External domains appear in ACME cert provisioning logs

[voidburn]

Hello community,

We've noticed a large amount of external domains attempting to provision acme certificates in our proxies. These are domains that are not in the proxy_service.public_addr list.

This is an example taken from the logs:

• 2025-06-11T05:38:13.944Z WARN [ALPN:PROX] Failed to handle client connection: acme can't get a cert for domain www.slashed.cloud, add it to the proxy_service.public_addr
• 2025-06-11T03:54:48.061Z WARN [ALPN:PROX] Failed to handle client connection: acme can't get a cert for domain front.else.app, add it to the proxy_service.public_addr
• 2025-06-11T03:57:01.965Z WARN [ALPN:PROX] Failed to handle client connection: acme can't get a cert for domain www.textstudio.com, add it to the proxy_service.public_addr
• 2025-06-11T01:56:46.702Z WARN [ALPN:PROX] Failed to handle client connection: acme can't get a cert for domain www.nst.com.my, add it to the proxy_service.public_addr

This is particularly concerning for us (at least from the verbiage of the logged errors), because it looks like an external - unauthorized - client can get as far as attempting to provision certificates using our proxy.

Can anyone tell how or why is this happening? Should it be considered harmless spam?

[zmb3]

Teleport will attempt to get certs for web applications enrolled in the cluster. Is it possible that you have enrolled apps with these public addresses?

[voidburn]

100% not, that's what is concerning me. This looks like someone externally trying to register resources using my proxies, but how would they get as far as that without valid tokens?

[voidburn]

The version of Teleport we use in our proxy is 16.5.12. We don't have a cluster, it's a single proxy+auth deployment on the same machine, for a very small amount of nodes/web apps we use internally, running on always up to date Debian 12, firewall only opens port 443.

I can confirm that there are no registered resources that we cannot recognize ourselves. The frequency and variety of these log entries is very high, this is what just came through in 1 hour:

[zmb3]

Gotcha. Then this is most likely someone on the internet poking at your deployment.

A common DoS attack is to make a bunch of connections to a server supporting ACME, but asking for an incorrect host name. This forces the server into attempting to obtain certs for these domains, which fails but will eventually result in your server getting rate limited and becoming unable to get/renew real certs when the time comes.

You don't need to take any action, the warnings you see in the logs are happening because Teleport is refusing to attempt to get certs for these bogus domains.