ACME TLS-ALPN-01 challenge requires port 443

[r0mant]

Description

What happened:

Generate Teleport config using:

teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com > /tmp/teleport.yaml

Start it as usual:

sudo -E /usr/local/bin/teleport start -d -c /tmp/teleport.yaml

Open https://teleport.example.com:3080 in browser and observe it fail to fetch certificate from Let's Encrypt:

ERRO [PROXY:SER] "proxy2021/02/27 00:49:17 http: TLS handshake error from 1.2.3.4:12345: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/123456789\" for domain \"teleport.example.com\": no viable challenge type found\n" utils/cli.go:272

Teleport uses TLS-ALPN-01 challenge which it seems like can only be done on port 443:

This challenge was developed after TLS-SNI-01 became deprecated, and is being developed as a separate standard. Like TLS-SNI-01, it is performed via TLS on port 443.

After editing /tmp/teleport.yaml to change web proxy port to 443, it works.

What you expected to happen:

Ideally the challenge should support any port but it doesn't seem to be currently possible.

Next best thing would probably be updating teleport configure command to generate config with port 443 and also add file config validation to make sure port is 443 if ACME is enabled.

Reproduction Steps

Described above.

Server Details

• Teleport version (run teleport version): Teleport v6.0.0-rc.1 git:v6.0.0-rc.1-0-g5470bb912 go1.15.5
• Server OS (e.g. from /etc/os-release): Amazon Linux 2
• Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): AWS EC2 instance