Skip to content

Instantly share code, notes, and snippets.

@hivelogic2018

hivelogic2018/gist:9772c10366f78d260343ae2ec975bd00

Created August 4, 2025 03:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save hivelogic2018/9772c10366f78d260343ae2ec975bd00 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save hivelogic2018/9772c10366f78d260343ae2ec975bd00 to your computer and use it in GitHub Desktop.
Download ZIP
Teleport server Docker container logs
Raw
gistfile1.md

From your Teleport server Docker container logs, here's a diagnosis of what's preventing you from accessing Teleport and its UI:

Core Problem: TLS Certificate Verification Failure

The most critical errors in your logs point to TLS certificate verification failures. This means the Teleport components are unable to trust each other's certificates, which is essential for secure communication.

You see these repeated errors:

  • WARN [MXTLS:1] Handshake failed src_addr:127.0.0.1:45258 dst_addr:127.0.0.1:3025 error:[tls: failed to verify certificate: x509: certificate signed by unknown authority] multiplexer/tls.go:152
  • ERRO [PROC:1] Failed to establish connection to cluster. pid:7.1 identity:Instance error:[...remote error: tls: unknown certificate authority"]

This indicates that the Teleport service running inside the container cannot establish a secure connection to its own Auth Server (listening on 0.0.0.0:3025) because it doesn't recognize the certificate authority that signed the Auth Server's certificate.

Contributing Factors and Potential Causes

  1. Self-Signed Certificates (and their handling):

    • WARN [PROC:1] No TLS Keys provided, using self-signed certificate. pid:7.1 service/service.go:6577
    • Teleport is starting with self-signed certificates. While this is common for initial setups or development environments, it means that components need to be explicitly configured to trust these self-signed certificates. If they are not, you'll get the "unknown certificate authority" error.
    • Possible issue: The client (likely the Teleport proxy/node trying to connect to the Auth service, or your browser trying to access the UI) isn't configured to trust the self-signed certificate generated by your Teleport Auth server.

  2. Auth Server Address and proxy_protocol Warning:

    • WARN [AUTH:1] 'proxy_protocol' unspecified. Starting Auth service with external PROXY protocol support, but IP pinned connection affected by PROXY headers will not be allowed. Set 'proxy_protocol: on' in 'auth_service' config if Auth service runs behind L4 load balancer with enabled PROXY protocol, or set 'proxy_protocol: off' otherwise pid:7.1 service/service.go:2444
    • WARN [AUTH:1] Configuration setting auth_service/advertise_ip is not set, using inferred address pid:7.1 address:172.18.0.6:3025 service/service.go:2527
    • The proxy_protocol warning suggests that if you have a load balancer in front of Teleport, it might be interfering with how IP addresses are seen by the Auth service. This is less likely to be the root cause of the "unknown certificate authority" error, but it's something to address for proper network setup, especially if you plan to use a load balancer.
    • The advertise_ip warning indicates Teleport is inferring its own IP address (172.18.0.6:3025). In a Docker environment, this is usually the container's internal IP. While not directly an error, if your clients are trying to connect via a different external IP/hostname, this could indirectly contribute to certificate issues if the certificate was issued for a different hostname.

  3. PostgreSQL Serialization Error (Minor/Transient):

    • DEBU [PGBK] Operation failed due to conflicts, retrying quickly. attempt:1 error:[Original Error: *pgconn.PgError ERROR: could not serialize access due to read/write dependencies among transactions (SQLSTATE 40001)]
    • This is a DEBUG level message and indicates a transient database transaction conflict with PostgreSQL, which Teleport handles by retrying. This is unlikely to be the primary cause of your access issues.

Actionable Steps to Diagnose and Resolve

Here's what you should check and try:

  1. Teleport Configuration (teleport.yaml):

    • Certificate Paths: Ensure that your teleport.yaml file explicitly defines paths for tls_key_file and tls_cert_file within the auth_service and proxy_service sections, and that these paths are correctly mounted into your Docker container. If you're using self-signed certificates, ensure they are generated correctly and placed where Teleport expects them.
    • Cluster Name: Verify that the cluster_name in teleport.yaml matches what you expect (e.g., infra.zingastay.com).
    • auth_service and proxy_service listen_addr and web_listen_addr:
      • Make sure listen_addr for auth_service is set to 0.0.0.0:3025 (which your logs show it's listening on).
      • Ensure your proxy_service has web_listen_addr configured, typically 0.0.0.0:443 or 0.0.0.0:3080 (or whatever port you've exposed for the UI).
      • If proxy_service is disabled, you won't have a web UI. Make sure it's enabled in your teleport.yaml.

  2. Trusting Certificates:

    • If using self-signed certs (common for quick starts): You'll need to configure your client (e.g., your web browser, tsh client) to trust the CA certificate generated by Teleport.
      • For the UI: When you first try to access the Teleport UI in your browser, you might get a "Your connection is not private" warning. You'll need to proceed past this warning or import the Teleport CA certificate into your browser's trust store.
      • For tsh (Teleport CLI): You'll often need to run tsh login --proxy=<proxy-address> --insecure initially if you haven't set up proper certificate trust, or ensure your tsh client is configured to use the correct CA.
    • For production: You'll want to use certificates signed by a trusted Certificate Authority (CA), like Let's Encrypt, and configure Teleport to use those.

  3. Port Mapping in docker-compose.yaml:

    • Confirm that your docker-compose.yaml correctly maps the necessary Teleport ports from the container to your host.
      • Auth Service: 3025 (for internal communication and tsh direct connections)
      • Proxy Service (Web UI): 3080 (HTTPS UI and tsh proxy connections) and potentially 3023 (SSH proxy).
    • Example: 
      services:
  teleport-server:
    # ... other configs
    ports:
      - "3025:3025" # Auth service
      - "3080:3080" # Web UI and HTTPS proxy
      - "3023:3023" # SSH proxy
      # ... other ports like 3024 (auth/node) if needed

  4. Network Connectivity:

    • From the host machine, can you curl the Teleport UI port? curl -k https://localhost:3080 (replace localhost and 3080 with your actual host IP and Teleport UI port). The -k ignores certificate errors, which helps confirm basic connectivity.
    • Ensure no firewall rules (either on the host or within your cloud provider/VM) are blocking access to the exposed Teleport ports.

  5. Review teleport.yaml again thoroughly. The teleport.yaml defines how your Teleport instance behaves. Small misconfigurations, especially around advertise_ip and proxy_protocol in conjunction with auth_server vs. proxy_server can lead to these kinds of issues.

By addressing the TLS certificate verification errors and ensuring your teleport.yaml and Docker Compose port mappings are correct, you should be able to resolve the access issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment