Add support for ACME #5177
Comments
klizhentas
added
ux
feature-request
This commit fixes #5177 Initial implementation uses dir backend as a cache and is OK for small clusters, but will be a problem for many proxies. This implementation uses Go autocert that is quite limited compared to Caddy's certmagic or lego. Autocert has no OCSP stapling and no locking for cache for example. However, it is much simpler and has no dependencies. It will be easier to extend to use Teleport backend as a cert cache. ```yaml proxy_service: public_addr: ['example.com'] # ACME - automatic certificate management environment. # # It provisions certificates for domains and # valid subdomains in public_addr section. # # The sudomains are valid if there is a registered application. # For example, app.example.com will get a cert if app is a regsitered # application access app. The sudomain cookie.example.com is not. # # Teleport acme is using TLS-ALPN-01 challenge: # # https://letsencrypt.org/docs/challenge-types/#tls-alpn-01 # acme: # By default acme is disabled. enabled: true # Use a custom URI, for example staging is # # https://acme-staging-v02.api.letsencrypt.org/directory # # Default is letsencrypt.org production URL: # # https://acme-v02.api.letsencrypt.org/directory uri: '' # Set email to receive alerts and other correspondence # from your certificate authority. email: 'alice@example.com' ```
|
+1 for this issue. I've found that newer versions of Chrome are getting fussier about self-signed certs and the setup for certbot is as many steps as Teleport itself. This makes the community setup process smoother. I would suggest we add it to the output for For Enterprise users, do we envision supporting ACM / GCPs Cert manager or will we offload this to other scripting / setup tools / terraform etc. |
|
Another thought on this issue. It'll be good to obtain a wild card certificate for the subdomain to support Applications. e.g. "teleport.example.com, *.teleport.example.com" |
This commit fixes #5177 Initial implementation uses dir backend as a cache and is OK for small clusters, but will be a problem for many proxies. This implementation uses Go autocert that is quite limited compared to Caddy's certmagic or lego. Autocert has no OCSP stapling and no locking for cache for example. However, it is much simpler and has no dependencies. It will be easier to extend to use Teleport backend as a cert cache. ```yaml proxy_service: public_addr: ['example.com'] # ACME - automatic certificate management environment. # # It provisions certificates for domains and # valid subdomains in public_addr section. # # The sudomains are valid if there is a registered application. # For example, app.example.com will get a cert if app is a regsitered # application access app. The sudomain cookie.example.com is not. # # Teleport acme is using TLS-ALPN-01 challenge: # # https://letsencrypt.org/docs/challenge-types/#tls-alpn-01 # acme: # By default acme is disabled. enabled: true # Use a custom URI, for example staging is # # https://acme-staging-v02.api.letsencrypt.org/directory # # Default is letsencrypt.org production URL: # # https://acme-v02.api.letsencrypt.org/directory uri: '' # Set email to receive alerts and other correspondence # from your certificate authority. email: 'alice@example.com' ```
|
Great improvement! |
|
@awly it uses TLS-ALPN-01 challenge, so it will work behind non-terminating load balancer. It will get into 6.0 so it's not in the docs for 5.0 yet. |
Feature Request
I've been running a quickstart guide and it was quite tedious to get to a running teleport server.
One of the obstacles running it in any environment is getting certs provisioned.
Add support for ACME mode for proxy service. It does not have to be scalable on the first release.
The text was updated successfully, but these errors were encountered: