Application Redirects Fail with 'Access Denied' Error After Updating to Teleport Version 17.1.1 Due to Certificate Validation Issues #50556

Open
fabriciofeijo opened this issue Dec 23, 2024 · 5 comments · May be fixed by #50570
Labels
application-access bug c-su Internal Customer Reference mfa Issues related to Multi Factor Authentication regression

@fabriciofeijo

--- bug report ---
Expected behavior:
After updating the Teleport clients to version 17.1.1, application redirects should work normally using valid certificates automatically generated by Teleport with ACME (Let's Encrypt).

Current behavior:
After the update to version 17.1.1, application redirects stopped working, showing the error message "Access Denied" and indicating that the certificate is invalid or self-signed. However, the certificate generated by the self-hosted Teleport server is valid, as we can access the server without any issues.

Bug details:

  • Teleport version:

    • Server: 17.1.1
    • Client: 17.1.1
  • Recreation steps:

    1. Update the Teleport clients from version 16.4.6 to 17.1.1.

    2. Configure the server and client using the following configuration files:

      Server (proxy_service):

      proxy_service:
        enabled: "yes"
        web_listen_addr: 0.0.0.0:443
        public_addr: teleportdomain:443
        https_keypairs: []
        https_keypairs_reload_interval: 0s
        acme:
          enabled: "yes"
          email: support@teleportdomain

      Client (app_service):

      app_service:
        enabled: yes
        debug_app: false
        apps:
        - name: "oban"
          uri: "https://localhost:4002/oban"
          rewrite:
            headers:
              - "Authorization: Basic XXX"
          insecure_skip_verify: true
          labels:
            apptype: oban
    3. Attempt to access the configured application redirect on the client.

    4. Observe that the "Access Denied" error appears, indicating certificate-related issues.

  • Debug logs:
    Error message displayed:

@fabriciofeijo
Author

Dec 23 14:08:32 teleport-graviton teleport[1827620]: User Message: acme/autocert: missing server name] alpnproxy/proxy.go:346
Dec 23 14:08:32 teleport-graviton teleport[1827620]: 2024-12-23T14:08:32-03:00 WARN [ALPN:PROX] Failed to handle client connection: with proxy_service.acme on, IP URL https://IP is not supported, use one of the domains in proxy_service.public_addr: teleportdomain alpnproxy/proxy.go:341
Dec 23 14:08:33 teleport-graviton teleport[1827620]: 2024-12-23T14:08:33-03:00 WARN [ALPN:PROX] Failed to handle client connection: with proxy_service.acme on, IP URL https://IP is not supported, use one of the domains in proxy_service.public_addr: teleportdomain alpnproxy/proxy.go:341
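
The warnings above come from connections that reach an ACME-enabled proxy by IP address. As an added illustration (standard-library Go, not Teleport code and not posted by anyone in this thread), the program below shows the mechanism behind that class of refusal: Go's `crypto/tls` client sends no SNI when the server name is an IP literal, so a server that picks its certificate by name has nothing to look up. The hostname `teleport.example.test`, the `probe` helper and the in-memory connection are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// probe runs one in-memory handshake; it returns the SNI the server saw and the server's error.
func probe(dialName string) (sni string, serverErr error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"teleport.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srv := &tls.Config{MaxVersion: tls.VersionTLS12, // strict ping-pong flights suit the unbuffered net.Pipe
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if sni = h.ServerName; sni == "" { // certificates are selected by name only
				return nil, errors.New("missing server name")
			}
			return &cert, nil
		}}
	cl, sv := net.Pipe()
	defer cl.Close()
	defer sv.Close()
	done := make(chan error, 1)
	go func() { done <- tls.Server(sv, srv).Handshake() }()
	// crypto/tls sends no SNI extension when ServerName is an IP literal.
	tls.Client(cl, &tls.Config{ServerName: dialName, InsecureSkipVerify: true}).Handshake()
	serverErr = <-done
	return
}

func main() {
	fmt.Println(probe("teleport.example.test")) // name sent as SNI: handshake completes
	fmt.Println(probe("127.0.0.1"))             // IP literal: no SNI, server refuses
}
```

`InsecureSkipVerify` is set only because the certificate here is a throwaway self-signed one; the point of the example is the server-side view of the ClientHello, not chain validation.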

@zmb3
Collaborator

zmb3 commented Dec 23, 2024

Likely due to #49679

@zmb3 zmb3 added mfa Issues related to Multi Factor Authentication application-access regression labels Dec 23, 2024
@fabriciofeijo
Author

I first downgraded from version 17.1.1 to 17.1.0, but the issue remained. Then, I downgraded to version 17.0.5, and the web app redirection started working properly again.

@fabriciofeijo fabriciofeijo changed the title Application Redirects Fail with 'Access Denied' Error After Updating Teleport Clients to Version 17.1.1 Due to Certificate Validation Issues Application Redirects Fail with 'Access Denied' Error After Updating to Teleport Version 17.1.1 Due to Certificate Validation Issues Dec 23, 2024
@joaoubaldo
Contributor

We (c-jm) are experiencing the same after upgrading from 17.0.4. Starting from 17.0.5 we had issues with web app access or access requests (issue).

@zmb3
Collaborator

zmb3 commented Dec 24, 2024

This block looks suspicious to me:

https://github.com/gravitational/teleport/pull/49679/files#diff-7d8ffe9ea5d6ad068374c3e127aebd1134bf1b1dadd707fce6796d68fca84b7bR67-R74

Prior to that, parseMfaChallengeJson would never return null.
