Adding a second Auth server to the cluster

Hello!
I have one Teleport Auth server and a load balancer (HAProxy) on another node.
Auth's configuration:

teleport:
  auth_token: my-little-token
  auth_servers: [ "my-site.example:3025" ]
  advertise_ip: 192.168.33.35
  log:
      output: /var/lib/teleport/teleport.log
      severity: DEBUG

auth_service:
  # enable the auth service:
  enabled: "yes"
  tokens:
  # this static token is used for other nodes to join this Teleport cluster
  - proxy,node:my-little-token

  cluster_name: "main"
  proxy_checks_host_keys: no
  session_recording: "proxy"

  # by default, local authentication will be used with 2FA
  authentication:
      second_factor: otp
  listen_addr: 0.0.0.0:3025
  public_addr: my-site.example:3025

# SSH is also enabled on this node:
ssh_service:
  enabled: "yes"

proxy_service:
    enabled: "no"

part of the Haproxy configuration:

frontend teleport_auth
    mode tcp
    timeout client 500s
    bind 192.168.33.37:3025
    use_backend teleport_auth_backend
    maxconn 500
    option tcplog

backend teleport_auth_backend
    mode tcp
    timeout server 500s
    server authserver 192.168.33.35:3025

I added a second Auth server with the configuration /etc/teleport.yaml of the first server (changed IP to 192.168.33.38 in config).
Changed Haproxy's backend:

backend teleport_auth_backend
    mode tcp
    timeout server 500s
    balance roundrobin
    server authserver 192.168.33.35:3025
    server auth2server 192.168.33.38:3025

I get errors on startup:

Sep 16 13:06:40 auth2server teleport[3449]: [AUTH]    Auth service 4.3.5:v4.3.5-0-g122349e78 is starting on 0.0.0.0:3025.
Sep 16 13:06:40 auth2server teleport[3449]: http: TLS handshake error from 127.0.0.1:60878: remote error: tls: bad certificate
Sep 16 13:06:51 auth2server teleport[3449]: http: TLS handshake error from 127.0.0.1:60884: remote error: tls: bad certificate

Clearing the /var/lib/teleport directory didn’t help.

What did I do wrong?

I guess it’s available only for highly available back-ends (DynamoDB, S3, etcd)?

Will there be support for Consul?

Exactly correct, yes - HA storage is needed to use more than one auth server. etcd is probably the simplest non-proprietary one to get up and running.

There are no plans to implement Consul currently.

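An added example (not from this thread and not Teleport's own documentation) of what the answer points at: the `teleport.storage` section of the auth configuration switched from the default on-disk backend to a shared etcd cluster, so that both auth servers read and write the same cluster state (cluster CA keys, join tokens, sessions) instead of each generating its own CA. The etcd peer addresses and certificate paths are assumptions.

```yaml
# Added example: the same teleport.yaml is used on BOTH auth servers
# (192.168.33.35 and 192.168.33.38); only advertise_ip differs per host.
# The storage block is what makes a second auth server possible: with the
# default local directory backend each auth server keeps a private cluster
# CA, and the proxy/nodes behind the HAProxy round-robin then hit certificates
# signed by a CA they do not trust. etcd peers and cert paths are placeholders.
teleport:
  auth_token: my-little-token
  auth_servers: [ "my-site.example:3025" ]
  advertise_ip: 192.168.33.35          # 192.168.33.38 on the second auth server
  storage:
    type: etcd
    # every auth server must point at the same etcd cluster (assumed hosts)
    peers:
      - "https://etcd1.example:2379"
      - "https://etcd2.example:2379"
      - "https://etcd3.example:2379"
    # client certificate + CA for mutual TLS between Teleport and etcd
    tls_cert_file: /var/lib/teleport/etcd-cert.pem
    tls_key_file: /var/lib/teleport/etcd-key.pem
    tls_ca_file: /var/lib/teleport/etcd-ca.pem
    # key prefix under which Teleport stores its state in etcd
    prefix: teleport
    # true would skip etcd certificate verification; keep it false
    insecure: false

auth_service:
  enabled: "yes"
  tokens:
  - proxy,node:my-little-token
  cluster_name: "main"
  listen_addr: 0.0.0.0:3025
  public_addr: my-site.example:3025
```

Because the cluster CA now lives in etcd, the `/var/lib/teleport` directory on each auth server no longer has to be copied between hosts; the HAProxy backend from the question can then round-robin across both auth servers.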