Configuring Teleport 13+ behind nginx as an HTTPS reverse proxy

[webvictim]

Here's how to configure Teleport 13+ behind nginx as an HTTPS reverse proxy.

Notes:

• In all examples, replace teleport.example.com with your own public domain.
• Teleport listens on port 3080. nginx listens on port 443 and forwards traffic to port 3080.
  • It also optionally listens on port 80 to forward requests for http://teleport.example.com to https://teleport.example.com
• Port 443 must be open to the outside via firewall/security groups etc.
  • Also open port 80 for HTTP redirection if you want that
• Add an A record for teleport.example.com, pointing to the external IP address of your nginx server
  • Also add an A record for *.teleport.example.com pointing to the external IP address of your nginx server if you want to use Teleport application access
  • If you're using Cloudflare, your DNS records must be set to "DNS only" rather than "proxied" EDIT: Since version 15.1, Teleport uses regular websocket upgrades which work fine with Cloudflare proxying. However, Application Access subdomains should remain unproxied ("DNS only") unless you're using Advanced Certificate Manager.
• You will need to get a valid TLS certificate for your domain using something like certbot which you can supply to nginx:
  • Example: sudo certbot certonly -d teleport.example.com
• If you want to use Teleport application access, you should also add a wildcard SAN to the certificate request. Bear in mind that you will need a DNS-01 challenge to request wildcard certificates, which may require a certbot plugin and additional configuation.
  • Example: sudo certbot certonly -d teleport.example.com,*.teleport.example.com --dns-route53
• Don't forget to configure a cron job or some kind of process to automatically run certbot renew at least every 90 days
  • Add a hook to automatically reload nginx to read the updated certificates when this is done.
• Teleport itself will use a self-signed certificate and does not need to be configured to use certbot.
• Make sure you're using Teleport version 13+, and that you have tsh version 13+ installed locally.
  • If you're using an older version of tsh, commands like tsh login will not work as expected. Check your version with tsh version and upgrade if necessary.

/etc/teleport.yaml:

version: v3
teleport:
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: true
  cluster_name: "teleport.example.com" # update to your own public domain
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
  authentication:
    second_factor: on
    webauthn:
      rp_id: teleport.example.com # update to your own public domain
ssh_service:
  enabled: true
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: true
  web_listen_addr: 0.0.0.0:3080
  public_addr: teleport.example.com:443 # update to your own public domain
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
  trust_x_forwarded_for: true
# optional: enable the app service
app_service:
  enabled: true
  debug_app: true
  apps:
  - name: test
    uri: http://localhost:8000

/etc/nginx/conf.d/teleport.conf:

server {
    server_name teleport.example.com *.teleport.example.com; # update to your own public domain
    client_max_body_size 1024M;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass https://127.0.0.1:3080;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen [::]:443 ssl;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/teleport.example.com/fullchain.pem; # change this to your actual domain/path
    ssl_certificate_key /etc/letsencrypt/live/teleport.example.com/privkey.pem; # change this to your actual domain/path
}

# optional section - listen for HTTP requests on port 80 and redirect them to HTTPS on 443
server {
    server_name teleport.example.com *.teleport.example.com; # update to your own public domain

    # update to your own public domain
    if ($host = teleport.example.com) {
        return 301 https://$host$request_uri;
    }

    listen [::]:80;
    listen 80;
    return 404;
}

Once these files are in place, start Teleport with sudo systemctl start teleport or similar, then start nginx with sudo systemctl start nginx.

• You can check Teleport logs with sudo journalctl -u teleport -f.
• You can check nginx's default access log using sudo tail -F /var/log/nginx/access.log

If you have any issues, post comments here for assistance. We'd also love to hear if you just get it working!

[sbourdette]

Hi, thank you for your tutorial.
I have tried to adapt to my configuration but I'm block.

