gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Add HTTP01 challenge type for ACME #7592

Open dfredell opened 3 years ago

dfredell commented 3 years ago

What

What would you like Teleport to do differently? Create FQDN certificates for the Application Access teleport feature via ACME HTTP01 challenge.

How

How would you implement this?

  1. Spin up an HTTP solver pod that would listen on port 80 for .well-known requests from LetsEncrypt.
  2. Save this fully qualified domain name (FQDN) certificate into a K8s secret.
  3. Allow the teleport application pod to suck in this k8s secret certificate.

Why

Why do you need this? We don't want to give teleport a service account the power to edit our DNS entries in GCP. All of our prod DNS entries exist in this GCP project's Cloud-DNS. We are deployed in HA kubernetes and using certificate-manager helm chart.

Workaround

If a workaround exists, please include it.

  1. Buy a wildcard certificate
  2. Move the root domain of our teleport to a subdomain and create a GCP ServiceAccount in this limited scoped GCP Project
  3. Roll our own HTTP01 ACME challenge solver
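
A minimal HTTP-01 responder of the kind step 1 describes, added here as an illustration (this is not Teleport's code): it serves the RFC 8555 key authorization (token, a dot, then the RFC 7638 thumbprint of the ACME account key) only for tokens registered with it under /.well-known/acme-challenge/, and answers everything else with 404, so the pod needs port 80 and nothing else. The token value is constructed; a real one comes from the CA's challenge object, and a real solver would persist the account key instead of generating it on each start.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"strings"
	"sync"
)

// jwkThumbprint: RFC 7638 thumbprint of the P-256 ACME account key (required JWK members, sorted, no whitespace).
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	enc := base64.RawURLEncoding.EncodeToString
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, enc(x), enc(y))))
	return enc(sum[:])
}

// keyAuthorization is the exact body the CA expects for a token (RFC 8555 section 8.1).
func keyAuthorization(token, thumbprint string) string { return token + "." + thumbprint }

// solver answers only tokens registered via Present; any other path or token is a 404.
type solver struct{ pending sync.Map } // token -> key authorization

func newSolver() *solver { return &solver{} }
func (s *solver) Present(token, keyAuth string) { s.pending.Store(token, keyAuth) }
func (s *solver) CleanUp(token string)          { s.pending.Delete(token) }

func (s *solver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	const prefix = "/.well-known/acme-challenge/"
	keyAuth, ok := s.pending.Load(strings.TrimPrefix(r.URL.Path, prefix))
	if r.Method != http.MethodGet || !strings.HasPrefix(r.URL.Path, prefix) || !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, keyAuth)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // account key; persist it in a real solver
	if err != nil { log.Fatal(err) }
	s := newSolver() // "demo-token" is constructed; real tokens come from the CA's challenge object
	s.Present("demo-token", keyAuthorization("demo-token", jwkThumbprint(&key.PublicKey)))
	log.Fatal(http.ListenAndServe(":80", s)) // the pod needs port 80 only, no DNS credentials
}
```

Call CleanUp once the order is finalized so the token is not served longer than needed.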

webvictim commented 3 years ago

I believe the reason that Teleport requires the use of a DNS01 challenge at the moment is because it's the only supported challenge for wildcard certificates (i.e. *.teleport.example.com) which are required to be able to use Teleport application access.

dfredell commented 3 years ago

I would agree the only way to get a wildcard certificate from ACME/LetsEncrypt is via DNS01 Challenge. The hope of this ticket is that we don't need a wildcard certificate and any new Teleport Application service would ACME HTTP01 Challenge an FQDN certificate for themselves.

https://letsencrypt.org/docs/challenge-types/

Let’s Encrypt doesn’t let you use [HTTP-01] challenge to issue wildcard certificates.