Open hardillb opened 5 months ago
Just as a follow up, I enabled HTTPS for Keycloak using cert-manager and the ACME provisioner from the step-ca instance I have.
This led to step-ca not starting because it claimed it didn't trust the certificate issued to Keycloak...
How do I get a step-ca instance (running in Docker) to trust certificates issued by itself?
@hardillb maybe we can add the Step CA root to the trusted roots at the time of performing the OIDC requests. We do that in other places, but apparently not here. There might be a reason for that, but I don't know at this time.
At the moment you could add Step CA's root certificate to the Docker image by running step ca bootstrap ..., similar to what you would do on another client system.
The original issue is a valid concern, and will be picked up 🙂
I don't think running step ca bootstrap will work.
The $STEPPATH is already set to /home/step in the container, so it would just put a copy of the root cert in the same place (/home/step/certs/root_ca.crt).
And adding --install won't help because the container user is step and there is no usable sudo binary in the container to update things as root.
Or have I missed something?
No, I think you're right. I wasn't thinking clearly about it being in the Docker context; sorry 😞
My colleague @jdoss mentioned during triage that it can be done by having the Step CA root on the Docker host, and then mounting it in the Docker container in the right place at runtime.
We also discussed https://github.com/smallstep/certificates/issues/1909, and we decided that we want the CA to trust itself by default, and that change will be made.
No problem, thanks for the update.
I'll try mounting the root cert into the container on /usr/local/share/ca-certificates and see if that works in the meantime (but I think that still needs update-ca-certificates running as root to take effect).
I'll keep an eye on both issues.
Steps to Reproduce
Set up an OIDC provider with an HTTP URL and try to use it to issue a new SSH certificate,
e.g. follow these instructions (but do not enable HTTPS for Keycloak).
The error message on the line after this test for the URL not starting with https:// only mentions github/google, not the real reason: https://github.com/smallstep/cli/blob/e6c5f218f0b13699a328a937f02b9de0907e1654/command/oauth/cmd.go#L330
Your Environment
step CLI Version - Smallstep CLI/0.23.0 (linux/amd64), Release Date: 2022-11-12T00:00:59Z
Expected Behavior
The error message mentions that the URL provided is not https.
Actual Behavior
This error message is less than helpful, but at least it gave me the command that failed...
Additional Context
Yes, I know I can use smallstep ca to issue a cert for Keycloak, but it was already up and running without when I ran the test, and it was lucky that googling the error message took me to the code and I could understand what the error actually meant by reading the test that triggered it.
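Two points from this thread can be shown together in code: the maintainer's suggestion (above) to add the Step CA root to the trusted roots when the OIDC requests are made, rather than relying on the container's system store, and the request in this issue for an error that actually says the provider URL is not https. The following Go program is an added example written for this page; it is not code from the smallstep/cli repository, and the function names (validateIssuerURL, rootPoolWithExtra, newHTTPClient, trustedBy) and the constructed throwaway CA it generates in place of /home/step/certs/root_ca.crt are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// validateIssuerURL rejects non-https provider URLs with a message that names
// the real reason (hypothetical helper; the cli's own check is not reproduced here).
func validateIssuerURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid provider URL %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("provider URL %q must use https, got scheme %q", raw, u.Scheme)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("provider URL %q has no host", raw)
	}
	return u, nil
}

// rootPoolWithExtra returns the system roots plus any PEM-encoded CA roots
// passed in, so the client can trust its own CA without update-ca-certificates.
func rootPoolWithExtra(extraPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // fall back to an empty pool on platforms without one
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("no valid CA certificates found in extra PEM")
	}
	return pool, nil
}

// newHTTPClient builds the client that OIDC discovery/token requests would use.
func newHTTPClient(extraPEM []byte) (*http.Client, error) {
	pool, err := rootPoolWithExtra(extraPEM)
	if err != nil {
		return nil, err
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Timeout: 10 * time.Second, Transport: tr}, nil
}

// trustedBy reports whether the PEM certificate verifies against the pool.
func trustedBy(pool *x509.CertPool, certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// selfSignedCAPEM generates a throwaway CA (constructed test data standing in
// for the Step CA root_ca.crt) so the example runs offline.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	_, err := validateIssuerURL("http://keycloak.example.test/realms/demo")
	fmt.Println("http URL rejected:", err)
	caPEM, _ := selfSignedCAPEM()
	pool, _ := rootPoolWithExtra(caPEM)
	fmt.Println("own CA trusted by client pool:", trustedBy(pool, caPEM))
	client, _ := newHTTPClient(caPEM)
	fmt.Println("client timeout:", client.Timeout)
}
```

In a real deployment the extra PEM would be read from the CA's own root file (in the container that is $STEPPATH/certs/root_ca.crt) and handed to the transport used for the OIDC requests, which is what makes the self-trust work without a writable system store or root privileges.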