Issue with Teleport in k8s using Cloudflare Origin certificates for domain

[dudeisbrendan03]

Hi there,
We're using Cloudflare Origin and Teleport in Kubernetes and we're experiencing an issue building a train of trust for Teleport, it's saying that there is an issue building trust although we've provided Teleport with the issuer of the certificate provided

We're constantly given, no matter the cert provided, 'unabel to verify HTTPS certificate chain: certificate not signed by known authority'

I'm assuming this is as Origin CA is not a trusted authority, is there any possible way to make Teleport accept CF Origin CA as a valid authority without running it without the insecure param?

Thanks in advance

Edit:
Just checked the deployment again, looks like someone has already added --insecure, but the issue still remains. Any clues?

[dudeisbrendan03]

@webvictim Sorry for the ping but you've usually had insight on issues that other people haven't provided, I've had 3 people look into this clueless and I still have no idea what's going on

[webvictim]

When is it that you're getting the error? When trying to connect to the web UI, or add an agent etc?

As an aside, Teleport validates certificate chains using standard Golang logic (which is to use the system trust store i.e. /etc/ssl/certificates or similar). Theoretically you should be able to add the Cloudflare Origin CA to the system trust store to make this go away.

[dudeisbrendan03]

I'll update the images to include the certificate in the system store and see how it goes!
It's when trying to deploy Teleport for the auth server + web UI

[evrynet1]

If you remove the universal SSL from CF then enable it again then the new certificate will be issued by LetsEncrypt rather than CloudFlare CA which might fixes the problem here.

[dudeisbrendan03]

We don't use Universal SSL, and this we're not even at that stage yet this is just trying to start Teleport- trying to figure out if there's a better method than putting it into the system cert store (since it's in kubernetes, it's kind of a hassle to do, and I feel like it's stupid mounting it as an opaque or something).

…

On Thu, Oct 14, 2021 at 9:18 PM evrynet1 ***@***.***> wrote: If you remove the universal SSL from CF then enable it again then the new certificate will be issued by LetsEncrypt rather than CloudFlare CA which might fixes the problem here. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fgravitational%2Fteleport%2Fdiscussions%2F8462%23discussioncomment-1479204&data=04%7C01%7C%7C4b46a4b112b64767045308d98f4fc1d3%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637698395005126639%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=zrKbrGDkK59aol1pKDWk5qcfaVjx2Ro%2BqQKoLKP6UZg%3D&reserved=0>, or unsubscribe <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABN3GAGHRADWKRCYEFRHUDTUG43IPANCNFSM5FGM4IFA&data=04%7C01%7C%7C4b46a4b112b64767045308d98f4fc1d3%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637698395005136637%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=FcbLddzxRvATOfCSYnOc%2FobOE6cBX82Y%2BKU%2B8VsHXng%3D&reserved=0> .

[webvictim]

There's a PR here (#8372) that would add support for setting SSL_CERT_DIR in the teleport-kube-agent chart - if you raised a similar PR for the teleport-cluster chart we'd be happy to take a look.