can't access application if acme domain use port other than 443

dfang commented 1 year ago

Expected behavior: can access applications

Current behavior: access denied in web ui or nothing when access grafana.teleport.example.com:444

Bug details:

Teleport version 12.0.2
Recreation steps just follow get started guide, use port 444 other than 443 when setup a cluster

Debug logs

$ Feb 18 12:34:37 VM-0-2-centos teleport[7300]: 2023-02-18T12:34:37+08:00 INFO [CA]        Generating TLS certificate {0xa67e2c0 0xc00228a9a0 1.3.9999.1.15=#13046e6f6e65,1.3.9999.1.7=#131174656c652e6375727279746563682e636e,1.3.9999.1.5=#131174656c652e6375727279746563682e636e,1.3.9999.1.6=#131967726166616e612e74656c652e6375727279746563682e636e,1.3.9999.1.4=#132432633065313963332d653936612d346330372d396161322d356639386133383230326462,CN=teleport-admin,OU=usage:apps,O=access+O=editor+O=auditor,POSTALCODE={\"aws_role_arns\":null\,\"azure_identities\":null\,\"db_names\":null\,\"db_users\":null\,\"gcp_service_accounts\":null\,\"kubernetes_groups\":null\,\"kubernetes_users\":null\,\"logins\":[\"root\"]\,\"windows_logins\":null},STREET=tele.currytech.cn,L=root+L=-teleport-internal-join 2023-02-18 14:16:03.00243066 +0000 UTC [] [] 5 []}. common_name:teleport-admin dns_names:[] locality:[root -teleport-internal-join] not_after:2023-02-18 14:16:03.00243066 +0000 UTC org:[access editor auditor] org_unit:[usage:apps] tlsca/ca.go:1091
Feb 18 12:34:37 VM-0-2-centos teleport[7300]: 2023-02-18T12:34:37+08:00 INFO [AUDIT]     cert.create cert_type:user cluster_name:tele.currytech.cn code:TC000I ei:0 event:cert.create expires:2023-02-18T14:16:03.00243066Z logins:[root -teleport-internal-join] prev_identity_expires:0001-01-01T00:00:00Z roles:[access editor auditor] cluster_name:tele.currytech.cn name: public_addr:grafana.tele.currytech.cn session_id:2c0e19c3-e96a-4c07-9aa2-5f98a38202db route_to_cluster:tele.currytech.cn teleport_cluster:tele.currytech.cn aws_role_arns:<nil> azure_identities:<nil> db_names:<nil> db_users:<nil> gcp_service_accounts:<nil> kubernetes_groups:<nil> kubernetes_users:<nil> logins:[root] windows_logins:<nil> usage:[usage:apps] user:teleport-admin time:2023-02-18T04:34:37.259Z uid:3ee2cb67-21a0-46d3-a710-f90446ef3b52 events/emitter.go:265
Feb 18 12:34:37 VM-0-2-centos teleport[7300]: 2023-02-18T12:34:37+08:00 INFO [AUDIT]     app.session.start addr.remote:117.152.203.204:27004 app_name:grafana app_public_addr:grafana.tele.currytech.cn app_uri:http://localhost:3000/ cluster_name:tele.currytech.cn code:T2007I ei:0 event:app.session.start namespace:default public_addr:grafana.tele.currytech.cn server_id:09b4a22b-60d3-4a7a-b5ee-4aaefc8cb355 sid:2c0e19c3-e96a-4c07-9aa2-5f98a38202db time:2023-02-18T04:34:37.944Z uid:9d29e15a-10c2-4522-aa9a-cbbb1bca3479 user:teleport-admin events/emitter.go:265
Feb 18 12:34:37 VM-0-2-centos teleport[7300]: 2023-02-18T12:34:37+08:00 INFO [AUDIT]     app.session.start addr.remote:117.152.203.204:27004 app_name:grafana app_public_addr:grafana.tele.currytech.cn app_uri:http://localhost:3000/ cluster_name:tele.currytech.cn code:T2007I ei:0 event:app.session.start namespace:default public_addr:grafana.tele.currytech.cn server_id:09b4a22b-60d3-4a7a-b5ee-4aaefc8cb355 sid:2c0e19c3-e96a-4c07-9aa2-5f98a38202db time:2023-02-18T04:34:37.944Z uid:9d29e15a-10c2-4522-aa9a-cbbb1bca3479 user:teleport-admin events/emitter.go:265
Feb 18 12:34:50 VM-0-2-centos teleport[7300]: 2023-02-18T12:34:50+08:00 INFO [CA]        Generating TLS certificate {0xa67e2c0 0xc001aceaa0 1.3.9999.1.15=#13046e6f6e65,1.3.9999.1.7=#131174656c652e6375727279746563682e636e,CN=teleport-admin,O=access+O=editor+O=auditor,POSTALCODE={\"aws_role_arns\":null\,\"azure_identities\":null\,\"db_names\":null\,\"db_users\":null\,\"gcp_service_accounts\":null\,\"kubernetes_groups\":null\,\"kubernetes_users\":null\,\"logins\":[\"root\"]\,\"windows_logins\":null},STREET=tele.currytech.cn,L=root+L=-teleport-internal-join 2023-02-18 14:16:03.743223713 +0000 UTC [] [] 5 []}. common_name:teleport-admin dns_names:[] locality:[root -teleport-internal-join] not_after:2023-02-18 14:16:03.743223713 +0000 UTC org:[access editor auditor] org_unit:[] tlsca/ca.go:1091
Feb 18 12:34:50 VM-0-2-centos teleport[7300]: 2023-02-18T12:34:50+08:00 INFO [AUDIT]     cert.create cert_type:user cluster_name:tele.currytech.cn code:TC000I ei:0 event:cert.create expires:2023-02-18T14:16:03.743223713Z logins:[root -teleport-internal-join] prev_identity_expires:0001-01-01T00:00:00Z roles:[access editor auditor] route_to_cluster:tele.currytech.cn teleport_cluster:tele.currytech.cn aws_role_arns:<nil> azure_identities:<nil> db_names:<nil> db_users:<nil> gcp_service_accounts:<nil> kubernetes_groups:<nil> kubernetes_users:<nil> logins:[root] windows_logins:<nil> user:teleport-admin time:2023-02-18T04:34:50.261Z uid:a8c8e126-9d19-40d8-b56a-56ebcc21b042 events/emitter.go:265

