Open webvictim opened 1 year ago
By the looks of it, we may be able to write an adapter for certmagic that would hook it into whatever Teleport backend they have configured. That avoids the weirdness of folks having to configure some separate storage backend just for handling certs. Although, I imagine at that point, we wouldn't be too far from just writing our own tooling for synchronising an autocert session across cluster entities.
Absolutely. My thought was just that there's no need to reinvent the wheel when someone has already solved all the distributed challenge/response/locking issues :)
Teleport's built-in ACME implementation currently uses autocert to automatically request and store TLS certificates locally for Teleport clusters.
autocert is very simple and works well for standalone single-node clusters, but cannot be used in HA Teleport configurations as it has no concept of shared storage when multiple instances of Teleport need certs to serve the same domain. This leaves cluster admins with a requirement to provision their web TLS certificates by some out-of-band process and distribute them to Teleport proxy instances, or use services like ACM and offload the task to AWS.

The author of Caddy has an alternative to autocert called certmagic which supports various storage implementations such as PostgreSQL, DynamoDB and S3.
Switching from autocert to certmagic and supporting some of these shared storage implementations (or writing our own) would allow Teleport to have full automatic HTTPS out of the box when running in HA configurations, reducing configuration overhead and time to value.
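To make concrete what "shared storage plus locking" buys in an HA setup, here is an added Go example (my own illustration, not code from Teleport or from certmagic). The `Storage` interface is a local stand-in whose shape is loosely modeled on certmagic's Storage/Locker contract; `ClusterStorage` is a hypothetical adapter over a cluster backend, simulated here with an in-memory map; and `Issuer` is a counting stub in place of a real ACME client. `RunProxies` starts several "proxies" that all need a certificate for the same domain and reports how many issuances happened and whether every proxy ended up with the same certificate. With one shared store there is exactly one issuance; with a per-instance store (which is what local autocert storage amounts to across nodes) every proxy issues its own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Storage is the assumed shared-storage contract: key/value operations plus a
// named lock. It is a local stand-in, not certmagic's actual interface.
type Storage interface {
	Lock(ctx context.Context, name string) error
	Unlock(ctx context.Context, name string) error
	Store(ctx context.Context, key string, value []byte) error
	Load(ctx context.Context, key string) ([]byte, error)
}

var ErrNotExist = errors.New("key does not exist")

// ClusterStorage is a hypothetical adapter over a cluster backend. The backend is
// simulated with an in-memory map; a real adapter would use the cluster's
// configured backend so every proxy sees the same keys and the same locks.
type ClusterStorage struct {
	mu    sync.Mutex
	data  map[string][]byte
	locks map[string]chan struct{} // closed when the named lock is released
}

func NewClusterStorage() *ClusterStorage {
	return &ClusterStorage{data: map[string][]byte{}, locks: map[string]chan struct{}{}}
}

// Lock acquires the named lock, waiting for the current holder to release it
// or for ctx to expire.
func (s *ClusterStorage) Lock(ctx context.Context, name string) error {
	for {
		s.mu.Lock()
		ch, held := s.locks[name]
		if !held {
			s.locks[name] = make(chan struct{})
			s.mu.Unlock()
			return nil
		}
		s.mu.Unlock()
		select {
		case <-ch: // released by the holder; retry acquisition
		case <-ctx.Done():
			return ctx.Err()
		}
	}
}

func (s *ClusterStorage) Unlock(ctx context.Context, name string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	ch, held := s.locks[name]
	if !held {
		return fmt.Errorf("lock %q not held", name)
	}
	delete(s.locks, name)
	close(ch) // wake every waiter
	return nil
}

func (s *ClusterStorage) Store(ctx context.Context, key string, value []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[key] = append([]byte(nil), value...)
	return nil
}

func (s *ClusterStorage) Load(ctx context.Context, key string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	v, ok := s.data[key]
	if !ok {
		return nil, ErrNotExist
	}
	return append([]byte(nil), v...), nil
}

// Issuer stands in for an ACME client and counts how often it is asked to issue.
type Issuer struct {
	mu    sync.Mutex
	calls int
}

func (i *Issuer) Issue(domain string) []byte {
	i.mu.Lock()
	i.calls++
	n := i.calls
	i.mu.Unlock()
	time.Sleep(10 * time.Millisecond) // stand-in for the challenge round trip
	return []byte(fmt.Sprintf("cert-for-%s-#%d", domain, n))
}

// ObtainCert returns the stored certificate for domain or, under a per-domain
// lock, issues and stores one. The second Load after Lock is what stops two
// proxies that both missed the cache from each issuing.
func ObtainCert(ctx context.Context, st Storage, iss *Issuer, domain string) ([]byte, error) {
	key := "certificates/" + domain + "/cert.pem"
	if cert, err := st.Load(ctx, key); err == nil {
		return cert, nil
	}
	lockName := "issue_cert_" + domain
	if err := st.Lock(ctx, lockName); err != nil {
		return nil, err
	}
	defer st.Unlock(ctx, lockName)
	if cert, err := st.Load(ctx, key); err == nil {
		return cert, nil // the holder we waited on already issued it
	}
	cert := iss.Issue(domain)
	if err := st.Store(ctx, key, cert); err != nil {
		return nil, err
	}
	return cert, nil
}

// RunProxies runs n proxies that each need a cert for domain. With shared=true
// they use one ClusterStorage; otherwise each gets its own, local-only store.
func RunProxies(n int, domain string, shared bool) (issuances int, identical bool, err error) {
	iss := &Issuer{}
	common := NewClusterStorage()
	results := make([][]byte, n)
	errs := make([]error, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			var st Storage = common
			if !shared {
				st = NewClusterStorage()
			}
			ctx, cancel := context.WithTimeout(context.Background(), time.Second)
			defer cancel()
			results[i], errs[i] = ObtainCert(ctx, st, iss, domain)
		}(i)
	}
	wg.Wait()
	for _, e := range errs {
		if e != nil {
			return 0, false, e
		}
	}
	identical = true
	for _, c := range results[1:] {
		if string(c) != string(results[0]) {
			identical = false
		}
	}
	return iss.calls, identical, nil
}

func main() {
	for _, shared := range []bool{true, false} {
		n, same, err := RunProxies(3, "proxy.example.com", shared)
		fmt.Printf("shared=%v issuances=%d identical=%v err=%v\n", shared, n, same, err)
	}
}
```

The lock-then-recheck sequence in `ObtainCert` is the part an HA deployment cannot do without: without the shared lock, proxies that all miss the cache race to the CA and each ends up with a different certificate (and burns rate limit), which is exactly the per-node behaviour the issue describes for local autocert storage.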