Open dfredell opened 3 years ago
I believe the reason that Teleport requires the use of a DNS01 challenge at the moment is because it's the only supported challenge for wildcard certificates (i.e. *.teleport.example.com) which are required to be able to use Teleport application access.
I would agree the only way to get a wildcard certificate from ACME/Let's Encrypt is via a DNS-01 challenge. The hope of this ticket is that we don't need a wildcard certificate and that any new Teleport Application service would use an ACME HTTP-01 challenge to obtain an FQDN certificate for itself.
https://letsencrypt.org/docs/challenge-types/
Let's Encrypt doesn't let you use the HTTP-01 challenge to issue wildcard certificates.
What
What would you like Teleport to do differently?
Create FQDN certificates for the Teleport Application Access feature via an ACME HTTP-01 challenge.
How
How would you implement this?
Why
Why do you need this?
We don't want to give Teleport a service account with the power to edit our DNS entries in GCP. All of our prod DNS entries exist in this GCP project's Cloud DNS. We are deployed in HA Kubernetes and are using the certificate-manager helm chart.
Workaround
If a workaround exists, please include it.
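The issue turns on the difference between the two ACME challenge types: HTTP-01 proves control of one hostname by serving a key authorization at `/.well-known/acme-challenge/<token>` on port 80 of the host that name resolves to, which is why it cannot issue wildcards and also why it needs no DNS write access. The script below is an added illustration of that exchange (it is not Teleport's code and not part of the original issue): it computes the key authorization per RFC 8555 §8.1 (token, a dot, and the RFC 7638 JWK thumbprint), serves it from a loopback HTTP server playing the role of the application host, and then validates it the way the CA would. The token and the JWK values are constructed placeholders; the JWK's `x`/`y` coordinates are only hashed, never used as a real key.

```python
import base64
import hashlib
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import URLError
from urllib.request import urlopen

ACME_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url everywhere (RFC 8555 §8.1, RFC 7638 §3)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the canonical JSON of the required members only,
    # keys sorted lexicographically, no whitespace.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 §8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Stands in for the application host: serves provisioned challenge responses."""
    responses: dict = {}  # token -> key authorization provisioned by the ACME client

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        body = self.responses.get(token)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write(body.encode("ascii"))

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server() -> HTTPServer:
    # Port 0 = pick a free loopback port; a real CA would connect to port 80 on the FQDN.
    srv = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def validate_http01(base_url: str, token: str, account_jwk: dict) -> bool:
    # The CA side: fetch the challenge URL and compare with the expected key authorization.
    expected = key_authorization(token, account_jwk)
    try:
        with urlopen(f"{base_url}{ACME_PATH}{token}", timeout=5) as resp:
            served = resp.read().decode("ascii").strip()
    except (URLError, OSError, UnicodeDecodeError):
        return False  # unreachable, 404, or garbage: validation fails, no certificate
    return hmac.compare_digest(served, expected)


# Constructed placeholder account key (only its thumbprint is used) and token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "Q0FMTEVSLVgtUExBQ0VIT0xERVItQ09PUkQ",
               "y": "Q0FMTEVSLVktUExBQ0VIT0xERVItQ09PUkQ"}
OTHER_JWK = dict(ACCOUNT_JWK, x="RElGRkVSRU5ULVgtQ09PUkRJTkFURS1QTEFDRUhPTERFUg")
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, RFC 8555 example shape


def demo() -> tuple:
    """Returns (valid, wrong_account_key, unknown_token) validation results."""
    srv = start_server()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        ChallengeHandler.responses[TOKEN] = key_authorization(TOKEN, ACCOUNT_JWK)
        return (validate_http01(base, TOKEN, ACCOUNT_JWK),
                validate_http01(base, TOKEN, OTHER_JWK),
                validate_http01(base, "no-such-token", ACCOUNT_JWK))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Only the one name the CA connects to is proven; nothing in this exchange touches DNS, which is the property the ticket wants for per-application FQDN certificates.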