The difference is that I use cloudflare and cloudflare universal SSL doesnt support sub sub domain
So I had to configure a public_addr for my application : app1.example.com

Now I have a CORS preflight issue in browser's console :

app1.example.com:1 Access to fetch at 'https://app1.example.com/x-teleport-auth' from origin 'https://tele.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I tried to add in teleport config app :

    rewrite:
      headers:
        - "Origin: https://tele.bourdette.com"
        - "Access-Control-Allow-Origin: *"

I have put in nginx

proxy_set_header Access-Control-Allow-Origin *;

[webvictim]

I'm afraid I can't recreate this either. I set up an app with a config like this:

app_service:
  enabled: true
  debug_app: true
  apps:
  - name: test
    uri: http://localhost:8000
    public_addr: gus-nginx-app-test.teleportdemo.com

The public address of my cluster is a different subdomain of the same root domain (teleportdemo.com):

proxy_service:
  enabled: true
  web_listen_addr: 0.0.0.0:3080
  public_addr: gus-nginx.teleportdemo.com:443

I pointed the DNS records for both to my server's IP.

I ran sudo certbot -d *.teleportdemo.com --plugin route53 to get a wildcard cert for everything under teleportdemo.com:

[ec2-user@ip-172-31-28-4 ~]$ sudo openssl x509 -in /etc/letsencrypt/live/teleportdemo.com/fullchain.pem -text | grep -A1 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:*.teleportdemo.com

I provided that to nginx:

    ssl_certificate /etc/letsencrypt/live/teleportdemo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/teleportdemo.com/privkey.pem;

Restarted both nginx and teleport, logged in and saw the application:

When I click "Launch", the application loads fine:

(the 500 error is because there's actually nothing listening on http://localhost:8000)

May 26 16:23:20 ip-172-31-28-4.us-east-2.compute.internal teleport[466948]: 2023-05-26T16:23:20Z ERRO             Error forwarding to /, err: dial tcp 127.0.0.1:8000: connect: connection refused forward/fwd.go:176

I'm not sure exactly what the issue is here :(

I'm not using Cloudflare so I have to conclude that's probably where the root of the issue lies.

[mighty-services]

Hey Guys,

thanks a ton for all your questions and answers. I'm also fighting with a reverse proxy setup. I'm using the nginx proxy manager, since I'm not that skilled to use pure config-files. I got it working though... I read somewhere (I'm sorry I forgot the Website), to create the certificates within nginx proxy manager, copy them over to teleport and add the path within the teleport.yaml file - so it looks like this:

version: v3
teleport:
  nodename: teleport
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.example.com
ssh_service:
  enabled: "yes"
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  listen_addr: 0.0.0.0:3023
  public_addr: teleport.example.com:443
  tunnel_public_addr: teleport.example.com:3024
  tunnel_listen_addr: 0.0.0.0:3024
  peer_listen_addr: 0.0.0.0:3022
  ssh_public_addr: teleport.example.com:3023
  kube_listen_addr: 0.0.0.0:3026
  kube_public_addr: teleport.example.com:3026
  https_keypairs:
  - key_file: /var/lib/teleport/privkey.pem
    cert_file: /var/lib/teleport/fullchain.pem
  https_keypairs_reload_interval: 0s
  acme: {}

so what I (also) did was:

• as in this issue described, I removed "proxy_listener_mode: multiplex" from the preconfigured YAML-File
• added this lines to teleport.yaml file
  • tunnel_listen_addr: 0.0.0.0:3024
  • public_addr: teleport.example.com:443
  • tunnel_public_addr: teleport.example.com:3024
  • tunnel_listen_addr: 0.0.0.0:3024
  • peer_listen_addr: 0.0.0.0:3022
  • ssh_public_addr: teleport.example.com:3023
  • kube_listen_addr: 0.0.0.0:3026
  • kube_public_addr: teleport.example.com:3026

I created one entry in nginx proxy manager just for teleport.example.com:

server {
  set $forward_scheme https;
  set $server         "10.0.9.199";
  set $port           443;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name teleport.example.com;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-79/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-79/privkey.pem;

  # added manually
  client_max_body_size 1024M;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

  # Force SSL
  include conf.d/include/force-ssl.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /data/logs/proxy-host-38_access.log proxy;
  error_log /data/logs/proxy-host-38_error.log warn;

  location / {
  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

Please note that this file is created by nginx proxy manager itself - I just cut out empty lines.

