
Adds ACME - auto cert management #5178

Merged
merged 1 commit into from
Dec 23, 2020

Conversation

klizhentas
Contributor

This commit fixes #5177

Initial implementation uses dir backend as a cache and is OK
for small clusters, but will be a problem for many proxies.

This implementation uses Go autocert that is quite limited
compared to Caddy's certmagic or lego.

Autocert has no OCSP stapling and no locking for cache for example.
However, it is much simpler and has no dependencies.
It will be easier to extend to use Teleport backend as a cert cache.

```yaml
proxy_service:
  public_addr: ['example.com']
  # ACME - automatic certificate management environment.
  #
  # It provisions certificates for domains and
  # valid subdomains in public_addr section.
  #
  # The subdomains are valid if there is a registered application.
  # For example, app.example.com will get a cert if app is a registered
  # application access app. The subdomain cookie.example.com is not.
  #
  # Teleport acme is using TLS-ALPN-01 challenge:
  #
  # https://letsencrypt.org/docs/challenge-types/#tls-alpn-01
  #
  acme:
    # By default acme is disabled.
    enabled: true
    # Use a custom URI, for example staging is
    #
    # https://acme-staging-v02.api.letsencrypt.org/directory
    #
    # Default is letsencrypt.org production URL:
    #
    # https://acme-v02.api.letsencrypt.org/directory
    uri: ''
    # Set email to receive alerts and other correspondence
    # from your certificate authority.
    email: 'alice@example.com'
```

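The host rule the commit message describes (a certificate is requested for a `public_addr` domain, or for `app.<public_addr>` only when `app` is a registered application, so `cookie.example.com` is refused) as an added Go example; this is not Teleport's own code. The `HostPolicy` type, `acmeHostPolicy` and `normalizeHost` are assumed names, and `HostPolicy` only mirrors the signature of `autocert.HostPolicy` so the stdlib-only example runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
)

// HostPolicy mirrors the signature of autocert.HostPolicy (assumption; the
// x/crypto package is not imported here). A non-nil error makes the ACME
// manager refuse to request a certificate for that SNI host.
type HostPolicy func(ctx context.Context, host string) error

// acmeHostPolicy allows the configured public_addr domains and one level of
// subdomain whose label is a registered application name.
// registeredApps is a constructed stand-in for the cluster's app registry.
func acmeHostPolicy(publicAddrs []string, registeredApps map[string]bool) HostPolicy {
	domains := make(map[string]bool, len(publicAddrs))
	for _, d := range publicAddrs {
		domains[normalizeHost(d)] = true
	}
	return func(_ context.Context, host string) error {
		h := normalizeHost(host)
		if domains[h] {
			return nil // exact match on a configured public address
		}
		// Accept app.<public_addr> only when "app" is a registered application;
		// anything else (cookie.example.com, example.com.evil.test) is refused,
		// which keeps an unregistered name from consuming ACME rate limits.
		if i := strings.IndexByte(h, '.'); i > 0 {
			label, parent := h[:i], h[i+1:]
			if domains[parent] && registeredApps[label] {
				return nil
			}
		}
		return fmt.Errorf("acme: host %q is not a public address or a registered application", host)
	}
}

// normalizeHost drops an optional port (public_addr may be example.com:3080),
// lowercases the name and strips a trailing dot so SNI values compare cleanly.
func normalizeHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

func main() {
	policy := acmeHostPolicy([]string{"example.com:3080"}, map[string]bool{"app": true})
	for _, h := range []string{"example.com", "app.example.com", "cookie.example.com"} {
		fmt.Printf("%-20s allowed=%v\n", h, policy(context.Background(), h) == nil)
	}
}
```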
klizhentas (Contributor, Author) commented Dec 20, 2020

Hey folks, I've been improving our docs from the perspective of an inexperienced user who has no idea about Teleport.

One of the obstacles for such a user is the amount of work required to get a single node cluster that is secure. It requires quite a lot of work with certificates, DNS records and other plumbing just to get started.

After I added ACME support, Teleport became more fun compared to the manual cert setup.

```go
	GetAppServers(context.Context, string, ...services.MarshalOption) ([]services.Server, error)
}

// ResolveFQDN makes a best effort attempt to resolve FQDN to an application
// running a root or leaf cluster.
```
A contributor left a review comment with a suggested change:

```diff
-// running a root or leaf cluster.
+// running in a root or leaf cluster.
```

klizhentas (Contributor, Author) commented:

@russjones @fspmarshall can you guys take a look at it when you have a chance, in case you have any concerns.

fspmarshall (Contributor) left a review comment:

Code & UX looks good to me. I'm not familiar enough with ACME to comment beyond that.

Successfully merging this pull request may close these issues.

Add support for ACME