Can't connect to postgres with flyctl (SSH allowed-apps certificate)

When I ran flyctl pg connect -a <my pg cluster>, it showed:

flyctl pg connect -a <my pg cluster>
Connecting to fdaa:0:<rest IP address>... complete
Error: error connecting to SSH server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
Stacktrace:
goroutine 1 [running]:
runtime/debug.Stack()
        /opt/hostedtoolcache/go/1.21.0/x64/src/runtime/debug/stack.go:24 +0x5e
github.com/superfly/flyctl/internal/cli.printError(0xc000520640, 0xc0005edb46, 0x1d063a0?, {0x2569da0, 0xc000f1d4d0})
        /home/runner/work/flyctl/flyctl/internal/cli/cli.go:162 +0x4db
github.com/superfly/flyctl/internal/cli.Run({0x2585308?, 0xc000657900?}, 0xc000520640, {0xc000050240?, 0x6, 0x6})
        /home/runner/work/flyctl/flyctl/internal/cli/cli.go:110 +0x948
main.run()
        /home/runner/work/flyctl/flyctl/main.go:47 +0x156
main.main()
        /home/runner/work/flyctl/flyctl/main.go:26 +0x18

The same error showed up when connecting using flyctl ssh console -a <my pg cluster>, but for my other projects it worked. Has anything changed in flyctl pg connect?


Does fly logs -a <your pg cluster> show any errors?

(In past forum threads, it has turned up DNS glitches, an atypical base image, etc.)

Thank you for your reply. I’m seeing a bunch of

2023-12-24T01:39:18Z app[148edd6b7d0589] sjc [info]2023/12/24 01:39:18 unexpected error: [ssh: no auth passed yet, ssh: unsupported critical option "allowed-apps@fly.io" in certificate]

in the logs. Probably flyctl is passing a bad certificate for authenticating?

Or perhaps newer than what that particular server is expecting…

I belatedly checked the flyctl source-code history, and it turns out that there was actually a change this month:

issue app-specific SSH certs where possible

How long has it been since that machine was last restarted? It may just have an old version of hallpass, the SSH daemon, ❄️.
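The log line quoted earlier follows the rule in OpenSSH's certificate format that a server must refuse a certificate carrying a critical option it does not recognise, which is why an older daemon rejects a newer app-scoped certificate. The sketch below is an added example, not code from this thread, flyctl or hallpass: it models that fail-closed check in standard-library Go, and the function names, the option value and the supported-option sets are assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// readString pops one SSH wire string: uint32 big-endian length, then bytes.
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("truncated string in critical options")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// checkCritical walks the critical-options field, a sequence of (name, data)
// string pairs, and fails closed: one unknown name refuses the certificate.
func checkCritical(field []byte, supported map[string]bool) error {
	for len(field) > 0 {
		name, rest, err := readString(field)
		if err == nil {
			_, rest, err = readString(rest) // skip the option's data
		}
		if err != nil {
			return err
		}
		if !supported[string(name)] {
			return fmt.Errorf("unsupported critical option %q in certificate", name)
		}
		field = rest
	}
	return nil
}

// wireString encodes s as an SSH wire string.
func wireString(s string) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(s))), s...)
}

// sampleField is constructed; "my-pg-cluster" is a placeholder option value.
func sampleField() []byte {
	return append(wireString("allowed-apps@fly.io"), wireString("my-pg-cluster")...)
}

func main() {
	fmt.Println("old server:", checkCritical(sampleField(), map[string]bool{}))
	fmt.Println("new server:", checkCritical(sampleField(), map[string]bool{"allowed-apps@fly.io": true}))
}
```

Unknown certificate extensions, by contrast, are ignored rather than rejected, so only options placed in the critical set cause this kind of version-skew failure.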