stevenGravy commented 1 year ago

@dfang this is a Let's Encrypt requirement to use 443 for challenges. You can install let's encrypt or other certificates directly if you want to use other prots.

dfang commented 1 year ago

@stevenGravy thanks for your reply, i can access WEB UI Portal by https://tele.example.com:444 (the certificate is issued), and i can connect to servers in web ui, i just can't access applications. what do you mean by install certificates directly ?

stevenGravy commented 1 year ago

@stevenGravy thanks for your reply, i can access WEB UI Portal by https://tele.example.com:444 (the certificate is issued), and i can connect to servers in web ui, i just can't access applications. what do you mean by install certificates directly ?

How are you managing TLS certs? Please share the configuration for the app access.

dfang commented 1 year ago

just change 443 to 444 in /etc/teleport.yaml

webvictim commented 1 year ago

I just reproduced this myself by running teleport configure with these arguments:

sudo teleport configure -o /etc/teleport.yaml \
  --acme --acme-email=acme@email.com \
  --cluster-name=gus-acme.example.com \
  --public-addr=gus-acme.example.com:3080

This gives me a default config file like this:

version: v3
teleport:
  nodename: ip-172-31-3-106
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: gus-acme.example.com
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:3080
  public_addr: gus-acme.example.com:3080
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme:
    enabled: "yes"
    email: acme@email.com

I also:

configured iptables to log all incoming traffic on port 443 with sudo iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "iptables:"
pointed an A record for gus-acme.example.com to the IP of my server
opened up 443/3080 to all traffic in the AWS security group

