Unable to deploy Teleport: Get "https://teleport.domain.intern:443/webapi/find": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match teleport.domain.intern

[lennard-brinkhaus]

Installation Cmd:

helm install teleport-agent teleport/teleport-kube-agent -f prod-cluster-values.yaml --version 17.1.1 \
--create-namespace --namespace teleport

prod-cluster-values.yaml:

roles: kube,app,discovery
authToken: 01234567890123456789
proxyAddr: teleport.domain.intern:443
kubeClusterName: dev-cluster
labels:
    teleport.internal/resource-id: 38f422d1-cb01-45f5-ba18-66a7d46fd5ee

Error Log:

2024-12-23T12:34:30Z ERRO [PROC:1]    Failed to establish connection to cluster. pid:7.1 identity:Kube error:[
ERROR REPORT:
Original Error: trace.aggregate pinging proxy to determine signature algorithm suite
        Get "https://teleport.domain.intern:443/webapi/find": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match teleport.domain.intern
Stack Trace:
        github.com/gravitational/teleport/lib/auth/join/join.go:322 github.com/gravitational/teleport/lib/auth/join.Register
        github.com/gravitational/teleport/lib/service/connect.go:445 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnect
        github.com/gravitational/teleport/lib/service/connect.go:220 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
        github.com/gravitational/teleport/lib/service/connect.go:193 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
        github.com/gravitational/teleport/lib/service/connect.go:86 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
        github.com/gravitational/teleport/lib/service/service.go:3196 github.com/gravitational/teleport/lib/service.(*TeleportProcess).RegisterWithAuthServer.func1
        github.com/gravitational/teleport/lib/service/supervisor.go:581 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
        github.com/gravitational/teleport/lib/service/supervisor.go:307 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
        runtime/asm_amd64.s:1700 runtime.goexit
User Message: pinging proxy to determine signature algorithm suite
        Get "https://teleport.domain.intern:443/webapi/find": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match teleport.domain.intern] service/connect.go:102

I have the teleport cluster behind an nginx proxy.

Everything works normal and I can access everything from web-ui and from tsh except for registering an self hosted kubernetes cluster.

Some month ago we already bind the same cluster and it works without any problems. Now suddenly some weeks ago, the connection failed with the same error message. We updated teleport, linux and kubernetes but nothing resolves the error.

[webvictim]

Where did your TLS certificate on teleport.domain.intern:443 come from? I'm curious whether it has any Subject Alternative Names (SANs) set on it.

You can check with openssl (replace teleport.example.com:443 with teleport.domain.intern:443)

$ echo "" | openssl s_client -connect teleport.example.com:443 -showcerts 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:*.teleport.example.com, DNS:teleport.example.com

Alternatively, your nginx proxy may be misconfigured and your agent is failing to tunnel to the Teleport auth service through it. Can you share your nginx config?

[lennard-brinkhaus]

Right now we use the nginx proxy manager as our reverse proxy. This proxy manager creates and manage our TLS certificate.

I checked the Certificate and its currently configured with the following content:

X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:*.teleport.example.com

So it should work,

The Certificate was our first idea too, and maybe I'm missing something, but I don't think it has something to-do with certificates. We have also another server with connects without any problem. And if it's a certificate problem, this node shouldn't be able to connect, right..?
Also, the Kube-Agent forked at first and only after some months there was suddenly the problem. That was really confusing.