to Auth.

Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@cthach cthach changed the title from "Add debug logging to tsh login when there is a DNS SAN mismatch" to "Add debug logging to tsh login when there is a SAN mismatch connecting to Auth via Proxy", Nov 7, 2025
@cthach cthach changed the title from "Add debug logging to tsh login when there is a SAN mismatch connecting to Auth via Proxy" to "Add debug logging to tsh when there is a SAN mismatch connecting to Auth via Proxy", Nov 7, 2025
@cthach cthach marked this pull request as ready for review November 7, 2025 16:30
@github-actions github-actions bot requested a review from espadolini November 7, 2025 16:31
Comment thread lib/utils/cli.go Outdated
cthach and others added 2 commits November 7, 2025 13:13
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@GavinFrazar GavinFrazar removed their request for review November 7, 2025 18:32
Comment thread lib/utils/cli.go Outdated

```go
}
}

return fmt.Sprintf(`Cannot connect to the Auth service via the Teleport Proxy using the internal cluster domain %q.
```

@rosstimothy (Contributor) commented Nov 7, 2025

What do you think about removing the internal domain reference from this message? This is more of an internal thing that might be better suited for the debug info below.

@cthach (Contributor Author) replied:

Suggested change
return fmt.Sprintf(`Cannot connect to the Auth service via the Teleport Proxy using the internal cluster domain %q.
return fmt.Sprintf(`Cannot connect to the Auth service via the Teleport Proxy.

Yeah, good point. It's not really useful or actionable to an end user AFAIK, so I'm fine with removing it and moving it to the debug info.

Side note: I'm not totally familiar with how and why that internal cluster domain resolves to Auth. If you have any reading material, please send it my way if you get a chance.

@cthach (Contributor Author) replied:

Moved in 785103a

Signed-off-by: Chris Thach <chris.thach@goteleport.com>
Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@juliaogris (Contributor) left a comment

> @juliaogris Updated. Please see PR description and let me know if it's more readable now 🙏🏾

Looks great to me.

@cthach cthach added this pull request to the merge queue Nov 10, 2025
Merged via the queue into master with commit e16a7ad Nov 10, 2025
42 checks passed
@cthach cthach deleted the cthach/improve-tsh-login-logging branch November 10, 2025 18:58
@backport-bot-workflows (Contributor) commented

@cthach See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v17 | Create PR |
| branch/v18 | Create PR |


Successfully merging this pull request may close these issues: Improve debug logs when tsh fails to connect when presented with an invalid certificate

4 participants