TLS handshake error | acme can't get a cert for domain #6448

Closed
dion22 opened this issue Apr 14, 2021 · 4 comments · Fixed by #9556
dion22 commented Apr 14, 2021

Description

What happened:
Followed instruction:
https://goteleport.com/docs/getting-started/
and for TLS certs
https://goteleport.com/blog/letsencrypt-teleport-ssh/

DNS records: (renamed to teleport.com for this purpose)
A record connect.teleport.com
A record *.connect.teleport.com

For the first 20/24 hours everything was working as it should, except for this TLS error showing in the server log.
After some time I noticed that the server section on the Teleport webpage showed No Data Available.

Error:

ERRO [PROXY:SER] "proxy2021/04/14 10:15:58 http: TLS handshake error from <client_ip>:46010: acme can't get a cert for domain 636f6e6e6563742e616c6c63732e636c6f7564.teleport.cluster.local, add it to the proxy_service.public_addr, or use one of the domains: connect.teleport.com\n" utils/cli.go:304
ERRO [PROXY:SER] "proxy2021/04/14 10:15:58 http: TLS handshake error from <client_ip>:46008: acme can't get a cert for domain 636f6e6e6563742e616c6c63732e636c6f7564.teleport.cluster.local, add it to the proxy_service.public_addr, or use one of the domains: connect.teleport.com\n" utils/cli.go:304
ERRO [PROXY:SER] "proxy2021/04/14 10:19:17 http: TLS handshake error from <client_ip>:46022: acme can't get a cert for domain 636f6e6e6563742e616c6c63732e636c6f7564.teleport.cluster.local, add it to the proxy_service.public_addr, or use one of the domains: connect.teleport.com\n" utils/cli.go:304
ERRO [PROXY:SER] "proxy2021/04/14 10:19:17 http: TLS handshake error from <client_ip>:46020: acme can't get a cert for domain 636f6e6e6563742e616c6c63732e636c6f7564.teleport.cluster.local, add it to the proxy_service.public_addr, or use one of the domains: connect.teleport.com\n" utils/cli.go:304

Server config:

teleport:
  nodename: connect.teleport.com
  data_dir: /var/lib/teleport
  auth_servers:
  - 127.0.0.1:3025
  log:
    output: stderr
    severity: INFO
  ca_pin: sha256:<ca_pin>
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  public_addr: connect.teleport.com:3025
  cluster_name: connect.teleport.com
ssh_service:
  enabled: "yes"
  labels:
    teleport: server
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:443
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: connect.teleport.com:443
  https_keypairs:
    - key_file: /etc/letsencrypt/live/connect.teleport.com/privkey.pem
      cert_file: /etc/letsencrypt/live/connect.teleport.com/fullchain.pem
  acme:
    enabled: "yes"
    email: [email protected]

node config:

teleport:
  nodename: node-100101
  data_dir: /var/lib/teleport
  auth_token: <auth_token>
  ca_pin: sha256:<ca_pin>
  auth_servers:
    - connect.teleport.com:443
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    teleport: node
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: no

Server Details

  • Teleport version (run teleport version): Teleport v6.1.1 git:v6.1.1-0-geacd474d8 go1.15.5
  • Server OS (e.g. from /etc/os-release): Ubuntu 18.04.5 LTS

Client Details

  • Tsh version (tsh version): Teleport v6.1.1 git:v6.1.1-0-geacd474d8 go1.15.5
  • Computer OS (e.g. Linux, macOS, Windows): Ubuntu 20.04.2 LTS
  • Browser version (for UI-related issues): Chrome
  • Installed via (e.g. apt, yum, brew, website download): apt

Debug Logs

included

teleport-log.txt
teleport-log-client.txt

@dion22 dion22 added the bug label Apr 14, 2021
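
A way to triage the error lines from the report above, as an added example that is not part of the original issue or of Teleport's code: it extracts the name each peer requested and the names the proxy's ACME policy accepts, and flags requests for names under `.teleport.cluster.local`, which a public ACME CA cannot validate. The sample lines are constructed in the format of the lines above, and reading the leading label as hex-encoded ASCII is an assumption, not something stated in the thread.

```python
import re
from collections import Counter

# Message format copied from the log lines in the issue.
ACME_ERR = re.compile(
    r"TLS handshake error from (?P<peer>\S+):(?P<port>\d+): "
    r"acme can't get a cert for domain (?P<requested>[^,\s]+), "
    r'.*?use one of the domains: (?P<allowed>[^\\"]+)'
)
INTERNAL_SUFFIX = ".teleport.cluster.local"  # suffix of the rejected name in the issue


def decode_internal_label(domain):
    """Return the text behind '<hex>.teleport.cluster.local', else None.

    Assumption: the leading label is hex-encoded ASCII.
    """
    if not domain.endswith(INTERNAL_SUFFIX):
        return None
    label = domain[: -len(INTERNAL_SUFFIX)]
    if not label:
        return None
    try:
        return bytes.fromhex(label).decode("ascii")
    except ValueError:  # non-hex label or non-ASCII bytes
        return None


def parse_line(line):
    """Parse one proxy log line; return a finding dict, or None if unrelated."""
    m = ACME_ERR.search(line)
    if m is None:
        return None
    requested = m["requested"].lower()
    # Assumption: multiple accepted names are separated by commas and/or spaces.
    allowed = [d.lower() for d in re.split(r"[,\s]+", m["allowed"].strip()) if d]
    decoded = decode_internal_label(requested)
    # internal-name: a .local name that no public CA can issue for.
    # not-in-allow-list: an ordinary name the proxy was not configured to serve.
    kind = "internal-name" if decoded is not None else "not-in-allow-list"
    return {"peer": m["peer"], "requested": requested, "decoded": decoded,
            "allowed": allowed, "kind": kind}


def triage(lines):
    """Group ACME host-policy rejections by requested name and kind."""
    findings = [f for f in map(parse_line, lines) if f]
    counts = Counter((f["requested"], f["kind"]) for f in findings)
    return findings, counts


# Constructed sample input (not taken from the issue's attached logs).
_HEX = "cluster.example.test".encode().hex()
INTERNAL_NAME = f"{_HEX}{INTERNAL_SUFFIX}"
_TAIL = ('add it to the proxy_service.public_addr, or use one of the domains: '
         'proxy.example.test\\n" utils/cli.go:304')
SAMPLE_LOG = [
    'ERRO [PROXY:SER] "proxy2021/04/14 10:15:58 http: TLS handshake error from '
    f"192.0.2.10:46010: acme can't get a cert for domain {INTERNAL_NAME}, {_TAIL}",
    'ERRO [PROXY:SER] "proxy2021/04/14 10:19:17 http: TLS handshake error from '
    f"192.0.2.10:46022: acme can't get a cert for domain {INTERNAL_NAME}, {_TAIL}",
    'ERRO [PROXY:SER] "proxy2021/04/14 10:20:01 http: TLS handshake error from '
    f"198.51.100.7:51000: acme can't get a cert for domain other.example.test, {_TAIL}",
    "INFO [PROXY:SER] unrelated line that must be ignored",
]

if __name__ == "__main__":
    findings, counts = triage(SAMPLE_LOG)
    for (name, kind), n in counts.most_common():
        decoded = decode_internal_label(name)
        suffix = f" (decodes to {decoded})" if decoded else ""
        print(f"{n}x {kind}: {name}{suffix}")
```
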
@stevenGravy
Contributor

@dion22 is port 443 open and can it be connected to from the internet? That's required for ACME to call back. We typically ask that these types of issues be entered into the GitHub Discussions tab.

dion22 commented Apr 16, 2021

@stevenGravy port 443 is open and can be connected to from the internet. When a new node is added, it shows up for 24 hours (no alarm or anything); after 24 hours it shows the http: TLS handshake error. Also, the nodes are gone from the servers list.

I tried changing port 443 to 3080 (public + web) but got the same issue, even with a fresh install of the Teleport server and client.

Sorry, next time I will ask this type of question in the discussion tab.

@inertial-frame
Contributor

@dion22 - we're in the process of further improving our documentation surrounding ACME. Hopefully, #7340 addresses some of the items you mentioned a bit better. Cheers!

gramosbr commented Aug 4, 2021

Any updates on this?

ptgott added a commit that referenced this issue Dec 23, 2021
Our Getting Started guides often include instructions for
configuring Let's Encrypt and ACME before starting
Teleport, but not all of these instructions have the same
level of detail, and some are missing some context around
how Teleport uses ACME and why you need to open port 443 on
your Proxy Service host. This change adds an include that
spells out these instructions and invokes the include in the
appropriate guides.

The intention was to include as much relevant information within
the guides themselves to prevent the reader from having to
navigate to other pages.

Closes #6448
ptgott added a commit that referenced this issue Mar 3, 2022
* Standardize ACME instruction details

Our Getting Started guides often include instructions for
configuring Let's Encrypt and ACME before starting
Teleport, but not all of these instructions have the same
level of detail, and some are missing some context around
how Teleport uses ACME and why you need to open port 443 on
your Proxy Service host. This change adds an include that
spells out these instructions and invokes the include in the
appropriate guides.

The intention was to include as much relevant information within
the guides themselves to prevent the reader from having to
navigate to other pages.

Closes #6448

* Respond to PR feedback

- Substitute "proxy" for "node" where it was incorrectly used
- Some small stylistic fixes
- Clarify that "teleport configure" does not write the config
  itself
ptgott added a commit that referenced this issue Mar 9, 2022
Backports #9556

* Standardize ACME instruction details

Our Getting Started guides often include instructions for
configuring Let's Encrypt and ACME before starting
Teleport, but not all of these instructions have the same
level of detail, and some are missing some context around
how Teleport uses ACME and why you need to open port 443 on
your Proxy Service host. This change adds an include that
spells out these instructions and invokes the include in the
appropriate guides.

The intention was to include as much relevant information within
the guides themselves to prevent the reader from having to
navigate to other pages.

Closes #6448

* Respond to PR feedback

- Substitute "proxy" for "node" where it was incorrectly used
- Some small stylistic fixes
- Clarify that "teleport configure" does not write the config
  itself