maxhoesel-ansible/ansible-collection-smallstep

provisioners not set in config

strarsis opened this issue · 2 comments

The provisioners are not set in the Smallstep CA server configuration (ca.json) or in the config defaults (defaults.json),
hence the CA server can't handle any requests (such as ACME using certbot).
I also set step_acme_cert_ca_provisioner explicitly to ACME, but it is still not used in the CA server configs,
even after purging all step CA server related files (using a fresh VM).

Playbook used for the host localca:

- hosts: localca
  become: yes

  tasks:
    - name: Install step-ca (local CA)
      include_role:
        name: maxhoesel.smallstep.step_ca
      vars:
        step_acme_cert_ca_provisioner: "ACME"

        # CA info
        step_ca_name: Test Dev CA
        step_ca_root_password: "test"
        step_ca_intermediate_password: "test"

Resulting ca.json - no authority/provisioner is present:

{
	"root": "/etc/step-ca/certs/root_ca.crt",
	"federatedRoots": null,
	"crt": "/etc/step-ca/certs/intermediate_ca.crt",
	"key": "/etc/step-ca/secrets/intermediate_ca_key",
	"address": ":443",
	"insecureAddress": "",
	"dnsNames": [
		"localca",
		"10.0.2.15"
	],
	"logger": {
		"format": "text"
	},
	"db": {
		"type": "badgerv2",
		"dataSource": "/etc/step-ca/db",
		"badgerFileLoadingMode": ""
	},
	"authority": {
		"template": {},
		"backdate": "1m0s"
	},
	"tls": {
		"cipherSuites": [
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
		],
		"minVersion": 1.2,
		"maxVersion": 1.3,
		"renegotiation": false
	}
}

defaults.json:

{
	"ca-url": "https://localca",
	"ca-config": "/etc/step-ca/config/ca.json",
	"fingerprint": "[...]",
	"root": "/etc/step-ca/certs/root_ca.crt"
}

The authority/provisioners part of another, manually created ca.json configuration;
note the ACME provisioner alongside the JWK provisioner.

	"authority": {
		"provisioners": [
			{
				"type": "JWK",
				"name": "dev@localca",
				"key": {
					"use": "sig",
					"kty": "EC",
					"kid": "[...]",
					"crv": "P-256",
					"alg": "ES256",
					"x": "[...]",
					"y": "[...]-bABdOu2f9KtbyZ_hXTKPUjtNM"
				},
				"encryptedKey": "[...]"
			},
			{
				"type": "ACME",
				"name": "acme"
			}
		]
	},

Perhaps I'm missing something, but did you add an ACME provisioner to the CA? step_ca only initializes the CA - it does not add any provisioners. If you want to use ACME, you first have to add an ACME provisioner to the CA yourself using the step_ca_provisioner module, then your clients can use that. The step_acme_cert role has an example at the bottom that should work.

# Configure your CA to include an ACME provisioner
- hosts: step_ca
  become: yes
  tasks:
    - name: Add an ACME provisioner to the CA
      maxhoesel.smallstep.step_ca_provisioner:
        name: ACME
        type: ACME
      become_user: step-ca
      notify: reload step-ca
  handlers:
    - name: reload step-ca
      systemd:
        name: step-ca
        state: reloaded
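A small check for the ca.json the role produced, added here as an example and not code from the maxhoesel.smallstep collection: it reports the missing-provisioners state from the report above and, mirroring the add-if-missing behaviour of the step_ca_provisioner task, adds an ACME provisioner idempotently. The sample config is constructed from the posted ca.json (trimmed to the relevant keys).

```python
"""Check a step-ca ca.json for an ACME provisioner and add one if it is missing.
Added example for this thread (not code from the maxhoesel.smallstep collection):
a plain-Python stand-in for the step_ca_provisioner task above, for verifying
the file the step_ca role produced."""
import json
from copy import deepcopy

# Constructed sample, trimmed from the reported ca.json: no "provisioners" key at all.
CA_JSON_WITHOUT_PROVISIONERS = """{
  "root": "/etc/step-ca/certs/root_ca.crt",
  "dnsNames": ["localca", "10.0.2.15"],
  "authority": {"template": {}, "backdate": "1m0s"}
}"""


def list_provisioners(config: dict) -> list:
    """authority.provisioners, or [] when the key is absent or null (the reported state)."""
    return config.get("authority", {}).get("provisioners") or []


def has_provisioner(config: dict, name: str, ptype: str = "ACME") -> bool:
    """True if a provisioner with this name and type exists (exact match, no case folding)."""
    return any(p.get("name") == name and p.get("type") == ptype
               for p in list_provisioners(config))


def ensure_acme_provisioner(config: dict, name: str = "ACME") -> tuple:
    """Return (new_config, changed); adds {"type": "ACME", "name": name} only if missing."""
    new = deepcopy(config)          # never mutate the caller's config
    if has_provisioner(new, name):
        return new, False           # idempotent: a second run reports no change
    authority = new.setdefault("authority", {})
    if authority.get("provisioners") is None:
        authority["provisioners"] = []
    authority["provisioners"].append({"type": "ACME", "name": name})
    return new, True


def check_config(config: dict, name: str = "ACME") -> str:
    """Explain why step-ca would reject ACME requests against this config, or return 'ok'."""
    if not list_provisioners(config):
        return "no provisioners configured: the CA cannot authorize any certificate request"
    if not has_provisioner(config, name):
        return f"no ACME provisioner named {name!r}: clients selecting it will be rejected"
    return "ok"


def check_ca_json(text: str, name: str = "ACME") -> str:
    """Same check on raw ca.json file contents."""
    return check_config(json.loads(text), name)
```

Note that the check is case-sensitive, so a provisioner named "acme" as in the manually created config will not satisfy a client configured with step_acme_cert_ca_provisioner set to "ACME".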

This makes sense, thanks!