Teleport U2F console question

My auth server and proxy server are both running on AWS, behind a load balancer with ACM.

My configuration is as below:

auth server:

[root@teleport_auth ~]# cat /etc/teleport.yaml
teleport:
  nodename: teleport-auth
  data_dir: /var/lib/teleport
  log:
    output: syslog
    severity: INFO
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  tokens:
          - "proxy:qwert"
          - "node:123456"
  authentication:
    type: local
    second_factor: u2f
    u2f:
      app_id: https://domain_name
      facets:
          - https://domain_name
ssh_service:
  enabled: "no"
proxy_service:
  enabled: "no"

proxy server:

teleport:
  nodename: teleport-proxy
  auth_token: qwert
  auth_servers:
          - domain_name:3025
  data_dir: /var/lib/teleport
  log:
    output: syslog
    severity: INFO
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  tunnel_listen_addr: 0.0.0.0:3024
  web_listen_addr: 0.0.0.0:3080
  public_addr: https://domain_name:443
  ssh_public_addr: domain_name:3023
auth_service:
  enabled: "no"
ssh_service:
  enabled: "no"

And now I can log in with U2F on the website, but I cannot log in on the command line:

LeodeMacBook-Pro:teleport Leo$ ./tsh login --proxy=domain_name:443 --user leo -d
INFO [CLIENT]    no host login given. defaulting to Leo client/api.go:752
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.xVbhXIGnHW/Listeners" client/api.go:1923
DEBU [CLIENT]    not using loopback pool for remote proxy addr: domain_name:443 client/api.go:1884
DEBU [CLIENT]    HTTPS client init(proxyAddr=domain_name:443, insecure=false) client/weblogin.go:252
Enter password for Teleport user leo:
DEBU [CLIENT]    not using loopback pool for remote proxy addr: domain_name:443 client/api.go:1884
DEBU [CLIENT]    HTTPS client init(proxyAddr=domain_name:443, insecure=false) client/weblogin.go:252
Please press the button on your U2F key

ERROR REPORT:
Original Error: *trace.AccessDeniedError invalid U2F response
Stack Trace:
	/tmp/20190802T103500/src/github.com/gravitational/teleport/lib/client/weblogin.go:503 github.com/gravitational/teleport/lib/client.SSHAgentU2FLogin
	/tmp/20190802T103500/src/github.com/gravitational/teleport/lib/client/api.go:1847 github.com/gravitational/teleport/lib/client.(*TeleportClient).u2fLogin
	/tmp/20190802T103500/src/github.com/gravitational/teleport/lib/client/api.go:1745 github.com/gravitational/teleport/lib/client.(*TeleportClient).localLogin
	/tmp/20190802T103500/src/github.com/gravitational/teleport/lib/client/api.go:1546 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
	/tmp/20190802T103500/src/github.com/gravitational/teleport/tool/tsh/tsh.go:426 main.onLogin
	/tmp/20190802T103500/src/github.com/gravitational/teleport/tool/tsh/tsh.go:321 main.Run
	/tmp/20190802T103500/src/github.com/gravitational/teleport/tool/tsh/tsh.go:171 main.main
	/usr/local/go/src/runtime/proc.go:209 runtime.main
	/usr/local/go/src/runtime/asm_amd64.s:1338 runtime.goexit
User Message: 


Firstly, the public_addr section of your proxy config shouldn’t contain the https://, just domain_name:443 - change this and restart the proxy server(s).

Now, there are a few things I’d like you to try to solve this:

  1. Make sure that your facets entry is set to https://domain_name:443 rather than just https://domain_name, restart Teleport on your auth server and try logging in again.

If this doesn’t work…

  1. As per the config example at https://gravitational.com/teleport/docs/admin-guide/#configuration-file:
        u2f:
            # app_id must point to the URL of the Teleport Web UI (proxy) accessible
            # by the end users
            app_id: https://localhost:3080
            # facets must list all proxy servers if there are more than one deployed
            facets:
            - https://localhost:3080

I think that you may need to explicitly list the hostname and port for each of your proxy servers under the facets section, rather than just the load balancer in front of them.
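To make the three checks in this reply concrete (no scheme in `public_addr`, a `https://host:port` facet for every proxy rather than just the load balancer, and `app_id` listed among the facets as in the documented example), here is a small config lint, added here as an example and not part of the thread or of Teleport itself. It takes the auth and proxy configs as the dicts a YAML loader would produce (the sample values are the ones from the question, with `domain_name` kept as the placeholder), and assumes Teleport's default web port of 3080 when `public_addr` carries no port; IPv6 literals are not handled.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_WEB_PORT = 3080  # assumption: Teleport's default proxy web port

# Constructed sample: the auth and proxy configs from the question, as dicts.
AUTH_CFG = {
    "auth_service": {
        "authentication": {
            "type": "local",
            "second_factor": "u2f",
            "u2f": {
                "app_id": "https://domain_name",
                "facets": ["https://domain_name"],
            },
        }
    }
}

PROXY_CFG = {
    "proxy_service": {
        "public_addr": "https://domain_name:443",
        "web_listen_addr": "0.0.0.0:3080",
    }
}


def proxy_web_origin(public_addr: str) -> Tuple[Optional[str], str]:
    """Derive the https origin the U2F client sees for a proxy from its
    public_addr. Returns (finding or None, origin). public_addr should be a
    bare host:port; a scheme is reported as a finding and stripped."""
    finding = None
    addr = public_addr
    if "://" in addr:
        addr = addr.split("://", 1)[1]
        finding = ("proxy_service.public_addr %r must not contain a scheme; use %r"
                   % (public_addr, addr))
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        # No explicit port: assume the default web port.
        host, port = addr, str(DEFAULT_WEB_PORT)
    return finding, "https://%s:%s" % (host, port)


def check_u2f_config(auth_cfg: Dict, proxy_cfgs: Dict[str, Dict]) -> List[str]:
    """Return a list of findings; an empty list means the U2F settings on the
    auth server line up with every proxy's public address."""
    findings: List[str] = []
    u2f = (auth_cfg.get("auth_service", {})
           .get("authentication", {})
           .get("u2f") or {})
    facets = list(u2f.get("facets") or [])
    app_id = u2f.get("app_id")

    if not app_id:
        findings.append("auth_service.authentication.u2f.app_id is missing")
    elif app_id not in facets:
        findings.append("app_id %r is not listed under facets (the documented "
                        "example uses the same URL for both)" % app_id)

    for name, cfg in proxy_cfgs.items():
        public_addr = cfg.get("proxy_service", {}).get("public_addr")
        if not public_addr:
            findings.append("%s: proxy_service.public_addr is not set" % name)
            continue
        finding, origin = proxy_web_origin(public_addr)
        if finding:
            findings.append("%s: %s" % (name, finding))
        if origin not in facets:
            # Each proxy needs its own host:port facet, not just the LB name.
            findings.append("%s: facets does not list %r (each proxy needs its "
                            "own https://host:port entry)" % (name, origin))
    return findings


if __name__ == "__main__":
    for line in check_u2f_config(AUTH_CFG, {"teleport-proxy": PROXY_CFG}):
        print("-", line)
```

Run against the question's configs it reports the scheme in `public_addr` and the missing `https://domain_name:443` facet; with `public_addr: domain_name:443` and `https://domain_name:443` for both `app_id` and `facets` it reports nothing. When several proxies sit behind the load balancer, pass each one's config in `proxy_cfgs` and the lint will ask for a facet per proxy.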