diff --git a/docs/pages/application-access/getting-started.mdx b/docs/pages/application-access/getting-started.mdx index 9b107f121a734..0c3f6f5440f9e 100644 --- a/docs/pages/application-access/getting-started.mdx +++ b/docs/pages/application-access/getting-started.mdx @@ -31,32 +31,20 @@ $ docker run -d -p 3000:3000 grafana/grafana ``` ## Step 2/3. Install and configure Teleport +(!docs/pages/includes/permission-warning.mdx!) Download the latest version of Teleport for your platform from our [downloads page](https://goteleport.com/teleport/download). -Teleport requires a valid TLS certificate to operate and can fetch one automatically -using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol. - We will assume that you have configured DNS records for `teleport.example.com` -and `*.teleport.example.com` to point to the Teleport node. - -(!docs/pages/includes/permission-warning.mdx!) +and `*.teleport.example.com` to point to the Teleport Proxy Service. -Let's generate a Teleport config with ACME enabled: - -```code -$ sudo teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com -o file -``` +### Configure TLS +Teleport uses TLS to communicate with clients, and can fetch certificates automatically via Let's Encrypt. - - Teleport uses [TLS-ALPN-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01) - ACME challenge to validate certificate requests which only works on port `443`. Make sure your Teleport proxy is accessible on port `443` when using ACME for certificate management. - +(!docs/pages/includes/acme.mdx!) +### Start Teleport Now start Teleport and point it to the application endpoint: ```code @@ -69,6 +57,7 @@ $ sudo teleport start \ Make sure to update `--app-name` and `--app-uri` accordingly if you're using your own web application. +### Create a user Next, let's create a user to access the application we've just connected. Teleport has a built-in role called `access` that allows users to access cluster resources. Create a local user assigned this role: ```code diff --git a/docs/pages/application-access/guides/connecting-apps.mdx b/docs/pages/application-access/guides/connecting-apps.mdx index f6028e38f1263..65fd6321ecb7a 100644 --- a/docs/pages/application-access/guides/connecting-apps.mdx +++ b/docs/pages/application-access/guides/connecting-apps.mdx @@ -59,31 +59,13 @@ In our example: - `teleport.example.com` will host the Access Plane. - `*.teleport.example.com` will host all of the applications e.g. `grafana.teleport.example.com`. -Teleport can obtain a certificate automatically from Let's Encrypt using -[ACME](https://letsencrypt.org/how-it-works/) protocol. - -Enable ACME in your proxy config: - -```yaml -proxy_service: - enabled: "yes" - web_listen_addr: "0.0.0.0:443" - public_addr: "teleport.example.com:443" - acme: - enabled: "yes" - email: alice@example.com -``` - - - Teleport uses [TLS-ALPN-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01) - ACME challenge to validate certificate requests which only works on port `443`. Make sure your Teleport proxy is accessible on port `443` when using ACME for certificate management. - - -Alternatively, if you have obtained certificate/key pairs for your domain -(e.g. using [certbot](https://certbot.eff.org/)), they can be provided directly +You can either configure Teleport to obtain a TLS certificate via Let's Encrypt or use an existing certificate and private key (e.g. using [certbot](https://certbot.eff.org/)). + + +(!docs/pages/includes/acme.mdx!) + + +If you have obtained certificate/key pairs for your domain they can be provided directly to the proxy service: ```yaml @@ -97,6 +79,8 @@ proxy_service: - key_file: "/etc/letsencrypt/live/*.teleport.example.com/privkey.pem" cert_file: "/etc/letsencrypt/live/*.teleport.example.com/fullchain.pem" ``` + + ### Create a user diff --git a/docs/pages/database-access/getting-started.mdx b/docs/pages/database-access/getting-started.mdx index 1ed302fe23dc1..8d6d3cc0f2885 100644 --- a/docs/pages/database-access/getting-started.mdx +++ b/docs/pages/database-access/getting-started.mdx @@ -14,7 +14,7 @@ Here's an overview of what we will do: 2. Download and install Teleport (=teleport.version=) and connect it to the Aurora database. 3. Connect to the Aurora database via Teleport. -## Step 1/3. Setup Aurora +## Step 1/3. Set up Aurora In order to allow Teleport connections to an Aurora instance, it needs to support IAM authentication. @@ -73,33 +73,22 @@ GRANT rds_iam TO alice; For more information about connecting to the PostgreSQL instance directly, see Amazon [documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToPostgreSQLInstance.html). -## Step 2/3. Setup Teleport +## Step 2/3. Set up Teleport Teleport Database Access is available starting from `6.0.0` release. Download the appropriate version of Teleport for your platform from our [downloads page](https://goteleport.com/teleport/download). -Teleport requires a valid TLS certificate to operate and can fetch one automatically -using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol. -We will assume that you have configured DNS records for `teleport.example.com` and -`*.teleport.example.com` to point to the node where you're launching Teleport. +### Configure TLS -Let's generate a Teleport config with ACME enabled: +Teleport requires a valid TLS certificate to operate and can fetch one automatically +using Let's Encrypt. -```code -$ teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com > /tmp/teleport.yaml -``` +(!docs/pages/includes/acme.mdx!) - - Teleport's ACME protocol integration currently requires web proxy to run on - port 443 so open /tmp/teleport.yaml and update `proxy_service.web_listen_addr` - and `proxy_service.public_addr` to use port 443 instead of the default 3080. - +### Start Teleport Now start Teleport and point it to your Aurora database instance. Make sure to update the database endpoint and region appropriately. @@ -118,9 +107,11 @@ $ sudo teleport start --config=/tmp/teleport.yaml \ title="AWS Credentials" > The node that connects to the database should have AWS credentials configured - with the policy from [step 1](#step-13-setup-aurora). + with the policy from [step 1](#step-13-set-up-aurora). +### Create a user and role + Create the role that will allow a user to connect to any database using any database account: diff --git a/docs/pages/getting-started/linux-server.mdx b/docs/pages/getting-started/linux-server.mdx index 6fb878b58d268..89e16da91cc84 100644 --- a/docs/pages/getting-started/linux-server.mdx +++ b/docs/pages/getting-started/linux-server.mdx @@ -61,9 +61,49 @@ Start Teleport: $ sudo teleport start ``` -You can access Teleport's Web UI on port `443`. + + + (!docs/pages/includes/acme.mdx!) + + + + + On your Teleport host, place a valid private key and a certificate chain in `/var/lib/teleport/privkey.pem` + and `/var/lib/teleport/fullchain.pem` respectively. + + The leaf certificate must have a subject that corresponds to the domain of your Teleport host, e.g., `*.teleport.example.com`. + + Configure Teleport, changing the values of the `--cluster-name` and `--public-addr` flags to match the domain name of your Teleport host. + + ```code + $ sudo teleport configure -o file \ + --cluster-name=tele.example.com \ + --public-addr=tele.example.com:443 \ + --cert-file=/var/lib/teleport/fullchain.pem \ + --key-file=/var/lib/teleport/privkey.pem + ``` + + + + + +## Start Teleport + + + + ```code + $ sudo systemctl start teleport + ``` + + + + ```code + $ sudo teleport start + ``` + + -Replace `tele.example.com` with your domain: `https://tele.example.com/`. +You can access Teleport's Web UI via HTTPS at the domain you created earlier. ## Step 2/4. Create a Teleport user and set up two-factor authentication diff --git a/docs/pages/includes/acme.mdx b/docs/pages/includes/acme.mdx new file mode 100644 index 0000000000000..fb33518d61cdd --- /dev/null +++ b/docs/pages/includes/acme.mdx @@ -0,0 +1,23 @@ +Let's Encrypt verifies that you control the domain name of your Teleport deployment by communicating with the HTTPS server listening on port 443 of your Teleport Proxy Service. + +You can configure the Teleport Proxy service to complete the Let's Encrypt verification process when it starts up. + +Run the following `teleport configure` command, where `tele.example.com` is the domain name of your Teleport cluster and `user@example.com` is an email address used for notifications (you can use any domain): + +```code +teleport configure --acme --acme-email=user@example.com --cluster-name=tele.example.com > /etc/teleport.yaml +``` + +The `--acme`, `--acme-email`, and `--cluster-name` flags will add the following settings to your Teleport configuration file: + +```yaml +proxy_service: + enabled: "yes" + web_listen_addr: :443 + public_addr: tele.example.com:443 + acme: + enabled: "yes" + email: user@example.com +``` + +Port 443 on your Teleport Proxy Service host must allow traffic from all sources. diff --git a/docs/pages/includes/database-access/start-auth-proxy.mdx b/docs/pages/includes/database-access/start-auth-proxy.mdx index c9492a4a29472..37b95327ac65c 100644 --- a/docs/pages/includes/database-access/start-auth-proxy.mdx +++ b/docs/pages/includes/database-access/start-auth-proxy.mdx @@ -6,7 +6,7 @@ issue a TLS certificate for the Teleport Proxy host's domain, the ACME protocol must verify that an HTTPS server is reachable on port 443 of the host. We will assume that you have configured DNS records for `teleport.example.com` -and `*.teleport.example.com` to point to your Teleport node. +and `*.teleport.example.com` to point to your Teleport Node. To support the ACME protocol, Teleport Proxy must listen on port 443, rather @@ -17,13 +17,13 @@ Download the latest version of Teleport for your platform from our [downloads page](https://goteleport.com/teleport/download) and follow the installation [instructions](../../installation.mdx). -Generate a Teleport configuration file with ACME enabled: +Teleport requires a valid TLS certificate to operate and can fetch one automatically +using Let's Encrypt. +We will assume that you have configured DNS records for `teleport.example.com` and `*.teleport.example.com` to point to the Teleport Node. -```code -$ teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com -o file -``` +(!docs/pages/includes/acme.mdx!) -Start the Teleport Auth and Proxy services: +Next, start the Teleport Auth and Proxy Services: ```code $ sudo teleport start diff --git a/docs/pages/server-access/getting-started.mdx b/docs/pages/server-access/getting-started.mdx index 3b599a0c5a6c7..97c3a096f49bf 100644 --- a/docs/pages/server-access/getting-started.mdx +++ b/docs/pages/server-access/getting-started.mdx @@ -70,15 +70,9 @@ This guide introduces some of these common scenarios and how to interact with Te 3. Configure Teleport on the *Bastion Host*. - Teleport will now automatically acquire an X.509 certificate using the ACME protocol. + Teleport uses TLS to communicate with clients, and can fetch certificates automatically via Let's Encrypt. - ```code - # Configure Teleport with TLS certs - $ sudo teleport configure \ - --acme --acme-email=your_email@example.com \ - --cluster-name=tele.example.com \ - -o file - ``` + (!docs/pages/includes/acme.mdx!) Run the command above on `tele.example.com`.