Unable to use warp-cli on Ubuntu [Possible Bug]

I am trying to implement a Cloudflare Zero Trust Setup on an Ubuntu 22.04 host machine. I have installed the warp-cli using the package repository method detailed here.

After installing, I created a ‘Service Token’ and followed the guide here for the MDM deployment and created a file at: /var/lib/cloudflare-warp/mdm.xml following the guide. I used a service token as opposed to logging in from <team-domain>.cloudflareaccess.com/warp because the server is being accessed over an SSH connection and it is headless and I can’t open a browser on the server to handle the auth response callback.

My deployment/configuration file looked like the below:

<dict>
  <key>organization</key>
    <string>[teams-org-name]</string>
  <key>auth_client_id</key>
    <string>[redacted]</string>
  <key>auth_client_secret</key>
    <string>[redacted]</string>
</dict>

After this, I’m unsure how to proceed further as no docs seem to mention how to establish a connection with this setup to teams. I want to connect my warp-cli to this teams setup. I tried to do a warp-cli register command and got an error: "Error: Old registration is still around. Try running warp-cli delete". Should I simply do a ‘warp-cli connect’? I tried and it showed “success”, however I got a conflicting response output when I ran a ‘warp-cli status’:

Status update: Unable to connect. Reason: Registration Missing
Success

As this method failed, I thought I’ll do it the manual way by using ‘warp-cli teams-enroll’ command and therefore I deleted the MDM config file: /var/lib/cloudflare-warp/mdm.xml and decided to use the command teams-enroll-token such as “warp-cli teams-enroll-token <url>”. It showed the same error that old registration is still around.

However, here’s where the error occurs:
Attempting to delete the previous registration shows the below:

Error: Missing Registration. Try running warp-cli register

Thus, this becomes a loop. I have checked and there’s nothing in /var/lib/cloudflare-warp. There was, iirc, a settings.json file, and I tried before and after deleting it, and still getting the same error.

Now, I’m unable to either register or delete an existing configuration (should one exist). The /var/lib/cloudflare-warp/ is empty.

This is a new machine; I haven’t attempted, successfully or unsuccessfully, to install warp-cli on this machine before. All the steps that I’ve tried are documented here.

Please check the below image that shows a screenshot of the commands run in succession >

which is weird because I’m able to neither register nor delete.

Please note:
For some reason, typing “Cloudflare-for-Teams” (without the dashes) in this forum automatically changes the text to “Cloudflare Zero Trust” right on the client-side itself when typing. In the initial line, I mentioned I am trying to achieve a “CF for Teams” setup and this post should mean that. The converted text would convey a generic meaning otherwise.

Any help in this regard would be appreciated. For now I’m not making any changes to the machine, to help track down the bug, do let me know if I need to look for post the output of ls somewhere. Thanks.

Akshay.

I am also experiencing the same issue. Any feedback from a Cloudflare official would be appreciated.

I’m also experiencing the same issue on a new Ubuntu server. I was at least able to make it accept a new registration by using warp-cli reset-settings, however when doing another warp-cli register it says success, followed by no actual success. warp-cli connect returns success, however warp-cli status returns the exact message the poster above faces.

Status update: Unable to connect. Reason: Registration Missing
Success

I’ve figured it out. Upon inspecting the logs at /var/log/cloudflare-warp/cfwarp_service_log.txt you may see the following:

2023-10-28T17:03:49.257Z ERROR warp::teams_auth: Response for Access JWT did not include 'token' query parameter.
2023-10-28T17:03:49.257Z  INFO warp::teams_auth: Is Service Auth allowed in Device Enrollment Rules in the Dash?

The documentation does clearly state to create a rule for Service Auth in your dashboard, however, what’s less clear (at least to me) is that the Action must be Service Auth, not Allow.

The action type Service Auth removes the need for a screen and JWT token, and will automatically register the device in a few seconds as it reloads the configuration.

You will still be unable to use warp-cli register or warp-cli delete as the MDM file will automatically register the device and set all settings - it will not allow you to delete this configuration with the cli.

With an MDM file, there is no need to run register or any other kind of command, you can immediately connect with warp-cli connect.

You can also force warp-cli to reload the configuration immediately by killing the PID for /bin/warp-svc.

6 Likes
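A triage sketch for the "Registration Missing" state discussed in this thread, added here as an example (it is not Cloudflare tooling and not code from any poster). The function names are hypothetical, the world-readable check is an added hardening assumption because the MDM file holds the service token secret, and the sample files are constructed; the keys and log text are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage for the "Registration Missing" loop described above.
# Function names are hypothetical; keys and log text are those quoted in the thread.

# check_mdm FILE: confirm the three MDM keys exist and the secret is not world-readable.
check_mdm() {
    [ -f "$1" ] || { echo "mdm: file not found"; return 1; }
    rc=0
    for key in organization auth_client_id auth_client_secret; do
        grep -q "<key>$key</key>" "$1" || { echo "mdm: missing key $key"; rc=1; }
    done
    # Added hardening check (assumption, not from the thread): the file holds a secret.
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "mdm: world-readable"; rc=1
    fi
    return "$rc"
}

# last_service_auth_error LOG: print the timestamp of the most recent teams_auth
# failure that points at the Device Enrollment rule action (empty if none).
last_service_auth_error() {
    grep "warp::teams_auth: Response for Access JWT did not include 'token'" "$1" \
        | tail -n 1 | cut -d' ' -f1
}

# Constructed sample input so the script runs offline.
# The sample MDM file deliberately omits auth_client_secret to show a finding.
demo=$(mktemp -d)
cat > "$demo/mdm.xml" <<'EOF'
<dict>
  <key>organization</key>
    <string>example-team</string>
  <key>auth_client_id</key>
    <string>CONSTRUCTED-ID</string>
</dict>
EOF
chmod 600 "$demo/mdm.xml"
cat > "$demo/service.log" <<'EOF'
2023-10-28T17:03:49.257Z ERROR warp::teams_auth: Response for Access JWT did not include 'token' query parameter.
2023-10-28T17:03:49.257Z  INFO warp::teams_auth: Is Service Auth allowed in Device Enrollment Rules in the Dash?
EOF
check_mdm "$demo/mdm.xml" || echo "mdm: fix the findings above"
echo "last Service Auth enrollment error: $(last_service_auth_error "$demo/service.log")"
```

On a real host, point the two functions at /var/lib/cloudflare-warp/mdm.xml and /var/log/cloudflare-warp/cfwarp_service_log.txt; a non-empty timestamp from the second function matches the case resolved above by setting the enrollment rule's Action to Service Auth.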

This is brilliant, thank you very much @james.mantz for taking time to post the detailed solution!
Appreciate the input. I’m yet to try this but I guess this should work.
