Hasura console fails to launch when using --insecure-skip-tls-verify #4926

Closed
pradyuman opened this issue May 29, 2020 · 19 comments
Labels
a/collab-ci-cd c/cli Related to CLI k/bug Something isn't working

Comments

@pradyuman

I get the error "Invalid admin-secret passed from CLI" when trying to use the console UI with the --insecure-skip-tls-verify flag.

The other cli commands run just fine (e.g. migrate apply) but I cannot access the console UI.

@scriptonist scriptonist added c/cli Related to CLI k/bug Something isn't working labels May 29, 2020
@scriptonist
Contributor

@pradyuman this seems to be working on my end 🤔 Can you provide a bit more info so that I can reproduce?
image

@scriptonist scriptonist added the support/needs-more-info Needs more details/info/repro instructions label Jun 2, 2020
@ste824

ste824 commented Jul 10, 2020

@scriptonist I get the same as you on the cmd, but then when I go to http://localhost:9695/ in a browser I get this, which sounds like the same thing as @pradyuman
image

@pradyuman
Author

Yep, this is exactly what happens to me as well.

@scriptonist scriptonist removed the support/needs-more-info Needs more details/info/repro instructions label Jul 20, 2020
@galipmedia

Same here: all other CLI things work fine; only console fails with invalid password no matter what I try.

@divramod

Same problem here. What could be the problem?

@pkong-ds

Same problem here. All commands except hasura console work fine with the provided admin secret in config.yaml file.

@rlanyi

rlanyi commented Feb 7, 2021

For me it doesn't even work if I provide the admin secret with --admin-secret.

My version is:

bash-5.0# hasura version
INFO hasura cli                                    version=v1.3.3
INFO hasura graphql engine                         endpoint="http://hasura:8080" version=v1.3.3

@andreikaralkou

Same problem for me. hasura console doesn't work.

@sergiogcx

Try removing (or adjusting) the HASURA_GRAPHQL_CORS_DOMAIN env var. I ran into this problem a few moments ago; after playing a bit with the environment variables I found that I had a strict CORS policy. That's what worked for me anyways.

@brancusi

brancusi commented Apr 6, 2021

Same problem here. This is only happening on v2. Have tried many variations. Any ideas?

@marbemac

For us we had HASURA_GRAPHQL_DISABLE_CORS: 'true' which broke the cli console - removing that when we need to use the console fixed the issue for us.

@samuela
Contributor

samuela commented Nov 9, 2021

Same here. I get this issue when trying to run hasura console on a remote NixOS machine and connect through SSH. When running locally on macOS I don't see this error.

Complicating matters is the fact there are no logs anywhere with the issue, even when running with HASURA_GRAPHQL_LOG_LEVEL: "debug".

At least it'd be nice to get a correct error message. It's clearly not an invalid admin-secret issue...

@samuela
Contributor

samuela commented Nov 9, 2021

Setting HASURA_GRAPHQL_CORS_DOMAIN="*" doesn't make any difference for me.

@samuela
Contributor

samuela commented Nov 10, 2021

Just talked about this issue in office hours... Mysteriously my issue went away! Not 100% clear what changed. There were some package upgrades, though they should've been inconsequential.

I'll report back if I manage to reproduce the issue!

@samuela
Contributor

samuela commented Nov 10, 2021

... and it's back! No idea what changed. Everything about my environment is the same, running all the same commands the same as I did during office hours...

EDIT: did a bit more poking around... I have two machines: laptop and a remote machine called doodoo. I'm attempting to run hasura console on doodoo, and then connect to it from laptop. One thing that I've noticed is that the --endpoint must be accessible from laptop. So

hasura console --address=0.0.0.0 --endpoint=http://localhost:8080/

gives me an error when I try to access http://doodoo:9695/console/login: "Hasura console is not able to reach your Hasura GraphQL engine instance. Please ensure that your instance is running and the endpoint is configured correctly." as well as "Invalid admin-secret passed from CLI"

But

hasura console --address=0.0.0.0 --endpoint=http://doodoo:8080/

only gives me the "Invalid admin-secret passed from CLI" error.

Also, I can be certain that my secret is valid since if I intentionally pass in an incorrect secret via --admin-secret I get a different error altogether:

[nix-shell:~/dev/cuddlefish/hasura]$ hasura console --address=0.0.0.0 --endpoint=http://doodoo:8080/ --admin-secret=incorrect
FATA[0000] {
  "path": "$",
  "error": "invalid x-hasura-admin-secret/x-hasura-access-key",
  "code": "access-denied"
}

EDIT EDIT: I think I figured out why it worked in office hours but not otherwise... I believe the difference is that I was accidentally running two hasura instances one on the doodoo and one on laptop. I'm still not able to come up with a 100% reliable reproduction however.

@CKnoppas

CKnoppas commented Dec 16, 2021

Ran into the same issue after migrating from v1.x.x to v2.x.x... What worked for me was setting a different --console-port and --no-browser. Maybe try playing around with that.

INFO hasura cli                                    version=v2.1.0
INFO hasura graphql engine                         endpoint="http://localhost:8080" version=v2.1.0

So I ran hasura console --console-port 9090 and that fixed the issue for me.
I assume the --no-browser flag has no effect here.

@purush7 purush7 assigned purush7 and unassigned purush7 Jan 4, 2022
@purush7
Contributor

purush7 commented Jan 5, 2022

The process below can act as a workaround:

  • Make sure to pass the HASURA_GRAPHQL_CORS_DOMAIN env var with the value http://localhost:9695 in the case of the graphql-engine endpoint being a different origin than localhost
  • Execute hasura console
  • If there is an error message x509: certificate signed by unknown authority, make the certificate a trusted one
  • If there aren't any error messages, go to http://localhost:9695/console in the preferred browser.

The response in #4926 (comment) occurs for the endpoint http://localhost:9695/console/login, and I think http://localhost:9695 is getting redirected to http://localhost:9695/console/login (ref: #4926 (comment)).

@samuela (regarding: #4926 (comment)) http://localhost:9695/console is the correct page for cli-console and http://localhost:9695/console/login displays the error message for cli-console.

@scriptnull scriptnull removed their assignment Jan 5, 2022
@purush7
Contributor

purush7 commented Jan 6, 2022

This can be a temporary workaround after making the self-signed certificates trusted and adding http://localhost:9695 to HASURA_GRAPHQL_CORS_DOMAIN.
The reason behind it is the browser blocking the API because of a self-signed certificate.
Here https://app.hasura.local is the server endpoint proxy.

Screen.Recording.2022-01-06.at.5.48.07.PM.mov
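
The two browser-side conditions named in this workaround (a certificate the browser trusts, and a CORS response that allows the console origin) can be checked from the machine where the browser runs. This is an added example, not part of the thread or of Hasura's code; the function names, the default /healthz path and the constructed sample responses are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch, not Hasura code; function names are hypothetical.
# Run it on the machine where the browser runs.

# cors_verdict ORIGIN < response-headers
# Reports how a browser treats a cross-origin response for ORIGIN.
cors_verdict() {
  local origin=$1 acao
  acao=$(tr -d '\r' | awk '{
    i = index($0, ":")                      # split at the first colon only
    if (i && tolower(substr($0, 1, i - 1)) == "access-control-allow-origin") {
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }
  }')
  if [ -z "$acao" ]; then
    echo "blocked: no Access-Control-Allow-Origin header"
  elif [ "$acao" = "$origin" ]; then
    echo "allowed"
  elif [ "$acao" = "*" ]; then
    echo "allowed without credentials only"
  else
    echo "blocked: header allows $acao, not $origin"
  fi
}

# probe ENDPOINT [ORIGIN] [PATH]: request the engine WITHOUT -k, as a browser
# does, so an untrusted certificate fails here even if the CLI skipped checks.
# PATH defaults to /healthz (assumption: any path the engine answers will do).
probe() {
  local endpoint=${1%/} origin=${2:-http://localhost:9695} path=${3:-/healthz}
  local headers rc=0
  headers=$(curl -sS -D - -o /dev/null -H "Origin: $origin" \
    "$endpoint$path" 2>/dev/null) || rc=$?
  case $rc in
    0)   printf '%s\n' "$headers" | cors_verdict "$origin" ;;
    60)  echo "blocked: certificate not trusted by this machine" ;;
    6|7) echo "blocked: endpoint not reachable from this machine" ;;
    *)   echo "curl failed with exit code $rc" ;;
  esac
}

# Constructed sample responses (not captured from a real engine).
sample_ok() {
  printf 'HTTP/1.1 200 OK\r\naccess-control-allow-origin: http://localhost:9695\r\n\r\n'
}
sample_no_cors() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n'; }
```

Calling probe with the value passed to --endpoint returns one of the verdict strings; curl's exit code 60 is its certificate verification failure.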

@purush7 purush7 removed their assignment Jan 22, 2022
@akvilibrium

Yeah. For me too, the problem was the disable CORS option.
