docs: add self signed certs guide

docs/config.json

@@ -389,6 +389,10 @@
             {
               "title": "Run Teleport as a Daemon",
               "slug": "/management/admin/daemon/"
+            },
+            {
+              "title": "Run Teleport with Self-Signed Certificates",
+              "slug": "/management/admin/self-signed-certs/"
             }
           ]
         },
@@ -803,10 +807,10 @@
           "title": "Access Controls",
           "slug": "/desktop-access/rbac/"
         },
-	{
-	    "title": "Directory Sharing",
-	    "slug": "/desktop-access/directory-sharing/"
-	},
+        {
+          "title": "Directory Sharing",
+          "slug": "/desktop-access/directory-sharing/"
+        },
         {
           "title": "Reference",
           "slug": "/desktop-access/reference/",

docs/pages/application-access/guides/connecting-apps.mdx

@@ -65,28 +65,7 @@ In our example:
 - `teleport.example.com` will host the Access Plane.
 - `*.teleport.example.com` will host all of the applications e.g. `grafana.teleport.example.com`.
 
-You can either configure Teleport to obtain a TLS certificate via Let's Encrypt or use an existing certificate and private key (e.g. using [certbot](https://certbot.eff.org/)).
-<Tabs>
-<TabItem label="Let's Encrypt">
-(!docs/pages/includes/acme.mdx!)
-</TabItem>
-<TabItem label="Existing Credentials">
-If you have obtained certificate/key pairs for your domain they can be provided directly
-to the proxy service:
-
-```yaml
-proxy_service:
-  enabled: "yes"
-  web_listen_addr: "0.0.0.0:443"
-  public_addr: "teleport.example.com:443"
-  https_keypairs:
-  - key_file: "/etc/letsencrypt/live/teleport.example.com/privkey.pem"
-    cert_file: "/etc/letsencrypt/live/teleport.example.com/fullchain.pem"
-  - key_file: "/etc/letsencrypt/live/*.teleport.example.com/privkey.pem"
-    cert_file: "/etc/letsencrypt/live/*.teleport.example.com/fullchain.pem"
-```
-</TabItem>
-</Tabs>
+(!docs/pages/includes/tls-certificate-setup.mdx!)
 
 ### Create a user
 

docs/pages/deploy-a-cluster/open-source.mdx

@@ -110,34 +110,7 @@ Take a look at the [Installation Guide](../installation.mdx) for more options.
 Generate a configuration file for Teleport using the `teleport configure` command.
 This command requires information about a TLS certificate and private key.
 
-If you are running Teleport on the internet, we recommend using Let's Encrypt to
-receive your key and certificate automatically. For private networks or custom
-deployments, use your own private key and certificate.
-
-<Tabs>
-  <TabItem label="Public internet deployment with Let's Encrypt">
-  (!docs/pages/includes/acme.mdx!)
-
-  </TabItem>
-
-  <TabItem label="Private network deployment">
-  On your Teleport host, place a valid private key and a certificate chain in `/var/lib/teleport/privkey.pem`
-  and `/var/lib/teleport/fullchain.pem` respectively.
-
-  The leaf certificate must have a subject that corresponds to the domain of your Teleport host, e.g., `*.teleport.example.com`.
-
-  Configure Teleport, changing the values of the `--cluster-name` and `--public-addr` flags to match the domain name of your Teleport host.
-
-  ```code
-  $ sudo teleport configure -o file \
-      --cluster-name=tele.example.com \
-      --public-addr=tele.example.com:443 \
-      --cert-file=/var/lib/teleport/fullchain.pem \
-      --key-file=/var/lib/teleport/privkey.pem
-  ```
-  </TabItem>
-
-</Tabs>
+(!docs/pages/includes/tls-certificate-setup.mdx!)
 
 Next, configure Teleport to provide secure access to your web service. Edit your
 Teleport configuration file (`/etc/teleport.yaml`) to include the following,

docs/pages/deploy-a-cluster/teleport-enterprise/getting-started.mdx

@@ -144,30 +144,7 @@ If you are exposing your Teleport host to the internet, we recommend using Let's
 Encrypt to receive your key and certificate automatically. For private networks
 or custom deployments, use your own private key and certificate.
 
