Add notes about wildcard certificates #9454
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
cf5ec8c to
d463dbd
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
d463dbd to
bf10176
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
bf10176 to
aa85ee9
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
aa85ee9 to
43afe5f
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
3 times, most recently
from
de89404 to
600d423
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
600d423 to
1265f03
Compare
zmb3
reviewed
Feb 4, 2022
There was a problem hiding this comment.
Whether or not we agree with them, many organizations still see the requirement for a wildcard certificate as less secure or harder to obtain.
It would be nice if we could find a way to suggest wildcard certificates for their ease of use without scaring away folks who don't want to use wildcards.
| - We will assume your Teleport cluster is accessible at `teleport.example.com` and `*.teleport.example.com`. Configured DNS records are required to automatically fetch a [Let's Encrypt](https://letsencrypt.org) certificate. | ||
|
|
||
| <Admonition type="note" title="Teleport and Wildcard Certificates"> | ||
| Teleport assigns a subdomain to each application you have configured for Application Access (e.g., `grafana.teleport.example.com`), so you need to create a DNS A record with a wildcard subdomain (e.g., `*.teleport.example.com`). This way, Let's Encrypt can issue a wildcard certificate, enabling clients to verify your Teleport hosts regardless of the application they are accessing. |
There was a problem hiding this comment.
You don't necessarily need a wildcard certificate, this is just the quickest and easiest solution.
Can we word this in such a way to at least suggest that the alternative of requesting only the subdomains you plan to put behind app access is possible?
| @@ -41,6 +45,10 @@ using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol. | |||
| We will assume that you have configured DNS records for `teleport.example.com` | |||
| and `*.teleport.example.com` to point to the Teleport node. | |||
|
|
|||
| <Admonition type="note" title="Why do I need a wildcard certificate?"> | |||
There was a problem hiding this comment.
Should this be an include? I would think so, given it's copied several times.
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
1265f03 to
4f04e02
Compare
zmb3
approved these changes
Feb 10, 2022
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
2 times, most recently
from
0cc6199 to
fd584ec
Compare
r0mant
reviewed
Feb 14, 2022
| @@ -131,8 +133,7 @@ for web apps using [application access](../../application-access/introduction.md | |||
|
|
|||
| # Create a JSON file changeset for AWS. | |||
| $ jq -n --arg ip ${MYIP?} --arg dns ${MYDNS?} '{"Comment": "Create records", "Changes": [ | |||
| {"Action": "CREATE", "ResourceRecordSet": {"Name": $dns, "Type": "A", "TTL": 300, "ResourceRecords": [{ "Value": $ip}]}}, | |||
| {"Action": "CREATE", "ResourceRecordSet": {"Name": ("*." + $dns), "Type": "A", "TTL": 300, "ResourceRecords": [{ "Value": $ip}]}} | |||
There was a problem hiding this comment.
I'm not sure why are we removing the commands for creating wildcard records? If we do that, it is no longer a copy-pasteable example :) Same below.
There was a problem hiding this comment.
Good point—I've restored the original commands while adding a reminder to adjust them for your environment in case, say, a user doesn't want to create a wildcard record.
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
2 times, most recently
from
2ea8f54 to
2713841
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
2 times, most recently
from
e8b4f71 to
075784b
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
075784b to
dc685be
Compare
|
@r0mant Would you have time to give this one another look? Thanks! |
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
dc685be to
9ae8b12
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
3 times, most recently
from
a903a90 to
c1bb9db
Compare
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
c1bb9db to
36ba8b9
Compare
russjones
approved these changes
Mar 18, 2022
Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378
- Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain
ptgott
force-pushed
the
paul.gottschling/wildcards-5378
branch
from
36ba8b9 to
67d4b5d
Compare
ptgott
added a commit
that referenced
this pull request
Mar 21, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 21, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 21, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 22, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 22, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 22, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 22, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 22, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
ptgott
added a commit
that referenced
this pull request
Mar 22, 2022
Backports #9454 * Add notes about wildcard certificates Guides to getting started with Teleport on various platforms recommend creating a DNS record for *.teleport.com. It would help prospective users to know why this is needed. This change adds context for why Application Access requires a wildcard subdomain. Fixes #5378 * Respond to PR feedback - Move information into a partial - Mention that you can create a DNS A record for each application- specific subdomain * Restore DNS-related cloud provider commands
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Guides to getting started with Teleport on various platforms
recommend creating a DNS record for *.teleport.com. It would help
prospective users to know why this is needed. This change adds
context for why Application Access requires a wildcard subdomain.
Fixes #5378