
Proxy endpoint returning 502 Bad Gateway when deploying HA teleport cluster on AWS using Terraform #34284

Closed
tuladhar opened this issue Nov 7, 2023 · 2 comments · Fixed by #41668
Labels
aws Used for AWS Related Issues. bug terraform-deployment-examples Issues relating to Terraform deployment examples under examples/aws/terraform

Comments

@tuladhar
Contributor

tuladhar commented Nov 7, 2023

Expected behavior:

  • Deploying an HA Teleport cluster on AWS using Terraform with TLS routing enabled (TF_VAR_use_tls_routing = true) should work out of the box.

Current behavior:

  • After deployment completes, the public proxy endpoint returns 502 Bad Gateway.
  • The target group of teleport-proxy-acm shows the instances as unhealthy.

Bug details:

Logs on the proxy server

Nov 07 08:45:21 ip-172-31-2-101.eu-central-1.compute.internal teleport[3503]: 2023-11-07T08:45:21Z ERRO [PROC:1] Instance failed to establish connection to cluster: cluster pin does not match any provided certificate authority pin. This could have occurred if the Certificate Authority (CA) for the cluster was rotated, invalidating the old pin. This could also occur if a new HSM was added. Run "tctl status" to compare the pin used
Nov 07 08:45:21 ip-172-31-2-101.eu-central-1.compute.internal teleport[3503]: 2023-11-07T08:45:21Z ERRO [PROC:1] Check to see if the config has auth_server pointing to a Teleport Proxy. If it does, use proxy_server instead of auth_server. pid:3503.1 service/connect.go:110

Logs on the auth server

Nov 07 09:22:43 ip-172-31-0-142.eu-central-1.compute.internal teleport[4381]: 2023-11-07T09:22:43Z WARN [MXTLS:1] Handshake failed. dst_addr:172.31.0.142:3025 error:[remote error: tls: bad certificate] src_addr:172.31.4.167:52380 multiplexer/tls.go:150

Resolution:

  • Set proxy_protocol=off for auth and proxy and restart the service.
@tuladhar tuladhar added the bug label Nov 7, 2023
@zmb3 zmb3 added terraform-deployment-examples Issues relating to Terraform deployment examples under examples/aws/terraform aws Used for AWS Related Issues. labels Dec 21, 2023
@webvictim
Contributor

More broadly, this affects people trying to use IP pinning in Teleport 14+ with the Terraform deployment example. The proxy_protocol setting should either be exposed, or automatically set to on and PROXY protocol enabled on all NLBs.
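The failure mode discussed in this thread, as an added example that is not Teleport's code: a small PROXY protocol v1 parser plus a simplified model of how a listener behaves under the three proxy_protocol settings (on, off, unspecified). The mode semantics follow my reading of the Teleport 14 docs and are an assumption here, as are the constructed sample bytes; the example shows why a raw TLS connection from an NLB without PROXY protocol is rejected when the setting is on, why off resolves it, and why the unspecified mode leaves the source address untrusted for IP pinning.

```python
import ipaddress

# Constructed sample first-bytes of two inbound connections (not captured traffic).
# NLB with PROXY protocol enabled: a v1 header line, then the start of a TLS record.
PROXY_V1 = b"PROXY TCP4 203.0.113.7 172.31.0.142 52380 3025\r\n\x16\x03\x01"
# NLB with PROXY protocol disabled: the TLS ClientHello record arrives immediately.
PLAIN_TLS = b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1"

MAX_V1_LINE = 107  # longest legal v1 header including CRLF


def parse_proxy_v1(data: bytes):
    """Return (src_ip, src_port, remaining_bytes) for a PROXY v1 header, or None
    when the data does not start with one. Malformed headers raise ValueError."""
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > MAX_V1_LINE:
        raise ValueError("malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    src_ip = ipaddress.ip_address(fields[2])  # validates the address syntax
    return str(src_ip), int(fields[4]), data[end + 2:]


def accept_connection(data: bytes, peer_ip: str, proxy_protocol: str):
    """Model (assumption, not Teleport's implementation) of a listener decision.
    Returns (accepted, source_ip_trusted_for_pinning, client_ip)."""
    header = parse_proxy_v1(data)
    if proxy_protocol == "on":
        # Every connection must carry a PROXY line; a bare TLS record is rejected.
        if header is None:
            return False, False, peer_ip
        return True, True, header[0]
    if proxy_protocol == "off":
        # A PROXY line is unexpected here and is rejected; the TCP peer is trusted.
        if header is not None:
            return False, False, peer_ip
        return True, True, peer_ip
    # unspecified: a PROXY line is tolerated, but the resulting source address is
    # not trusted, so IP-pinned users fail even though the handshake succeeds.
    client_ip = peer_ip if header is None else header[0]
    return True, False, client_ip
```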

@webvictim
Contributor

The issue with proxy_protocol should be fixed in a week or two when v16.0.0 is released - updating the cluster to use 16.0.0 or higher AMIs will automatically generate a config with proxy_protocol set.