-<Tabs>
-  <TabItem label="Public internet deployment with Let's Encrypt">
-  (!docs/pages/includes/acme.mdx!)
-
-  </TabItem>
-
-  <TabItem label="Private network deployment">
-  On your Teleport host, place a valid private key and a certificate chain in `/var/lib/teleport/privkey.pem`
-  and `/var/lib/teleport/fullchain.pem` respectively.
-
-  The leaf certificate must have a subject that corresponds to the domain of your Teleport host, e.g., `*.teleport.example.com`.
-
-  Configure Teleport, changing the values of the `--cluster-name` and `--public-addr` flags to match the domain name of your Teleport host.
-
-  ```code
-  $ sudo teleport configure -o file \
-      --cluster-name=tele.example.com \
-      --public-addr=tele.example.com:443 \
-      --cert-file=/var/lib/teleport/fullchain.pem \
-      --key-file=/var/lib/teleport/privkey.pem
-  ```
-  </TabItem>
-
-</Tabs>
+(!docs/pages/includes/tls-certificate-setup.mdx!)
 
 Next, configure Teleport to provide secure access to your web service. Edit your
 Teleport configuration file (`/etc/teleport.yaml`) to include the following,

docs/pages/includes/tls-certificate-setup.mdx

@@ -0,0 +1,59 @@
+If you are running Teleport on the internet, we recommend using Let's Encrypt to
+receive your key and certificate automatically. For private networks or custom
+deployments, use your own private key and certificate.
+<Tabs>
+
+  <TabItem label="Public internet deployment with Let's Encrypt">
+    Let's Encrypt verifies that you control the domain name of your Teleport cluster
+    by communicating with the HTTPS server listening on port 443 of your Teleport
+    Proxy Service.
+
+    You can configure the Teleport Proxy Service to complete the Let's Encrypt
+    verification process when it starts up.
+
+    On the host where you will start the Teleport Auth Service and Proxy Service,
+    run the following `teleport configure` command, where `tele.example.com` is the
+    domain name of your Teleport cluster and `user@example.com` is an email address
+    used for notifications (you can use any domain):
+
+    ```code
+    $ DOMAIN=tele.example.com
+    $ EMAIL=user@example.com
+    $ teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | \
+    sudo tee /etc/teleport.yaml > /dev/null
+    ```
+
+    The `--acme`, `--acme-email`, and `--cluster-name` flags will add the following
+    settings to your Teleport configuration file:
+
+    ```yaml
+    proxy_service:
+      enabled: "yes"
+      web_listen_addr: 0.0.0.0:443
+      public_addr: tele.example.com:443
+      acme:
+        enabled: "yes"
+        email: user@example.com
+    ```
+
+    Port 443 on your Teleport Proxy Service host must allow traffic from all sources.
+  </TabItem>
+
+  <TabItem label="Private network deployment">
+  On your Teleport host, place a valid private key and a certificate chain in `/var/lib/teleport/privkey.pem`
+  and `/var/lib/teleport/fullchain.pem` respectively.
+
+  The leaf certificate must have a subject that corresponds to the domain of your Teleport host, e.g., `*.teleport.example.com`.
+
+  Configure Teleport, changing the values of the `--cluster-name` and `--public-addr` flags to match the domain name of your Teleport host.
+
+  ```code
+  $ sudo teleport configure -o file \
+      --cluster-name=tele.example.com \
+      --public-addr=tele.example.com:443 \
+      --cert-file=/var/lib/teleport/fullchain.pem \
+      --key-file=/var/lib/teleport/privkey.pem
+  ```
+  </TabItem>
+
+</Tabs>

docs/pages/management/admin.mdx

@@ -16,6 +16,8 @@ cluster maintenance tasks.
 
 - [Teleport Daemon](./admin/daemon.mdx): Set up Teleport as a daemon on Linux with systemd.
 - [Upgrade the Teleport Binary](./admin/upgrading-the-teleport-binary.mdx): Upgrade the `teleport` binary without losing connections.
+- [Run Teleport with Self-Signed Certificates](./admin/self-signed-certs.mdx): Set up Teleport in a local 
+environment without configuring TLS certificates.
 
 ## Manage users and resources