Node won't connect - x509 certificate signed by unknown authority #5660
I have set up a cluster using non-standard folders and ports, and am getting an error when I try to connect the first node to the cluster. The version is teleport-v5.1.2-linux-arm-bin.tar.gz. This is to be a trusted cluster eventually, but I have not activated the cluster.yaml file, since my nodes won't connect.

The auth, proxy, and ssh services are running on node12, with these config files:

/etc/teleport2.yaml
teleport:

/etc/systemd/system/teleport2.service
[Unit] [Service] [Install]

And the node that doesn't connect, node13, is running these config files:

/etc/teleport2.yaml
teleport:

and /etc/systemd/system/teleport2.service
[Unit] [Service] [Install]

The service comes up fine on node12, but when node13 comes up and tries to connect I get this error:

ERRO [PROC:1] Node failed to establish connection to cluster: Get "https://192.168.234.12:4025/v1/webapi/

Clusters I have set up with almost identical configs, other than the special folders and port numbers, work fine. Other nodes give the same error when I try to connect them. I have deleted the /var/lib/teleport2 folder on both nodes and restarted, and reinstalled from scratch, but so far the error remains identical. I got the ca pin by running sudo tctl status --config=/etc/teleport2.yaml on node12.

Thanks for the help.
Replies: 2 comments 2 replies
teleport2.node12.service.txt teleport2.node13.yaml.txt (see answer from @webvictim below)
Thank you Gus, I will look at this in a new light.
Alan
From: Gus Luxton <[email protected]>
Sent: Thursday, March 4, 2021 9:49 AM
To: gravitational/teleport <[email protected]>
Cc: alanlubold <[email protected]>; Mention <[email protected]>
Subject: Re: [gravitational/teleport] Node won't connect - x509 certificate signed by unknown authority (#5660)
Hi @alanlubold <https://github.com/alanlubold>, sorry for the delay.
This is the token you have set on node12: - proxy,node: 4321
This indicates that proxy_service and ssh_service must both be enabled in the config on node13 for it to be able to join the cluster. The set of enabled services must match those in the token.
To fix this, you could either:
* change the token to - node: 4321 on node12 and restart node12
* add a new token: - node: 6789 on node12 and restart, then change the config on node13 to use auth_token: 6789 and restart.
I hope this makes sense.
(also, you can use markdown blocks (```) <https://github.github.com/gfm/#fenced-code-blocks> to preserve formatting when posting blocks of code in future)
teleport2.node12.service.txt
teleport2.node13.service.txt
teleport2.node13.yaml.txt
teleport2.node12.yaml.txt
(see answer from @webvictim below)