Then I added another one for the wildcard with no certificate yet:

server {
  set $forward_scheme https;
  set $server         "10.0.9.199";
  set $port           443;

  listen 80;
listen [::]:80;

  server_name *.teleport.example.com;

  # Asset Caching
  include conf.d/include/assets.conf;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /data/logs/proxy-host-39_access.log proxy;
  error_log /data/logs/proxy-host-39_error.log warn;

  location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

Caveats:

• I´m not able to use web-access, since I don´t have my domain registered on any service able to server wildcard-certificates, but I ordered one on Kzuhlma IT to a reasonable price (I think at least)
• I need to copy the certificates manually over to my teleport cluster-host

Feel free to add your two cents to this since my solution is far from perfect :)

[webvictim]

You don't need a wildcard certificate unless you're planning to use Teleport application access, and even then it's only a recommendation to save time. I believe Nginx proxy manager has native support for the use of Let's Encrypt to get SSL certificates as well, so you shouldn't need to pay anything at all (unless you mean that you don't have any DNS records for your domain?)

[mighty-services]

Thanks for your advise. Yes I want to use the Web access Feature.

Nginx reverse proxy manager doesn't support the Hoster, where my domain is registered. If you are on cloud flare for instance, you can use the DNS challenge to get a wildcard certificate through let's Encrypt.
the other option would be to move one of the supported Hoster, which is not an option for me... Or to use the generic api method and try to get the api of the Hoster working for me. Since I'm not good at that and there's not enough documentation from my Hoster, this isn't an option either.

[mighty-services]

But if a wildcard certificate is only optional, please share with me, how I can get access to websites. Right now the teleport cluster access (with the webUI and the tsh command) works fine. ALSO the implementation of new nodes runs flawless, but when I add a local website it's giving me a self-signed certificate warning.:

[webvictim]

So say your cluster is teleport.example.com and your application is app.teleport.example.com. You have two options:

• Get a wildcard certificate which has teleport.example.com and *.teleport.example.com as SANs (Subject Alternative Names)

  • The benefit of this method is that if you then add app2.teleport.example.com, the wildcard certificate will cover that app too.
  • The downside is that ACME services like Let's Encrypt or ZeroSSL will require a DNS challenge to issue a wildcard certificate, which may not be possible with all providers as you've mentioned above.

• If you can't use wildcards, you can get one or more certificates which cover teleport.example.com and app.teleport.example.com as SANs.

  • The downside of this is that every time you add a new application, you'll need a new certificate for it.

[mighty-services]

Thanks Webvictim,

so in my case, where I want to utilize the App-Section for many Services, wildcard is the only real option.

This didn't change with teleport 13.0 upward, right?

The change from that version on is, that a reverse proxy-szenario is supported by default, like you said here

[webvictim]

Yes, correct, nothing has changed with regard to certificate requirements in Teleport 13 - but we added the ability to deploy Teleport behind a layer 7 load balancer/HTTP proxy.

[Borega]

After some work I got this to work for applications. The Problem I am facing now is the following: it works only for applications that run on http. Some of my applications run on https with a self signed cert. These do not work. Any Idea how to get them to work?

[webvictim]

This config on the Teleport side should work:

app_service:
  enabled: true
  debug_app: true
  apps:
  - name: test
    uri: https://localhost:8888
    insecure_skip_verify: true

[Borega]

This is the way. Thank you

[mighty-services]

I finally made time to reset my teleport cluster WITH the DNS-Challenge, so I can issue Wildcard certificates. I have my nginx Proxy Manager setup to a local DNS-Provider, where I get my Certs for teleport.example.com and *.teleport.example.com from. I have the cluster up and running and it´s the same error again - I can add a SSH-Reesource, but no Application ressource. Once I implemented it, the log on the teleport node sais:

INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:3519092.1 service/service.go:2874
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted. pid:3519092.1 service/service.go:2874
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted/default. pid:3519092.1 service/service.go:2874
INFO [INSTANCE:] Successfully registered instance client. pid:3519092.1 service/service.go:2452
INFO [UPLOAD]    uploader will scan /var/lib/teleport/log/upload/streaming/default every 5s filesessions/fileasync.go:192
INFO [UPLOAD:1:] upload completer will run every 5m0s events/complete.go:143
WARN [PROC:1]    Unable to reuse Instance client for App. additionalSystemRoles=[Node] pid:3519092.1 service/connect.go:1060
INFO [PROC:1]    Reusing Instance client for Node. additionalSystemRoles=[Node] pid:3519092.1 service/connect.go:1057
INFO [PROC:1]    Node: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:3519092.1 service/connect.go:92
INFO [PROC:1]    App: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:3519092.1 service/connect.go:92
 INFO [NODE:1:CA] Cache "node" first init succeeded. cache/cache.go:910
 INFO             debug -> starting control-stream based heartbeat. regular/sshserver.go:887
 INFO [NODE:1]    Service is starting in tunnel mode. pid:3519092.1 service/service.go:2725
 INFO [APP:SERVI] Cache "apps" first init succeeded. cache/cache.go:910
 INFO [APP:SERVI] All applications successfully started. pid:3519092.1 service/service.go:5393
 INFO [PROC:1]    The new service has started successfully. Starting syncing rotation status with period 10m0s. pid:3519092.1 service/connect.go:684

and the server sais:

