Error x509 with "flyctl auth login"

drg · February 22, 2024, 5:05pm

I just created an account, have verified my email address. When I attempt to login I receive this error:

$ flyctl auth login
Error: Post "https://api.fly.io/api/v1/cli_sessions": tls: failed to verify certificate: x509: “api.fly.io” certificate is not standards compliant

What I’m using:

Starship shell on top of zsh
MacOS Ventura
M2 Macbook Pro

Do I need to update a package or should I be doing this from within a Docker container (the docs don’t mention Docker at this stage)

michael · February 22, 2024, 6:44pm

You shouldn’t need to make changes or use docker to hit our api. Our certificate is from LetsEncrypt and is currently valid, so that error makes me think there’s something happening in the network between your machine and our api. For example, some public wifi captive portals will hijack connections until you auth which can make certificates appear invalid. Enterprise or university networks could also have firewall rules in place that could cause this.

What type of network are you on? Does curl work? eg curl -v https://api.fly.io

drg · February 22, 2024, 7:36pm

Thanks for the response! I just moved into a new place so I’m on a high bandwidth mobile connection. Thus far it hasn’t been an issue, but it sound like your security is tight.

When I run curl I get:

 curl -v https://api.fly.io
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 77.83.143.220:443...
* Connected to api.fly.io (77.83.143.220) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [315 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [19 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [3757 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=api.fly.io
*  start date: Jan 24 11:19:37 2024 GMT
*  expire date: Apr 23 11:19:36 2024 GMT
*  subjectAltName: host "api.fly.io" matched cert's "api.fly.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: api.fly.io]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x127013400)
> GET / HTTP/2
> Host: api.fly.io
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Thu, 22 Feb 2024 19:34:22 GMT
< content-length: 19
< server: Fly/17d0263d (2024-02-15)
< via: 1.1 fly.io, 2 fly.io
< fly-request-id: 01HQ94ZKM3DSRQ9TKGZ5XFJBAW-iad
< 
{ [19 bytes data]
100    19  100    19    0     0     46      0 --:--:-- --:--:-- --:--:--    47
* Connection #0 to host api.fly.io left intact

michael · February 22, 2024, 8:07pm

Okay good, that’s the expected response. There’s nothing at api.fly.io so it’ll 404, but getting that far is the goal!

drg · February 22, 2024, 8:12pm

Still getting the same error message when I try to authenticate. I get this with ping:

ping api.fly.io                    
PING api.fly.io (77.83.143.220): 56 data bytes
64 bytes from 77.83.143.220: icmp_seq=0 ttl=51 time=115.725 ms
64 bytes from 77.83.143.220: icmp_seq=1 ttl=51 time=173.335 ms
64 bytes from 77.83.143.220: icmp_seq=2 ttl=51 time=113.344 ms
64 bytes from 77.83.143.220: icmp_seq=3 ttl=51 time=117.713 ms
64 bytes from 77.83.143.220: icmp_seq=4 ttl=51 time=119.470 ms

drg · February 22, 2024, 8:15pm

I just tried it with a VPN turned on, in the long shot hope that would bypass the cert issue. New error:

$ flyctl auth login
WARN failed querying for new release: Get "https://formulae.brew.sh/api/formula/flyctl.json": write tcp [fc00::6440:1]:62865->[2606:50c0:8001::153]:443: write: socket is not connected
Error: Post "https://api.fly.io/api/v1/cli_sessions": write tcp [fc00::6440:1]:62868->[2a09:8280:1:f28:246e:d6a:949:dbbf]:443: write: socket is not connected

drg · February 23, 2024, 2:45pm

Still not working. Worse, the problem is affecting other things like connecting to AWS. In the source code repo is there a place where changes to OSX setup are listed? (I’m not a golang coder).

kwaw · February 23, 2024, 5:18pm

Worse, the problem is affecting other things like connecting to AWS

that doesn’t seem right. I doubt whatever issue you’re facing has anything to do with flyctl

drg · February 25, 2024, 5:18pm

I upgraded from OSX Ventura to OSX Sonoma. Now it works and my certificates are working again across everything. I feel like I hit an obscure edge cases, but since everything is working now if someone else on Ventura reports an error I would suggest you tell them to upgrade to Ventura.

Thanks for the assist!

system · March 3, 2024, 5:18pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
TLS: certificate is not standards compliant Questions / Help	4	111	November 8, 2024
Failed to start remote builder heartbeat: You hit a Fly API error with request ID Questions / Help	5	316	July 16, 2023
flyctl auth login 500 error Questions / Help	7	534	April 21, 2023
flyctl auth login problems	9	1338	December 5, 2022
flyctl auth docker not working	3	972	October 15, 2022

Error x509 with "flyctl auth login"

Related topics