In order to verify the public key belongs to the root CA and the public certificate and private key pair matches, here’s the output of the command line:
root@jumpnet-mgnt:/var/lib/teleport# openssl x509 -noout -modulus -in fullchain.pem | openssl md5 > /tmp/pub.txt
root@jumpnet-mgnt:/var/lib/teleport# openssl rsa -noout -modulus -in privkey.pem | openssl md5 > /tmp/priv.txt
root@jumpnet-mgnt:/var/lib/teleport# diff /tmp/pub.txt /tmp/priv.txt
root@jumpnet-mgnt:/var/lib/teleport# openssl verify -CAfile /usr/local/share/ca-certificates/graysonpeddie-ca.crt fullchain.pem
fullchain.pem: OK
root@jumpnet-mgnt:/var/lib/teleport#
I’ve been trying to get Teleport up and running in a Linux container that I created in Proxmox. Here are the instructions that I follow for the private network deployment.
I have placed my root CA file in the /usr/local/share/ca-certificates directory and updated the certificate store using update-ca-certificates in Debian.
When I try to start or restart Teleport, I receive an error message:
Jul 04 20:43:30 jumpnet-mgnt teleport[1842]: ERROR: "unable to verify HTTPS certificate chain in : \x1b[31mERROR: \x1b[0mWARNING:"
Jul 04 20:43:30 jumpnet-mgnt teleport[1842]: The certificate presented by the proxy is invalid: x509: certificate specifies an incompatible key usage.
Jul 04 20:43:30 jumpnet-mgnt teleport[1842]: Contact your Teleport system administrator to resolve this issue.
Jul 04 20:43:30 jumpnet-mgnt systemd[1]: teleport.service: Main process exited, code=exited, status=1/FAILURE
So who’s the Teleport administrator? I’m the only administrator. Thank you Teleport for a vague error message. And that reminds me of Portal Stories: Mel, Chapter 4:
(Sure, this video has nothing to do with my topic, but I thought I could make anyone laugh when Virgil said there’s no administrator left in the facility.)
This is the command I used to configure Teleport:
sudo teleport configure -o file --cluster-name=jumpnet-mgnt.graysonpeddie.lan --public-addr=jumpnet-mgnt.graysonpeddie.lan --cert-file=/var/lib/teleport/fullchain.pem --key-file=/var/lib/teleport/privkey.pem
There’s no configuration flag for specifying a root CA:
gpadmin-local@jumpnet-mgnt:~$ teleport configure --help
usage: teleport configure [<flags>]
Generate a simple config file to get started.
Flags:
--cluster-name Unique cluster name, e.g. example.com.
-o, --output Write to stdout with -o=stdout, default config file with -o=file or custom path with -o=file:///path
--acme Get automatic certificate from Letsencrypt.org using ACME.
--acme-email Email to receive updates from Letsencrypt.org.
--test Path to a configuration file to test.
--version Teleport configuration version.
--public-addr The hostport that the proxy advertises for the HTTP endpoint.
--cert-file Path to a TLS certificate file for the proxy.
--key-file Path to a TLS key file for the proxy.
--data-dir Path to a directory where Teleport keep its data.
--token Invitation token to register with an auth server.
--roles Comma-separated list of roles to create config with.
--auth-server Address of the auth server.
--app-name Name of the application to start when using app role.
--app-uri Internal address of the application to proxy.
In OPNsense, the certificate and private key files are .crt and .key files respectively, so how do I go about solving the problem? Also, instead of placing a root CA file in the /usr/local/share/ca-certificates directory so that Teleport can trust a CA, how do I go about getting Teleport to trust my root CA that I created in OPNsense?
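The error text quoted in the post ("x509: certificate specifies an incompatible key usage") is the wording Go's crypto/x509 package uses when a server certificate chain lacks the serverAuth extended key usage, and Teleport is a Go program. The modulus and openssl verify checks at the top of the post do not look at the EKU extension, so they pass even when this is the cause. The following is an added example, not code from the post or from Teleport: it builds a constructed root CA and leaf certificate in memory, verifies the leaf the way a Go TLS client does (trusted root, hostname, serverAuth EKU), and shows that a leaf issued with only the clientAuth EKU fails for exactly this reason. The hostname is taken from the post; the key type (ECDSA P-256) and the certificate lifetimes are assumptions, since the post does not show how the OPNsense certificate was issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with signer (self-signed when parent is nil) and parses it.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeChain builds a constructed root CA and a leaf for host. With serverAuth
// false the leaf carries only the clientAuth EKU, the shape that produces the
// "incompatible key usage" failure when the leaf is used as a server cert.
func MakeChain(host string, serverAuth bool) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	if err != nil {
		return nil, nil, err
	}
	root, err = newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-root-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if serverAuth {
		eku = append(eku, x509.ExtKeyUsageServerAuth) // what a proxy cert needs
	}
	leaf, err = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // Go matches the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// VerifyServerCert performs the check a Go TLS client makes on a server
// certificate: chain to the trusted root, hostname match, serverAuth EKU.
func VerifyServerCert(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsIncompatibleUsage reports whether err is the EKU mismatch quoted in the post.
func IsIncompatibleUsage(err error) bool {
	var invalid x509.CertificateInvalidError
	return errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage
}

func main() {
	const host = "jumpnet-mgnt.graysonpeddie.lan"
	for _, serverAuth := range []bool{false, true} {
		root, leaf, err := MakeChain(host, serverAuth)
		if err != nil {
			panic(err)
		}
		err = VerifyServerCert(leaf, root, host)
		fmt.Printf("serverAuth=%t: verify error = %v (incompatible usage: %t)\n",
			serverAuth, err, IsIncompatibleUsage(err))
	}
}
```

To apply the same check to the real fullchain.pem, look at the "X509v3 Extended Key Usage" line in the output of openssl x509 -noout -text -in fullchain.pem: a certificate that is meant to be served by the proxy must list TLS Web Server Authentication there, and the issuing CA must not have an EKU set that excludes it. The chain passing openssl verify only proves the signature and validity period; it says nothing about what the certificate is allowed to be used for.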