[AUDIT]     INFO cert.create cert_type:user cluster_name:teleport.example.com code:TC000I ei:0 event:cert.create client_ip:10.0.9.103 expires:2023-10-20T04:23:21.09981113Z logins:[root ubuntu -teleport-internal-join] prev_identity_expires:0001-01-01T00:00:00Z private_key_policy:none roles:[access editor] route_to_cluster:teleport.example.com teleport_cluster:teleport.example.com aws_role_arns:<nil> azure_identities:<nil> db_names:<nil> db_roles:<nil> db_users:<nil> gcp_service_accounts:<nil> host_user_gid:[] host_user_uid:[] kubernetes_groups:<nil> kubernetes_users:<nil> logins:[root ubuntu] windows_logins:<nil> user:teleport-admin time:2023-10-19T17:50:45.865Z uid:17fbf19d-d3e9-4b90-a375-b24d49d25ad1 events/emitter.go:271
[UNIFIED_R] WARN Restart watch on error: cache "auth" does not support watching resource "access_list". pid:3186.1 resource-kind:[{node false  map[]   {} [] 0} {db_server false  map[]   {} [] 0} {app_server false  map[]   {} [] 0} {saml_idp_service_provider false  map[]   {} [] 0} {windows_desktop false  map[]   {} [] 0} {kube_server false  map[]   {} [] 0} {access_list false  map[]   {} [] 0}] services/watcher.go:259
[UNIFIED_R] WARN Maximum staleness of 1m0s exceeded, failure started at 2023-10-19 19:39:01.944847097 +0200 CEST m=+1.360931600. pid:3186.1 resource-kind:[{node false  map[]   {} [] 0} {db_server false  map[]   {} [] 0} {app_server false  map[]   {} [] 0} {saml_idp_service_provider false  map[]   {} [] 0} {windows_desktop false  map[]   {} [] 0} {kube_server false  map[]   {} [] 0} {access_list false  map[]   {} [] 0}] services/watcher.go:233
[DISCOVERY] WARN Unhealthy connection to teleport.example.com 10.0.9.103:51864: agent disconnected. reversetunnel/conn.go:181
[PROXY:SER] WARN Closing remote connection to agent. addr:10.0.9.103:51864 serverID:99385e33-00f8-4d8e-830d-815cc740f078.teleport.example.com trace.fields:map[cluster:teleport.example.com] reversetunnel/localsite.go:695
[PROXY:SER] WARN Failed to close heartbeat channel: EOF trace.fields:map[cluster:teleport.example.com] reversetunnel/localsite.go:681
[DISCOVERY] WARN Unhealthy connection to teleport.example.com 10.0.9.103:51882: agent disconnected. reversetunnel/conn.go:181
[PROXY:SER] WARN Closing remote connection to agent. addr:10.0.9.103:51882 serverID:99385e33-00f8-4d8e-830d-815cc740f078.teleport.example.com trace.fields:map[cluster:teleport.example.com] reversetunnel/localsite.go:695
[PROXY:SER] WARN Failed to close heartbeat channel: EOF trace.fields:map[cluster:teleport.example.com] reversetunnel/localsite.go:681
[AUTH]      WARN Omitting service "App" for control stream of instance "99385e33-00f8-4d8e-830d-815cc740f078" (unknown or unauthorized). auth/auth_with_roles.go:1099
[CA]        INFO Generating TLS certificate 1.3.9999.1.15=#13046e6f6e65,1.3.9999.1.9=#130a31302e302e392e313033,1.3.9999.1.7=#131674656c65706f72742e6f72672d6d69676874792e6465,1.3.9999.1.5=#131674656c65706f72742e6f72672d6d69676874792e6465,1.3.9999.1.6=#13236d69676874792d636c6f75642e74656c65706f72742e6f72672d6d69676874792e6465,1.3.9999.1.4=#132439343138393564382d626333342d346135322d623663302d343836333230353339313630,CN=teleport-admin,OU=usage:apps,O=access+O=editor,POSTALCODE={\"aws_role_arns\":null\,\"azure_identities\":null\,\"db_names\":null\,\"db_roles\":null\,\"db_users\":null\,\"gcp_service_accounts\":null\,\"host_user_gid\":[\"\"]\,\"host_user_uid\":[\"\"]\,\"kubernetes_groups\":null\,\"kubernetes_users\":null\,\"logins\":[\"root\"\,\"ubuntu\"]\,\"windows_logins\":null},STREET=teleport.example.com,L=root+L=ubuntu+L=-teleport-internal-join dns_names:[] key_usage:5 not_after:2023-10-20 04:23:21.001610962 +0000 UTC tlsca/ca.go:1128
[AUDIT]     INFO cert.create cert_type:user cluster_name:teleport.example.com code:TC000I ei:0 event:cert.create client_ip:10.0.9.103 expires:2023-10-20T04:23:21.001610962Z logins:[root ubuntu -teleport-internal-join] prev_identity_expires:0001-01-01T00:00:00Z private_key_policy:none roles:[access editor] cluster_name:teleport.example.com name: public_addr:cloud.teleport.example.com session_id:941895d8-bc34-4a52-b6c0-486320539160 route_to_cluster:teleport.example.com teleport_cluster:teleport.example.com aws_role_arns:<nil> azure_identities:<nil> db_names:<nil> db_roles:<nil> db_users:<nil> gcp_service_accounts:<nil> host_user_gid:[] host_user_uid:[] kubernetes_groups:<nil> kubernetes_users:<nil> logins:[root ubuntu] windows_logins:<nil> usage:[usage:apps] user:teleport-admin time:2023-10-19T17:52:08.53Z uid:cbfedca2-ed3f-4633-aa83-68fb8d104207 events/emitter.go:271
[AUDIT]     INFO app.session.start addr.remote:10.0.9.103:53708 app_name:cloud app_public_addr:cloud.teleport.example.com app_uri:https://localhost:8080 cluster_name:teleport.example.com code:T2007I ei:0 event:app.session.start namespace:default private_key_policy:none public_addr:cloud.teleport.example.com server_id:fb5cf72f-e3ca-4c78-872e-c1c3bcb0832b sid:941895d8-bc34-4a52-b6c0-486320539160 time:2023-10-19T17:52:09.141Z uid:07b72d82-5cbf-4fe4-add7-199c2d4cf7e0 user:teleport-admin events/emitter.go:271
[AUDIT]     INFO app.session.start addr.remote:10.0.9.103:53708 app_name:cloud app_public_addr:cloud.teleport.example.com app_uri:https://localhost:8080 cluster_name:teleport.example.com code:T2007I ei:0 event:app.session.start namespace:default private_key_policy:none public_addr:cloud.teleport.example.com server_id:fb5cf72f-e3ca-4c78-872e-c1c3bcb0832b sid:941895d8-bc34-4a52-b6c0-486320539160 time:2023-10-19T17:52:09.141Z uid:07b72d82-5cbf-4fe4-add7-199c2d4cf7e0 user:teleport-admin events/emitter.go:271
[UNIFIED_R] WARN Restart watch on error: cache "auth" does not support watching resource "access_list". pid:3186.1 resource-kind:[{node false  map[]   {} [] 0} {db_server false  map[]   {} [] 0} {app_server false  map[]   {} [] 0} {saml_idp_service_provider false  map[]   {} [] 0} {windows_desktop false  map[]   {} [] 0} {kube_server false  map[]   {} [] 0} {access_list false  map[]   {} [] 0}] services/watcher.go:259
[UNIFIED_R] WARN Maximum staleness of 1m0s exceeded, failure started at 2023-10-19 19:39:01.944847097 +0200 CEST m=+1.360931600. pid:3186.1 resource-kind:[{node false  map[]   {} [] 0} {db_server false  map[]   {} [] 0} {app_server false  map[]   {} [] 0} {saml_idp_service_provider false  map[]   {} [] 0} {windows_desktop false  map[]   {} [] 0} {kube_server false  map[]   {} [] 0} {access_list false  map[]   {} [] 0}] services/watcher.go:233

On the WebPage I still see

and in the logs there are these events at that moment popping up:

[CA]        INFO Generating TLS certificate 1.3.9999.1.15=#13046e6f6e65,1.3.9999.1.9=#130a31302e302e392e313033,1.3.9999.1.7=#131674656c65706f72742e6f72672d6d69676874792e6465,1.3.9999.1.5=#131674656c65706f72742e6f72672d6d69676874792e6465,1.3.9999.1.6=#13236d69676874792d636c6f75642e74656c65706f72742e6f72672d6d69676874792e6465,1.3.9999.1.4=#132462343636623566392d306465342d343331332d623061382d313162303261323964313835,CN=teleport-admin,OU=usage:apps,O=access+O=editor,POSTALCODE={\"aws_role_arns\":null\,\"azure_identities\":null\,\"db_names\":null\,\"db_roles\":null\,\"db_users\":null\,\"gcp_service_accounts\":null\,\"host_user_gid\":[\"\"]\,\"host_user_uid\":[\"\"]\,\"kubernetes_groups\":null\,\"kubernetes_users\":null\,\"logins\":[\"root\"\,\"ubuntu\"]\,\"windows_logins\":null},STREET=teleport.example.com,L=root+L=ubuntu+L=-teleport-internal-join dns_names:[] key_usage:5 not_after:2023-10-20 04:23:21.001835132 +0000 UTC tlsca/ca.go:1128
[AUDIT]     INFO cert.create cert_type:user cluster_name:teleport.example.com code:TC000I ei:0 event:cert.create client_ip:10.0.9.103 expires:2023-10-20T04:23:21.001835132Z logins:[root ubuntu -teleport-internal-join] prev_identity_expires:0001-01-01T00:00:00Z private_key_policy:none roles:[access editor] cluster_name:teleport.example.com name: public_addr:cloud.teleport.example.com session_id:b466b5f9-0de4-4313-b0a8-11b02a29d185 route_to_cluster:teleport.example.com teleport_cluster:teleport.example.com aws_role_arns:<nil> azure_identities:<nil> db_names:<nil> db_roles:<nil> db_users:<nil> gcp_service_accounts:<nil> host_user_gid:[] host_user_uid:[] kubernetes_groups:<nil> kubernetes_users:<nil> logins:[root ubuntu] windows_logins:<nil> usage:[usage:apps] user:teleport-admin time:2023-10-19T18:00:42.073Z uid:0108bf07-7cdf-4e37-bd1a-52a261708b80 events/emitter.go:271
[AUDIT]     INFO app.session.start addr.remote:10.0.9.103:36028 app_name:cloud app_public_addr:cloud.teleport.example.com app_uri:https://localhost:8080 cluster_name:teleport.example.com code:T2007I ei:0 event:app.session.start namespace:default private_key_policy:none public_addr:cloud.teleport.example.com server_id:fb5cf72f-e3ca-4c78-872e-c1c3bcb0832b sid:b466b5f9-0de4-4313-b0a8-11b02a29d185 time:2023-10-19T18:00:42.24Z uid:1fe83023-09da-4a53-ae12-6578f28808ca user:teleport-admin events/emitter.go:271
[AUDIT]     INFO app.session.start addr.remote:10.0.9.103:36028 app_name:cloud app_public_addr:cloud.teleport.example.com app_uri:https://localhost:8080 cluster_name:teleport.example.com code:T2007I ei:0 event:app.session.start namespace:default private_key_policy:none public_addr:cloud.teleport.example.com server_id:fb5cf72f-e3ca-4c78-872e-c1c3bcb0832b sid:b466b5f9-0de4-4313-b0a8-11b02a29d185 time:2023-10-19T18:00:42.24Z uid:1fe83023-09da-4a53-ae12-6578f28808ca user:teleport-admin events/emitter.go:271
[UNIFIED_R] WARN Restart watch on error: cache "auth" does not support watching resource "access_list". pid:3186.1 resource-kind:[{node false  map[]   {} [] 0} {db_server false  map[]   {} [] 0} {app_server false  map[]   {} [] 0} {saml_idp_service_provider false  map[]   {} [] 0} {windows_desktop false  map[]   {} [] 0} {kube_server false  map[]   {} [] 0} {access_list false  map[]   {} [] 0}] services/watcher.go:259

I try to analyse the data but I failed understanding the issue.

[mighty-services]

I checked the API-Token and I can read and write with it in the DNS-Zones. The Cert gets delivered successfully, nginx-sais:

nginx-app  | [10/19/2023] [6:32:31 PM] [Nginx    ] › ℹ  info      Reloading Nginx
nginx-app  | [10/19/2023] [6:32:31 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Hetzner for Cert #95: *.teleport.example.com, teleport.example.com
nginx-app  | [10/19/2023] [6:32:31 PM] [SSL      ] › ℹ  info      Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_hetzner_api_token = amSZ3iOY39phzTuqqjtZ728FXy61pl7a' > '/etc/letsencrypt/credentials/credentials-95' && chmod 600 '/etc/letsencrypt/credentials/credentials-95' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-hetzner~=1.0.4  && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-95" --agree-tos --email "[email protected]" --domains "*.teleport.example.com,teleport.example.com" --authenticator dns-hetzner --dns-hetzner-credentials "/etc/letsencrypt/credentials/credentials-95"
nginx-app  | [10/19/2023] [6:32:39 PM] [SSL      ] › ℹ  info      Requesting a certificate for *.teleport.example.com and teleport.example.com
nginx-app  | 
nginx-app  | Successfully received certificate.
nginx-app  | Certificate is saved at: /etc/letsencrypt/live/npm-95/fullchain.pem
nginx-app  | Key is saved at:         /etc/letsencrypt/live/npm-95/privkey.pem
nginx-app  | This certificate expires on 2024-01-17.
nginx-app  | These files will be updated when the certificate renews.
nginx-app  | NEXT STEPS:
nginx-app  | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
nginx-app  | 
nginx-app  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nginx-app  | If you like Certbot, please consider supporting our work by:
nginx-app  |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
nginx-app  |  * Donating to EFF:                    https://eff.org/donate-le
nginx-app  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nginx-app  | [10/19/2023] [6:32:39 PM] [Nginx    ] › ℹ  info      Reloading Nginx
nginx-app  | [10/19/2023] [6:32:39 PM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/51.conf
nginx-app  | [10/19/2023] [6:32:39 PM] [Nginx    ] › ℹ  info      Reloading Nginx