gregtwallace / certwarden

Cert Warden is a centralized ACME Client. It provides an API for certificate consumers to fetch their individual keys and certs with API keys.
https://www.certwarden.com/

Unable to add local ACME CA #45

Closed danb35 closed 9 months ago

danb35 commented 9 months ago

I run a local certificate authority on my LAN using the Smallstep software, which exposes an ACME endpoint. When I try to add that CA to LeGo Certhub, I get this error:

An API error has occurred.
Status Code: 400
Message: error: specified acme directory url is not https or did not return a valid directory json response

It is an HTTPS URL and does return a JSON response:

curl https://ca.familybrown.org/acme/acme/directory
{
  "newNonce": "https://ca.familybrown.org/acme/acme/new-nonce",
  "newAccount": "https://ca.familybrown.org/acme/acme/new-account",
  "newOrder": "https://ca.familybrown.org/acme/acme/new-order",
  "revokeCert": "https://ca.familybrown.org/acme/acme/revoke-cert",
  "keyChange": "https://ca.familybrown.org/acme/acme/key-change",
  "meta": {}
}

I suspect the issue is that its cert is signed by its own CA, which isn't trusted within the Docker container; here's what happens if I try the same curl command inside the Docker container:

57c567739c68:/app# curl https://ca.familybrown.org/acme/acme/directory
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
gregtwallace commented 9 months ago

I think you have arrived at the answer. Have you tried adding your trusted root to the container?

danb35 commented 9 months ago

I'd be concerned about losing it in the case of an update, but I guess that's a down-the-road problem. But how would I do that? Just drop a copy of the cert in /etc/ssl/certs/?

danb35 commented 9 months ago

Just drop a copy of the cert in /etc/ssl/certs/?

Well, not exactly that. I put a copy of the cert in /usr/local/share/ca-certificates/ (inside the container) and then ran update-ca-certificates. Now curl succeeds inside the container, and so does adding the local CA. But the question remains whether this will survive an upgrade.

gregtwallace commented 9 months ago

Since the container will never have your local CA installed you will always need to modify it in this way. I'd suggest writing a script for upgrades to automatically perform the extra steps.

Alternatively, depending on your comfort level, you could build your own container from the Dockerfile (https://github.com/gregtwallace/legocerthub/blob/master/Dockerfile) after modifying it to add your CA: https://stackoverflow.com/questions/42292444/how-do-i-add-a-ca-root-certificate-inside-a-docker-image

Either way, this is expected behavior. Good luck!
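The thread boils down to one fact: the "not https or did not return a valid directory json response" error is what an HTTPS client reports when the ACME server's certificate chains to a root the client's trust store does not contain, and the fix is to add that root to the store the client uses. The Go program below is an added illustration written for this page, not Cert Warden's code or Smallstep's. It stands up an in-process TLS server (httptest's self-signed certificate plays the role of the LAN CA's root) serving a directory document copied from the issue's curl output and rebased onto the test server's address, then fetches it twice: once with the default trust store, which fails the way the container's curl did, and once with a certificate pool that has the local root added, which is the in-process equivalent of dropping the PEM into /usr/local/share/ca-certificates/ and running update-ca-certificates. The directory validation (https scheme, JSON decode, required endpoints) is my own reading of what such a check needs to do and is not the project's implementation.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// acmeDirectory holds the endpoints an ACME directory (RFC 8555 section 7.1.1) advertises.
type acmeDirectory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	RevokeCert string `json:"revokeCert"`
	KeyChange  string `json:"keyChange"`
}

// parseDirectory decodes a directory document and rejects one that lacks the
// endpoints every ACME client needs before it can do anything else.
func parseDirectory(body io.Reader) (*acmeDirectory, error) {
	var dir acmeDirectory
	if err := json.NewDecoder(body).Decode(&dir); err != nil {
		return nil, fmt.Errorf("did not return a valid directory json response: %w", err)
	}
	if dir.NewNonce == "" || dir.NewAccount == "" || dir.NewOrder == "" {
		return nil, errors.New("directory json is missing newNonce, newAccount or newOrder")
	}
	return &dir, nil
}

// fetchDirectory fetches and validates an ACME directory URL. roots == nil means
// "use the host's trust store", which is what a stock container has; a non-nil
// pool is the equivalent of a trust store with the local CA installed.
func fetchDirectory(dirURL string, roots *x509.CertPool) (*acmeDirectory, error) {
	u, err := url.Parse(dirURL)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("specified acme directory url is not https")
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(dirURL)
	if err != nil {
		// A TLS verification failure surfaces here, e.g. "x509: certificate signed by unknown authority".
		return nil, fmt.Errorf("directory fetch failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("directory returned HTTP %d", resp.StatusCode)
	}
	return parseDirectory(resp.Body)
}

// constructedDirectory is the JSON from the issue's curl output, rebased onto base (constructed sample).
func constructedDirectory(base string) string {
	return fmt.Sprintf(`{"newNonce":"%[1]s/acme/acme/new-nonce","newAccount":"%[1]s/acme/acme/new-account",`+
		`"newOrder":"%[1]s/acme/acme/new-order","revokeCert":"%[1]s/acme/acme/revoke-cert",`+
		`"keyChange":"%[1]s/acme/acme/key-change","meta":{}}`, base)
}

// newLocalCA stands in for the LAN Smallstep CA: a TLS server whose certificate
// (httptest's self-signed one) is in no default trust store.
func newLocalCA() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/acme/acme/directory", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, constructedDirectory("https://"+r.Host))
	})
	return httptest.NewTLSServer(mux)
}

// outcome records both attempts so a caller can compare them.
type outcome struct {
	DefaultErr error          // error with the host trust store (expected to be non-nil)
	TrustedDir *acmeDirectory // parsed directory once the local root is trusted
	TrustedErr error          // error with the local root trusted (expected to be nil)
}

// run fetches the directory with the default roots and again with the local
// root added, mirroring the container before and after update-ca-certificates.
func run() outcome {
	srv := newLocalCA()
	defer srv.Close()
	dirURL := srv.URL + "/acme/acme/directory"

	_, defErr := fetchDirectory(dirURL, nil)

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // the "install the root" step
	dir, trErr := fetchDirectory(dirURL, pool)
	return outcome{DefaultErr: defErr, TrustedDir: dir, TrustedErr: trErr}
}

func main() {
	o := run()
	fmt.Println("default trust store:", o.DefaultErr)
	if o.TrustedErr != nil {
		fmt.Println("with local CA trusted:", o.TrustedErr)
		return
	}
	fmt.Println("with local CA trusted: newOrder =", o.TrustedDir.NewOrder)
}
```

The first fetch fails before any HTTP request is made, at the TLS handshake, so the server's perfectly valid JSON never reaches the client; that is why the application-level error message can look misleading. Adding the root to the pool, and nothing else, turns the same URL into a working directory. In a container the pool is the system store, so the PEM must be re-added after every image update unless it is baked into a derived image.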