After this, Starting Teleport and hitting https://gus-acme.example.com:3080 in my browser results in incoming traffic from Let's Encrypt on port 443 (not 3080), then a failed challenge and an error being logged:

Aug 23 18:23:09 ip-172-31-3-106 kernel: [  384.520271] iptables: IN=eth0 OUT= MAC=02:3b:a1:8c:d3:ad:02:a7:4c:9a:67:2c:08:00 SRC=3.142.146.196 DST=172.31.3.106 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17106 DF PROTO=TCP SPT=25732 DPT=443 WINDOW=62727 RES=0x00 SYN URGP=0
Aug 23 18:23:09 ip-172-31-3-106 kernel: [  384.580113] iptables: IN=eth0 OUT= MAC=02:3b:a1:8c:d3:ad:02:a7:4c:9a:67:2c:08:00 SRC=23.178.112.202 DST=172.31.3.106 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=6444 DF PROTO=TCP SPT=19948 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 23 18:23:10 ip-172-31-3-106 kernel: [  384.633040] iptables: IN=eth0 OUT= MAC=02:3b:a1:8c:d3:ad:02:a7:4c:9a:67:2c:08:00 SRC=35.90.20.57 DST=172.31.3.106 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=54219 DF PROTO=TCP SPT=46464 DPT=443 WINDOW=62727 RES=0x00 SYN URGP=0

Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: 2023-08-23T18:23:11Z [ALPN:PROX] WARN Failed to handle client 
connection. error:[
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: ERROR REPORT:
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: Original Error: *errors.errorString acme/autocert: unable to satisfy &#34;https://acme-v02.api.letsencrypt.org/acme/authz-v3/257682551106&#34; for domain &#34;gus-acme.example.com&#34;: no viable challenge type found
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: Stack Trace:
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: #011github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:392 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).handleConn
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: #011github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:326 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).Serve.func1
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: #011runtime/asm_amd64.s:1598 runtime.goexit
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: User Message: acme/autocert: unable to satisfy &#34;https://acme-v02.api.letsencrypt.org/acme/authz-v3/257682551106&#34; for domain &#34;gus-acme.example.com&#34;: no viable challenge type found] alpnproxy/proxy.go:337
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: 2023-08-23T18:23:11Z [ALPN:PROX] WARN Failed to handle client connection. error:[
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: ERROR REPORT:
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: Original Error: *errors.errorString acme/autocert: missing certificate
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: Stack Trace:
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: #011github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:392 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).handleConn
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: #011github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:326 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).Serve.func1
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: #011runtime/asm_amd64.s:1598 runtime.goexit
Aug 23 18:23:11 ip-172-31-3-106 teleport[2007]: User Message: acme/autocert: missing certificate] alpnproxy/proxy.go:337

After a short delay, the browser shows an SSL error: Screenshot 2023-08-23 at 15 29 31

The root of the issue seems to be that the TLS-ALPN-01 challenge only works over port 443: https://letsencrypt.org/docs/challenge-types/#tls-alpn-01

Like TLS-SNI-01, it is performed via TLS on port 443.

I would suggest that the following list of circumstances ought to generate a fatal error where Teleport refuses to start:

acme.enabled: true
web_listen_addr set to a value that does not end in :443
public_addr not set, or public_addr set to a value that does not end in :443

Related issue: #29863

Still an issue in 13.3.5.

dfang commented 1 year ago

@webvictim since teleport can run behind nginx or caddy now, I don't need this feature.

webvictim commented 1 year ago

Indeed @dfang - but we should still fix it 😅

zmb3 commented 3 months ago

I would suggest that the following list of circumstances ought to generate a fatal error where Teleport refuses to start

Sounds good in theory, but I'm not sure it's worth the risk of breaking people. Feels like there are too many corner cases to handle.

webvictim commented 3 months ago

At this point anyone having the issue probably just googles it and finds this issue anyway...

gravitational / teleport

can't access application if acme domain use port other than 443 #22049