Error x509 with "flyctl auth login"

I just created an account, have verified my email address. When I attempt to login I receive this error:

$ flyctl auth login
Error: Post "https://api.fly.io/api/v1/cli_sessions": tls: failed to verify certificate: x509: “api.fly.io” certificate is not standards compliant

What I’m using:

  • Starship shell on top of zsh
  • macOS Ventura
  • M2 MacBook Pro

Do I need to update a package, or should I be doing this from within a Docker container (the docs don’t mention Docker at this stage)?

You shouldn’t need to make changes or use Docker to hit our API. Our certificate is from Let's Encrypt and is currently valid, so that error makes me think there’s something happening in the network between your machine and our API. For example, some public Wi-Fi captive portals will hijack connections until you auth, which can make certificates appear invalid. Enterprise or university networks could also have firewall rules in place that could cause this.

What type of network are you on? Does curl work? E.g., curl -v https://api.fly.io

Thanks for the response! I just moved into a new place so I’m on a high bandwidth mobile connection. Thus far it hasn’t been an issue, but it sounds like your security is tight.

When I run curl I get:

 curl -v https://api.fly.io
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 77.83.143.220:443...
* Connected to api.fly.io (77.83.143.220) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [315 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [19 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [3757 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=api.fly.io
*  start date: Jan 24 11:19:37 2024 GMT
*  expire date: Apr 23 11:19:36 2024 GMT
*  subjectAltName: host "api.fly.io" matched cert's "api.fly.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: api.fly.io]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x127013400)
> GET / HTTP/2
> Host: api.fly.io
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Thu, 22 Feb 2024 19:34:22 GMT
< content-length: 19
< server: Fly/17d0263d (2024-02-15)
< via: 1.1 fly.io, 2 fly.io
< fly-request-id: 01HQ94ZKM3DSRQ9TKGZ5XFJBAW-iad
< 
{ [19 bytes data]
100    19  100    19    0     0     46      0 --:--:-- --:--:-- --:--:--    47
* Connection #0 to host api.fly.io left intact

Okay good, that’s the expected response. There’s nothing at api.fly.io so it’ll 404, but getting that far is the goal!

Still getting the same error message when I try to authenticate. I get this with ping:

ping api.fly.io                    
PING api.fly.io (77.83.143.220): 56 data bytes
64 bytes from 77.83.143.220: icmp_seq=0 ttl=51 time=115.725 ms
64 bytes from 77.83.143.220: icmp_seq=1 ttl=51 time=173.335 ms
64 bytes from 77.83.143.220: icmp_seq=2 ttl=51 time=113.344 ms
64 bytes from 77.83.143.220: icmp_seq=3 ttl=51 time=117.713 ms
64 bytes from 77.83.143.220: icmp_seq=4 ttl=51 time=119.470 ms

I just tried it with a VPN turned on, in the long shot hope that would bypass the cert issue. New error:

$ flyctl auth login
WARN failed querying for new release: Get "https://formulae.brew.sh/api/formula/flyctl.json": write tcp [fc00::6440:1]:62865->[2606:50c0:8001::153]:443: write: socket is not connected
Error: Post "https://api.fly.io/api/v1/cli_sessions": write tcp [fc00::6440:1]:62868->[2a09:8280:1:f28:246e:d6a:949:dbbf]:443: write: socket is not connected

Still not working. Worse, the problem is affecting other things like connecting to AWS. In the source code repo is there a place where changes to OSX setup are listed? (I’m not a golang coder).

Worse, the problem is affecting other things like connecting to AWS

That doesn’t seem right. I doubt whatever issue you’re facing has anything to do with flyctl.

I upgraded from OSX Ventura to OSX Sonoma. Now it works and my certificates are working again across everything. I feel like I hit an obscure edge case, but since everything is working now, if someone else on Ventura reports an error I would suggest you tell them to upgrade to Ventura.

Thanks for the assist!
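
The thread's telling detail is that curl verified the chain against /etc/ssl/cert.pem while flyctl rejected the same server, which points at the client's trust store rather than at interception on the network. The following Go program is an added example, not code from the thread or from flyctl: it checks one certificate against a reference CA bundle and a local store and reports which side explains a failure. The names `newCert` and `compare`, the `example.test` hosts and both certificate pools are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate; a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, pk = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// compare verifies leaf for host against a reference CA bundle and the local trust store.
func compare(leaf *x509.Certificate, host string, bundle, local *x509.CertPool) string {
	_, refErr := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: bundle})
	_, localErr := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: local})
	switch _, unknown := refErr.(x509.UnknownAuthorityError); {
	case refErr == nil && localErr == nil:
		return "trusted by both"
	case refErr == nil: // genuine chain, but the local store cannot validate it
		return "local trust store problem"
	case unknown: // the chain does not lead to any CA in the reference bundle
		return "unexpected issuer"
	}
	return "certificate invalid" // e.g. expired or hostname mismatch
}

func main() {
	ca, caKey := newCert("root.example.test", nil, nil)
	leaf, _ := newCert("api.example.test", ca, caKey)
	ref := x509.NewCertPool()
	ref.AddCert(ca)
	fmt.Println(compare(leaf, "api.example.test", ref, x509.NewCertPool()))
}
```

A "local trust store problem" result matches what the thread describes (a valid Let's Encrypt chain that one client on the machine refuses), whereas "unexpected issuer" is the result a captive portal or inspecting proxy would produce.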
