smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Step CA in Docker doesn't trust itself #1909

Open tashian opened 3 days ago

tashian commented 3 days ago

Discussed in https://github.com/smallstep/certificates/discussions/1904

Originally posted by **hardillb** June 29, 2024

I'm running a Step CA in the provided docker container. I've got it set up with an ACME provisioner which I'm using with cert-manager to issue certificates for Ingress objects exposing services in my Kubernetes cluster.

I was trying to add an OIDC provisioner to issue SSH certificates. My SSO provider is a Keycloak install in my Kubernetes environment. I had initially not set up HTTPS for Keycloak and ran into [this](https://github.com/smallstep/cli/issues/1216) problem. So I used cert-manager to add a Step CA issued certificate to the Keycloak ingress; this works just fine from my browser and other tools where I have imported the Step CA root certificate, but when I try to add the OIDC provider again, I get errors like this in the logs:

```
time="2024-06-29T09:44:38Z" level=error duration=79.061144ms duration-ns=79061144 error="error initializing provisioner keycloak: failed to connect to https://keycloak.k8s.loc/realms/FlowFuse/.well-known/openid-configuration: Get \"https://keycloak.k8s.loc/realms/FlowFuse/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority" fields.time="2024-06-29T09:44:38Z" method=PUT name=ca path=/admin/provisioners/keycloak protocol=HTTP/2.0 referer= remote-address=192.168.1.111 request-id=fa8127d1-02c0-4f18-a6c4-55d91f37d46a response="{\"type\":\"internalServerError\",\"detail\":\"the server experienced an internal error\",\"message\":\"error initializing provisioner keycloak: failed to connect to https://keycloak.k8s.loc/realms/FlowFuse/.well-known/openid-configuration: Get \\\"https://keycloak.k8s.loc/realms/FlowFuse/.well-known/openid-configuration\\\": tls: failed to verify certificate: x509: certificate signed by unknown authority\"}" size=396 status=500 user-agent="Smallstep CLI/0.21.0 (linux/amd64)" user-id=
```

This implies that the step-ca instance doesn't trust certificates it issued. How do I fix this?
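The `x509: certificate signed by unknown authority` text in the log above is produced by Go's `crypto/x509` chain verification, the same code path step-ca uses for its outbound HTTPS fetch of the OIDC discovery document. The verifier only accepts chains that end at a root in the pool it is given, and when a client does not pass an explicit pool Go falls back to the process's system trust store. The program below, an added example and not code from this issue or from the smallstep project, reproduces the mechanism offline: it builds a throwaway self-signed root (a constructed stand-in for a step-ca root, not the reporter's CA), issues a server certificate for `keycloak.k8s.loc` from it, and verifies that leaf once against an empty pool and once against a pool holding the root. The empty pool yields exactly the "unknown authority" failure; the pool containing the root verifies cleanly. The `IsUnknownAuthority` helper shows how to recognise this specific failure programmatically rather than by string matching.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert builds and signs a certificate from tmpl. With parent == nil the
// certificate is self-signed with its own fresh key (a root); otherwise it
// is issued by parent and signed with parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA creates a throwaway self-signed root: a constructed stand-in
// for a private CA root, not a real step-ca certificate.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewServerCert issues a TLS server certificate for host from the root.
func NewServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	now := time.Now()
	cert, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return cert, err
}

// VerifyServerCert performs the chain and hostname check a TLS client does
// for host, but against an explicit root pool rather than the system store.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by
// unknown authority" failure, i.e. no root in the pool anchors the chain.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo issues a leaf for host and verifies it against an empty pool (what a
// process whose trust store lacks the private root effectively sees) and
// against a pool that contains the root. Both verification results are returned.
func Demo(host string) (withoutRoot, withRoot error, err error) {
	root, rootKey, err := NewRootCA()
	if err != nil {
		return nil, nil, err
	}
	leaf, err := NewServerCert(root, rootKey, host)
	if err != nil {
		return nil, nil, err
	}
	empty := x509.NewCertPool()
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	return VerifyServerCert(leaf, empty, host), VerifyServerCert(leaf, trusted, host), nil
}

func main() {
	withoutRoot, withRoot, err := Demo("keycloak.k8s.loc")
	if err != nil {
		panic(err)
	}
	fmt.Println("pool without root:", withoutRoot)
	fmt.Println("pool with root:   ", withRoot)
}
```

Run with `go run .`; the first line prints the unknown-authority error and the second prints `<nil>`. The diagnostic value is in what the two pools represent: a CA process can issue a certificate and still reject it on an outbound connection if the trust store consulted by its HTTP client does not contain the issuing root, because issuance and verification use separate inputs.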