From 3f99b06b933824dd67ea5da9e493f4ae46dddf2e Mon Sep 17 00:00:00 2001
From: Jeff Pihach
Date: Tue, 5 Apr 2022 11:57:26 -0600
Subject: [PATCH 1/2] Add hint when the user receives an error about an "unknown certificate authority" (#11550)
* Intercept and update error message when there is a certificate error joining a node.
* Log out error hint and return full wrapped error.
* Updated error message.
---
 lib/service/connect.go | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/lib/service/connect.go b/lib/service/connect.go
index 4f9a3fdad1f05..989424a8e67b6 100644
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
@@ -20,6 +20,7 @@ import (
 "crypto/tls"
 "math"
 "path/filepath"
+ "strings"
 "github.com/coreos/go-semver/semver"
 "github.com/gravitational/roundtrip"
@@ -143,7 +144,6 @@ func (process *TeleportProcess) connect(role types.SystemRole) (conn *Connector,
 if err != nil {
 return nil, trace.Wrap(err)
 }
-
 rotation := state.Spec.Rotation
 switch rotation.State {
@@ -160,6 +160,15 @@ func (process *TeleportProcess) connect(role types.SystemRole) (conn *Connector,
 process.log.Infof("Connecting to the cluster %v with TLS client certificate.", identity.ClusterName)
 clt, err := process.newClient(process.Config.AuthServers, identity)
 if err != nil {
+ // In the event that a user is attempting to connect a machine to
+ // a different cluster it will give a cryptic warning about an
+ // unknown certificate authority. Unfortunately we cannot intercept
+ // this error as it comes from the http package before a request is
+ // made. So provide a more user friendly error as a hint of what
+ // they can do to resolve the issue.
+ if strings.Contains(err.Error(), "certificate signed by unknown authority") {
+ process.log.Error("Was this node already registered to a different cluster? To join this node to a new cluster, remove `/var/lib/teleport` and try again")
+ }
 return nil, trace.Wrap(err)
 }
 return &Connector{
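Review bot: The `strings.Contains(err.Error(), "certificate signed by unknown authority")` branch added inside `connect` keys on an error string, and the hint it logs tells the operator to delete local state whenever chain verification against the auth server fails, which is also the symptom a node shows when `process.Config.AuthServers` points at the wrong or an untrusted endpoint; the hint should first ask the user to confirm the auth server address and CA, e.g. `"... If the auth server address is correct and this node was registered to a different cluster, remove ..."`. The comment above the check says the error cannot be intercepted, yet the code does intercept it by substring; if the wrapped chain from net/http survives the wrapping layers, a typed check is less brittle, `var uae x509.UnknownAuthorityError` followed by `if errors.As(err, &uae) {`, and if it does not, the comment should state that the substring match is deliberate. The second patch's hunk at line 167 only rewords this same message and carries the same concern. `connect` begins and ends outside this hunk.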
@@ -848,18 +857,18 @@ func (process *TeleportProcess) newClient(authServers []utils.NetAddr, identity
 logger := process.log.WithField("auth-addrs", utils.NetAddrsToStrings(authServers))
 logger.Debug("Attempting to connect to Auth Server directly.")
- directClient, err := process.newClientDirect(authServers, tlsConfig)
- if err == nil {
+ directClient, directErr := process.newClientDirect(authServers, tlsConfig)
+ if directErr == nil {
 logger.Debug("Connected to Auth Server with direct connection.")
 return directClient, nil
 }
 logger.Debug("Failed to connect to Auth Server directly.")
 // store err in directLogger, only log it if tunnel dial fails.
- directErrLogger := logger.WithError(err)
+ directErrLogger := logger.WithError(directErr)
 // Don't attempt to connect through a tunnel as a proxy or auth server.
 if identity.ID.Role == types.RoleAuth || identity.ID.Role == types.RoleProxy {
- return nil, trace.Wrap(err)
+ return nil, trace.Wrap(directErr)
 }
 logger.Debug("Attempting to discover reverse tunnel address.")
@@ -873,7 +882,9 @@ func (process *TeleportProcess) newClient(authServers []utils.NetAddr, identity
 if err != nil {
 directErrLogger.Debug("Failed to connect to Auth Server directly.")
 logger.WithError(err).Debug("Failed to connect to Auth Server through tunnel.")
- return nil, trace.Errorf("Failed to connect to Auth Server directly or over tunnel, no methods remaining.")
+ return nil, trace.WrapWithMessage(
+ trace.NewAggregate(directErr, err),
+ trace.Errorf("Failed to connect to Auth Server directly or over tunnel, no methods remaining."))
 }
 logger.Debug("Connected to Auth Server through tunnel.")
From f6b91be229ca0bad0961f9348d2c92d3f826986c Mon Sep 17 00:00:00 2001
From: Jeff Pihach
Date: Tue, 5 Apr 2022 17:34:37 -0600
Subject: [PATCH 2/2] Show the user the actual data directory to remove when trying to join to the wrong cluster. (#11754)
---
 lib/service/connect.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
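Review bot: The context comment `// store err in directLogger, only log it if tunnel dial fails.` now names a variable this hunk renames, since `err` becomes `directErr` on the lines directly above and below it; it should read `// store directErr in directErrLogger; only log it if the tunnel dial also fails.`. The rest of `newClient` lies outside this hunk.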
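Review bot: In the new return on `newClient`'s tunnel-failure path, `trace.WrapWithMessage` is handed `trace.Errorf(...)` as its message, which builds a second traced error only to be formatted into text; passing the string directly, `trace.WrapWithMessage(trace.NewAggregate(directErr, err), "Failed to connect to Auth Server directly or over tunnel, no methods remaining.")`, keeps a single stack trace on the aggregate. The aggregate now surfaces both underlying messages to callers, which appears to be what lets the substring check in `connect` see the direct dial's verification failure; that dependency deserves a one-line comment such as `// Return both errors: callers inspect the direct-dial failure.`. The `err` tested at the top of this hunk is assigned outside it.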
diff --git a/lib/service/connect.go b/lib/service/connect.go
index 989424a8e67b6..9e3620a008c14 100644
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
@@ -167,7 +167,7 @@ func (process *TeleportProcess) connect(role types.SystemRole) (conn *Connector,
 // made. So provide a more user friendly error as a hint of what
 // they can do to resolve the issue.
 if strings.Contains(err.Error(), "certificate signed by unknown authority") {
- process.log.Error("Was this node already registered to a different cluster? To join this node to a new cluster, remove `/var/lib/teleport` and try again")
+ process.log.Errorf("Was this node already registered to a different cluster? To join this node to a new cluster, remove `%s` and try again", process.Config.DataDir)
 }
 return nil, trace.Wrap(err)
 }
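Review bot: The `%s` in the new `Errorf` call renders an unset or whitespace-containing `process.Config.DataDir` ambiguously between the backticks; `%q` makes the value unmistakable, `process.log.Errorf("... remove %q and try again", process.Config.DataDir)`, with the backticks dropped so the quoting does not double up. Whether DataDir can be empty at this point is not visible in the hunk. `connect` starts and ends outside this hunk.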