smallstep/certificates

[Bug]: Absent DB property makes ACME provisioner fail silently

TL;DR

When the "db" property is not set in ca.json, and you are using an ACME provisioner, the ACME provisioner does not work, and gives no indication of this to the user at startup. (The endpoints just 404.)

Steps to Reproduce

# generate basic CA:
step ca init --context testing
# Enter options as follows:
#   Standalone
#   Testing
#   localhost
#   :1443
#   admin
#   admin

# make pw file to prevent interactivity
echo "admin" > admin.txt

# start CA in background, runs on port :1443
step-ca --context testing --password-file admin.txt &

# add the ACME provisioner
step ca provisioner add acme --type ACME --context testing

# DIVERGENCE POINT -- Skip this step to see normal behavior.
# Make "db" property go missing in ca.json, causing none to load
sed -i 's/db/db2/' .step/authorities/testing/config/ca.json

# restart server
pkill step-ca
step-ca --context testing --password-file admin.txt &

# request /acme/acme/directory URL
curl -k https://localhost:1443/acme/acme/directory
# returns 404 :(
# (or 200 if you skipped the divergent step)

Your Environment

  • OS - Debian "bookworm", kernel 6.1.0-28-amd
  • step-ca Version - Smallstep CA/0.28.1 (linux/amd64)

Expected Behavior

I expected step-ca to either:

  • fail to start, with an explicit error message that db is required for an ACME provisioner;
  • start with a warning, telling me the ACME provisioner is disabled as it requires a database.

Actual Behavior

step-ca starts normally, but there is no ACME functionality, despite not informing the user of this.

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).