Teleport and Root CA

In order to verify that the public key belongs to the root CA and that the public certificate and private key pair match, here’s the output of the command line:

root@jumpnet-mgnt:/var/lib/teleport# openssl x509 -noout -modulus -in fullchain.pem | openssl md5 > /tmp/pub.txt
root@jumpnet-mgnt:/var/lib/teleport# openssl rsa -noout -modulus -in privkey.pem | openssl md5 > /tmp/priv.txt
root@jumpnet-mgnt:/var/lib/teleport# diff /tmp/pub.txt /tmp/priv.txt
root@jumpnet-mgnt:/var/lib/teleport# openssl verify -CAfile /usr/local/share/ca-certificates/graysonpeddie-ca.crt fullchain.pem
fullchain.pem: OK
root@jumpnet-mgnt:/var/lib/teleport#

I’ve been trying to get Teleport up and running in a Linux container that I created in Proxmox. Here are the instructions that I followed for the private network deployment.

I have placed my root CA file in the /usr/local/share/ca-certificates directory and updated the certificate store using update-ca-certificates in Debian.

When I try to start or restart Teleport, I receive an error message:

Jul 04 20:43:30 jumpnet-mgnt teleport[1842]: ERROR: "unable to verify HTTPS certificate chain in : \x1b[31mERROR: \x1b[0mWARNING:"
Jul 04 20:43:30 jumpnet-mgnt teleport[1842]:   The certificate presented by the proxy is invalid: x509: certificate specifies an incompatible key usage.
Jul 04 20:43:30 jumpnet-mgnt teleport[1842]:   Contact your Teleport system administrator to resolve this issue.
Jul 04 20:43:30 jumpnet-mgnt systemd[1]: teleport.service: Main process exited, code=exited, status=1/FAILURE

So who’s the Teleport administrator? I’m the only administrator. Thank you, Teleport, for a vague error message. And that reminds me of Portal Stories: Mel, Chapter 4:

(Sure, this video has nothing to do with my topic, but I thought I could make anyone laugh when Virgil said there’s no administrator left in the facility. :laughing:)

This is the command I used to configure Teleport:

sudo teleport configure -o file --cluster-name=jumpnet-mgnt.graysonpeddie.lan --public-addr=jumpnet-mgnt.graysonpeddie.lan  --cert-file=/var/lib/teleport/fullchain.pem --key-file=/var/lib/teleport/privkey.pem

There’s no configuration flag for specifying a root CA:

gpadmin-local@jumpnet-mgnt:~$ teleport configure --help
usage: teleport configure [<flags>]

Generate a simple config file to get started.

Flags:
      --cluster-name  Unique cluster name, e.g. example.com.
  -o, --output        Write to stdout with -o=stdout, default config file with -o=file or custom path with -o=file:///path
      --acme          Get automatic certificate from Letsencrypt.org using ACME.
      --acme-email    Email to receive updates from Letsencrypt.org.
      --test          Path to a configuration file to test.
      --version       Teleport configuration version.
      --public-addr   The hostport that the proxy advertises for the HTTP endpoint.
      --cert-file     Path to a TLS certificate file for the proxy.
      --key-file      Path to a TLS key file for the proxy.
      --data-dir      Path to a directory where Teleport keep its data.
      --token         Invitation token to register with an auth server.
      --roles         Comma-separated list of roles to create config with.
      --auth-server   Address of the auth server.
      --app-name      Name of the application to start when using app role.
      --app-uri       Internal address of the application to proxy.

In OPNsense, the certificate and private key are .crt and .key files respectively, so how do I go about solving the problem? Also, instead of placing a root CA file in the /usr/local/share/ca-certificates directory so that Teleport can trust a CA, how do I go about getting Teleport to trust my root CA that I created in OPNsense?
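Teleport is written in Go, and the text "x509: certificate specifies an incompatible key usage" in the log above is the error Go's crypto/x509 returns when a certificate in the chain carries an Extended Key Usage extension that does not include serverAuth (openssl verify does not check this, which is why it says OK). The added example below (not Teleport's code, not from the original post) mints a throwaway root CA plus leaf certificates with different EKU sets and runs the same verification a Go TLS client performs; the host name and the "throwaway root" CA are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Extended key usages a leaf may carry; passing none to IssueAndCheck omits the extension.
const ServerAuth, ClientAuth = x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth

// CheckServerAuth verifies leaf against root the way a Go TLS client does: the
// chain must build and every certificate in it must permit serverAuth.
func CheckServerAuth(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// must turns CreateCertificate's output into a parsed certificate or panics.
func must(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err) // only reachable with a bad template; the ones below are fixed
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// IssueAndCheck mints a throwaway root CA plus a leaf for host carrying the given
// EKUs (constructed test data, not a real CA) and runs CheckServerAuth on the pair.
func IssueAndCheck(host string, eku ...x509.ExtKeyUsage) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "throwaway root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	leaf := must(x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, caKey))
	return CheckServerAuth(leaf, root)
}
```

A leaf with no EKU extension or with serverAuth passes, while one restricted to clientAuth fails with exactly the message in the Teleport log; Go applies the same rule to every CA certificate in the chain, so the EKU of the issuing CA matters as well. To inspect a real file, `openssl x509 -noout -ext extendedKeyUsage -in fullchain.pem` shows which usages the certificate actually carries.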