diff --git a/docs/pages/application-access/getting-started.mdx b/docs/pages/application-access/getting-started.mdx index 9b107f121a734..7fcd5304f3da4 100644 --- a/docs/pages/application-access/getting-started.mdx +++ b/docs/pages/application-access/getting-started.mdx @@ -15,7 +15,11 @@ Let's connect to Grafana using Teleport Application Access in three steps: ## Prerequisites - We will use Docker to launch Grafana in a container. Alternatively, if you have another web application you'd like to protect with App Access, you can use that instead. -- We will assume your Teleport cluster is accessible at `teleport.example.com` and `*.teleport.example.com`. Configured DNS records are required to automatically fetch a [Let's Encrypt](https://letsencrypt.org) certificate. +- We will assume your Teleport cluster is accessible at `teleport.example.com` and `*.teleport.example.com`. Configured DNS records are required to automatically fetch a [Let's Encrypt](https://letsencrypt.org) certificate. + + +Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you need to create a DNS A record with a wildcard subdomain (e.g., `*.teleport.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + ## Step 1/3. Start Grafana @@ -41,6 +45,10 @@ using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol. We will assume that you have configured DNS records for `teleport.example.com` and `*.teleport.example.com` to point to the Teleport node. + +Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so the wildcard certificate enables clients to verify your Teleport hosts regardless of application. + + (!docs/pages/includes/permission-warning.mdx!) Let's generate a Teleport config with ACME enabled: diff --git a/docs/pages/application-access/guides/connecting-apps.mdx b/docs/pages/application-access/guides/connecting-apps.mdx index 4468d6544d894..282af90dd8c3c 100644 --- a/docs/pages/application-access/guides/connecting-apps.mdx +++ b/docs/pages/application-access/guides/connecting-apps.mdx @@ -54,6 +54,10 @@ applications. When setting up Teleport, the minimum requirement is a certificate for the proxy and a wildcard certificate for its sub-domain. This is where everyone will log into Teleport. + +Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so the wildcard certificate enables clients to verify your Teleport hosts regardless of application. + + In our example: - `teleport.example.com` will host the Access Plane. diff --git a/docs/pages/database-access/getting-started.mdx b/docs/pages/database-access/getting-started.mdx index 51e4f6ff3cc42..376313ecee750 100644 --- a/docs/pages/database-access/getting-started.mdx +++ b/docs/pages/database-access/getting-started.mdx @@ -83,8 +83,13 @@ our [downloads page](https://goteleport.com/teleport/download). Teleport requires a valid TLS certificate to operate and can fetch one automatically using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol. -We will assume that you have configured DNS records for `teleport.example.com` and -`*.teleport.example.com` to point to the node where you're launching Teleport. +We will assume that you have configured a DNS record for `teleport.example.com` to point to the node where you're launching Teleport. + +
+Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you need to create a DNS A record with a wildcard subdomain (e.g., `*.teleport.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + +[Learn more about Teleport Application Access](../application-access/getting-started.mdx) +
Let's generate a Teleport config with ACME enabled: diff --git a/docs/pages/getting-started/linux-server.mdx b/docs/pages/getting-started/linux-server.mdx index c23165f0389df..b5e36093a1127 100644 --- a/docs/pages/getting-started/linux-server.mdx +++ b/docs/pages/getting-started/linux-server.mdx @@ -77,7 +77,13 @@ Take a look at the [Installation Guide](../installation.mdx) for more options. ### Configure DNS -Teleport uses TLS to provide secure access to its Proxy Service and Auth Service, and this requires a domain name that clients can use to verify Teleport's certificate. To get started, set up two `A` records for `tele.example.com` and `*.tele.example.com` pointing to the IP/FQDN of the machine with Teleport installed. +Teleport uses TLS to provide secure access to its Proxy Service and Auth Service, and this requires a domain name that clients can use to verify Teleport's certificate. To get started, set up a DNS `A` record for `tele.example.com` pointing to the IP/FQDN of the machine with Teleport installed. + +
+Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you will also need to create a DNS A record with a wildcard subdomain (e.g., `*.tele.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + +[Learn more about Teleport Application Access](../application-access/getting-started.mdx) +
+Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you will also need to create a DNS A record with a wildcard subdomain (e.g., `*.tele.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + +[Learn more about Teleport Application Access](../../application-access/getting-started.mdx) + Generate Teleport config with ACME enabled: diff --git a/docs/pages/kubernetes-access/getting-started/cluster.mdx b/docs/pages/kubernetes-access/getting-started/cluster.mdx index 5ec9a8a527f53..239029da26069 100644 --- a/docs/pages/kubernetes-access/getting-started/cluster.mdx +++ b/docs/pages/kubernetes-access/getting-started/cluster.mdx @@ -104,8 +104,13 @@ to create a public IP for Teleport. -Set up two `A` DNS records - `tele.example.com` for UI and `*.tele.example.com` -for web apps using [application access](../../application-access/introduction.mdx). +You will also need to create a DNS A record for `tele.example.com` so clients can verify the TLS certificate of your Teleport hosts. + +
+Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you will also need to create a DNS A record with a wildcard subdomain (e.g., `*.tele.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + +[Learn more about Teleport Application Access](../../application-access/getting-started.mdx) +
@@ -115,7 +120,6 @@ for web apps using [application access](../../application-access/introduction.md $ gcloud dns record-sets transaction start --zone="${MYZONE?}" $ gcloud dns record-sets transaction add ${MYIP?} --name="${MYDNS?}" --ttl="30" --type="A" --zone="${MYZONE?}" - $ gcloud dns record-sets transaction add ${MYIP?} --name="*.${MYDNS?}" --ttl="30" --type="A" --zone="${MYZONE?}" $ gcloud dns record-sets transaction describe --zone="${MYZONE?}" $ gcloud dns record-sets transaction execute --zone="${MYZONE?}" ``` @@ -131,8 +135,7 @@ for web apps using [application access](../../application-access/introduction.md # Create a JSON file changeset for AWS. $ jq -n --arg ip ${MYIP?} --arg dns ${MYDNS?} '{"Comment": "Create records", "Changes": [ - {"Action": "CREATE", "ResourceRecordSet": {"Name": $dns, "Type": "A", "TTL": 300, "ResourceRecords": [{ "Value": $ip}]}}, - {"Action": "CREATE", "ResourceRecordSet": {"Name": ("*." + $dns), "Type": "A", "TTL": 300, "ResourceRecords": [{ "Value": $ip}]}} + {"Action": "CREATE", "ResourceRecordSet": {"Name": $dns, "Type": "A", "TTL": 300, "ResourceRecords": [{ "Value": $ip}]}} ]}' > myrecords.json # Review records before applying. diff --git a/docs/pages/kubernetes-access/helm/guides/aws.mdx b/docs/pages/kubernetes-access/helm/guides/aws.mdx index e5e23cccd1e35..0f9de1221ccf3 100644 --- a/docs/pages/kubernetes-access/helm/guides/aws.mdx +++ b/docs/pages/kubernetes-access/helm/guides/aws.mdx @@ -302,9 +302,13 @@ $ kubectl --namespace teleport get all ## Step 6. Set up DNS -You'll need to set up two DNS `A` records: `teleport.example.com` for the web UI, and `*.teleport.example.com` -for web apps using [application access](../../../application-access/introduction.mdx). In our example, both records are -aliases to an ELB. +You'll need to set up a DNS `A` record for `teleport.example.com`. In our example, this record is an alias to an ELB. + +
+Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you will also need to create a DNS A record with a wildcard subdomain (e.g., `*.tele.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + +[Learn more about Teleport Application Access](../../../application-access/getting-started.mdx) +
Here's how to do this in a hosted zone with AWS Route 53: @@ -340,18 +344,6 @@ $ jq -n --arg dns "${MYDNS?}" --arg elb "${MYELB?}" --arg elbz "${MYELB_ZONE?}" "EvaluateTargetHealth": false } } - }, - { - "Action": "CREATE", - "ResourceRecordSet": { - "Name": ("*." + $dns), - "Type": "A", - "AliasTarget": { - "HostedZoneId": $elbz, - "DNSName": ("dualstack." + $elb), - "EvaluateTargetHealth": false - } - } } ] }' > myrecords.json diff --git a/docs/pages/kubernetes-access/helm/guides/gcp.mdx b/docs/pages/kubernetes-access/helm/guides/gcp.mdx index 444ff81735ed9..78f209e65c4d5 100644 --- a/docs/pages/kubernetes-access/helm/guides/gcp.mdx +++ b/docs/pages/kubernetes-access/helm/guides/gcp.mdx @@ -346,8 +346,13 @@ $ kubectl --namespace teleport get all ## Step 6. Set up DNS -You'll need to set up two DNS `A` records: `teleport.example.com` for the web UI, and `*.teleport.example.com` -for web apps using [application access](../../../application-access/introduction.mdx). +You'll need to set up a DNS `A` record for `teleport.example.com`. + +
+Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you will also need to create a DNS A record with a wildcard subdomain (e.g., `*.tele.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. + +[Learn more about Teleport Application Access](../../../application-access/getting-started.mdx) +
Here's how to do this using Google Cloud DNS: @@ -362,7 +367,6 @@ $ MYDNS="teleport.example.com" $ gcloud dns record-sets transaction start --zone="${MYZONE?}" $ gcloud dns record-sets transaction add ${MYIP?} --name="${MYDNS?}" --ttl="300" --type="A" --zone="${MYZONE?}" -$ gcloud dns record-sets transaction add ${MYIP?} --name="*.${MYDNS?}" --ttl="300" --type="A" --zone="${MYZONE?}" $ gcloud dns record-sets transaction describe --zone="${MYZONE?}" $ gcloud dns record-sets transaction execute --zone="${MYZONE?}" ``` diff --git a/docs/pages/kubernetes-access/helm/reference.mdx b/docs/pages/kubernetes-access/helm/reference.mdx index 64c09814793e4..27471a3ab6f37 100644 --- a/docs/pages/kubernetes-access/helm/reference.mdx +++ b/docs/pages/kubernetes-access/helm/reference.mdx @@ -44,8 +44,9 @@ This reference details available values for the `teleport-cluster` chart. (!docs/pages/kubernetes-access/helm/includes/kubernetes-externaladdress.mdx!) - You will need to manually add DNS records pointing `teleport.example.com` and `*.teleport.example.com` to either the IP or hostname - of the Kubernetes load balancer. + You will need to manually add a DNS A record pointing `teleport.example.com` to either the IP or hostname of the Kubernetes load balancer. + + If you are using Teleport Application Access, you will also need to add a DNS A record for `*.teleport.example.com`. This is because Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so the wildcard enables clients to verify your Teleport hosts regardless of application. If you are not using ACME certificates, you may also need to accept insecure warnings in your browser to view the page successfully.