From 81e29e5792f8d81f98f0f1c9ed601fe707b0b9c8 Mon Sep 17 00:00:00 2001
From: Paul Schisa <75806143+pschisa@users.noreply.github.com>
Date: Fri, 12 Apr 2024 18:13:30 -0400
Subject: [PATCH] [v14] Update docs to call out acme is not for HA (#40482)

* Update docs to call out acme is not for HA

based on user issues, until https://github.com/gravitational/teleport/issues/27613#issue-1746989232 is implemented we should call out that using ACME is not for HA deployments

* Update proxy-service.yaml
---
 docs/pages/includes/config-reference/proxy-service.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/pages/includes/config-reference/proxy-service.yaml b/docs/pages/includes/config-reference/proxy-service.yaml
index 13851cedaf3e1..80cce14ef4ee3 100644
--- a/docs/pages/includes/config-reference/proxy-service.yaml
+++ b/docs/pages/includes/config-reference/proxy-service.yaml
@@ -127,6 +127,9 @@ proxy_service:
     # Also set using the CLI command:
     # 'teleport configure --acme --acme-email=email@example.com \
     # --cluster-name=tele.example.com -o file'
+    # This should NOT be enabled in a highly available Teleport deployment
+    # Using in HA can lead to too many failed authorizations and a lock-up
+    # of the ACME process (https://letsencrypt.org/docs/failed-validation-limit/)
     #acme:
     #  enabled: yes
     #  email: user@example.com