Error: failed to get policy: failed to get OK status code: 401 Unauthorized #15

Open
plittlefield opened this issue Jul 18, 2024 · 13 comments

@plittlefield

I'm sure I have missed something in your instructions.

When I run

tailout init

I get the error:-

Error: failed to get policy: failed to get OK status code: 401 Unauthorized

I have an AWS_PROFILE environment variable set with correct permissions for EC2.

@cterence
Owner

cterence commented Jul 24, 2024

Hi @plittlefield, thanks for opening an issue!
Sorry, the error is pretty obscure and the README doesn't say enough; the 401 is not coming from AWS but from Tailscale.
The init command works by supplying a Tailscale API key and your tailnet name. Don't hesitate to check the command's flags with tailout init --help.
Check out the configuration section of the README to see how you can supply it.

EDIT: I have updated the README to add clearer setup instructions, don't hesitate to check it out.

@cterence cterence self-assigned this Jul 26, 2024
@plittlefield
Author

Thanks, I will redo it all and read the new setup instructions and try again :)

@plittlefield
Author

plittlefield commented Aug 3, 2024

OK, so I have tried again and get to the same point after reading your new setup instructions.

I have connected my laptop to my tailnet, can tailnet ip and tailnet ping to check that part works.

I have an AWS account, have the AWS cli installed and can list my other running instances to check that part works.

I have installed tailout.

I have created a tailout config file, my headscale server has created an API which I have added to check that part works.

However ...

If I run tailout init, I get this error ...

$ (paully-laptop) tailout init
Error: failed to get policy: failed to get OK status code: 401 Unauthorized

If I run tailout create, this is the (sanitised) output ...

$ (paully-laptop) tailout create
Creating tailout node in AWS with the following parameters:
- AWS Account ID: xxxxxxxxxxxxx
- AMI ID: ami-09edbb170cde0ca31
- Instance Type: t3a.micro
- Region: eu-west-3
- Auto shutdown after: 15m
- Connect after instance up: false
- Network: default VPC / Subnet / Security group of the region
✔ Yes
EC2 instance created successfully: i-09850098xxxxxxxx
Instance will be named tailout-eu-west-3-i-0985009xxxxxxxx
Waiting for instance to be running...
OK.
Waiting for instance to join tailnet...
Error: failed to get nodes: failed to get OK status code: 401 Unauthorized

What am I doing wrong?

Are there any verbose logs I can check?

Thanks.

@cterence
Owner

cterence commented Aug 7, 2024

Thanks for giving it time. I think the problem comes from using Headscale. Tailout only queries the Tailscale API and I haven't tested it with Headscale.
I'm working on #33 to add the option to define an API URL so that you'd be able to set your Headscale URL.

@plittlefield
Author

Nice!

Thanks and keep up the great work.

@cterence
Owner

cterence commented Aug 7, 2024

I just pushed the feature, you can try by updating to v0.3.2: go install github.com/cterence/tailout@v0.3.2 whenever you feel like it!
There is a new --tailscale-base-url flag that you can customize.

@plittlefield
Author

Thanks!

I’ll try tomorrow and report back!

@plittlefield
Author

Hi,

Well, a bit further I think ...

$ tailout --tailscale-base-url https://headscale.mydomain.uk init
Error: unexpected end of JSON input

Here is my (sanitised) config ...

$ cat .tailout/config.yml 
tailscale:
  api_key: tskey-api-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  auth_key: tskey-auth-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  tailnet: name.tailscale.mydomain.uk
region: eu-west-3
create:
  shutdown: 15m

Happy to try some beta version to fix this.

Here is the page on my Wiki for Headscale ...

https://wiki.indie-it.com/wiki/Tailscale

Thanks.

@cterence
Owner

cterence commented Aug 8, 2024

Hey, thanks for reporting back. I've been able to reproduce your issue using a Headscale instance I just set up.
The API call that the Tailscale Go client makes when running the init command returns 404 on a Headscale instance:

"GET /api/v2/tailnet/xxx/acl HTTP/2.0" 404

I'll try to find a workaround!

@cterence
Owner

Reporting back: it appears that the Tailscale client SDK hardcodes all the routes it uses for the calls; see the faulty call for example: https://github.com/tailscale/tailscale-client-go/blob/main/tailscale/client.go#L501.
That makes it de facto incompatible with Headscale, since it does not implement these routes...
I tried going further by running the create command, but I got the same error with this call: https://github.com/tailscale/tailscale-client-go/blob/main/tailscale/client.go#L731.
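
Added example, not part of the thread and not code from tailout or the Tailscale SDK: a small Go probe that requests the ACL route from the 404 log line above and classifies the response before decoding it, so a rejected key (401), a missing route (404) and an empty body are reported separately. The names `diagnose` and `fakeControlServer`, the tailnet `example` and the key placeholder are assumptions for illustration, and the empty-body case is shown as one way Go's JSON decoder produces "unexpected end of JSON input", not as a confirmed cause of the error reported here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// diagnose requests the ACL route seen in the thread's 404 log line and
// classifies the response before any JSON decoding is attempted.
func diagnose(baseURL, tailnet, apiKey string) string {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/v2/tailnet/"+tailnet+"/acl", nil)
	if err != nil {
		return "bad-url: " + err.Error()
	}
	req.SetBasicAuth(apiKey, "") // Tailscale API keys go in the basic-auth username
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "unreachable: " + err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	switch resp.StatusCode {
	case http.StatusUnauthorized:
		return "401: key rejected by this control server (wrong key or wrong base URL)"
	case http.StatusNotFound:
		return "404: route not implemented by this control server"
	}
	var policy map[string]any
	if err := json.Unmarshal(body, &policy); err != nil {
		return "bad-json: " + err.Error() // empty body: "unexpected end of JSON input"
	}
	return "ok"
}

// fakeControlServer is a constructed local stand-in that answers every
// request with a fixed status and body, so the example runs offline.
func fakeControlServer(status int, body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(status)
		io.WriteString(w, body)
	}))
}

func main() {
	for _, c := range []struct{ status int; body string }{{401, ""}, {404, ""}, {200, ""}, {200, `{"acls":[]}`}} {
		srv := fakeControlServer(c.status, c.body)
		fmt.Printf("%d %q -> %s\n", c.status, c.body, diagnose(srv.URL, "example", "tskey-api-CONSTRUCTED"))
		srv.Close()
	}
}
```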

@plittlefield
Author

Oh, so … for the time being it’s a non starter for me.

Is there anything the developer of Headscale can do to help?

@plittlefield
Author

I’ve opened a feature request issue :)

juanfont/headscale#2103

@cterence
Owner

cterence commented Sep 5, 2024

Awesome, thanks for pushing for this!
