DNS-01 ACME Support

[YoSev]

I would like to discuss adding DNS-01 ACME Support to support LetsEncrypt when using a Domain routing to a private IP.

The current ACME support relys on TLS-01 which requires the cluster name to point to a public accessible IP. We would like access Teleport via VPN without issuing custom SSL certificates - DNS-01 would allow that when using LetsEncrypt.

[webvictim]

IMO The best way to handle DNS-01 challenges is to run certbot directly or use something like cert-manager when running in Kubernetes. These tools will be better supported overall.

Part of the issue with DNS-01 challenges is that they're not suitable for just-in-time certificate provisioning in the same way as Teleport currently does for application access - they require a DNS TXT record to be added for each domain to prove ownership and this cannot be done in real-time without plugins providing support for different DNS providers (in the same way as certbot and cert-manager do).

[YoSev]

I totally agree. It would be nice to be able to provide the challange code you need to renew after doing the DNS-01 approval. That way, we could "prepare" the LetsEncrypt code, pass it to teleport which uses the code to request updated certificates instead of requesting its own challange code.

[YoSev]

I can imaging running teleport behind a VPN is not an uncommon request..

[webvictim]

I’m curious why using certbot with a DNS challenge plugin doesn’t or wouldn’t work for you?

[YoSev]

It does it does, i got it runnign that way.. I just thought it would be more convinient using teleport instead of certbot on top as it is implemented but yes, i got it working, thats not the problem

[YoSev]

We can close that discussion if it doesn't make sense to put the effort in implementing DNS-01 support in teleport directly as there might be no requests for it..

[webvictim]

OK, good to know!

[gecube]

#23996

[webvictim]

Related: #27613